Endpoint Protection


Endpoint 11.0.5 not catching viruses


  • 1.  Endpoint 11.0.5 not catching viruses

    Posted Feb 19, 2010 05:58 PM
    Upgraded from Symantec Client Security 3.1.8. But now, SEP is not working right.

    These files keep showing up, to update flash player type of messages. The files are NOT from Adobe.


    I am really concerned at this point. Endpoint 11.0.5, the latest release as of today, is not identifying viruses that are in files that tell you to update your flash player. According to Virus Total:

    The file "adobeflashplayerv10.0.45.2.exe" is shown as:

    DrWeb 5.0.1.12222 2010.02.19 shows as "Trojan.Packed.19705"

    eTrust-Vet 35.2.7313 2010.02.19 shows as "Win32/TDSS.G!packed"

    F-Secure 9.0.15370.0 2010.02.19 shows as "Suspicious:W32/Malware!Gemini"

    Panda 10.0.2.2 2010.02.19 shows as "Suspicious file"

    Sophos 4.50.0 2010.02.19 shows as "Sus/UnkPack-C"

    Symantec 20091.2.0.41 2010.02.19 shows as "Suspicious.Insight"

    TrendMicro 9.120.0.1004 2010.02.19 shows as "TROJ_TDSS.SMAL"

    or

    flashvidplugin.45047.exe

    Shown as on Virus Total:

    McAfee 5897 2010.02.19 shows as "FakeAlert-MA.gen"
    McAfee+Artemis 5897 2010.02.19 shows as "FakeAlert-MA.gen"
    Prevx 3.0 2010.02.19 shows as "Medium Risk Malware Dropper"
    Sophos 4.50.0 2010.02.19 shows as "Mal/FakeAV-CO"
    Symantec 20091.2.0.41 2010.02.19 shows as "Suspicious.Insight"
    TheHacker 6.5.1.5.202 2010.02.19 shows as "Trojan/FakeAV.gen"


    Thanks.

    GLOrchard


  • 2.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 19, 2010 06:33 PM

    Please submit adobeflashplayerv10.0.45.2.exe to Symantec Security Response: https://submit.symantec.com/websubmit/gold.cgi

    Does Symantec Endpoint Protection protect me from fake anti-virus programs?
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748


    Title: 'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'
    Document ID: 2000100610314948
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000100610314948?Open&seg=ent




  • 3.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 20, 2010 12:42 AM
    Thank you for the information. With all due respect, Microsoft's Security Essentials detects the files as viruses right at the point the files are saved to the hard drive. The first one, adobeflashplayerv10.0.45.2.exe, is very nasty. It adds a "control center" to the machine and when you boot up, you can't get to anything; the task manager is disabled. Last week, Microsoft Security Essentials detected last week's and this week's "variant". I am not a fan of Microsoft's products but I have to say that their free software saved my user's PC. I start to wonder about paying the extra money and admin time for SEP when here is a free product that does the job sooner than SEP. This is not a knock on your product! Just wondering.

    Thank you.


  • 4.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 20, 2010 12:47 AM
    I submitted the files. I submitted as a home user because my contact id would not go through on the link you gave me. Not sure why. But anyway, found another site to submit. I understand that the variants change quickly. I tested Microsoft's free product (though it uses the internal Firewall which is a knock against the firewall) and SEP's firewall is rock solid and I trust it and it right. I will say this, even though SEP did not recognize the file "adobeflashplayerv10.0.45.2.exe" as a virus, the firewall popped up several times with some obscure applications asking for permission to the internet. And I've trained my users to click NO on firewall pops. I don't allow all IP traffic through. My SEP is set up as application specific.

    Thank you for your time.


  • 5.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 20, 2010 06:52 AM


  • 6.  RE: Endpoint 11.0.5 not catching viruses
    Best Answer

    Posted Feb 21, 2010 09:38 PM

    Please give us the tracking number that you must have received from the Security Response team.

    We will keep you updated.


  • 7.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 23, 2010 01:48 AM
    Thank you, guys. I read the article provided by Aravind. I follow the steps exactly as written. I agree. Update, update, update. But the question I have is why does Microsoft Security Essentials see this file as a virus, which it is (see tracking number #14900287 on the virus I submitted), but SEP does not. I understand variants change. Even the Virus Total website uses Symantec, and the Symantec on their site sees the file I submitted as a virus. The question is, how can free software do the job that I am paying for? In fact, the free software (I am not a Microsoft supporter, personally) found all test samples I tested with. Symantec missed three. Then a week later, Symantec missed one out of ten. But the Microsoft product was accurate a week before. I have been using Symantec's corporate products for a long time, from Symantec Client Security. But I wonder...all of this cost...Thank you.


  • 8.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 23, 2010 01:51 AM
    All see tracking number 14893584.


  • 9.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 23, 2010 01:52 AM

    Sorry, last tracking number is 14893603



  • 11.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 23, 2010 05:42 PM
    I received a response that the file is a trojan. Tracking number 14893584 is now closed. Also, tracking number 4893603 is also closed. The file checked was shvidplugin.45047.exe and shown to be a trojan. At this point all I can say is that I am impressed that free software knew this prior to Symantec Endpoint Protection. I never trust free antivirus software to be effective. Used to not be. SEP 11.0.5 would not have stopped these files from launching and running. That concerns me. SEP will stop the files now.  Thank you for your help.


  • 12.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 23, 2010 05:46 PM
    To Clarify:

    adobeflashplayerv10.0.45.2.exe was confirmed by Symantec to be a trojan.
    flashvidplugin.45047.exe was confirmed by Symantec to be a trojan.


  • 13.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 23, 2010 05:51 PM
    Make sure you are running the recommended Antivirus Security Setting and not the default settings.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

    Best,
    Thomas


  • 14.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 23, 2010 07:59 PM
    Hi Thomas,
    Thanks for the information in that link!
    (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948)
    I just have a question about differences between Workstations and Servers. Can one policy object be used, or should I be treating my servers differently (talking just about the Antivirus/Spyware protection settings)?
    I inherited SEPM at my workplace when I came here, so I have no training, little experience, and therefore not much idea (I don't know what I don't know, hence I read here almost every day as part of learning about the product).
    We seem to have multiple AV policies (3 of them) and I am just not sure whether that's necessary or not!
    Cheers,
    Steve


  • 15.  RE: Endpoint 11.0.5 not catching viruses

    Posted Feb 24, 2010 11:14 AM
    Hi Steve,

    You should be protecting your servers and workstations with different policies. Note the PTP feature is not compatible on server OS's.

    View the Client Guide for Symantec Endpoint Protection for more details.

    ftp://ftp.entsupport.symantec.com/pub/support/documentation/Client_Guide_SEP11.0.5.pdf

    Other useful links:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032011023248

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348


    Best,
    Thomas