
EndPoint consistently allows fake AV malware

Created: 13 Aug 2010 | 65 comments

We've had several customers lately who have had to buy Malwarebytes to clean up their systems because SEP 11.06a allows Fake AV malware to install and run.  I've had to clean up a dozen or more machines like this in the past month or two.  SEP seems quite adept at keeping out traditional viruses, but when it comes to malware like Fake AV products it's lacking in many skills to detect or remove them.  Is it time to dump SEP, use MS Security Essentials for AV and have customers buy Malwarebytes which seems to do a far superior job at keeping malware at bay or will Symantec be stepping up its diligence and fix this deficiency?


Brook:

Our security group has the same views as you. We can have a PC that has the latest SEP defs on it, it gets infected with malware and SEP can't fix it.
Then we load Malwarebytes on this already infected PC, run it, and it cleans it. This is very depressing. We pay Symantec a lot of money to do this job and it can't!
Step it up Symantec!

P_K_:

Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
Document ID: 2010020116202748
> Web URL: http://service1.symantec.com/support/ent-security....

 
Title: 'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'
Document ID: 2000100610314948
> Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000100610314948?Open&seg=ent

https://www-secure.symantec.com/connect/articles/h...

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Terabyte Computers:

Prachand,

Sorry, that's a lame excuse.  Malwarebytes catches MANY more threats than SEP does and does this consistently and regularly.  This article was clearly written by your PR or marketing team.  Let's actually look into the problem and find a solution that doesn't involve feeding us marketing's answers.  Look at Brook's statement, it's obvious that I'm not alone here.  Either this is fixed or our customers are leaving SEP & Symantec even faster than they already are.

BTW, I can take an infected HDD with one of the fake av malwares installed, connect it via an external HDD chassis, scan it with a clean system running 11.06a and it will NOT find it!  Then turn around and scan with Malwarebytes and it will find it.  Let's stop trying to excuse this away and find out what's going on and fix it.  SEP has been a disappointment from day 1 and it's not much better 6+ major builds later.

sandra.g:

Terabytes,

In the first article, it explains that the FakeAV variants are constantly being modified to avoid detection by traditional antivirus programs, whose definitions are based on submissions received.   I don't know much about Malwarebytes; I do know that a friend performed a test putting a blank text file with the right name in the right location (i.e. a common file name of a FakeAV variant in one of the places FakeAV likes to plant itself), and that tool erased it as a threat.

If your customers are not using all three protection components of SEP, have not increased the sensitivity of the heuristic scanners, and do not use IPS, this is going to continue to happen.  I've pasted these in other threads before, but here they are again:

- You can increase the sensitivity of the heuristic detection in Antivirus/Antispyware:

Title: 'How to enable, disable, or configure Bloodhound (TM) heuristic virus detection in Endpoint Protection.'
http://service1.symantec.com/SUPPORT/ent-security....

- You can also increase the sensitivity of the heuristic scanner of Proactive Threat Protection (PTP), which is shipped with a relatively low setting so as not to trigger false positives in a production environment.  I recommend testing on a small group set to "log only" so that you can create exclusions for system critical processes that are detected.

Title: 'How to increase the sensitivity of Proactive Threat Protection in Symantec Endpoint Protection 11.x'
http://service1.symantec.com/SUPPORT/ent-security....

If you are not using Network Threat Protection (NTP) because you don't want to use the firewall, it is recommended to install it anyway to reap the benefits of Intrusion Prevention.  Unknown threats can be stopped and prevented from infecting systems in the first place based on the method by which they are trying to get on the system.

Title: 'Best practices regarding Intrusion Prevention System technology'
http://service1.symantec.com/SUPPORT/ent-security....

- Other best security practices are to ensure systems have critical Windows patches in place:

Microsoft Baseline Security Analyzer
http://www.microsoft.com/downloads/details.aspx?Fa...

- Missing critical updates for third party programs can be a vector of infection.  Current versions to the best of my knowledge:

 - Adobe Reader: 9.3.3 - anything earlier is vulnerable and those vulnerabilities are actively exploited
 - QuickTime for Windows: 7.6.6; iTunes: 9.1
 - Java: Version 6 Update 21
 - Flash: 10.1

These are user-contributed suggestions via the Symantec forums, for your information:

- Using Application and Device Control to protect against browser hijackers and fake AV
https://www-secure.symantec.com/connect/articles/h...

- Setting recommendations for different technologies
https://www-secure.symantec.com/connect/forums/tur...

I hope this helps.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

davidrb:

I agree with the two posters.  End point does not do a good job of detecting Malware.  We use both Malwarebytes and end point on all systems we serve.  That seems to minimize the problem.  Maybe Symantec should buy them!
dave

Terabyte Computers:

No!  Symantec should not buy them.  All too often Symantec has bought products only to ruin them.  I offer BackupExec as one.  WinFax/TalkWorks Pro as another.  Or worse, they buy a product like Brightmail and force users of their own code to use the new code that's far inferior.  What Symantec needs to do is learn to admit they have a problem (that is, of course, the first step to any solution) and then work with Partners to find one.  SEP has been a lousy product from day one, using 10x more RAM on servers than SAV 10.1.7 did and they've only managed to reduce the RAM hogging footprint to about 5-6x the load that 10.1.7 had.  They continue to use numerous 3rd party and open source apps in their products that cause many problems (try installing and administering SEP from an RDP session, worked fine in 10.1.7, they specifically say you're not allowed in 11.x). 

IMHO, if SEP 13 (12 was for SMBs but it wastes more RAM than 11.06a does) isn't 50% smaller with all the malware detection/cleaning problems fixed Symantec better hope their other products continue to sell well or they'll have serious financial problems

BTW, I know someone very close to me who works for a Fortune 40 company and they have SEP and they also have Malwarebytes deployed!!!  Now, what does that tell you about the expectations that Fortune 40 companies have that SEP can or will protect them???

Terabyte Computers:

Sandra,

Malwarebytes ALWAYS, I repeat ALWAYS, find the Fake AV junk and SEP NEVER, I repeat NEVER, finds it.  As I've stated I can take an infected HDD out of a machine, put it in an external USB chassis, plug that drive into a known clean system, scan it with SEP with the latest defs (either normal or rapid release) and it won't find it and then turn around and scan with Malwarebytes with a week old defs and it will find and remove it.

Also, do not insult your Partners by suggesting we don't know how to update systems.  I am more than happy to let you have at my personal desktop which I guarantee has the latest Flash, Acrobat, Java, & Quicktime (I don't do iTunes and very few of our business customers do either).  Furthermore, if you want to talk about vectors, there are MANY more avenues of infection than the ones you've mentioned.

We absolutely use NTP as well as all the other technology provided by SEP on all our customer LANs.  The fact remains that a free product like Malwarebytes finds malware that SEP simply doesn't in any form with any definitions.

Finally, with regards to your other suggestions, increasing Bloodhound detection, sensitivity (you're joking here, right, your false positive rate is a bit too high for that), and App Device Control, they're all unacceptable.  Again, with ZERO changes to the DEFAULT settings for Malwarebytes and a week or more old definitions (often with Fake AV you can install Malwarebytes but not update it without a manual file) Malwarebytes will kill it the first time where SEP won't find it at all.

Now, let's stop excusing away the problems and find a solution.  Monday I'll send this information on to the PM and we'll get his input, but I can assure you the next time I have to clean a customer's FULLY patched and FULLY updated (as well as FULLY managed) SEP-protected system from FakeAV or anything else that Malwarebytes finds that SEP doesn't it'll be the last install of SEP we do.

J.Bonner:

I had a user whose laptop got infected with FakeAV despite having SEP running with up-to-date definitions. So we tried scanning with Malwarebytes, but it didn't detect it either.

Jon

sandra.g:

You would be surprised how many people I talk to who are still running Windows XP SP2, have Adobe Reader 7 and Macromedia Flash installed.  It's a valid concern, and I'm sorry if that offends you.  That was not my intent.

"Finally, with regards to your other suggestions, increasing Bloodhound detection, sensitivity (you're joking here, right, your false positive rate is a bit too high for that), and App Device Control, they're all unacceptable."

I explained that sensitivity is set low to prevent false positives, and you say that upping the sensitivity makes the false positive rate a bit too high -- if it were to ship with the higher sensitivity settings, this is exactly what would happen.  That's where testing comes in to ensure neither knocks out a mission-critical application or process.

Definitions are based on samples received.  Traditional antivirus (aside from heuristics) is and always has been reactive in this way.  I don't know what Malwarebytes is using to make detections, but with the rate at which the code on FakeAV changes, it can't be based on sample code received.  My limited experience with it suggests it's partially brute force, looking for specific file names in specific locations.  (I have to wonder what Malwarebytes' false positive rate is.)

My solution was noted above--upping the sensitivity of the proactive heuristics, using Application and Device Control--and not relying on default settings, but you're admitting that you don't find this acceptable.  I'm honestly not sure what more to suggest.  Let us know what the PM has to say.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection
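The two detection styles argued over above (definitions built from submitted samples versus the filename-and-location matching sandra suspects Malwarebytes uses, and the blank-file false positive her friend saw) can be reproduced with two toy scanners. This is an added example, not code from the thread, from Symantec or from Malwarebytes. Every path, filename, directory and byte string in it is constructed for the demo and is not a real FakeAV indicator; the scanners are deliberately minimal so the trade-off is visible.

```python
"""
Added example, not code from the thread or from Symantec/Malwarebytes: two toy
scanners run over a constructed directory tree to show the trade-off sandra
describes.  A hash signature built from one submitted sample misses a repacked
variant; a filename-plus-location heuristic catches the variant but also flags
an empty file planted under a "FakeAV-looking" name.  Every path, filename and
byte string below is made up for the demo and is not a real FakeAV indicator.
"""
import hashlib
import os
import tempfile

# Constructed "submitted sample": the only bytes the signature database knows.
KNOWN_SAMPLE_BYTES = b"fakeav-v1 dropper (constructed sample)"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE_BYTES).hexdigest(): "FakeAV.Sample.v1"}

# Constructed heuristic: basenames and user-writable directories we pretend to
# have seen FakeAV use.  Content is never inspected by this scanner.
SUSPICIOUS_NAMES = {"av_defender.exe", "securityscanner.exe"}
SUSPICIOUS_DIRS = ("appdata/local/temp", "programdata")

# Constructed fixture: relative path -> file content.
FIXTURE = {
    # original sample in a typical drop location: both scanners should hit
    "Users/alice/AppData/Local/Temp/av_defender.exe": KNOWN_SAMPLE_BYTES,
    # repacked variant, new name, new bytes: hash misses, heuristic hits
    "ProgramData/securityscanner.exe": b"fakeav-v2 dropper (constructed, repacked)",
    # empty file planted under a suspicious name: heuristic false positive
    "ProgramData/av_defender.exe": b"",
    # innocuous name under Program Files: neither scanner should hit
    "Program Files/Vendor/updater.exe": b"legitimate updater (constructed)",
}


def build_fixture(root):
    """Write FIXTURE under root, creating directories as needed."""
    for rel, data in FIXTURE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def _walk(root):
    """Yield (relative path with forward slashes, absolute path) for every file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def hash_scan(root):
    """Signature scan: flag a file only if its SHA-256 is in SIGNATURE_DB."""
    hits = {}
    for rel, full in _walk(root):
        with open(full, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest in SIGNATURE_DB:
            hits[rel] = SIGNATURE_DB[digest]
    return hits


def heuristic_scan(root):
    """Location scan: flag a suspicious basename inside a suspicious directory,
    regardless of content (so an empty file with the right name is flagged)."""
    hits = {}
    for rel, _ in _walk(root):
        parent, base = os.path.split(rel.lower())
        if base in SUSPICIOUS_NAMES and any(d in parent for d in SUSPICIOUS_DIRS):
            hits[rel] = "Heuristic.FakeAV.Location"
    return hits


def compare_scanners():
    """Build the fixture in a temp dir and return (hash_hits, heuristic_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return hash_scan(tmp), heuristic_scan(tmp)


if __name__ == "__main__":
    by_hash, by_location = compare_scanners()
    for rel in sorted(FIXTURE):
        print(f"{rel:50s} hash={'HIT' if rel in by_hash else '-':3s} "
              f"location={'HIT' if rel in by_location else '-'}")
```

Run as a script it prints one line per fixture file. The repacked variant is the case the thread is about: its hash is not in the database, so the signature scanner stays silent while the location heuristic fires; the empty `av_defender.exe` is the cost of that heuristic, and is exactly why a vendor shipping it would expect to tune exclusions rather than turn it on at full sensitivity by default.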

Terabyte Computers:

Sandra,

I'm not surprised that people still run old versions of products, but XP SP2 isn't the infection reason (all patches for SP3 are available for SP2 as well).  As for Adobe and Flash, they're also not a major source of infection.  People clicking on popups that claim their PC is infected (anyone can write HTML code to say that, people are just too dumb to know that) is the cause.  Having Win7, the latest patches, latest Adobe, Flash, and every other possible patch will not stop that.

The other problem with your solutions is that they shouldn't be needed.  What you're suggesting would be like Cisco shipping enterprise firewalls like their ASA line with most ports open to the world and then them asking companies to lock it down tighter until they achieve a level of security that's acceptable.  Smaller businesses also will not have the expertise to setup app/device control without breaking their entire LAN.  You don’t provide any predefined apps (the top 500 by sales should be predefined).  Furthermore, the FAQ presented by another user here is laughable as it provides as examples C:\windows\*.exe and %windir\system32\*.  I can’t count how many times a virus or other malware placed itself in one of these folders.  You’re not providing ANY level of safety with examples like this.
 
In the end, your programmers have spent more time on fluff and bloatware (500-600MB on the server for AV counts as bloatware in any book I’ve seen) in the past few years rather than keeping up with the times and a tiny 6MB program kicks SEP around the block day in and day out.  I think it’s time to move on if we can’t get Symantec to admit it has a problem.  I'm betting we won't be alone.

.Brian:

You use app and device control and it's still not stopping FakeAV?

I haven't seen an infection of this kind since I implemented it so I'm curious as to what you have in place.

Also, do you use Proactive Threat Protection?

I have it set to quarantine with a sensitivity of 100. There are some false positives (plus I give the users the option to add exceptions), which I set exceptions for, but it does catch FakeAV as well.

The fact remains that there is no such thing as an AV that catches everything (as noted above AV is reactive and based on samples). I agree MBAM is good but I've also seen it miss some things that others have caught. I've seen MSSE, Norman Malware Scanner, McAfee, Avast, etc, etc, miss things.

If configured properly, I have a hard time believing App and Device control is not working for you.
http://www.symantec.com/avcenter/security/ADC/Conf...

Just offering my two cents

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Terabyte Computers:

First, app & device control are NOT part of Malwarebytes and yet they manage to stop it and in my experience 100% of the time.  I've yet to have a customer running paid Malwarebytes get FakeAV (and I've tried to get it installed and it failed) and yet I can take a customer's HDD that's been infected for a week or more, remove it, and scan it in an external HDD USB chassis and even with the most recent defs (a week older than the infection) and SEP simply doesn't find it.

Yes, you are right in that there is no 100% prevention solution, but the fact remains that other tools prevent (or find and remove if they're not using the paid version) far more often than SEP does even a week out from the initial infection.  SEP is supposed to have tamper protection as well so the Symantec rep's assertion that they can modify SEP to stop it tells me SEP's tamper protection isn't very tamper resistant.

As for app control, I don't know how big your organization is, but we have customers with hundreds of employees with potentially hundreds of apps.  How long does Symantec expect these companies to spend making their SEP functional?  At the very least, IMHO, the top 500 or so apps (by sales volume) should come preconfigured.  Also, does anyone at Symantec expect the SMB with say < 50 users and no IT admin to configure App & Device control? 

BTW, the funny thing about the document you mention is on page 16.  It shows an example of C:\windows\*.exe.  I can't even begin to name the # of viruses that plant themselves in C:\windows or %windir%\system32 so I can't imagine how many SEP owners just follow the examples!

Furthermore, how does App control stop FakeAV from installing from a Web site without preventing an admin from installing new software/patches/updates from other web sites?

Honestly, this strikes me as the hocus pocus AV vendors used to try in the 80's when they tacked code onto the end of .exe's to keep (or try anyway) viruses from infecting them.  It often prevented the app from working, made installing new apps a pain (the AV product would whine that the .exe wasn't immunized), and just created hassles that weren't worth the potential rewards.

In the end, Symantec needs to stop excusing this away, study how others catch Fake AV (and that was just an example, there are many more that Malwarebytes catches that SEP doesn't) and fix SEP to catch it at least occasionally.

Symantec, why don't you try this on your own.  Get a machine, isolate it, deliberately infect it, remove the HDD, take it to another machine with current defs, attach the drive via USB in an external chassis, and scan it.  When SEP doesn't find it scan it with Malwarebytes and your machine will be fixed.

Finally, It's not just SEP from Symantec that doesn't catch this, Norton 360 doesn't either so I'm of the belief it's the scanning engine not the lack of app control.

.Brian:

I have 10k+ employees but then again, my main focus right now is SEP so I spend most of my time in the SEPM console. Yes, it requires a lot of tweaking as out of the box settings don't cut it.

I don't have the issues you do, but it also sounds like you work with a wide variety of customers from different companies. I'm able to manage my users and tweak settings, policies, etc. and lock them down as I see fit.

What MBAM needs to do is figure out how to make its product centrally managed. Until then, it's just another product to me, used on a case by case basis. I can't not have visibility of all my users.

You make good points but SEP works for me. Maybe it just doesn't work for some, I don't know. I've always thought App and Device control is the bread and butter of SEP. Sure I have my complaints, as I do with most products I use but it works so I'm not going to try and fix what isn't broken, for me anyways.

Terabyte Computers:

Yep, in a controlled environment like you have where you have total control and you only answer to one set of bosses I can see how A/D control would work, but if it's what SEP relies on to secure systems then it's not really an antivirus/antimalware product it's really a user permissions product.  The kicker is SEP fails regularly, and I'm obviously not alone, with its out of the box settings and no SMB will take the time to hack settings into place to protect themselves.  SEP 12 Small Biz Edition isn't any better than 11 so that's not the solution.  Symantec either needs to fix it or admit they have a problem so their customers can buy another product that will protect themselves.

The day MBAM is centrally managed will be the day SEP loses a huge % of customers.  Their product is 1/100th the size of SEP, far faster, and, in my experience, much better than SEP at removing everything but traditional viruses.

LTDSecurity:

We were in the same boat as the original poster as well as some others that have replied. This all changed when we turned on the IPS option and updated the end points client. I did weeks of testing with current SEP without IPS that were infected from known good sites pushing out the Fake AV crap and then tested the same exact site with SEP with IPS installed and the Fake AV was blocked.

In the past 3 months since we have turned on IPS and made no major tweaks we have had 2 Fake AV infect 2 users' machines compared to 35 the previous 3 months. The issue was due to IPS not being enabled on their machine, they were notebooks that were never updated.

The beauty of the IPS is that it blocks more than just Fake AV, it blocks Eleonore Kit, Nukesploit, Malicious Toolkit IFrame Injection and a lot more!

Turn on IPS and don't look back!

Gary_L:

This from malwarebytes:

"As far as why MBAM is very good at dealing with this infection, that is simple. MBAM is designed to be very good at dealing with malware that the AVs seem to be having problems with. I do not spend my time making MBAM detect millions of infections that any decent AV already detects as MBAM is DESIGNED to work alongside antivirus software, not replace it. A huge chunk of the research that goes into MBAM revolves around what we see making it into HJT threads as the vast majority of these threads involve antivirus software that was in some way bypassed."

and

"Lastly, I note that Malwarebytes is specifically a removal tool, NOT a protection tool - it is far easier to identify and remove something that is running on a PC than it is to prevent it from getting there in the first place - which is our goal."

Terabyte Computers:

Actually MBAM has a real time tool if you pay for the full version.  From their site, "Activating the full version unlocks realtime protection, scheduled scanning, and scheduled updating."

teiva-boy:

If you follow my recommendations on a thread called "SEP Secret sauce," as well as get to a SEP version of RU5 or better, you will minimize your infections down to nothing.

Google/bing/yahoo search it.  

The above quote from Gary_L is from the author/owner of Malwarebytes himself!  He had posted on this forum a while back to defend his product and Symantec's.

There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."

Terabyte Computers:

You create too many limitations.  For example, how do you expect one to install, say MS Office, if you prevent running programs from removable drives?  If I read it right that includes CD/DVD drives.

As for Gary's oft quoted quote, the thread is 2½ years old and is actually FALSE.  I'd like to see the original quote but all I seem to find are Symantec employees and then others blindly quoting it with no reference to the original post.  The fact is it is absolutely false.  Their pro version is real time, their free/home version is removal only.  If you have a link to the original post I'd sure like to read it, but in the end, until Symantec provides a product that an SMB can use without spending weeks testing SEP will continue to be a 3rd rate security product.

BTW, we've gotten off topic.  The fact remains, once you're infected SEP with the most recent definitions can't even find Fake AV let alone remove it and yet MBAM with a week old set of defs finds and removes it 100% of the time.  Let's get back on topic.  SEP can't remove what MBAM can and when Symantec admits to that we can move forward with finding a solution.

teiva-boy:

SEP includes a product called Power Eraser, a similar product to MBAM.  It's a separate download found on the client.
SEP includes an ISO you can boot off to scan machines offline.  It can be found on fileconnect with a valid support contract.

And most likely you are configuring SEP wrong, and using out of the box policies and assuming that is sufficient for security.

Network Threat Protection, Bloodhound set to maximum, and TruScan PTP all need to be tweaked from their defaults...  Not to mention they have to be installed as a feature!


Terabyte Computers:

Teiva-boy,

You continue to miss the point.  SEP FAILS to remove items that MBAM removes.  Period.  You haven't disputed that as it's really not in dispute.  Furthermore, we are doing FULL deployments of every option including PTP and NTP but if SEP's default settings don't catch modern nasties why is it shipped that way?  Symantec is assuming, wrongfully so, that small biz's are going to know how to jury rig their product to protect their systems (but of course they will sell you an install session with a rep to do it for you!). 

Again, let's get back to the real debate.  SEP, in a running system out of the box, FAILS to remove nasties other products remove.  Period.  Furthermore, if I remove a HDD from an infected system and connect it to a non-infected but fully updated box with SEP it won't remove it either.  Let's stop excusing away the initial config and focus on the problem, removal.

teiva-boy:

"Again, let's get back to the real debate.  SEP, in a running system out of the box, FAILS to remove nasties other products remove.  Period.  Furthermore, if I remove a HDD from an infected system and connect it to a non-infected but fully updated box with SEP it won't remove it either.  Let's stop excusing away the initial config and focus on the problem, removal."

The fail here is assuming out of the box is sufficient (in all aspects of security products, not just limited to Symc).  And Power Eraser is a removal tool.  So lock down SEP so that it blocks the stuff, and it can reduce the infections by a large magnitude, and when it does get through, you have the PowerEraser at your disposal to try to further eradicate it.

There's something to be said if you continually bash a product that you cant get to work...  Perhaps it's time for you to invest in something you are more comfortable with?


.Brian:

There really isn't much to debate. SEP's default configurations don't cut it, as we all know, hence they need to be tweaked.

Administrators who work with SEP day in and day out are probably (should be) more aware of this.

SEP is more tailored to the enterprise meaning it will give you default configurations (which don't really work for most), and I think they try to take the safer approach of not breaking things out of the box, less false positives, etc etc. This allows for the admins to test and tweak to make it work for their enterprise.

MBAM is not an enterprise product.

Either way, I'm not defending anything. I'm just giving my two cents.

I take a multi-layer approach when trying to protect the enterprise, with the main purpose of trying to stop anything from even getting to the workstations in the first place.

As I've said, SEP works for some and not others just like McAfee works for some and not others and Kaspersky, and all other AV vendors.

Maybe it is time for you to look into other suppliers.

Regardless, this thread and others like it, have run their course.

On another note, Symantec Power Eraser is designed to detect and remove:

FakeAV and other Rogueware
New variants of existing threats
Rootkits
System settings which have been tampered with

Don't ask me why SEP doesn't do this but it is a nice tool as I've used it a few times and it has gotten things SEP hasn't picked up. Same with the SERT.


Ted G.:

"BTW, we've gotten off topic.  The fact remains, once you're infected SEP with the most recent defnitions can't even find Fake AV let alone reomve it and yet MBAM with a week old set of defs finds and removes it 100% of the time. Let's get back on topic.  SEP can't remove what MBAM can and when Symatec admits to that we can move forward with finding a solution."

Absolutely incorrect. I talk to customers all day who have told me that MBAM fails to remove malware as well. In the 10+ years I have been working in this industry I have found that nothing works 100%, and you will never find an AV product that works 100%. I have even had MBAM fail on my machine at home to remove a fake AV.

Bottom line is this; If you expect SEP to work out of the box and not have to configure it to work in your environment, you are failing to use the product correctly. It doesn't get any more plain or simple than that. As the previous poster said. We designed it to be the least disruptive to the environment as possible when installed. At that point it's up to the user, whoever that may be, to configure it to work properly in their environment. That includes days/weeks of testing before full deployment, etc.

Terabyte Computers:

“Days/weeks of testing” would be laughable if it weren’t so tragically off-base in a SMB environment.  Your statement suggests to me that Symantec has little insight into how an SMB operates.  SMBs don’t have the manpower, time, or $ to do what you suggest.  Fortune 500’s do, but then again at least one of them doesn’t trust SEP entirely either.  SEP 12 only emphasizes that problem for SMBs and certainly doesn’t go very far toward fixing it.  Something well over half of all seats in the business world are in SMBs but Symantec’s focus is on the Fortune 500 seat.  As I said before I know of a Fortune 40 company who has BOTH SEP and Malwarebytes deployed.  Makes you wonder why a company that size would need both too?

davidrb:

Mr. Terabytes:  The reason that I suggested that Symantec should buy Malwarebytes is because they have a tendency to buy the competition only to ruin them.  I agree with YOU.

Dave 

khaley:

Symantec does miss malware.  We are not alone in that, but it is cold comfort to someone with an infected system.  I understand why people get upset.

I disagree that MalwareBytes is a better desktop security product than SEP.  Rather than prolong the argument  by making my own case for why this is wrong, I’d like to propose a real world test. 
 
Take half of your machines and install MalwareBytes on them.  Configure them any way you wish.  Take the other half and install SEP with the recommended settings.  Now leave the machines for a week or better yet a month.  And then go see which ones have the most infections. You could even then run a SEP scan on the MalwareBytes machines and a MalwareBytes scan on the SEP machines.  But make sure you don’t count the tmp files and registry entries that MalwareBytes counts as viruses.
 
This would be a fair way to compare the two products.
 
Kevin

Terabyte Computers:

Kevin,

Actually, that's not a fair way.  The fair way is to infect a machine with one of the Fake AV variants, remove the HDD, clone the HDD, and then using the latest defs let each product scan one of the drives.  My experience is SEP won't remove much of these types of malware products and MBAM will remove the vast majority. 

Also, if you fail to remove registry entries that malware/viruses install you're just asking for re-infection so I don't know why you want to ignore these registry keys.  Are you saying that SEP would or should leave a malware's registry keys during removal?

Next, it's appears from this side of the street that you have multiple divisions at Symantec pulling in different directions.  The developers appear content to ship SEP as-is without Security Response's recommendations and Security Response appears intent on telling everyone what's wrong with the way SEP is designed and shipped. 

Let me ask it this way.  If you take a brand new computer with an unformatted HDD, and by using NOTHING but defaults install Windows 7 and then install Microsoft Office what changes from the defaults in Windows/Office do you have to make before they're usable in the manner in which they were advertized?  The answer is NO changes. Yes, they can be customized to change the way they behave, but to have the standard functionality that will allow for 99.9% of folks to use them efficiently, the out-of-the-box configuration is just fine. 

SEP, on the other hand, apparently isn't.  SR disagrees with the out-of-the-box configuration and suggests major configuration changes in order for SEP to provide the "advanced threat prevention to deliver unmatched defense against malware for laptops, desktops and servers" (quoted right off your web site).  Nowhere on http://www.symantec.com/business/endpoint-protection does it say that the only way to actually achieve this "advanced threat prevention" is to make MAJOR configuration changes to the product after installation.  At the very least the statement is misleading.

The same page goes on to state:

Key Benefits:
Stops malware such as viruses, worms, Trojans, spyware, adware, bots, zero-day threats and rootkits.

That's simply not my experience with the out-of-the-box configuration (others here have agreed and given SR's FAQs on how they believe SEP should be configured, it's pretty clear we’re not alone).  Now if you want to add an * to those statements and then add a disclaimer at the bottom that might say something like:

* Please note that the out-of-the-box configuration may not provide acceptable levels of protection.  Significant amounts of time may be required to configure SEP and then to maintain it as usage changes.

That might get the job done, but as it stands now I find MBAM removes what SEP fails to find, more often than not. 
 
Finally, much here has focused around using SEP's management tools to set up policies.  How do you handle the unmanaged LAN of 5-10 PCs or other unmanaged client PCs?  The MAJOR drawback of SEP is SEPM requires the wasting of 500MB+ RAM on the management server as well as significant amounts of CPU time.  SAV 10.1.7 was perfect for this type of LAN.  It used <100MB on the management box and ran wonderfully.  SEP, on the other hand, is unmanageable in a small environment.  SEP really fails these customers all around and SEP 12.0 doesn't solve it at all.  SEP 13 or whatever you call it had better be back to 100MB on the management side or you will lose huge numbers of small businesses to another product.

rpatty's picture

"Actually, that's not a fair way. The fair way is to infect a machine with one of the Fake AV variants, remove the HDD, clone the HDD, and then using the latest defs let each product scan one of the drives."

Sorry, but that's just silly. Yes, if the ONLY thing you care about is exactly one version of the Fake AV virus, this might be a good test. If you care about the overall effectiveness of malware protection, Kevin's suggestion of running two groups of parallel computers is far more reasonable. Despite your frustrations with this particular weakness (and I have some of the same frustrations), I think overall effectiveness is a far better metric.

There hasn't been a time in the last decade where I haven't kept a backup cleanup program (or three) to supplement the primary program. That's just how this business works. The virus writers write and test specifically against the well-known AV software. AV software for the most part has to wait until a virus is released in the wild before they can build in protections. Having multiple sources of protection is a necessity -- some software is better at certain types of virus than others, or identifies new outbreaks sooner.

From what I've seen in other places, the Fake AV is the #1 type of virus recently, with something like 30,000 different versions released in the past 12 months. Is it any surprise at all that a few of those versions get by the SEP defenses? Is it any surprise those are the ones you see the most, if they're the most common?

 

postechgeek's picture

There was a good webcast on the FakeAV issue back in April. You can find it here:
http://www.symantec.com/partners/sales-and-marketi...

And this thread was extremely helpful:
https://www-secure.symantec.com/connect/forums/sep...

But, no security product is 100% foolproof. So, I have told and retold the users not to click links from people they don't know. And, believe it or not, this has helped (but you have to tell them over and over). Also, I think it is important to have gateway security as well. We use Trend Micro CSC at the hardware level, but Symantec has a gateway product as well.

Mike

Terabyte Computers's picture

I've already pointed out Teiva-Boy's flaws.  App & Device control is all well and good for large enterprises where they have precise control over what users may and may not have installed.  SMBs don't have this level of control if for no other reason than they don't have individuals responsible for nothing but SEP.  Furthermore, blocking external devices prevents the installation of legitimate products from CD/DVD drives.

Furthermore, how does one do this on an unmanaged network or on other unmanaged clients?

Now, if one listens to the webcast, they say in Oct 2009 they finally put a name on this, but they admit it had been going on for "a year and a half"!!!  So now we're at late August 2010, making it 2½ years since it first became a problem, and we're still being told to jury-rig SEP to stop it?!?!  How many builds of SEP have there been in 2.5 years, and they couldn't have included better "rogue security products" (to use their term) defenses in 2.5 years?

To those of you who are defending Symantec here, 2.5 years is an eternity in the IT world.  It took MS less time to dump Vista for Windows 7.  That there is no native, out-of-the-box protection for this type of malware is simply not acceptable, not 2.5 years after initial detection.

BTW, the video was very humorous!  About 1/2 way through he showed a slide admitting the default settings aren't cutting it, so the question is why hasn't development fixed this???  We're 6 or more versions into SEP 11.  Time to make some changes at the development level.

postechgeek's picture

Do you have gateway protection? How is your security policy? I think looking at that might be worth while. Just an idea.

Thanks, 
Mike 

.Brian's picture

I would say go with another product

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Citlali's picture

"Actually, that's not a fair way.  The fair way is to infect a machine with one of the Fake AV variants, remove the HDD, clone the HDD, and then using the latest defs let each product scan one of the drives.  My experience is SEP won't remove much of these types of malware products and MBAM will remove the vast majority."

Malware Bytes is designed as a Malware removal tool.  To have SEP try and compete with Malware Bytes on a pure removal basis would be absurd unless you also wanted to account for false positives.  Malware Bytes doesn't use traditional "definitions" to remove threats.  Take any executable, name it Antivirus2010.exe, and throw it into C:\Program Files\Antivirus 2010\ and it will probably get detected. 

SEP on the other hand uses actual definitions based on specific samples to remove threats.  So if SEP detects Antivirus2010.exe, the cleanup engine will remove the specific registry values and files for that variant.  SEP is precise in its removal.  Malware Bytes uses a shotgun approach.  If you want a product that uses the shotgun approach, then use Power Eraser.  It is a free tool provided with SEP designed to remove Malware with the "shotgun" approach that you're looking for. 

Now if you actually want to prevent these things from installing on your system in the first place, I would recommend following some of the suggestions already provided.  (Application and Device Control + NTP mainly) Ultimately the current model for detecting and removing these things will have to change.  Bottom line is that the whole security model will need to go white listing anyways.  There are something like 1200 new versions of these fake AV programs a day.  Traditional AV software regardless of the vendor won't be able to keep up with that without white listing of some sort. 

Paul Gazo's picture

I'd like to weigh in.

I keep seeing Symantec employees reference that "Does SEP detect FakeAV" article as though there's really any value in it.  The answer is "no".  SEP doesn't typically detect FakeAV instances.  That being said, it can be used to proactively prevent FakeAV and similar threats.  Application Control is the key.  ShadowsPapa has a great thread here https://www-secure.symantec.com/connect/articles/h... that basically tells us how to set it up.  It's reasonable and helps a lot.

I've got two concerns though.  One: Application Control doesn't work with unmanaged clients.  That's completely, totally, and utterly unacceptable.  Huge feature-hole.  I should be able to drop a config file applying a policy on any box, not just fully managed clients.  Two: out of the box it's a pain to set up.  I'd like to see a pre-defined policy, perhaps on by default that prevents execution of EXE and DLL code in user profiles.  Suddenly even for clueless administrators SEP would just magically block spyware.  If it notified users visually when something was blocked, it would be EASY to adjust any overzealous blocking.

Bottom line is that somehow Malwarebytes manages to make a highly reliable definitions-based malware detection and removal package.  SEP doesn't have that, which upsets a lot of people because we KNOW the definitions exist.  Regardless of how many new variants are released each day, MBAM mysteriously manages to have defs that are massively more applicable than Symantec's.  Symantec just doesn't have them.  Let's say it another way: Symantec's threat definitions aren't NEARLY as good as Malwarebytes' for purposes of spyware remediation.  On the up-side, SEP has some tools which are more useful at prevention.

So.  Symantec, here's my advice.  Get your hands on better defs AND make your prevention tools more friendly.  I can handle setting the stuff up (in a managed environment) but there's no excuse for "you're doing it wrong" being a default answer when you're told SEP doesn't work against FakeAV.  It's an AV tool for crying out loud.  It shouldn't require high degrees of intervention and tweaking and fiddling and research to make it actually work against digital threats.

Ted G.'s picture

"That's completely, totally, and utterly unacceptable.  Huge feature-hole.  I should be able to drop a config file applying a policy on any box, not just fully managed clients"

You can. Help and Support>Troubleshooting>Policy Profile>Import.

"I'd like to see a pre-defined policy, perhaps on by default that prevents execution of EXE and DLL code in user profiles."

If I remember correctly, we tried that when the product was new. Got way too many complaints that SEP was locked down too tight. Now there are three default AV/AS policies you can use along with App and Device Control. They still need to be adjusted for each environment since no two are exactly the same.

"Bottom line is that somehow Malwarebytes manages to make a highly reliable definitions-based malware detection and removal package."

Incorrect, MBAM is only definitions based if you pay for it. Other than that, it's a brute force removal utility.

Paul Gazo's picture

Ted, SEP doesn't support Application Control in an unmanaged format.  I can't import a policy because it isn't permitted.  Or am I simply wrong?  I'm willing to entertain that, but my understanding to date had been that AC isn't an unmanaged feature, which is what I was referring to there.  If AC is supported unmanaged, I'd be fascinated to learn that because it'd be hugely useful to a couple of my customers.  This is one where I'd love to be wrong.

As for the complaints you got, I'd like to point to my suggestion that the product could offer visible alerts and explanations as to when and why something is blocked.  You can't stop developing features simply because it's hard to do so.  Application and Device Control are really, really cutting-edge technologies and it's awesome that an endpoint license includes those features.  That being said, usability is king.  If you got complaints that things were "locked down too tight", the proper answer isn't necessarily to disable useful features.  It's to make those lockdown features intelligent and easily managed.  Much like adding Windows Firewall into XP, as long as there's a simple way to manage the product you're golden.  Forcing a systems administrator to crawl through pages of ProcMon and SEP logs to figure out what's going wrong isn't the ideal approach.  A nice pop-up saying "I blocked PATH\EXECUTABLE because REASON and click HERE to understand how to change this" would go a long way towards letting you ship SEP in a secure format.

MBAM is definitions-based, period.  It's not heuristics.  I download the free product, I download the definitions update, I scan, it finds, it cleans.  That's definitions-based.  What the paid product (which I have pitched to ZERO of my customers) gets you is realtime protection.  My point is that moments after an infection, I can download the free product, the free defs, and find and remove nasties in huge quantities that SEP doesn't recognize.  By definition (pun intended) SEP could have the same definitions and use them both in on-demand scans and realtime scans.  But it doesn't.

Please understand, I'm not going elsewhere.  I'm not Symantec-bashing.  I'm explaining the context of why there are so many complaints.  I know how and why to use things like Application Control.  It isn't an option for many of my customers (I do out-sourced IT for dozens of small & medium businesses so I maintain a couple dozen servers and probably a thousand or so desktops in different environments).  That bugs me.  The fact that SEP could be better simply by having access to the identification definitions I know another product has... that too bugs me.  I'm not disgruntled.  I'm just explaining that the complainers have good cause and the spin that's being put on the situation isn't valid.  "Just roll out AC" doesn't explain why SEP doesn't detect that which MBAM does.  Sorry.

Paul Gazo's picture

Hey, look at that.  AC unmanaged just might work.  I'll play with this later today.  You learn something every day.

Mind you, SEPM policy exports are .dat and SEP client import wants an XML.  The DAT definitely isn't XML format.  I'll investigate.

Ted G.'s picture

"Ted, SEP doesn't support Application Control in an unmanaged format. I can't import a policy because it isn't permitted."

Actually, it does, and yes you can. You can't import a policy from the SEPM into an unmanaged client. However, you can export the policy from a managed client and import that policy into the unmanaged client. The client will then use that policy. The problem with that is you cannot make changes to the policy on the unmanaged client very easily. You'd have to change it on the managed client and re-import it to the unmanaged client.

MBAM may appear to download what they call "definitions" but I don't think they are definitions in the same sense as what SEP or SAV uses, since SEP and SAV look for specific code strings in files rather than specific file names and/or registry keys like MBAM does. Like previous posters have said, try naming a file after a known fake AV executable and more likely than not MBAM will detect it as a threat.
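The contrast that Citlali and Ted draw above, between flagging a file by its name and folder and flagging it by byte sequences in its body, as an added, constructed Python illustration (this is not code from the thread, from Symantec or from Malwarebytes). The name pattern, the signature bytes, the file paths and the threat label are all invented for this example; the four samples are the cases the thread argues about, including a harmless tool renamed into the suspect folder and a repacked copy whose bytes no longer match the definition.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Sample:
    """A file on disk (constructed for this example) plus its ground truth."""
    path: str
    content: bytes
    malicious: bool


# Constructed name/location heuristic, standing in for the kind of filename and
# folder matching the posters describe. Not a real MBAM rule.
NAME_RULES = [re.compile(r"antivirus ?20\d\d", re.IGNORECASE)]

# Constructed content signature, standing in for a "code string" definition.
# The byte string is invented for this example and matches no real threat.
CONTENT_SIGNATURES: Dict[str, bytes] = {
    "Constructed.FakeAV.A": b"\x7fFAKEAV-SIG-A\x01",
}


def name_detect(sample: Sample) -> bool:
    """Flag purely on where the file sits and what it is called."""
    return any(rule.search(sample.path) for rule in NAME_RULES)


def content_detect(sample: Sample) -> Optional[str]:
    """Flag only when a known byte sequence appears in the file body."""
    for threat_name, signature in CONTENT_SIGNATURES.items():
        if signature in sample.content:
            return threat_name
    return None


def score(samples: List[Sample]) -> Dict[str, Dict[str, int]]:
    """Count true positives, false positives and misses for both approaches."""
    tally = {"name": {"tp": 0, "fp": 0, "fn": 0},
             "content": {"tp": 0, "fp": 0, "fn": 0}}
    for s in samples:
        verdicts = {"name": name_detect(s), "content": content_detect(s) is not None}
        for method, hit in verdicts.items():
            if hit and s.malicious:
                tally[method]["tp"] += 1
            elif hit and not s.malicious:
                tally[method]["fp"] += 1
            elif not hit and s.malicious:
                tally[method]["fn"] += 1
    return tally


SIG = CONTENT_SIGNATURES["Constructed.FakeAV.A"]
BENIGN_BODY = b"MZ" + b"\x00" * 16 + b"legitimate utility, nothing to see"

# Constructed corpus: the four cases the thread argues about.
SAMPLES = [
    # 1. The variant the definition was written for, in its usual folder: both methods hit.
    Sample(r"C:\Program Files\Antivirus 2010\Antivirus2010.exe",
           b"MZ" + SIG + b"payload", True),
    # 2. A harmless tool renamed and dropped into that folder: only the name rule fires.
    Sample(r"C:\Program Files\Antivirus 2010\Antivirus2010.exe", BENIGN_BODY, False),
    # 3. The same code under a random name in a temp folder: only the content signature fires.
    Sample(r"C:\Users\alice\AppData\Local\Temp\xk4j2q.exe",
           b"MZ" + SIG + b"payload", True),
    # 4. A repacked variant (signature bytes changed) under a random name: both miss.
    Sample(r"C:\Users\alice\AppData\Local\Temp\p9t1zz.exe",
           b"MZ" + b"\x7fFAKEAV-SIG-B\x02" + b"payload", True),
]


if __name__ == "__main__":
    for method, counts in score(SAMPLES).items():
        print(f"{method:8s} {counts}")
```

Running it prints the trade-off the posters describe: the name rule catches the renamed benign file (a false positive) and misses the same code under a random name, while the content signature is precise but misses the repacked variant, which is exactly the gap that the heuristic and application-control settings discussed elsewhere in the thread are meant to cover.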

Terabyte Computers's picture

Ted,

Really?  This is beyond being jury-rigged.  How do you expect this to be accomplished in a 10 user peer-to-peer environment where SEPM is so overtly bloated that there's no way they can run it?  You're grasping at straws here trying to defend an undefendable problem.

Let's focus on the issue again.  I posted screen shots of Malwarebytes finding junk that your "Power Eraser" didn't.  I've now tested this on multiple other machines, ALL with the same finding!  Apparently nothing Symantec has can reliably detect or clean modern nasties.  I'd sure like to hear the explanation as to why, when it clearly states that it's designed to hunt down Fake AV and variants.

Ted G.'s picture

Yeah really. Look, I'm done talking to you because you are clearly only out for an argument and do not really want any help. All I have to say to you is; if you do not want to use the product the way it's designed to be used, then your clients are going to keep getting these fake AV's, PERIOD. And ultimately whose fault is that? Yours.

Terabyte Computers's picture

All right.  We had another infection this weekend so I used Power Eraser.  Guess what, it removed a legitimate program, GE Healthcare's Logician EMR, and left the Fake AV junk.  You'll also notice that the latest defs for Power Eraser are 10 days old.  An eternity in the malware world.

See attached screen shot of the results from both scans.  Power Eraser was run BEFORE Malwarebytes.

Symantec_Power_Eraser_failure.jpg
Mahesh Roja's picture

Compared to all other antivirus products, I feel SEP is good against network threats. 

If this Info helps to resolve the issue please Mark as Solution

Thanks

Terabyte Computers's picture

Fake AV isn't a network threat.  It's malware installed when a foolish user clicks Yes or Ok on a bogus warning claiming their system is infected.

Tim.Jing's picture

I will have to agree with the above in that SEP does not do a great job in removing Fake AV's. However, it is a very solid product when configured correctly and also offers good performance both on the server and clients. It is option-laden and I would not be too quick to call it an "unacceptable" product.

khaskins82's picture

I've administered our SEP environment for 2 years now. At first I felt that we were losing the war on malware. We started patching our workstations better, configured policy and reconfigured policy in SEP. Now we are on 11.0.6000.550 and only have about 2 or 3 detections of fake AV variants. Over 1 year ago we were getting 40 or 50 per day.

SEP has come a long way. I'm happy with it now.

Vikram Kumar-SAV to SEP's picture

It's not only SEP; Malwarebytes is the best at the moment when it comes to fake antivirus.
If you had scanned those files on Virustotal.com you might have found very few to none detecting it other than MBAM..

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

sandra.g's picture

Terabyte, you have more than made your point.  You're not happy with how SEP deals with detecting Fake AV, and you keep finding things with Malwarebytes that SEP can't touch or doesn't see.  Fine, fair.  In all sincerity, I can understand this being hugely frustrating and your wanting to vent your feelings on the subject.

So moving forward... what's next?

Rather than detect and remove after the fact, we'd prefer to try to help you lower the incidence of infection in the first place.  We have collectively offered configuration and preventative suggestions.  To the best of my recollection, most of the suggestions we have had to offer have been met with resistance; that the product out of the box should work with little to no configuration; that tools like Application & Device Control are beyond small shops' capabilities to handle... and so forth.  (Forgive me--this is a long thread and I can't remember if you said you have already adjusted the heuristics to greater sensitivity, installed NTP for Intrusion Prevention, and so on.) 

For a good deal of individuals I've talked to, simply upping the sensitivity of PTP and Bloodhound has helped many bring the number of FakeAV infections down considerably.

As for Application and Device Control: you keep mentioning it in the context of SEP Small Business 12 users who don't have access to A&D Control.  Fair enough, they don't.  However, for those who do have SEP 11 and have A&D Control available, why not use it?  Even smaller shops can benefit, and testing only needs one machine.  Yes, it's a time investment to configure, but the potential rewards, not having to fight infections, would be worth it.  (Ounce of prevention, pound of cure.)

ShadowsPapa wrote an excellent article on using A&D control to stop BHOs and FakeAV, and it doesn't rely on whitelisting installed apps, but on preventing certain types of files from being written to specific locations, locations that FakeAV likes to write to.  Testing recommended (in log only mode; the article explains how) so that something you want to allow doesn't get blocked by accident.

Apart from the features that are included as a part of SEP, what about Windows security in general?  Postechgeek asked about a week ago in response to one of your comments: "Do you have gateway protection? How is your security policy?"  Are end users typically admins on their own boxes?  Not all of these apply to Fake AV in specific, but it's a list worth looking over:

Title: 'Security Best Practices for Protecting a Business Environment from Common Threats'
http://service1.symantec.com/SUPPORT/ent-security....

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!
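A policy of the shape Paul Gazo asks for and sandra.g describes from ShadowsPapa's article, blocking .exe and .dll writes to and execution from user-profile locations, with the log-only test mode and an explicit exception for something the admin wants to allow, as an added Python model of the evaluation logic. This is not SEP's Application and Device Control implementation nor the article's policy; the profile locations, the approved_updater.exe exception and the event list are assumptions constructed for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    location_globs: Tuple[str, ...]   # case-insensitive globs over the full path
    extensions: Tuple[str, ...]       # lower-case suffixes the rule applies to
    operations: Tuple[str, ...]       # "write" and/or "execute"
    exceptions: Tuple[str, ...] = ()  # globs the admin has explicitly allowed


@dataclass
class Policy:
    rules: List[Rule]
    log_only: bool = False  # test mode: record what would be blocked, but allow it


def _matches(path: str, globs: Tuple[str, ...]) -> bool:
    normalized = path.replace("/", "\\").lower()
    return any(fnmatch.fnmatchcase(normalized, g.lower()) for g in globs)


def evaluate(policy: Policy, path: str, operation: str) -> Tuple[str, Optional[str]]:
    """Return (decision, rule_name); decision is 'allow', 'block' or 'log'."""
    for rule in policy.rules:
        if operation not in rule.operations:
            continue
        if not path.lower().endswith(rule.extensions):
            continue
        if not _matches(path, rule.location_globs):
            continue
        if _matches(path, rule.exceptions):
            return "allow", rule.name   # explicitly allowed despite the rule
        return ("log" if policy.log_only else "block"), rule.name
    return "allow", None


def build_policy(log_only: bool = False) -> Policy:
    # The locations and the exception are assumptions for this example, not
    # settings taken from SEP or from the linked article.
    user_profile = (r"c:\users\*", r"c:\documents and settings\*")
    allowed = (r"*\approved_updater.exe",)
    return Policy(
        rules=[
            Rule("no-exe-dll-write-in-profile", user_profile,
                 (".exe", ".dll"), ("write",), exceptions=allowed),
            Rule("no-exe-dll-run-from-profile", user_profile,
                 (".exe", ".dll"), ("execute",), exceptions=allowed),
        ],
        log_only=log_only,
    )


# Constructed event stream, as a file-system monitor might report it.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\AppData\Local\Temp\av2010setup.exe", "write"),
    (r"C:\Users\alice\AppData\Local\Temp\av2010setup.exe", "execute"),
    (r"C:\Users\alice\Downloads\quarterly_report.pdf", "write"),
    (r"C:\Program Files\LineOfBusinessApp\app.exe", "execute"),
    (r"C:\Users\alice\AppData\Local\Temp\approved_updater.exe", "execute"),
]


def run_events(policy: Policy, events) -> List[Tuple[str, str, str, Optional[str]]]:
    """Evaluate each event and return (path, operation, decision, rule)."""
    return [(path, op) + evaluate(policy, path, op) for path, op in events]


def decisions(policy: Policy, events) -> List[str]:
    return [row[2] for row in run_events(policy, events)]


if __name__ == "__main__":
    for test_mode in (True, False):
        print("log-only" if test_mode else "enforcing")
        for path, op, decision, rule in run_events(build_policy(test_mode), SAMPLE_EVENTS):
            print(f"  {decision:5s} {op:7s} {path}  ({rule})")
```

The sequence sandra.g recommends maps directly onto the two modes: run with `log_only=True` first, review every "log" row against what the site actually needs to run, add exceptions for the legitimate cases, and only then switch to enforcing, so that a mis-scoped rule shows up as a log line rather than as a broken line-of-business application.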

Terabyte Computers's picture

These are often very small companies.  Gateway protection is expensive and often unreliable on small biz devices (Trend Micro, for example, offers services via Cisco's Small Biz devices that slow down the Internet so much people would rather live with the risks).  In small biz's often the users have to be admins.  Intuit, for example, has demanded that users be admins to run Quickbooks, and given QB runs 90% or more of the small biz's out there, how are you going to tell a company they can't run QB to be safe?

I have no problem upping the threat protection level so long as SEP doesn't create tons of false positives, which has been a major problem in the past for all AV vendors, and I've done so on all the managed networks and told unmanaged customers how to do it on each machine. 

The "solution" offered for App & Device control is simply unacceptable and to have asked that small biz's do that again shows that Symantec is totally clueless when it comes to small businesses.

But in the end, it's clear my original post is still accurate and no one here has shown otherwise.  SEP and Symantec Power Eraser fail time and time again to detect and remove Fake AV even though Power Eraser specifically states that's what it's for.  Let's not blame the way small businesses are forced to run, let's find solutions to clean them up when there are no ways to lock them down.  The better solution would be for Symantec to admit there's a problem in your detection engine as-is and release 11.07 with this fixed.

sandra.g's picture

"The "solution" offered for App & Device control is simply unacceptable and to have asked that small biz's do that again shows that Symantec is totally clueless when it comes to small businesses."

That's your opinion.  Even small businesses are interested in securing their environment, and will find a way to utilize the tools provided to them in the software they purchased, in lieu of massive security infrastructure.  If they're paying for Support, guess what?  They can call Support if something about A&D Control is not working the way they want or expect it to.

"...let's find solutions to clean them up when there are no ways to lock them down"

I disagree; I think that prevention is vastly more important than cleanup after the fact.  There's ALWAYS a way to lock things down.  If someone is responsible for a company's computer network, it behooves them to properly secure it, their financial and private information, their livelihood.  If they are not able to do it, they need to find someone who can.  It is not my intent to be flippant or suggest this would be easy.  It can often be expensive too (the cost of consultants, etc), I don't deny that, but compared to the cost of a damaging breach of security, private information getting into the wrong hands, loss of trust...

I think you would agree that one's network should be viewed as an investment to protect.  I'm not assigning blame to small businesses; rather, I'm not making the assumption that they aren't capable of handling working with the software they have purchased.

Once again, to try to get past this fixation on the AV engine:  AV/AS has reactive detections based on code provided--common for traditional antivirus.  Fake AV code, which I and others have explained, is CONSTANTLY CHANGING.  Antivirus is no longer enough, and that is not just true for Symantec products.  Yes, there are heuristic detections and other proactive components that can be amped up to protect against these repackaged threats; false positives, for which Symantec consistently rates as LOWEST in the business, are a possibility, it's true.

I don't know how much simpler I can possibly put this, so I think it's time I stop bothering to try.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Terabyte Computers's picture

Sandra,

I've taken many of the recommended steps at customers who have managed SEP, but that still doesn't explain why Power Eraser doesn't find it. 

Furthermore, please tell me how Symantec wants me to do this at a customer with no management capabilities?  Since App & Device control isn't available to an unmanaged client other than by exporting from a managed client, does Symantec want me to set up a dummy SEPM console so I can set up management for each one of these PCs?  Come on, that's illogical.  I'm open to options, but what really needs to happen is Symantec needs to upgrade its engine to work out-of-the-box to stop the infection; as you have said, prevention is better than reacting after the fact, but in these networks there aren't many clear choices.

Ted G.'s picture

"...but that still doesn't explain why Power Eraser doesn't find it."

We've explained why things get missed many times. Sandra just explained it again, you just aren't listening. There's no need to explain things any further at this point.

"I'm open to options" 

No, actually you aren't. You've argued with each and every suggestion that's been made to this point.

"but what really needs to happen is Symantec needs to upgrade its engine to work out-of-the-bo"

No. Again, what really needs to happen is you need to configure the product for your customers' environments; Symantec isn't going to do that for you. We could not configure the product to work "out of the box" for every environment out there, it's simply not possible. You do understand how many customers Symantec has and how many thousands of different environments those customers use, right? Again, we tried locking the product down at release and got more complaints than I care to remember. It was a HUGE call generator, so the product was set to a semi-generic state and we left it up to the customers to configure it for their needs. THIS WAS DONE DUE TO CUSTOMER REQUESTS/COMPLAINTS.

.Brian's picture

Gets my vote for post of the year.

Can't wait to see the response

Anyways, this thread is long overdue to be closed

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian's picture

Why don't you purchase Malwarebytes and use that?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Terabyte Computers's picture

Really?  That's not the solution.  Our customers, as every other SEP customer has, have paid a lot of $ for SEP and they have a right to expect it to work.  Look, Symantec has FULLY admitted things have changed since SEP shipped and have by default admitted their settings don't cut it any more.  They're just in denial that their engine, even Power Eraser, doesn't remove this type of junk reliably.  What we need and deserve from Symantec is an acknowledgment that this is the case and then a road map for a solution that doesn't require hundreds of hours of initial and ongoing maintenance to keep it running.

.Brian's picture

Honestly, an acknowledgment from Symantec that their FakeAV detection rate is poor would make you feel better?

I would prefer a fix over anything else and I have found it using the various components within SEP. I've seen it all on this post, and all of the suggestions given to you, you find unacceptable for various reasons. And that's fine. But frankly, I'm out of advice for you other than to look for a different product. SEP just doesn't seem to work for you. I also get the feeling your customers rely only on AV, which is fine I guess, but anyone who does that is in for a rude awakening.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Aniket Amdekar's picture

Security as a framework will not work and should not depend on a single component for achieving the desired results.

I agree with Sandra and Brian that various components deployed in an environment together protect the machines in your network. So, expecting AV products to do all the work is almost expecting other products to do nothing?

Aniket

Knottyropes's picture

Some of the FAKE AV programs that are coming out are being changed so often that no single company can get them all.

Locking down your system is a great defense. I do wish more was caught, but if no one is sending it in then how will any AV maker make a definition of it?

I get 1 or 2 machines a week to fix for spyware out of 240, just about as bad as a hard drive going bad on us.

I don't see this being as bad on Windows 7 with UAC, but the XP machines that we have to keep for older software are a pain at times with malware out there.

Facebook scam, Myspace links that take over and even the white and yellow pages have it now. It seems a bit worse this year than last year with all these new variants slipping through.

Maybe we need a quad core to run all the scanning software needed.

LTDSecurity's picture

Doesn't security start at the perimeter of the network and work its way in? If the small companies you deal with cannot afford a gateway appliance, why not use the built-in feature of NTP with IPS? This will block the FakeAV's via the signature files and will prevent the end user from making the mistake of clicking the FakeAV install button.

You can then make other recommended changes like upping the sensitivity of PTP and Bloodhound and tweaking those settings. As well as some of the other changes other posters have offered as well as the Symantec employees.

In this day and age just an Anti-Virus application is not going to cut it, due to the malware/virus writers being one step ahead of the vendors. You need to take a multi-stage/step defense for your customers, by either using the tools you have available or looking at different options.

Don't forget about patch management and updates, this is a key factor in how machines get hit with the drive by downloads and how the FakeAv's get launched in the first place.

If you can use all the available options in SEP, your infection rate will dwindle and you will only need to use malwarebytes in extreme cases and sometimes malwarebytes might not catch all the infected files either.

If you can block the attempts at the network/internet layer, they won't be able to make it to the end user who does not know not to click the button. Take the defense-in-depth way and you will be much happier with the SEP product.

Hotel Chain CIO's picture

As CIO for a hotel chain, I've renewed our Enterprise subscription to the various incarnations of Symantec AV products over the last 8-9 years, and I'd felt comfortable with Symantec's anti-virus protection capabilities.  However, over the years AV protection took a back seat to malware protection.  For the last two to three years we've been underwhelmed with Symantec's ability to prevent and/or eradicate malware.

Citali comments that MBAM (MalwareBytes) is primarily a removal tool.  As a free product, this is true.  If you purchase the product, MBAM is also a real time malware infection prevention product, and it is one of the best (out of the box) products we've tested.

TEP / SEP requires extensive monitoring, configuring, and server/client overhead.  Our dedicated servers consume huge bandwidth pushing updates to hundreds of client PCs.  Unfortunately, today we had yet another group of PCs infected with the fake "Microsoft Security Essentials" malware.  TEP did nothing to stop it.

The safest configuration we've found is a combination of TEP running only as an anti-virus product, and MBAM loaded on the same system.  The downside is that we're paying many thousands of dollars keeping our TEP / SEP contract current.  MBAM is much less expensive and does a far better job of protecting systems from malware than TEP / SEP unless you consume much more administrative overhead in configuring the latter.

When our Symantec TEP expires at the end of the year we're not planning on renewing.  We can purchase corporate licensing of MBAM much more inexpensively, and we're reviewing pricing of competing Enterprise AV products such as "G Data" or Avira.

Ted G.'s picture

You'll be hard pressed to find any AV product that will protect 100% from threats.

I don't know what TEP is, but SEP will protect you in most cases if it's configured properly. It is a corporate product. We've already commented in this thread extensively as to why it must be configured after installation.

One thing, if you are only using the AV/AS portion of the product, as you can see from the previous posts in the thread, that's not going to cut it. You can't stop these types of threats using only AV/AS. Which is why we included Proactive Threat Protection, Application and Device Control, and Network Threat Protection.

khaskins82's picture

It was said earlier in the thread but here it is again.


We had this problem. I kept saying that we were not patching enough. We use Altiris and were only patching critical and important patches. I pointed out that there were dependencies in the patches and not applying them all caused problems.

We now have 98% of our 4000+ workstations patched with all software being patched including Adobe, all Microsoft patches, and any other programs we can patch. We see very little Fake AV malware. We also eliminated the need for users to be Local Admin.


Our potential for infection is great as we have researchers from China and Russia working at our facility and we really can't block their access to the websites in those countries.

SEP is getting better, it recognizes more malware than it did 1 1/2 years ago.