Endpoint Protection

  • 1.  Fake Antivirus prevention

    Posted Feb 02, 2010 12:23 PM
    I currently work for a small department within a larger entity and have recently been put in charge of managing SEP 11. So far, it has been working great for almost everything. However, there is one thing that our users seem to continually get hammered by and that is fraud antivirus. Is there anything in SEP that I can configure to minimize vulnerability to these types of malware? Are application controls my only options? Obviously, better discretion on the user's part in avoiding shady content and running updates on Flash and other similar software would help, but I can't rely on them for security...after all, that is my job ; )

    Thanks in advance for the help.


  • 2.  RE: Fake Antivirus prevention



  • 3.  RE: Fake Antivirus prevention

    Posted Feb 02, 2010 12:32 PM
     
    'Security Best Practice Recommendations'

    'The 5 Steps of Virus Troubleshooting'

    'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'

    'The Symantec Security Response sample submission process'
     


  • 4.  RE: Fake Antivirus prevention

    Posted Feb 02, 2010 01:03 PM
    Can you use Application and Device Control or a software restriction policy to keep executable code from running out of the user's profile? That would help block a substantial amount of malware.


  • 5.  RE: Fake Antivirus prevention

    Posted Feb 02, 2010 01:27 PM

    Title: 'Best practices for responding to active threats on a network'
    Document ID: 2010011510455048
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2010011510455048?Open&seg=ent


  • 6.  RE: Fake Antivirus prevention

    Posted Feb 02, 2010 02:53 PM
    Thanks for the links everyone. I'll try to go through them tonight.


  • 7.  RE: Fake Antivirus prevention

    Posted Feb 02, 2010 04:03 PM
    That's the link posted above - most likely my article on how to use SEP to block EXEs from running from certain places and certain files from being created.
    I've done a lot of updating of that policy, and it now prevents the ALOT toolbars as well as many rogue AV apps - which often come in the guise and form of BHO, Browser Helper Objects.
    Not only has it saved us, but I can also monitor some EXE files, so that folks can still install webinar software and such, but I see what's going on........... or block it and create exceptions for the legit stuff.
    Takes a bit of time, but far less than clean-up!


  • 8.  RE: Fake Antivirus prevention

    Posted Feb 02, 2010 04:03 PM
    LOL - is that familiar or what! It's been helping a LOT this past week.........
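
Added example, not part of the original thread and not SEP's own rule syntax: a small model of the path-based policy that posts 4 and 7 describe (block executables launched from the user profile, with a monitored exception for legitimate software). The rule patterns, the `WebinarTool` exception and the sample paths are constructed for illustration.

```python
import ntpath
import re

# Hypothetical policy for illustration (not SEP rule syntax). First match wins,
# so exceptions sit above the profile-wide block rules.
POLICY = [
    ("log",   r"C:\Users\*\AppData\Local\WebinarTool\*.exe"),  # constructed exception
    ("block", r"C:\Users\**.exe"),
    ("block", r"C:\Users\**.scr"),
    ("block", r"C:\Documents and Settings\**.exe"),  # XP-era profile root
    ("block", r"C:\Documents and Settings\**.scr"),
]
DEFAULT_ACTION = "allow"

def compile_glob(glob):
    """'*' stays inside one path component; '**' may span components."""
    parts = re.split(r"(\*\*|\*)", glob.lower())
    return re.compile("".join(
        ".*" if p == "**" else r"[^\\]*" if p == "*" else re.escape(p)
        for p in parts))

COMPILED = [(action, compile_glob(glob)) for action, glob in POLICY]

def normalize(path):
    """Unify slashes, collapse '..' segments and fold case before matching."""
    return ntpath.normpath(path).lower()

def decide(path):
    """Return 'block', 'log' (allowed but recorded) or the default 'allow'."""
    candidate = normalize(path)
    for action, rx in COMPILED:
        if rx.fullmatch(candidate):
            return action
    return DEFAULT_ACTION

# Constructed launch paths, as a process-creation log might record them.
SAMPLES = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Users\bob\AppData\Local\Temp\setup.exe",
    r"C:\Users\bob\AppData\Local\WebinarTool\join.exe",
    r"C:\Users\bob\Downloads\AppData\Local\WebinarTool\join.exe",
    r"C:/Program Files/../USERS/bob/Desktop/scan.SCR",
    r"C:\Documents and Settings\alice\Local Settings\Temp\setup.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{decide(sample):5}  {sample}")
```

Matching on the normalized path is what catches the mixed-slash `..` sample, and keeping `*` inside a single path component is what stops a look-alike folder under Downloads from inheriting the exception.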