Endpoint Protection

  • 1.  Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 05, 2010 10:14 AM
    Two weeks ago, we had 4 computers become infected with Fake.AV, even though their virus definitions were up to date. About a day and a half later, there were definitions for that variant, but then 3 more were infected with a different variant. It was my understanding that using Proactive Threat Protection should protect the user against this type of 0-day virus. Our particular variant would load a randomname.exe into the Run registry, then change the network connection settings to point to itself as a proxy, compromising the box. It's pretty typical from what I've read: no cmd.exe prompt, no task manager, can't run Live Update, etc.

    So, I understand that it appears very difficult to have definitions for 0-day or very recent viruses, but what exactly is Proactive Threat Protection doing?  Isn't the point of it to prevent malware from being able to install itself?  

    We're pretty disappointed with the SEP product.  If you've seen Fake.AV pop-ups, they really do look legit.  The user believes they are doing the right thing by clicking the Fake.AV boxes, which of course only makes things worse. 


  • 2.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 05, 2010 10:27 AM
    We run into the same issues from time to time. The biggest step I've taken is to educate the heck out of the users, explaining SEP is our one and only AV client, never click on anything telling you to purchase AV, call our help desk first before doing anything, etc., etc.

    In this case, I don't think PTP really has a hand in it as this FakeAV is not really zero day, I just don't think it's included in the AV signatures... yet... which is why it's important to submit a sample if you can. There are so many variants, it's impossible to have a signature for all.

    For me, the biggest part of stopping this has been educating users. Just my two cents...


  • 3.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 05, 2010 10:51 AM
    Actually it's NTP that would have prevented this, not PTP.


  • 4.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 05, 2010 11:37 AM
    "Fake AV" are in the definitions, however, they literally change daily, if not more so, as I've discovered.
    In fact, new domains are registered daily! Each is equipped with new threats every day. These folks don't hide their registrations, so they aren't too hard to find and each of the "email addresses" seems to have dozens of domains registered to it.

    I use application control... I posted a policy in my article here that handles it. You have to create a white-list of good apps you want to allow, but so far, it's working fairly well here.

    The issue is that these phony AV apps are INVITED in, or scripted, OR launched in FLASH ads.
    Then they put their files under the user profile area where the user, even a lowly ordinary user, has "god rights".
    So they install or download freely!
    Gee, even Google Chrome will do that, so that's how we blocked it as well as a number of those really nasty toolbars like the ALOT toolbars, rogue browser helpers (BHOs) and other stuff we don't want.
    I attached an example DAT file to my article, but it needs a lot of tweaking and cleaning up, and you'll need to exclude JAVA apps you like, webinar software and so on.


  • 5.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 05, 2010 11:40 AM
    The Fake A/V programs are supported by heavily-funded organized crime operations. They release dozens, if not hundreds of variants daily and purposefully test their code to make sure it avoids A/V detection. As such, no A/V can fully protect against such 0-days.

    If user education doesn't look like it's going to be successful, look at using application and device control or group policy to implement a software restriction policy that prevents new executables from executing.
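    As an added example (not code from this thread, from Symantec, or from any poster), the following Python script turns two ideas from the thread into a check a defender can run over a `.reg` export: the path-rule idea behind a software restriction policy (posts 4 and 5: allow only trusted program directories, report autostart entries launched from the user profile), and the two behaviours the original post describes (a random-named executable in the HKCU Run key and the proxy pointed at the machine itself). The trusted directory list, the registry export and every name and value in it are constructed for illustration.

```python
import re

# Path rules an SRP would allow; autostart entries launched from anywhere else are reported.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
HKCU_CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
RUN_KEY, PROXY_KEY = HKCU_CV + r"\Run", HKCU_CV + r"\Internet Settings"

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}: strings unescaped, dwords as int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def exe_path(command):
    """Executable part of a Run-key command line: the quoted path, else the first token."""
    command = command.strip()
    return command[1:command.find('"', 1)] if command.startswith('"') else command.split()[0]

def audit(reg_text):
    """Findings for the two behaviours post 1 describes: Run-key autostart and self-proxy."""
    keys = parse_reg(reg_text)
    findings = [f"Run entry '{name}' starts outside trusted dirs: {exe_path(cmd)}"
                for name, cmd in keys.get(RUN_KEY, {}).items()
                if not exe_path(cmd).lower().startswith(TRUSTED_DIRS)]
    proxy = keys.get(PROXY_KEY, {})
    server = str(proxy.get("ProxyServer", ""))
    if proxy.get("ProxyEnable") == 1 and re.search(r"(127\.0\.0\.1|localhost):\d+", server, re.I):
        findings.append(f"Proxy enabled and pointed at the local machine: {server}")
    return findings

# Constructed .reg export with hypothetical names and values, not data from the thread.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"xk3jd9a"="C:\\Users\\alice\\AppData\\Local\\Temp\\xk3jd9a.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"""
```

    An unquoted command line whose path contains spaces is ambiguous (Windows tries each prefix in turn); this example takes the first token, so such entries show up as findings and need a manual look.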


  • 6.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 05, 2010 11:46 AM
    Sorry, I meant that that particular variant may have not been in the signatures, not ALL FakeAV. I see SEP cleaning it all the time from my view from SEPM.


  • 7.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 05, 2010 07:10 PM
    Does Symantec Endpoint Protection protect me from fake anti-virus programs?
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748



  • 8.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 24, 2010 04:09 PM
    I would hope that Symantec, obviously not being able to properly detect this, would actively share what information they do have. That is, to try to describe the tactic being used to evade detection so that 'we' can try to find other solutions for prevention.

    We are getting pounded by this problem. My fear is that this is becoming a smoke screen for an even more advanced attack yet to come.

    Have fun!


  • 9.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 24, 2010 04:57 PM
    I've been less than positive in previous posts regarding Proactive Threat Protection. But... I will say that the key to preventing FakeAV with regard to SEP technology is using IPS on your client workstations and keeping the IPS definitions up to date. We have about 300 computers and I get alerted about IPS blocking a Fake AV install about 5 times a day. I really give kudos to Symantec on this one. Short of whitelisting applications on computers, there is no heuristic engine that can keep up with the hourly software updates that Fake AV is capable of. The key is keeping it away from the file system. Even if you don't want the client firewall running, at least use IPS. False positives have been really low in our environment.



  • 10.  RE: Fake.AV and SEP with Proactive Threat Protection

    Posted Feb 25, 2010 12:06 PM
    Hi, the admin: what did you do to clean all these infected PCs? Did you try any third party scanners to try to clean them up?