Endpoint Protection

  • 1.  HELP: AVASoft Antivirus Professional Fake Software Infection

    Posted Mar 19, 2013 07:50 PM

    Hello:

    I have a client who appears to be infected with the AVASoft Antivirus Professional rogue/fake anti-virus software.  The SEP client's definitions were updated, today, prior to the infection, as they are dated March 19, 2013.  I cannot find information about this, within the Symantec website; so, is there any information relating to the detection, cleanup, etc. of this infection, using a Symantec Endpoint Protection 11.x, unmanaged client? 

    When the system is booted up, the infection disables SEP from the system tray, as the user can see the SEP system tray icon disappear, upon system start; then, the AVASoft Antivirus Professional system tray icon appears.  I have instructed the person to boot into SAFE MODE and run a full system scan.  So far, the unmanaged SEP 11.x client can start in SAFE MODE and is scanning, which is good, because the SEP 11.x client cannot start when the person boots, normally.

    Therefore, any KB, technical notes, tool, etc., would be greatly appreciated; thank you.



  • 2.  RE: HELP: AVASoft Antivirus Professional Fake Software Infection

    Posted Mar 19, 2013 07:55 PM

    Run Load Point Analysis and submit any suspicious files to security response. You can also run Power Eraser which should help to remove some of the more persistent malware as well as malware without a signature.

    Using SymHelp, how to collect the Load Point Analysis Logs and Submit the same to Symantec Technical Support Team.

    Article:TECH203028  |  Created: 2013-02-21  |  Updated: 2013-03-07  |  Article URL http://www.symantec.com/docs/TECH203028

     

    Download SymHelp from this link

    Symantec Help (SymHelp)

    Article:TECH170752  |  Created: 2011-09-29  |  Updated: 2013-02-12  |  Article URL http://www.symantec.com/docs/TECH170752

     



  • 3.  RE: HELP: AVASoft Antivirus Professional Fake Software Infection

    Posted Mar 19, 2013 08:06 PM

    Hi Volron,

    These may help:

    Additional information about FakeAV threats
    Article URL http://www.symantec.com/docs/TECH191739 
     

    How to troubleshoot FakeAV if it is not detected
    Article URL http://www.symantec.com/docs/TECH157781 
     

    Putting IPS into place on SEP is very effective against FakeAV.  AV alone is not enough for complete protection.

    Hope this helps!



  • 4.  RE: HELP: AVASoft Antivirus Professional Fake Software Infection
    Best Answer

    Trusted Advisor
    Posted Mar 21, 2013 03:40 PM

    Hello,

    Consider Using Symantec Power Eraser when:

    An outbreak on a small number of workstations or Windows servers

    Symptoms seen of Fake/Rogue AV such as:
    • A reoccurring pop up notification
    • Alerts indicating that they are infected
    • Prompts to register (buy) the solution
    • Fake Blue Screen Of Death messages

    I would suggest you work on the articles below:

    Using Symantec Help (SymHelp) Tool, how to Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    http://www.symantec.com/docs/TECH203027

    Symantec Power Eraser using Symantec Help (SymHelp) Tool.

    http://www.symantec.com/docs/TECH203683

    How to troubleshoot FakeAV if it is not detected

    http://www.symantec.com/docs/TECH157781

    Hope that helps!!



  • 5.  RE: HELP: AVASoft Antivirus Professional Fake Software Infection

    Posted Mar 21, 2013 05:48 PM
    Hello, everyone: I want to thank everyone for their valuable assistance. I plan to follow the strategies outlined above, along with a few others, geared toward this specific "infection." The KB articles pointed to in this posting have been valuable and will help me in this instance and I am certain will be helpful, in the future. Once again, thank you, everyone.