Endpoint Protection

  • 1.  How sepp works: or not

    Posted Mar 09, 2010 12:30 PM
    Hi,
    Can anybody elaborate on the internal workings of SEPP? We see more and more infections by the Backdoor.Trojan at customers all over the country. SEPP lacks the ability to scan and delete the virus as it is copied to multiple (32) different locations on the computer. It's only detected after it has had the opportunity to run itself and copy itself to other parts of the computer.

    We also have difficulty finding the source of the infection. As the files are found in the IE cache among other places I suspect social networking sites that are not blocked by the firewall.

    One customer had installed a free AVG scanner instead of SEPP, which did catch the virus and deleted it before it got copied all over the place. I installed the full product on all clients, applied the SBS 2003 policies from this site, but still viruses can install themselves without much counterforce from SEPP. Even more inconvenient is the fact that SEPP cannot fully delete the bugger, even after system restore is disabled and a scan in safe mode gave the big OK after deleting even more viruses.

    QUESTIONS
    1. I want to know how the trojan manages to get on the computer. This is a question for my peers: do they also suspect Netlog and Facebook spreading the stuff, although I do not know how?
    2. How does SEPP handle these files once they are 'downloaded' or opened on that site, and why can it get around SEPP so easily?
    3. It seems SEPP is unable to delete any recent threat without rebooting in safe mode and scanning there. Do you guys have the same experience? You really can't expect IT admins walking around SMBs kicking users off machines, rebooting in safe mode, and scanning the computer for an hour or two...
    4. A request for the Security Response write-up team. It would help a great deal if the technical papers also included possible infection sources like sites or email domains etc. Surely Symantec knows where they're coming from.
    5. A request for the developers. Try catching the buggers before they get written to disk and can execute themselves. Try harder removing the threat like free AV products do!

    Any shared experience much appreciated. I need some reassurance SEPP is a good endpoint product, and that the trouble we experience is soon over :)


  • 2.  RE: How sepp works: or not

    Posted Mar 09, 2010 12:33 PM

    Title: 'Best practices for responding to active threats on a network'
    Document ID: 2010011510455048
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011510455048?Open&seg=ent


    Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
    Document ID: 2010020116202748
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748?Open&seg=ent



  • 3.  RE: How sepp works: or not

    Posted Mar 09, 2010 01:12 PM

    Security Response recommendations for Symantec Endpoint Protection settings

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

    Title: 'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'

    Document ID: 2000100610314948

    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000100610314948?Open&seg=ent