Endpoint Protection


jsn.donecore.net malware

thedominion, Nov 26, 2013 11:33 AM

  • 1.  jsn.donecore.net malware

    Posted Nov 26, 2013 10:42 AM

    My company is seeing this in our enterprise running SEP 12.1.4013 clients. It appears to be malware/rootkit that is not being detected, from what I've found on Google.

    Searching Symantec Security Response returns no results?

    I'm running manual scans as I write this with nothing detected. Next step is Malwarebytes.

    What does Symantec have to say about this as the SEP client did not and is not detecting this?



  • 2.  RE: jsn.donecore.net malware

    Posted Nov 26, 2013 10:43 AM

    You can submit the file to the Symantec Security Response Team.

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec



  • 3.  RE: jsn.donecore.net malware

    Posted Nov 26, 2013 10:44 AM

    You need to submit a sample to Symantec here:

    http://www.symantec.com/security_response/submitsamples.jsp

    Also, upload it to see whether other AV engines detect it:

    https://virustotal.com

    https://threatexpert.com



  • 4.  RE: jsn.donecore.net malware

    Trusted Advisor
    Posted Nov 26, 2013 10:48 AM

    Hello,

    Could you please zip each of the files and submit the zip files (without password) to the Symantec Security Response Team on:

    https://submit.symantec.com/websubmit/essential.cgi

    We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

    Check these articles:

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/docs/TECH98929

    Here are some excellent suggestions on how to keep your computers, their users and data safe:

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Hope that helps!!



  • 5.  RE: jsn.donecore.net malware

    Posted Nov 26, 2013 11:33 AM

    Scanned and Uploaded



  • 6.  RE: jsn.donecore.net malware

    Posted Nov 27, 2013 05:03 AM

    Well done, you will get what you are looking for... Symantec classification and new definitions.

    Please read:

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/docs/TECH98929



  • 7.  RE: jsn.donecore.net malware

    Posted Nov 27, 2013 07:06 AM

    Hi thedominion,

    I recommend using Symantec Power Eraser (which is in SymHelp) rather than any other tool.

    How to run Symantec Power Eraser with the SymHelp utility
     http://www.symantec.com/docs/TECH203683

    Hope this helps!

    Mick



  • 8.  RE: jsn.donecore.net malware

    Posted Nov 28, 2013 07:18 AM

    Hi thedominion,


    Just pinging to see if you were able to get this resolved?  Please post an update when time allows.  The thread is still marked "needs solution."




  • 9.  RE: jsn.donecore.net malware

    Posted Dec 02, 2013 12:16 PM

    Submitted both full report and load point analysis suspected files (#35305188) and have not heard anything back.

    Used both HJT and Malwarebytes to remove browser add-ons and redirects creating popups as uninstalling the numerous programs did not work.

    Bettersrf was prevalent in both IE10 and Chrome as add-ons and under Programs.

    Why isn't SEP catching this? It's obviously malicious!




  • 10.  RE: jsn.donecore.net malware

    Posted Dec 02, 2013 12:18 PM

    Because a signature(s) does not yet exist to detect it. Hopefully, the submission comes back with something shortly.



  • 11.  RE: jsn.donecore.net malware

    Posted Dec 02, 2013 12:33 PM

    Hi again,

    It looks like that submission actually closed on 11/28/2013; a mail was sent out by Security Response with the findings.

    It appears that some vendors have "not-a-virus:AdWare.Win32.BetterSurf.b" type detections for that file: https://www.virustotal.com/en/file/f5a3d50a97b7c3d462e5efdcd9017463de41ecdb07cc20749a809ae6e1db32ec/analysis/

    Chances are there is a EULA which describes what this program does and a box that says "I have read the terms and conditions" when installing. If that is the case, the file would not meet Symantec's criteria for detection. Admins can create their own ADC policies against the file, regardless.

    Here is an article that may be of interest: http://www.theregister.co.uk/2013/12/01/dont_like_our_malware_tough_read_the_eula/

    Hope this helps!

    Mick



  • 12.  RE: jsn.donecore.net malware

    Posted Dec 02, 2013 01:09 PM

    Thanks Mick. Interesting, I did not receive an email regarding the findings.

    I will see what I can do to block it.


    Keith



  • 13.  RE: jsn.donecore.net malware

    Posted Dec 02, 2013 01:56 PM

    My SEPM logs show SEP catching BetterSurf.exe as Adware.BL and Better-Surf.exe as Trojan.ADH.2 on some systems. The system in question is running an up-to-date SEP client, on which it wasn't caught?



  • 14.  RE: jsn.donecore.net malware

    Posted Dec 03, 2013 06:53 AM

    Hello,

    Did you compare the MD5 hash of those files to confirm the exact same file is detected in one system and not in another?

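One way to do the comparison this reply asks for, as an added example that is not part of the thread or of Symantec's tooling: hash the suspect files collected from the detecting host and the non-detecting host, then diff the two manifests to see whether a "same name, different hash" file explains the gap. File names and contents below are constructed; `hash_file()` is for real collections.

```python
import hashlib
from typing import Dict, List, Tuple

Digest = Tuple[str, str]  # (md5, sha256)


def digests(data: bytes) -> Digest:
    """MD5 is what the thread asks for; SHA-256 is what multi-engine lookups key on."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20) -> Digest:
    """Hash a file on disk in chunks so large binaries need not fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def manifest(files: Dict[str, bytes]) -> Dict[str, Digest]:
    """Build {name: (md5, sha256)} from in-memory contents (constructed samples)."""
    return {name: digests(data) for name, data in files.items()}


def compare(a: Dict[str, Digest], b: Dict[str, Digest]) -> Dict[str, List[str]]:
    """Classify every file name seen on either host by whether its hashes match."""
    out: Dict[str, List[str]] = {"identical": [], "modified": [], "only_a": [], "only_b": []}
    for name in sorted(set(a) | set(b)):
        if name not in b:
            out["only_a"].append(name)
        elif name not in a:
            out["only_b"].append(name)
        elif a[name] == b[name]:
            out["identical"].append(name)
        else:
            out["modified"].append(name)  # same name, different build: the case worth chasing
    return out


# Constructed sample contents standing in for files collected from two hosts:
# HOST_A is where SEPM logged a detection, HOST_B is the client that was not caught.
HOST_A = {"BetterSurf.exe": b"sample-A", "Better-Surf.exe": b"sample-B"}
HOST_B = {"BetterSurf.exe": b"sample-A", "Better-Surf.exe": b"sample-B-v2", "bsupdater.exe": b"sample-C"}

if __name__ == "__main__":
    for kind, names in compare(manifest(HOST_A), manifest(HOST_B)).items():
        print(f"{kind:10s} {', '.join(names) or '-'}")
```

A file that lands in "modified" is a different binary and needs its own submission; an "identical" file that is still undetected on one host points at the client (definitions, policy, scan settings) rather than the sample.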



  • 15.  RE: jsn.donecore.net malware

    Posted Dec 03, 2013 07:04 AM

    As mentioned by Mick, if the user is accepting a malicious EULA, the meaning of malicious is not so obvious anymore, and threat authors like such gray areas.

    Without going into too specific details, regardless of the EULA, what may be obvious to human eyes may be very complex for a brainless computer (said in a more accurate way, it is not as easy as you believe to write automatic routines which fully replace a person in evaluating whether a file is malicious or not).