
Key Logger Detection | SEP vs SWG??

Created: 01 Mar 2011 | 2 comments


We have discovered a key logger on one of our servers with the help of the Symantec Web Gateway. The server is also running SEP-11 (the latest AV definitions installed on 2011-02-23 rev. 019), and we found that it has the latest signature sets, but SEP could not detect the key logger; there is nothing in its risk log either.

Just wondering why SEP is incapable of detecting a key logger (we have seen it detect a few in the past) while the Symantec Web Gateway detects the same? Wouldn't key loggers actually be part of SEP signature-based detection?

Appreciate any inputs.


2 Comments

Thomas K's picture

How was the key logger detected by SWG? Check your SEP TruScan settings. Make sure you follow the Security Response recommendations for your TruScan and AV settings.

Security Response recommends the following setting changes to TruScan for best protection

| TruScan | Default Setting | Security Response Recommendation |
|---|---|---|
| Scan Sensitivity | 9/Low | 100 |
| Action on Detection | Log | Terminate |
| Scan Frequency | 1:00 | 00:15 |

Security Response recommends the following Scan Settings

| Antivirus Security Setting | Default Setting | High Security Policy | Security Response Recommendation |
|---|---|---|---|
| Lock settings | Some | Some | All |
| Remediation: terminate processes | No | No | Yes |
| Remediation: terminate services | No | No | Yes |
| Auto-Protect action taken for security risks | Quarantine/Log | Quarantine/Log | Quarantine/Delete |
| Network Auto-Protect | Disabled | Enabled | Enabled |
| Bloodhound Level | Default (2) | Default (2) | Default (3) |
| SEP Startup | System Start | System Start | System Start |
| Auto-Protect Scan | Modify and access | Modify and access | Modify and access |



MiRa's picture

Thanks Thomas.

We'll check the SEP settings to see if they are in line with what Security Response recommends.

If required, will make necessary changes and post the findings.

Thanks again!