
live security platinum not detected by SEP 11.0.6

Created: 31 Jul 2012 | 24 comments
mondo101's picture

Hi all,

We have SEP 11.06 with the latest virus DEFs.

We have had numerous PCs infected with the malware "Live Security Platinum".

This type of malware actually DISABLES SEP and all executables.

We remove this using Malwarebytes.

My question is, why doesn't SEP detect this type of malware?

Ray.

24 Comments

Simpson Homer's picture

Update your system with the latest definitions.

https://www-secure.symantec.com/connect/forums/need-virus-removal-tool

If not, there are some useful tools provided by Symantec to help find those hard-to-detect threats.

1. The Power Eraser Tool eliminates deeply embedded and difficult-to-remove threats that traditional virus scanning doesn't always detect.

2. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.

3. The Load point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common loadpoints where threats can live.

Rapid Release Virus Definitions –

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

Power Eraser tool –

http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

Support Tool with Power Eraser Tool included –

http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files http://www.symantec.com/business/support/index?page=content&id=TECH141402

If you are unable to remove the threat(s) from your systems, please submit the suspected files to Symantec or ThreatExpert for analysis. New signatures will be created and included in future definition sets for detection.

http://www.symantec.com/business/security_response/submitsamples.jsp

http://www.threatexpert.com/submit.aspx

+1
Brian81's picture

There is not a signature for it yet.

You can upload the file to security response so one can be created:

https://submit.symantec.com/websubmit/gold.cgi

0
mondo101's picture

This type of malware has been around for about 2 years now.

Are you telling me that Symantec has never heard of such malware?

what file do I upload?

I am just happy that we got rid of it.

0
Brian81's picture

It's considered FakeAV. The signature for this changes multiple times per day, specifically to bypass antivirus technology. So while the name is the same, the signature is always different.

The file you would upload is the one malwarebytes detected. Since it's likely already deleted there is nothing you can do now.

+1
mondo101's picture

Agreed that it is fake AV, but it causes more hassle than an actual virus, i.e. it disables executables.

So how come a program like Malwarebytes always detects and cleans this malware?

Your software is for viruses AND malware, yes?

Ray..

0
Mithun Sanghavi's picture

Hello,

I would request you to follow the articles below:

How to troubleshoot FakeAV if it is not detected

https://www-secure.symantec.com/connect/articles/how-troubleshoot-fake-av-if-it-not-detected

Using the Symantec Support Tool, how do we collect the suspicious files and submit them to the Symantec Security Response team?

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

I would also recommend you to read these articles:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/business/support/index?page=content&id=TECH98929

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/business/support/index?page=content&id=TECH99222

Hope that helps!!

Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3

Twitter: @mithun_sanghavi

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

+1
Brian81's picture

There is no such thing as a 100% detection rate. Malwarebytes also misses its share of FakeAV. Traditional antivirus signatures are no match for FakeAV and are simply unable to keep up with the amount of new malware that is created. Other security measures need to be put in place.

You can look at the application and device control component which is available in both SEP 11.x and SEP 12.1 and you can also use the reputation based scanning offered in 12.1. These provide great defenses against FakeAV.

I consider viruses and malware the same thing. You should also look to see if your SEP client is configured for maximum protection. Look at this thread:

https://www-secure.symantec.com/connect/forums/sep...

+2
bLuEJaY's picture

I would also suggest you to upgrade to SEP12 which has better proactive detection capabilities than SEP11. As everyone said, though, no AV is 100% perfect.

+1
Vikram Kumar-SAV to SEP's picture

Do you think Symantec wouldn't know about this malware, or that the people who released this FakeAV would sit and wait for every antivirus to detect it and for it to go out of business?

The same malware gets updated more than 100 times in a day. Same name and same files, but just different code.

Submit this version/variant and SEP will detect this as well.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

+2
cus000's picture

The first is the hardest.

We understand your concern, mondo101, but you'll get the same answer once Malwarebytes or any other solution missed to detect a 'known' virus. This is a widely known issue in the AV industry: no one is perfect or 100% able to detect everything, or is the first to detect new malware each time.

Some solutions may be better in certain areas; there are pros and cons (and a price to pay too).

Check this:

http://www.virusbtn.com/vb100/latest_comparative/i...

 

+1
mondo101's picture

You've just emphasised my point "Malwarebytes or any other solution missed to detect 'known' virus".

Malwarebytes has always detected the platinum Fake AV and cleaned it.

So what are these guys (Malwarebytes) doing that Symantec are not?

I would assume that Malwarebytes monitor corporate software like Symantec's to see what the latest FakeAVs are, but it seems to me that it is Malwarebytes that are on top of this.

Are you saying that someone found a new strain of Platinum FakeAV and sent the code off to Malwarebytes for me to download their update and thus detect the issue,

while Symantec wait for updated code to be sent from the public?

I understand that no software is 100% perfect, but it looks to me like Malwarebytes are more proactive on this particular FakeAV than Symantec.

I have had this issue for a year now, and each time Symantec fails to detect it and Malwarebytes does.

Someone also suggested SEP12 instead of SEP11; I knew that was coming.

A full update of the Symantec software to improve on failures in SEP11.

This actually sounds like it might help, but I assume all the software works off the same DEFs.

 

Ray.

0
Fabiano.Pessoa's picture

Good morning,

It is true that nobody is 100% and that everyone should work the same way, but think along with me: if I create a new form of attack against a system, none of them will detect it. Exploits are always created by programmers with deep knowledge and are not disclosed, so that there is no detection.

Recently an exploit for attacks against routers was discovered that had been designed a year and a half earlier, and nobody knew about its activity. I myself tested it against several solutions and almost none of them caught it, including Malwarebytes.

Until they are in its database, nobody will be perfect. Is there a solution to this problem? Yes, there is; I work on that, but it is not carried out.

Thinking that Malwarebytes caught something that Symantec did not catch is relative. Example: create a .bat file with virus code combined with your own functions and you will see that it (Malwarebytes) will not detect it. But if you take the same virus code and put it on its own, it will be easy for it.

Until they are in their databases, nobody will really be 100%, not even those we sometimes think are.

Regards

 

 

Fabiano Pessoa

Systems Analyst - Forensic Expert

0
Brian81's picture

We could all debate this until we're blue in the face but we'll get nowhere. I'm not disagreeing with you either. But I've worked with this junk so much that traditional AV defs don't work so well against it because it morphs so much in a day. The bad guys specifically test their stuff against some of the more well known AV products, which is how they are able to get around it more easily. I've seen just about all the products miss it.

I have found that other measures are needed, such as ADC (11.x and 12.1) or the reputation-based identification (12.1). Even application whitelisting is a huge help if you can get it to work in your environment.

I do know that if we continue to rely on signature-based definitions then it will be a losing battle. It's already a proven fact.

+1
Beppe's picture

Hi mondo101,

I invite you to read our threat report to have an idea of what we are talking about:

http://www.symantec.com/threatreport/

  • Symantec blocked a total of over 5.5 billion malware attacks in 2011, an 81% increase over 2010.
  • Web based attacks increased by 36% with over 4,500 new attacks each day.
  • 403 million new variants of malware were created in 2011, a 41% increase over 2010.
  • SPAM volumes dropped by 13% in 2011 over rates in 2010.
  • 39% of malware attacks via email used a link to a web page.
  • Mobile vulnerabilities continued to rise, with 315 discovered in 2011.

When we talk about 403 million new variants in 2011 alone, do you think it is appropriate to believe that Malwarebytes is doing a better job than Symantec based on a single threat you got? Are you able to say how many variants Malwarebytes got, and how many they did not get before Symantec?

No, Symantec is not just waiting for samples coming from the public; we have a wide network of several thousand sensors around the world, but 100% coverage of something called the "Internet" is impossible. If a customer gets a threat before Symantec does, it is normal to submit it to us to get the signatures; all AV companies work like that.

Regards,

Giuseppe

+1
cus000's picture

"Malwarebytes has always detected the platinum Fake AV and cleaned it."

"So what are these guys (malwarebytes) doing that symantec are not ?"

To be honest your question is a good one; perhaps their Tech or Security Response can answer in more detail here.

"Are you saying that somone found a new strain of Platinum Fake AV and sent the code off to malwarebytes for me to download their update and thus detect the issue."

"While symantec wait for updated code to be sent from the public ?"

I was speaking of a possible reason why it wasn't detected by Symantec. I might be wrong on how exactly they gather new strains or variants, but many know that one of the sources is public sandboxes.

In general terms I do agree that external software/apps like Combofix, Malwarebytes or even Spybot S&D do well against FakeAV.

 

0
hforman's picture

Just as an interesting point, we were on SEP 11.0.6 and, as soon as we went to 12.1.1, one user kept getting "tamper protection" alerts on his computer. After running Spybot, it seems that he had something that turned off A/V software. 12.1 actually caught it through tamper protection, but we never got to the point of running a full scan under 12.1 since this was the first client that got pushed out.

0
cus000's picture

hforman, I would run the SEP Support Tool in your place.

The online file rating checker has so far worked well for me.

0
usacc23's picture

I want to comment. We had a laptop infected with this FakeAV. SEP 11.7101.1056.

Blew right through it. Malwarebytes was the only security app that found anything. Power Eraser found nothing. I don't know about SEP 12, but with SEP 11, Symantec needs to do a better job on FakeAVs.

They are way behind in 2 areas:

1. Rootkits - Kaspersky works great

2. FakeAV - Malwarebytes works great

Just my 2 cents.

 

 

0
hforman's picture

I've said this in some areas before.  FAKE AV may be an obvious piece of malware to most of us, but I read an interesting story that the people who make this got their lawyers together and tried to stop most of the big name data security firms from blocking their business.  They claimed that the program they ask you to BUY is a REAL anti-virus product and, despite finding what I personally call "ransomware" horrible, and their marketing technique outrageous, the lawyers claimed that the product is legitimate.  So, while I'm not saying that this is acceptable, there are some legal issues here.

 

Now that I said that, I did clean two FakeAV cases off of a couple of computers, but it was really difficult and we had to use SAFE MODE and all sorts of repeated cleanings.

 

If you are one of those that thinks that Apple Mac OS is safe, I also read that this can "infect" Macs as well and the only solution for Macs is to wipe the hard drive completely and reload.

 

Having said that, I agree with all those who have said that not every a/v product is the same and some miss one thing and find other things.  You probably want to do some online research on this item to see if there were any legal issues.  I had to deal with it a few years back.

 

Just saying that I heard there were "legal" issues with this sort of thing according to what I've seen.

 

+1
Mick2009's picture

Hi Ray,

"we have SEP 11.06. with latest virus DEFs"

A very important question, especially with FakeAV, is "what SEP components are running?" Fighting FakeAV with traditional AntiVirus alone is going to battle with one hand tied behind your back. IPS signatures are an incredibly effective way to detect and stop the traffic that these thousands of FakeAV variants use.

In my opinion it is absolutely worth the effort and maintenance to have the Firewall (NTP) and IPS components as well as SEP's AV. 12.1 adds Reputation technologies, which are also very, very effective.

Hope this helps! :)

Mick

With thanks and best regards,

Mick

+1
usacc23's picture

Mick,

 

In answer to your question, everything was turned on except the FW piece:

AV

PTP

NTP

When I did a Load Point Analysis using Power Eraser, I did find that WPSHELPER was not working, but that is all. I have seen this on a number of Windows 7 systems we have, but after reading articles I figured it was not an important piece to have loaded. If I am wrong, please tell me.

I know that I will be loading SEP 12 on this system later today.

 

Thanks to all for the feedback.

 

+1
Mick2009's picture

That probably explains it. If WPSHELPER is disabled/not working, then there is no IPS in SEP 11 (and thus SEP was fighting FakeAV with one arm tied behind its back).

Support Tool: WPSHelper service failure
Article URL http://www.symantec.com/docs/TECH96027

"WPSHelper is the kernel level driver component of the Endpoint Protection Client's Intrusion Prevention System (IPS) functionality. WPSHelper is installed in conjunction with the firewall component of Endpoint Protection, listed in the Client Interface as "Network Threat Protection.""

A big "thumbs up" for the following:

I know that I will be loading SEP 12 on this system later today.

Many thanks to all for the contributions to this thread!

With thanks and best regards,

Mick

0
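An added check, written for this thread and not part of the original posts or of any Symantec tool: a PowerShell snippet an admin can run on a SEP 11 client to answer the question the thread raises about WPSHelper, namely whether the IPS kernel driver is registered and running, and which file version sits on disk so it can be compared with the version quoted in TECH96027 before deciding between LiveUpdate and a reboot. It assumes the driver is registered under the name `WPSHelper` (the name used in the thread and in the article title); confirm the exact name in your Support Tool output, since that is the only source of the real registration name.

```powershell
# Added example for this thread, not Symantec code.
# ASSUMPTION: the SEP 11 IPS kernel driver is registered as 'WPSHelper'.
# Run in an elevated PowerShell session on the SEP 11 client.

function Get-SepIpsDriverStatus {
    param(
        [string]$DriverName = 'WPSHelper'   # assumed registration name
    )

    # Win32_SystemDriver covers kernel drivers, which Get-Service does not list.
    $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$DriverName'" `
           -ErrorAction SilentlyContinue

    if (-not $drv) {
        # Not registered at all: NTP/IPS is not installed or the install is broken.
        return [pscustomobject]@{
            Name        = $DriverName
            Installed   = $false
            State       = 'NotRegistered'
            StartMode   = $null
            Path        = $null
            FileVersion = $null
            Healthy     = $false
        }
    }

    # Driver paths are stored in several forms: plain, "\??\C:\...", or
    # "\SystemRoot\System32\drivers\x.sys". Normalise before reading the file.
    $path = $drv.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }

    $ver = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
    }

    [pscustomobject]@{
        Name        = $drv.Name
        Installed   = $true
        State       = $drv.State        # 'Running' is what IPS needs
        StartMode   = $drv.StartMode
        Path        = $path
        FileVersion = $ver              # compare with the version in TECH96027
        Healthy     = ($drv.State -eq 'Running')
    }
}

$status = Get-SepIpsDriverStatus
$status | Format-List

if (-not $status.Healthy) {
    Write-Warning ("IPS driver '{0}' is {1}: Network Threat Protection is not " +
                   "protecting this host until it is running." -f $status.Name, $status.State)
}
```

The reason to query `Win32_SystemDriver` rather than `Get-Service` is the point Mick makes above: WPSHelper is a kernel driver, so it does not appear in the service list that most "is SEP running?" checks look at, and a client can show AV, PTP and NTP all enabled while the IPS half of NTP is silently absent. `Get-WmiObject` is used instead of `Get-CimInstance` so the snippet also runs on the Windows 7 / PowerShell 2.0 clients mentioned in the thread.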
usacc23's picture

Mick,

 

As additional follow-up on WPSHELPER, the document states that if the version is not current, to then run LiveUpdate. That is all fine, but I have NEVER found the version to be wrong. Is the only recourse to reboot, then?

 

 

0