Video Screencast Help


Created: 25 Apr 2011 • Updated: 26 Apr 2011 | 14 comments
This issue has been solved. See solution.

I have had Trojan.FakeAV all over my organization and the only thing that get completely rid of it is Malwarebytes.

Symantec has been detecting it but not removing it completely.

SEP 11.6100.645

Comments 14 CommentsJump to latest comment

Thomas K's picture

Make sure you are running the latest definitions. If possible, please submit the files to Security Response for analysis.

New variant was discovered 4/19 -

MackSRQ's picture

I have summitted a few already today and yesterday.  It seems its starting to slow down through out the organization.

Funny thing is the newest Fake.AV it hides all files and folders now.  Just enable veiw all files and folders and then you can see them.  highlight all files and folders RT click and properties.  Uncheck the hidden box.

Simpson Homer's picture

Also, Do not forget that Malware Bytes is a free product, so could detect things that may be false or fake.

khaskins82's picture

I've used Malwarebytes for years and it is one of the best removal products on the market bar none.

Malwarebytes is not freeware. It is free for home users.

MackSRQ's picture

I have seen a few that where security settings I have set on our Image.  Thanks for the heads up.

Mithun Sanghavi's picture


To answer your Question: Why isn't Symantec Detecting Threats?

Read this:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

About the FakeAV and how to get the Suspicious files to make Symantec detect the same,

Read the following:
How to troubleshoot FakeAV if it is not detected
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the
same to Symantec Security Response Team.
Hope the above would provide you all your Answers!!!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

glentc's picture

When I come across a new FakeAV variant obtained from either as a malicious file attachment or a download file from a malicious URL, I run the following procedures;

(1) I test the file with my current official denfinitions on my invetigative environment (linux & windows) and perform a scan on the malicious file.

(2) I then download the latest rapid release definitions onto my investigative environment and perform a scan on the malicious file. At the employee's workstation, I boot from a CD with the PowerEraser tools and supply it with the latestet rapid release definitions and it doesn't detect the issue.

(3) I test the file with MalwareBytes with the latest defintinions. I also test the file with a site that tests against 40 AV engines which includes Symantec.

(4) I upload malicious FakeAV files to the Symantec's submission premium site. I'll eventually get an email with the details of the submission.

(5) Anywhere from 15 minutes to several hours later, I get an email stating that they already have the malicious file profile within their rapid release definition. The emails used to include which Rapid Release version to use but I haven't seen that detail included for some time now.

(6) I download the latest rapid release definition and it fails to identify the FakeAV file. If I submit the file late in the afternoon, I'll download the rapid release definintion the following morning and the majority of the time it still fails to identify the FakeAV file.

I see instructions on how to hunt & remove the threat yourself but shouldn't the client already do that? I followed the suggested best practices with updating and that doesn't seem to help with the new threats.

macpiano's picture

I'm thinking if Malwarebytes can find it surely Symantec with all their resources can find the same things and we are getting daily def files. When we have anything suspicious we always reach for Malwarebyte first.

glentc's picture

It's nice having alternate sources to examine suspicious files, but look at how much organizations are paying for a premium enterprise product. Management is expecting the product to protect the organization from the latest threats but we're not seeing that.

* How long does it take for newly identified variant to be added to a rapid release definition?

* How long does it take for newly added signatures that appeared in a rapid release to be fully tested and migrated over to an official standard definition release?

Ted G.'s picture

Detecting/Stopping Fake AV infections really depends on what parts of SEP you have installed. If you want full protection, then you need to use all three features of the product (AntiVirus and Antispyware, Proactive Threat Protection and Network Threat protection). Anything less is asking for drive by infections, etc. Also make sure you keep your OS and programs up to the latest possible patches, particularly Adobe Reader and Flash.

Basically, if you are relying only on the Antivirus and Antispyware feature of SEP to protect your environment, that's simply not enough in this day and age.

glentc's picture

Here is another example of a FakeAV type malware which is pushing 3+ days old and Symantec still doesn't detect it even with this morning's rapid release definitions installed.

  • Delivery method: Email attachment
  • Date Received: Friday 5/6/2011 at 8:41pm
  • Definitions:  Rapid Release 05/09/2011 rev. 8
  • Retrieved & Scanned: Monday morning 5/9/2011 at 8:49am

The Norton protection at Yahoo Mail service didn't detect the malicious file. Our SEP with the latest rapid release didn't detect the malicious file. However here is a brief list of other AV engines that detected the threat. How come Symantec is having trouble detecting this malicious file?

  • Avast    4.8.1351.0    2011.05.09    Win32:Malware-gen
  • AVG    2011.05.09    Downloader.Generic11.YDB
  • BitDefender    7.2    2011.05.09    Gen:Trojan.Heur.UT.bqW@bSt1C@ji
  • Commtouch    2011.05.09    W32/Oficla.EX
  • F-Prot    2011.05.09    W32/Oficla.EX
  • Kaspersky    2011.05.09    Trojan.Win32.Deliver.g
  • McAfee    5.400.0.1158    2011.05.09    Artemis!011B4E9CE03E
  • Microsoft    1.6802    2011.05.09    TrojanDownloader:Win32/Chepvil.K
  • Sophos    4.65.0    2011.05.09    Mal/Bredo-K
  • TrendMicro-HouseCall    2011.05.09    TROJ_GEN.RC1C2E9
  • Malwarebytes sees it as a FakeAV downloader

Symantec wasn't the only vendor that didn't detect the malicious file. Is Symantec taking too long with publishing new signatures to it's rapid release and then to their official daily release?

thomas_m's picture

What is the tracking number of your submissions (PM me if you want with it) and I'll look up the status of it.

Symantec Technical Support Engineer, SEP, SAV for Linux<

glentc's picture

Thank you Thomas. I'll PM you.

Mithun Sanghavi's picture


UPS.exe (0x011b4e9ce03e6e83195745917d91d31f) has been identified as Trojan.FakeAV.


How to troubleshoot FakeAV if it is not detected

How to block known virus executables that run from %UserProfile% using Application and Device Control

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.