MalwareBytes
Updated: 26 Apr 2011 | 14 comments
I have had Trojan.FakeAV all over my organization and the only thing that gets completely rid of it is Malwarebytes.
Symantec has been detecting it but not removing it completely.
SEP 11.6100.645
Comments
Make sure you are running the latest definitions. If possible, please submit the files to Security Response for analysis.
http://www.symantec.com/business/security_response...
New variant was discovered 4/19 - http://www.symantec.com/business/security_response/writeup.jsp?docid=2011-042005-5526-99
Trojan.FakeAV!gen50
I have submitted a few already today and yesterday. It seems it's starting to slow down throughout the organization.
Funny thing is the newest FakeAV hides all files and folders now. Just enable "show all files and folders" and then you can see them. Highlight all files and folders, right-click, Properties, and uncheck the Hidden box.
Also, do not forget that Malwarebytes is a free product, so it could detect things that may be false or fake.
I've used Malwarebytes for years and it is one of the best removal products on the market bar none.
Malwarebytes is not freeware. It is free for home users.
I have seen a few that were security settings I had set on our image. Thanks for the heads up.
Why is Symantec not detecting Threats?
Hello,
To answer your Question: Why isn't Symantec Detecting Threats?
Read this:
Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not
About FakeAV and how to get the suspicious files to Symantec so they detect them:
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3
Follow me on Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
When I come across a new FakeAV variant, obtained either as a malicious file attachment or as a file downloaded from a malicious URL, I run the following procedures:
(1) I test the file with my current official definitions in my investigative environment (Linux & Windows) and perform a scan on the malicious file.
(2) I then download the latest rapid release definitions onto my investigative environment and perform a scan on the malicious file. At the employee's workstation, I boot from a CD with the Power Eraser tools and supply it with the latest rapid release definitions, and it doesn't detect the issue.
(3) I test the file with Malwarebytes with the latest definitions. I also test the file with a site that tests against 40 AV engines, which includes Symantec.
(4) I upload malicious FakeAV files to Symantec's premium submission site. I'll eventually get an email with the details of the submission.
(5) Anywhere from 15 minutes to several hours later, I get an email stating that they already have the malicious file profile within their rapid release definitions. The emails used to include which Rapid Release version to use, but I haven't seen that detail included for some time now.
(6) I download the latest rapid release definitions and they fail to identify the FakeAV file. If I submit the file late in the afternoon, I'll download the rapid release definitions the following morning, and the majority of the time they still fail to identify the FakeAV file.
I see instructions on how to hunt & remove the threat yourself but shouldn't the client already do that? I followed the suggested best practices with updating and that doesn't seem to help with the new threats.
I'm thinking if Malwarebytes can find it, surely Symantec with all their resources can find the same things, and we are getting daily def files. When we have anything suspicious we always reach for Malwarebytes first.
Read my blog on dedupe https://www-secure.symantec.com/connect/blogs/garys-dedupe-experiences
It's nice having alternate sources to examine suspicious files, but look at how much organizations are paying for a premium enterprise product. Management is expecting the product to protect the organization from the latest threats but we're not seeing that.
* How long does it take for newly identified variant to be added to a rapid release definition?
* How long does it take for newly added signatures that appeared in a rapid release to be fully tested and migrated over to an official standard definition release?
Detecting/Stopping Fake AV infections really depends on what parts of SEP you have installed. If you want full protection, then you need to use all three features of the product (AntiVirus and Antispyware, Proactive Threat Protection and Network Threat protection). Anything less is asking for drive by infections, etc. Also make sure you keep your OS and programs up to the latest possible patches, particularly Adobe Reader and Flash.
Basically, if you are relying only on the Antivirus and Antispyware feature of SEP to protect your environment, that's simply not enough in this day and age.
Here is another example of a FakeAV type malware which is pushing 3+ days old and Symantec still doesn't detect it even with this morning's rapid release definitions installed.
The Norton protection at Yahoo Mail service didn't detect the malicious file. Our SEP with the latest rapid release didn't detect the malicious file. However here is a brief list of other AV engines that detected the threat. How come Symantec is having trouble detecting this malicious file?
Symantec wasn't the only vendor that didn't detect the malicious file. Is Symantec taking too long with publishing new signatures to its rapid release and then to their official daily release?
What is the tracking number of your submissions (PM me if you want with it) and I'll look up the status of it.
Symantec Technical Support Engineer, SEP, SAV for Linux
Tracking #20066286 (Delivered
Thank you Thomas. I'll PM you.
That's a Trojan.FakeAV
Hello,
UPS.exe (0x011b4e9ce03e6e83195745917d91d31f) has been identified as Trojan.FakeAV.
Trojan.FakeAV
http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99
How to troubleshoot FakeAV if it is not detected
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
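The submission workflow described earlier in the thread (scan with current definitions, scan with rapid release, submit, re-scan) and the vendor reply above both identify a sample by its MD5. The following Python script is an added example, not code from this thread or from Symantec or Malwarebytes: it hashes every file in a local quarantine folder (MD5 for matching the vendor's identifier, SHA-256 for your own records), flags any file whose MD5 matches a watchlist, and marks the rest as still needing submission. The watchlist contains only the MD5 that Symantec reported for UPS.exe above; the quarantine path, the helper names and the report format are assumptions.

```python
"""Quarantine triage helper (added example, not part of the thread).

Hashes suspicious samples in a quarantine directory and compares their MD5
against a watchlist of samples a vendor has already identified, so an
analyst can tell at a glance which files still need to be submitted.
"""
import hashlib
import os
import sys
from pathlib import Path

# Watchlist: the only entry is the MD5 Symantec reported in the thread for
# UPS.exe. Keys are normalised (lowercase, no "0x" prefix).
KNOWN_BAD_MD5 = {
    "011b4e9ce03e6e83195745917d91d31f": "Trojan.FakeAV",
}

# Verdict used for files that match nothing on the watchlist.
UNKNOWN = "unknown"


def normalize_md5(value):
    """Accept '0x...' / mixed-case forms as they appear in vendor mail."""
    value = value.strip().lower()
    if value.startswith("0x"):
        value = value[2:]
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("not a 32-character hex MD5: %r" % value)
    return value


def hash_file(path, chunk_size=1 << 20):
    """Return MD5, SHA-256 and size of one file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "path": str(path),
        "size": os.path.getsize(path),
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def triage_directory(directory, known_bad=KNOWN_BAD_MD5):
    """Hash every regular file under `directory` and attach a verdict.

    The verdict is the vendor name for a watchlist hit, or UNKNOWN for a
    file that still has to be submitted for analysis.
    """
    watchlist = {normalize_md5(k): v for k, v in known_bad.items()}
    results = []
    for candidate in sorted(Path(directory).rglob("*")):
        if not candidate.is_file():
            continue
        info = hash_file(candidate)
        info["verdict"] = watchlist.get(info["md5"], UNKNOWN)
        results.append(info)
    return results


def pending_submissions(results):
    """Paths whose MD5 matched nothing, i.e. the files to upload next."""
    return [r["path"] for r in results if r["verdict"] == UNKNOWN]


def format_report(results):
    """One line per file: verdict, MD5, SHA-256, size, path."""
    lines = []
    for r in results:
        lines.append("%-12s md5=%s sha256=%s size=%d %s" % (
            r["verdict"], r["md5"], r["sha256"], r["size"], r["path"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed quarantine location; pass a different directory as argv[1].
    quarantine = sys.argv[1] if len(sys.argv) > 1 else r"C:\Quarantine"
    report = triage_directory(quarantine)
    print(format_report(report))
    print("files still to submit:", len(pending_submissions(report)))
```

Keep the SHA-256 in your own submission log even though the vendor reply quotes MD5: MD5 collisions are cheap to produce, so the SHA-256 is the value to pin a sample to when comparing notes across engines or tracking numbers.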