
PAV.exe - SEPM not finding it......

Updated: 03 Jun 2010 | 7 comments
Posted by jbmwk75

We have a user who somehow (on purpose or not) has Personal Antivirus installed on their company machine.  It's one of those fake antivirus programs that normally comes up after you visited some malicious website or installed a video codec that has a trojan or virus attached.  My question is, why did Symantec Endpoint not catch that?  Has anyone else seen this? What do we need to do to ensure this doesn't happen again and how do we remove it?

We are running SEP v 11.0.4000.2295. This product has been pretty solid thus far.

Comments

Sandeep Cheema, 05 May 2009

Submit it.

@jbmwk75

Your question: why did Symantec Endpoint not catch that?

The answer would probably be because Symantec didn't have the definitions for it then.

The fake antivirus software variants are increasing enormously.

You need to narrow down as many executables and DLLs as the program has installed and submit them to Symantec.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting "Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

Douglas Painter, 20 Jul 2009

PAV.exe infection

I see the original post to this issue was some weeks back.  Today, July 20, 2009, a user on my network was hit with this fake virus.  We are using Endpoint 11.0 Maintenance Release 4 Maintenance Patch 2 version number 11.0.4202.75.  I cannot understand why Endpoint did not trigger on this and stop it.  Any ideas?

Thomas K, 20 Jul 2009


Are you able to narrow the infection down and submit the file(s) to the Security Response Team for analysis?
Use the appropriate one from below:

https://submit.symantec.com/websubmit/basic.cgi
https://submit.symantec.com/websubmit/gold.cgi
https://submit.symantec.com/websubmit/platinum.cgi
https://submit.symantec.com/websubmit/bcs.cgi

Thomas
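Both Sandeep Cheema's and Thomas K's replies come down to the same step: before anything can be submitted to Security Response, someone has to work out which files the fake AV dropped. The script below is an added example of how to do that first pass; it is not from the thread, from Symantec or from any submission tool. It walks a set of folders, keeps executables written in the last few days (by extension, and also by checking for an MZ/PE header so a dropper saved as `.dat` or `.tmp` is not missed), hashes each one, and writes a manifest to go with the sample upload. The default roots (`%APPDATA%`, `%TEMP%`), the extension list, the seven-day window and the `build_sample_tree()` fixture are all assumptions made for this example; the fixture contains constructed dummy files, not real malware.

```python
"""Triage helper: list recently written executables for sample submission.

Added example for this thread, not Symantec's or the poster's own code.
Assumes the analyst knows roughly when the fake AV appeared (`days`) and
which folders to sweep; the default roots in main() are assumptions.
"""
import hashlib
import os
import struct
import tempfile
import time

# Extensions a dropper commonly leaves behind (assumption, not a Symantec list).
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".ocx"}


def is_pe(path):
    """True if the file has an MZ header whose e_lfanew offset points at
    'PE\\0\\0'. Catches renamed executables an extension filter would miss."""
    try:
        with open(path, "rb") as fh:
            dos = fh.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 60)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def file_hashes(path):
    """Return (md5, sha256) hex digests, streaming so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def collect_candidates(roots, days=7, now=None):
    """Walk `roots`; return executables modified within the last `days`."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # vanished or unreadable; skip, do not abort
                if st.st_mtime < cutoff:
                    continue
                ext = os.path.splitext(name)[1].lower()
                pe = is_pe(path)
                if ext not in EXEC_EXTENSIONS and not pe:
                    continue
                md5, sha256 = file_hashes(path)
                found.append({
                    "path": path, "size": st.st_size, "pe": pe,
                    "mtime": time.strftime("%Y-%m-%d %H:%M:%S",
                                           time.localtime(st.st_mtime)),
                    "md5": md5, "sha256": sha256,
                })
    found.sort(key=lambda e: e["path"])
    return found


def write_manifest(entries, out_path):
    """Write a tab-separated manifest to accompany the uploaded samples."""
    with open(out_path, "w") as fh:
        fh.write("sha256\tmd5\tsize\tmtime\tpe\tpath\n")
        for e in entries:
            fh.write(f"{e['sha256']}\t{e['md5']}\t{e['size']}\t"
                     f"{e['mtime']}\t{int(e['pe'])}\t{e['path']}\n")
    return len(entries)


def build_sample_tree():
    """Constructed fixture for a dry run (dummy bytes, not malware): a fresh
    PE named pav.exe, the same PE disguised as update.dat, a 30-day-old DLL
    and a text file. Only the first two should be picked up with days=7."""
    base = tempfile.mkdtemp(prefix="pav_triage_")
    fake_pe = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)
               + b"PE\x00\x00" + b"\x00" * 32)
    for name, data, age_days in [("pav.exe", fake_pe, 0),
                                 ("update.dat", fake_pe, 0),
                                 ("old.dll", fake_pe, 30),
                                 ("readme.txt", b"not code", 0)]:
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(data)
        if age_days:
            old = time.time() - age_days * 86400
            os.utime(path, (old, old))
    return base


if __name__ == "__main__":
    import sys
    # Assumed default sweep roots for a Windows client; pass others as args.
    roots = sys.argv[1:] or [os.path.expandvars("%APPDATA%"),
                             os.path.expandvars("%TEMP%")]
    n = write_manifest(collect_candidates(roots, days=7), "submission_manifest.tsv")
    print(f"{n} candidate file(s) listed in submission_manifest.tsv")
```

Run it on the affected machine with the folders you suspect as arguments, then upload the listed files through the submission form for your support level and attach the manifest; the hashes let you confirm later which submitted sample a new definition actually covers. The `pe` column flags files that were kept only because of their header, which are the ones worth a closer look.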

Siddarth, 20 Jul 2009

Update the definitions on the computer

- Update the definitions on the computer using the Rapid Release definitions from the following link.

ftp://ftp.symantec.com/public/english_us_canada/an...

From there, open the folder with the most recent date and time.

Download symrapidreleasedefsv5i32.exe from there to update the definitions on a local computer.

You can also download vd2de860.jdb and follow this link:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/f31aff6fdd7dc91d80257405003c0fce?OpenDocument

That will help you in updating the clients from the manager console.

After the client machines are updated with the latest virus definitions, perform a full scan in Safe Mode.

Paul Mapacpac, 20 Jul 2009

Re

You could try to uninstall it manually: go to Control Panel, Add/Remove Programs.

cbasta, 02 Dec 2009


We're seeing a very similar issue.  Occasionally a few users will go to a website that notifies them that they need Windows Antivirus 2009 or 2010 (fake antivirus).  Regardless of what option the user selects, the fake antivirus installs.  If the user knew to close the window, it wouldn't install.

I, too, wonder why Endpoint Protection v11.03 or 4 doesn't stop it.  I haven't seen it infect a PC with 11.05 yet, but imagine that it's just a matter of time.