Endpoint Protection

  • 1.  SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Posted Feb 02, 2011 10:15 PM

    We're migrating from SAVCE 10.4 to SEP 11.  We had a report from a user that they had a Security Shield notification popping up.  I determined that it was this SecurityShieldFraud aka Troj/FakeAV-CDA [Sophos].  The writeup is here:

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-121516-1707-99&tabid=2

    Is there any reason that SAVCE 10.4 didn't detect this with current definitions (Feb 2nd) and set to scan all files, in either real-time protection or via the on-demand scan?  It detected the eicar.com test string OK.  After isolating the box and installing SEP 11, the .exe was detected immediately by the real-time protection as I single-clicked on it.

    With many machines still to be migrated, I want to get to the bottom of this.  There's no mention that you need a specific version of AV to detect this, but if SAV is not protecting us, we might need to put more resources into accelerating the migration.



  • 2.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Posted Feb 02, 2011 10:18 PM

    SEP 11 has better technology, like scan engines, etc., and hence better detection capabilities.



  • 3.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does



  • 4.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Posted Feb 02, 2011 11:04 PM

    SAV 10.1.4.4000 and SEP 11 should not differ much in their ability to detect malware.

    A few questions to start with:

    1. What was the definition date and revision on the SAV? And what was the one in SEP?
      SAV definitions are published only once daily, at around 5am NZ time; for SEP, they are published 3 times daily, mostly 5am, 1pm and 9pm NZT.
    2. After single-clicking or highlighting the file, did you do the same in SAV?
      If not, what was the detected threat name under SEP?
    3. What was the Bloodhound / heuristic setting?

    SEP indeed has more technology embedded in it that enables its users to proactively detect malware. And the detection name can tell us more.





  • 5.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Posted Feb 03, 2011 12:15 AM

    Aah... SEP has Feb 2nd defs, and SAV still has Feb 1st Rev 3, which means that we wouldn't be covered.

    The "updated December 15, 2010 4:17:07 PM" on this page is misleading and made me believe that since that was almost a month and a half ago, I'd be OK if my definitions were made in Feb.

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-121516-1707-99

    So, we have the following: 

    Antivirus Protection Dates

    • Initial Rapid Release version December 15, 2010 revision 022
    • Latest Rapid Release version February 1, 2011 revision 021
    • Initial Daily Certified version December 15, 2010 revision 023
    • Latest Daily Certified version February 1, 2011 revision 037
    • Initial Weekly Certified release date December 22, 2010

    I believe we use the daily certified ones and that would explain the difference in the two versions.  I've forced an update and we're now at Feb 2 rev 2.  This should resolve it, but why would something take a month and a half to make it from initial certified to latest certified?



  • 6.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Posted Feb 03, 2011 12:25 AM

    Good to hear that.

    For the certified definition issue, it simply means:

    Initial Daily Certified means when we first spotted the threat in the wild.

    Latest Daily Certified means when we last spotted the threat in the wild.

    So for this specific threat family, it was covered by the Rapid Release update from 15 Dec 2010 rev 022
    and ended up in the certified defs of 15 Dec 2010 rev 023.

    And the last sample we saw was covered from the 1 Feb 2011 rev 021 Rapid Release definition
    and ended up in the 1 Feb 2011 rev 037 certified defs.
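
The check the two posts above walk through by hand (is the installed definition set at or past the writeup's "Latest Daily Certified" date and revision?) can be scripted. The following is an added example, not code from the thread or from Symantec. It assumes a definfo.dat-style INI file with a [DefDates] section whose CurDefs value has the form YYYYMMDD.RRR, and treats a set as "covering" a writeup entry when its (date, revision) pair is greater than or equal to the writeup's latest certified pair; the sample file contents are constructed to mirror the figures quoted above (Feb 1 rev 3 before the forced update, Feb 2 rev 2 after).

```python
"""Compare an installed Symantec definition set against the dates a threat
writeup lists.  Added illustration, not Symantec code.

Assumptions (not taken from the thread):
  * definfo.dat is INI-style with a [DefDates] section whose CurDefs value
    is YYYYMMDD.RRR (date plus a zero-padded revision).
  * A set "covers" a writeup entry when its (date, revision) is >= the
    writeup's latest certified (date, revision).  A set earlier than that
    may still carry older variants; only the newest sample needs the newest
    revision, which is exactly the point made in the posts above.
"""
import configparser
import re
from datetime import date
from typing import NamedTuple


class DefRev(NamedTuple):
    day: date
    rev: int

    def __str__(self) -> str:
        return f"{self.day:%Y%m%d}.{self.rev:03d}"


_MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

_WRITEUP_RE = re.compile(
    r"(?P<month>[A-Z][a-z]+) (?P<d>\d{1,2}), (?P<y>\d{4}) revision (?P<rev>\d+)")


def parse_writeup_date(text: str) -> DefRev:
    """Parse 'February 1, 2011 revision 037' as printed on a writeup page."""
    m = _WRITEUP_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised writeup date: {text!r}")
    return DefRev(date(int(m["y"]), _MONTHS[m["month"]], int(m["d"])), int(m["rev"]))


def parse_definfo(definfo_text: str) -> DefRev:
    """Read CurDefs=YYYYMMDD.RRR from definfo.dat-style text (assumed layout)."""
    cp = configparser.ConfigParser()
    cp.read_string(definfo_text)
    cur = cp["DefDates"]["CurDefs"].strip()
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})\.(\d+)", cur)
    if not m:
        raise ValueError(f"unrecognised CurDefs value: {cur!r}")
    y, mo, d, rev = m.groups()
    return DefRev(date(int(y), int(mo), int(d)), int(rev))


def covers(installed: DefRev, required: DefRev) -> bool:
    """True when the installed set is at or past the required (date, revision).
    Tuple comparison orders by date first, so 20110202.002 > 20110201.037."""
    return (installed.day, installed.rev) >= (required.day, required.rev)


# Constructed sample inputs mirroring the figures quoted in the thread.
WRITEUP_LATEST_CERTIFIED = "Latest Daily Certified version February 1, 2011 revision 037"

SAV_DEFINFO_BEFORE = """\
[DefDates]
CurDefs=20110201.003
LastDefs=20110201.003
"""

SAV_DEFINFO_AFTER = """\
[DefDates]
CurDefs=20110202.002
LastDefs=20110201.003
"""


def check_host(definfo_text: str, writeup_line: str = WRITEUP_LATEST_CERTIFIED) -> dict:
    """Return installed/required revisions and whether the host is covered."""
    installed = parse_definfo(definfo_text)
    required = parse_writeup_date(writeup_line)
    return {"installed": str(installed), "required": str(required),
            "covered": covers(installed, required)}


if __name__ == "__main__":
    for label, text in (("before forced update", SAV_DEFINFO_BEFORE),
                        ("after forced update", SAV_DEFINFO_AFTER)):
        print(label, check_host(text))
```

On a real host you would feed parse_definfo() the contents of the product's definfo.dat and check_host() the "Latest Daily Certified" line copied from the writeup; a False result is the signal to force a LiveUpdate before trusting an on-demand scan, which is what resolved the case above.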



  • 7.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Posted Feb 03, 2011 12:30 AM

    So, if this doesn't detect and remove this with the latest definition update, we should submit a sample, and you will add protection and change the date?

    If I get any more samples once the defs are updated I'll do the checks you asked me for.



  • 8.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Broadcom Employee
    Posted Feb 03, 2011 12:56 AM

    Yes, any suspicious files can be submitted to Symantec for analysis.



  • 9.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Posted Feb 03, 2011 12:59 AM

    SAV 10.4 has a few vulnerabilities of its own which can be exploited, so make sure you are on SEP 11.x.

    However, any suspicious files have to be submitted to Symantec Security Response so that Symantec can make definitions for them.



  • 10.  RE: SAVCE 10.4 doesn't pick up SecurityShieldFraud but SEP11 does

    Posted Feb 03, 2011 04:49 AM

    Hi NZdude,

    Lots of "thumbs up" for the recommendations and advice in this thread.... I agree 100%.

    Here are the details on those vulnerabilities Vikram mentioned.  All SAV users should upgrade to SAV 10.1 MR10 or to SEP in order to avoid these!

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_01

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00

    I strongly encourage all SAV users to upgrade to SEP: SEP is not vulnerable to any attacks which may take advantage of these known vulnerabilities in SAV.

    Thanks again and best regards!

    Mick