We're migrating from SAVCE 10.4 to SEP 11. We had a report from a user that they had a Security Shield notification popping up. I determined that it was this SecurityShieldFraud aka Troj/FakeAV-CDA [Sophos]. The writeup is here:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-121516-1707-99&tabid=2
Is there any reason that SAVCE 10.4 didn't detect this with current definitions (Feb 2nd) and set to scan all files, in either real-time protection or via the on-demand scan? It detected the eicar.com test string OK. After isolating the box and installing SEP 11, the .exe was detected immediately by the real-time protection as I single-clicked on it.
With many machines still to be migrated, I want to get to the bottom of this. There's no mention that you need a specific version of AV to detect this, but if SAV is not protecting us, we might need to put more resources into accelerating the migration.