Endpoint Protection

  • 1.  Security Essentials 2011

    Posted Dec 13, 2010 05:44 PM

    I have a PC that is infected with the Security Essentials 2011 fake AV program.  The SEP client - ver 11.6a - did not find anything infected or catch it when it was installed on the system.

    I pulled down the Support Tool, ran Power Eraser, and it found a folder for the program in All Users\App Data which I had Power Eraser wipe out. 

    However I am worried about the items it did not find, ie. the registry entries, etc..

    Found this website detailing how to remove it, but being that I work at a Corporation I cannot use Malwarebytes for free.  Would rather get Symantec to the point of catching these.

    http://www.bleepingcomputer.com/virus-removal/remove-security-essentials-2011

    Attached is the save file of the Power Eraser Scan and a Load Point Analysis.  Could not attach them as the default file type so I zipped them.

    Can anyone help or do I need to submit these through support by getting a case number and all that?



  • 2.  RE: Security Essentials 2011

    Posted Dec 13, 2010 08:44 PM

    You need to submit to Security Response:

    https://submit.symantec.com/websubmit/gold.cgi

    You can try downloading the latest rapid release definitions and run a scan in safemode to see if it picks it up:

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    Also, I'm not sure why you can't use Mbam, as it is free but I suppose if your company doesn't allow it then that's a different story. Mbam would most likely catch and clean this infection.

    The biggest problem with FakeAV is that it is re-coded numerous times a day to evade traditional Antivirus detection.

    Make sure you tighten up SEP settings. Take a look at the excellent recommendations laid out by tevia-boy. It is very informative. Many other Connect users also weigh in:

    https://www-secure.symantec.com/connect/forums/sep-secret-sauce-better-protection

    In addition, you will want to use a good application and device control policy to stop FakeAV infections:

    http://www.symantec.com/business/support/index?page=content&id=TECH102525&actp=search&viewlocale=en_US&searchid=1292291001330

    http://www.symantec.com/business/support/index?page=content&id=TECH104431&actp=search&viewlocale=en_US&searchid=1292291035687



  • 3.  RE: Security Essentials 2011

    Posted Dec 13, 2010 09:13 PM

    Hi, I recommend that you send this to support so they can make a Rapid Release definition file for you, and also have it added to future definition files.



  • 4.  RE: Security Essentials 2011

    Posted Dec 14, 2010 03:31 AM

    >> The biggest problem with FakeAV is that it is re-coded numerous times a day to evade traditional Antivirus detection.

    I agree with Brian! Moreover, what these applications usually do is display fake detections and claim that the full version is needed to remove them. I do not say that they cannot perform other malicious actions, but if the only thing they do is display some weird interface "scanning" your system and "finding" malware and then giving you a link to the "full version", heuristic protection is helpless.



  • 5.  RE: Security Essentials 2011

    Posted Dec 14, 2010 08:50 AM

    To my knowledge Malwarebytes is not free for Corporate use.  You have to buy a Corporate license.

    From their EULA:

     As such, using the Software as part of a help desk or computer repair service is still prohibited to Corporate License users, but you may use the Software to protect your hardware and software products from malicious programs prior to sale.

    Same thing with Spybot.  It is not free for Corporate use.

    I will submit these files.


  • 6.  RE: Security Essentials 2011

    Posted Dec 14, 2010 08:20 PM

    To expand on this, fake AVs are animations that mask as applications. It's probably like telling the computer to differentiate between a video documentary and an action flick, so how can an AV detect the animation? Some of the ways it can be detected is if it ever tries to contact headquarters to give you their form or upload software to be installed on your PC. And blocking the website is only effective until they change their domain/IP address, which probably happens way too often to get a hold of.

    And to the Symantec Programmers, keep it up and I'm hoping that you get Bloodhound to detect this nasty jokeware they pass off as software.



  • 7.  RE: Security Essentials 2011

    Posted Dec 15, 2010 08:14 AM

    jpj1980,

    Do you have the Network Threat Component installed? I see that IPS is not installed which leads me to believe NTP is not installed. This is something you should consider. The IPS can block many FakeAV attempts from the web.

    At a bare minimum, you should have both AV/AS and the IPS installed. If you don't want to use the firewall, just withdraw the policy and all traffic will be allowed through. You can then use the Windows firewall if you like.

    You will want to go into safemode and delete this directory if you have not already done so:

    c:\documents and settings\all users\application data\security essentials 2011

    Also check the following reg key to make sure it didn't set itself to run every time the PC boots up:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
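The Run-key check described in the post above, as an added worked example that is not code from the thread or from Symantec: on the suspect PC, run `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the same path under HKCU), save the output to a file, and feed it to the script. It parses the `reg query` text format and flags any autostart whose command line references a user-writable data directory such as All Users\Application Data, which is where the post found the program's folder. The SAMPLE text, the `se2011` value name, the `se2011.exe`/`helper.dll` file names and the environment-variable expansions are constructed assumptions for illustration only.

```python
"""Triage Windows Run-key autostart entries for rogue-AV persistence.

Added example, not code from the original thread. Parses the text that
`reg query <key>` prints and flags entries whose command line points into
a user-writable data directory. Usage on the real box:
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run > run.txt
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> run.txt
    python run_triage.py run.txt
Without an argument it runs against the constructed SAMPLE below.
"""
import re
import sys
from dataclasses import dataclass

# Directories a standard user can write to (XP/2003 and Vista+ layouts),
# lowercase and backslash-delimited. An autorun living here deserves a look.
SUSPICIOUS_DIRS = (
    "\\all users\\application data\\",
    "\\programdata\\",
    "\\application data\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)

# Assumed expansions for REG_EXPAND_SZ data (XP defaults; a constructed
# environment, not read from the machine under analysis).
ENV = {
    "%allusersprofile%": "c:\\documents and settings\\all users",
    "%appdata%": "c:\\documents and settings\\user\\application data",
    "%temp%": "c:\\documents and settings\\user\\local settings\\temp",
    "%programfiles%": "c:\\program files",
    "%systemroot%": "c:\\windows",
}

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


@dataclass
class RunEntry:
    key: str
    name: str
    kind: str
    data: str


def parse_reg_query(text):
    """Turn `reg query` output into RunEntry objects, tracking the key header."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(RunEntry(key, m.group("name"), m.group("type"),
                                    m.group("data").strip()))
    return entries


def expand(cmdline):
    """Lowercase the command line and expand the %VARS% listed in ENV."""
    out = cmdline.lower()
    for var, val in ENV.items():
        out = out.replace(var, val)
    return out


def image_path(cmdline):
    """Pull the executable out of a Run-value command line."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def suspicious_dir(cmdline):
    """First user-writable directory referenced anywhere in the command line
    (whole line, so rundll32/regsvr32 loading a DLL from Temp is caught too)."""
    low = expand(cmdline)
    for d in SUSPICIOUS_DIRS:
        if d in low:
            return d
    return None


def triage(text):
    """Return the flagged entries with key, value name, image and reason."""
    flagged = []
    for e in parse_reg_query(text):
        d = suspicious_dir(e.data)
        if d:
            flagged.append({"key": e.key, "name": e.name,
                            "image": image_path(e.data), "reason": "references " + d})
    return flagged


# Constructed stand-in for `reg query` output from an infected XP box. The
# se2011 value/file names and the Loader/helper.dll entry are placeholders;
# the folder is the one reported in the post. ccApp is SEP's own tray process.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    se2011    REG_SZ    "C:\Documents and Settings\All Users\Application Data\Security Essentials 2011\se2011.exe" /startup
    Loader    REG_EXPAND_SZ    rundll32.exe "%TEMP%\helper.dll",Start

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for hit in triage(text):
        print(f"{hit['key']}\\{hit['name']}: {hit['image']} ({hit['reason']})")
```

Anything it flags is a candidate for deletion (after the binary is submitted to Security Response), but the list is a triage aid, not a verdict: a legitimate updater that keeps its files under Application Data will be flagged too, so confirm the image before removing the value. Run the same query against HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce and the Wow6432Node Run keys on 64-bit systems.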



  • 8.  RE: Security Essentials 2011

    Posted Dec 15, 2010 09:43 AM

    No, we only install the AV/AS modules.  We are working on testing the rest in our environment to install it.

    The directory you indicate actually was removed by Power Eraser and I called tech support and worked with them to verify that everything else associated with the threat was gone.  The system is clean at this point.


    Thanks for all the help