Endpoint Protection

  • 1.  Security tool spyware

    Posted Mar 25, 2010 01:19 AM
    I'm using Symantec Endpoint Protection 11 in the company, and one of my users got infected by a spyware named "Security Tool". He said that he got infected by surfing on the internet.

    From the information that I found on the internet, it is a rogue antivirus that uses fake security alerts and system scan results to make computer users believe that they must purchase the Security Tool program.

    I want to know why SEP did not detect it as spyware when the user got infected.



  • 2.  RE: Security tool spyware

    Posted Mar 25, 2010 02:37 AM
    Hi,

    Please refer to the following KB:

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d52ab8d97f66472988256a22002726f3?OpenDocument

    Moving this thread to the SEP 11 forums.

    Aniket


  • 3.  RE: Security tool spyware

    Posted Mar 25, 2010 02:51 AM
    Hi Tonks,

    If possible, please submit to Security Response the files that make up this "Security Tool."  Security Response can then study them and build definitions that protect against them.

    Here's an article about Misleading Applications / Rogue Security Software / FakeAV.  The best practices and links within are very highly recommended:  Does Symantec Endpoint Protection protect me from fake anti-virus programs?

    The information in the Symantec Report on Rogue Security Software (http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=istr_rogue_security) is particularly interesting.... these fakeav vendors have a serious financial motive for making these programs as annoying as possible.

    Thanks and best regards,

    Mick


  • 4.  RE: Security tool spyware

    Posted Mar 25, 2010 09:55 AM
    There is an excellent write-up that ShadowPapa did that shows how to setup an application/device control policy that can help with these threats:
    https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers

    We have all dealt with these threats at some point. Just this week, we had a user get infected with XP Defender (Vundo - Trojan.FakeAV) by clicking on a link in an e-mail. There are a few other things you can do to help...

    1. Block websites such as facebook, myspace, youtube, etc...
    2. Make sure you are using the NTP component of the SEP client; the antivirus defs are not enough.
    3. Set the heuristic scanning level to max - Policies>Antivirus and Antispyware>Edit>File System Auto-Protect>Advanced Scanning and Monitoring>Bloodhound Detection Settings.
    4. Setup a batch to download and parse the rapid release defs posted by Symantec. Search the forum. There are scripts out there.
    5. Follow the link above to create an application control policy to block these pesky BHOs.
    6. You can also create custom IPS (NTP) signatures to help.

    Mike



  • 5.  RE: Security tool spyware
    Best Answer

    Posted Apr 19, 2010 02:31 PM
    In my opinion, antivirus companies do have trouble publishing hundreds of signatures for rogue software. Since there is much prospect for financial gain, hackers do test their fake software against popular security software to ensure it is not detected in the first instance.
    This scareware mutates frequently to evade detection.
    No security software is 100% effective. Prevention is better than cure. User education about sensible internet browsing should form part of your company security policy.
    It's wise to have a backup security solution with no real-time protection (to avoid conflict with SEP) to clean up missed samples of malware on computers. But here also, there is the possibility of having false positives. Striking the right balance is the job of your IT officer. Your security is as strong as the weakest link in your organisation, namely employees who invite malicious code into your network by visiting questionable sites or executing untrusted code.
    IF YOU ARE GENUINELY HIT BY SECURITY TOOL:
    Kill processes:
    4946550101.exe
    Delete registry values:
    HKEY_CURRENT_USER\Software\Security Tool
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "4946550101"
    Delete files:
    4946550101.bat
    4946550101.cfg
    4946550101.exe
    Security Tool.lnk
    Security Tool.lnk
    Delete directories:
    %UserProfile%\Application Data\4946550101
    AS A RULE, IF YOU CATCH A ROGUE SOFTWARE IN A LIMITED ACCOUNT, THE ROGUE WILL INSTALL IN THE %UserProfile%\Application Data\ FOLDER. IN CASE OF INFECTION, JUST DELETE SUSPICIOUS FILES IN THE SAID FOLDER IN SAFE MODE.
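The cleanup steps in the answer above (kill the process, remove the registry entries, delete the files and directory) can be turned into a read-only audit that a help-desk technician runs on a suspect machine before touching anything. The script below is an added example, not part of this thread or any Symantec tool. The indicator values (the `4946550101` tag, the registry key and Run value, the file names and the Application Data folder) are taken verbatim from the answer; the function name, the `$Tag` parameter, and the assumption that the `Security Tool.lnk` shortcuts live on the Desktop and in the Start Menu Programs folder are this example's own. `$env:APPDATA` is used because on the Windows XP systems the thread concerns it resolves to `%UserProfile%\Application Data`.

```powershell
# Added example: read-only audit for the "Security Tool" indicators listed in the post.
# It reports what it finds and deletes nothing; removal stays a separate, deliberate step.

function Get-SecurityToolIndicators {
    [CmdletBinding()]
    param(
        # Numeric tag the post reports for this sample. Kept as a parameter (assumption)
        # so the same audit can be re-run against a variant that uses a different tag.
        [string]$Tag = '4946550101'
    )

    $findings = @()

    # 1. Running process (post: "Kill processes: 4946550101.exe")
    $proc = Get-Process -Name $Tag -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += [pscustomobject]@{ Type = 'Process'; Item = "$Tag.exe"; Detail = "PID " + ($proc.Id -join ',') }
    }

    # 2. Registry (post: HKCU\Software\Security Tool and the HKLM Run value "4946550101")
    $userKey = 'HKCU:\Software\Security Tool'
    if (Test-Path $userKey) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = $userKey; Detail = 'key present' }
    }
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$Tag
    if ($runValue) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$runKey\$Tag"; Detail = $runValue }
    }

    # 3. Per-user Application Data directory and the files the post lists inside it
    $dir = Join-Path $env:APPDATA $Tag
    if (Test-Path $dir) {
        $findings += [pscustomobject]@{ Type = 'Directory'; Item = $dir; Detail = 'present' }
        foreach ($name in "$Tag.bat", "$Tag.cfg", "$Tag.exe") {
            $file = Join-Path $dir $name
            if (Test-Path $file) {
                $size = (Get-Item $file).Length
                $findings += [pscustomobject]@{ Type = 'File'; Item = $file; Detail = "$size bytes" }
            }
        }
    }

    # 4. "Security Tool.lnk" shortcuts. The post lists the name twice without locations;
    #    Desktop and Start Menu Programs are this example's assumption.
    $shortcutFolders = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('Programs')
    )
    foreach ($folder in $shortcutFolders) {
        $lnk = Join-Path $folder 'Security Tool.lnk'
        if (Test-Path $lnk) {
            $findings += [pscustomobject]@{ Type = 'Shortcut'; Item = $lnk; Detail = 'present' }
        }
    }

    return $findings
}

# Run the audit in the context of the user who reported the infection, since the
# registry key and the Application Data folder are per-user.
$hits = @(Get-SecurityToolIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No Security Tool indicators found for the current user.'
} else {
    Write-Output "$($hits.Count) Security Tool indicator(s) found:"
    $hits | Format-Table -AutoSize
}
```

Because the HKCU key and the Application Data folder are per-user, the audit has to run as (or with the loaded profile of) the account that was infected; run under an administrator account it will miss them, while the HKLM Run value is visible from any account. Once the hits are confirmed, the removal can follow the post's order, in Safe Mode as it recommends: stop the process first, then the Run value (so it does not restart), then the files and directory.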