
SEP 11 missed AntiVirus Live

Created: 21 Dec 2009 • Updated: 06 Sep 2010 | 57 comments

Hi guys,

We had an infection recently where one of our users managed to get AntiVirus Live.

http://ca.answers.yahoo.com/question/index?qid=20091209153654AAQCqLG

SEP 11 didn't report an infection and was disabled when we went to check. But it sure does find VNC clients quickly!

It seems odd to me, I'm sure this particular piece of fake AV software has been around for a while. Anyone have this detected successfully? Anyone have SEP remove it successfully?

Thanks!

57 Comments

Rafeeq's picture

Not sure; I'm not infected with that so far. It seems like our Symantec does not have the infection in the list. It would be good if you could upload these files to the SRT team, so that we can make our Symantec a lot better. Thank you for your time and for helping to make this product better.

https://www-secure.symantec.com/connect/forums/how-submit-virus-samples 

tcraighenry's picture

Rafeeq,

We don't have the virus samples. The machine was re-imaged as soon as we discovered the infection.

It does appear this piece of Malware has been out at least since November.

Does SEP not protect against Malware/Spyware?

Rafeeq's picture

Earlier versions were just antivirus, but SEP is antivirus and antispyware. If it's been out for a long time, Symantec should detect it. As far as I know Symantec has global sensors all over the world with a lot more advanced detection technology. Not sure why it missed this one; seems to be an irritating virus. If you get the virus at any time, please submit it. Thanks again for helping Symantec.

isnms's picture

I just had one get infected with Antivirus Live too. We have SEP 11.0.4202.75
It seems Gamevance was also installed yesterday, seemingly with no knowledge of the user.

I don't have the virus files because I was just trying to get the system usable.
I started Safe Mode and used System Restore to go back to the 21st.
Got back in to Add/Remove Programs to remove Gamevance.
Now doing a full system scan.

Eilis's picture

What do I do?!

Seriously. How do I get rid of this.

ccrockett's picture

Hello

I had 2 infections this morning. Removed them in 2 hours by following the instructions from bleepingcomputer.com
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-live

You will have to download the rkill application. I had to run it several times before it disabled the virus. Make sure to keep running it until it closes the virus.
Make sure to delete the reg keys at the end of the doc. Go to a known good computer and compare and delete. Make sure to back up the registry before you remove anything.

RicknDallas's picture

I got Antivirus Live on 12/24.  I got rid of it by doing a recovery to a prior backup.  I then called Symantec. They had no comments on whether they were aware of it or developing a method to detect and stop it.  This concerns me, that I could not get a good crisp answer to my problem.

dday515's picture

I've got two users who've gotten infected with this this week - I'll try and upload the virus.

barton's picture

I picked up this nasty this morning.  NAV Corporate Edition 10 doesn't find it.

Grmtc's picture

I had 2 users who got this infection.  Symantec Endpoint Protection did not detect this infection.  I was able to remove it in Safe Mode by killing some processes and running Malwarebytes. Malwarebytes also removed other versions (Personal Antivirus, Antivirus 2009, etc.) in the past that Symantec did not detect/did not remove successfully.  Overall, this seems to be one of the few viruses/malware that we see pop up that Symantec doesn't take care of.

dday515's picture

I was able to upload the files in question - and was given Tracking #14335555

dday515's picture

And I did notice that Endpoint Protection did catch this now:


Dear Daniel Day,

We have analyzed your submission.  The following is a report of our findings for each file you have submitted:

filename:  lhdrio.zip

machine: Machine

result: See the developer notes

filename: ovovsysguard.exe

machine: Machine

result: This file is detected as Trojan.FakeAV. 

Customer notes:

This is the Antivirus Live virus. Have two machines that have been infected with this, both running Endpoint with latest definitions.

Developer notes:

lhdrio.zip is a container file of type ZIP

ovovsysguard.exe is a non-repairable threat.  This file is contained by lhdrio.zip

Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.

Downloading and Installing RapidRelease Definition Instructions:

1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as:  http://securityresponse.symantec.com/

2. Click this link to the ftp site: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsx86.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.

3. When a download dialog box appears, save the file to the Windows desktop.

4. Double-click the downloaded file and follow the prompts.

Virus definition detail:

Sequence Number : 104785 (or higher)

Defs Version:           111229r

Extended Version: 12/29/2009 rev.18

Should you have any questions about your submission, please contact your regional technical support from the Symantec website and give them the tracking number in the subject of this message.

Bijay.Swain's picture

These two months (Dec and Jan) are very crucial for AV products as many new viruses will be launched. I am already infected now and SEP failed to protect me.
 

Chimpo's picture

I felt the need to register just to log my experiences...

Having just bought Norton, I was surprised to find out that after this virus infected my computer I had two options (upon calling them):

1- sort it out myself (no advice given)
2- pay them another £70 to sort it out for me

Thankfully I found ccrockett's post here with this: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-live

This worked a treat, but a bit of a joke that I had to install other software when I've paid for Norton.

norton = useless!

Ken_D's picture

I used the following instructions listed by tcraighenry.

Antivirus Live Removal Step By Step:

1. Kill processes: (random)sysguard.exe

2. Delete registry keys: (always backup first)
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\I… Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\W… Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\W… Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\W… "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\W… "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\W… "(random)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\… "(random)"

3. Delete files:
%UserProfile%\Local Settings\Application Data\(random)\(random)sysguard.exe

4. Delete folders:
%UserProfile%\Local Settings\Application Data\(random)\

Once I finished the above steps, I used Spybot to scan again.  I was able to completely remove the Antivirus Live trojan.
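
The four manual steps above, as an added example that is not code from the thread: a PowerShell 2.0-compatible triage script (the hosts in this thread are XP era) that looks for each artifact Ken_D lists, plus the CheckExeSignatures value MrMax asks about further down, and only deletes anything when run with -Remove. Assumptions of mine, not stated by Ken_D: the dropper lives at <Local Application Data>\<random>\<random>sysguard.exe, and the truncated key paths in his post are the standard Internet Explorer\Download, Internet Settings, Policies\Associations and Policies\Attachments keys. Run it as an administrator, from Safe Mode if the live system will not let it start, and back up the registry first (reg.exe export), as Ken_D says.

```powershell
# Added example (not from the thread): scripted version of Ken_D's removal steps.
# Report-only unless -Remove is given. PowerShell 2.0 compatible.
# Assumed locations (mine): see the lead-in above.
param([switch]$Remove)

function New-Artifact($Type, $Item, $Detail) {
    New-Object PSObject -Property @{ Type = $Type; Item = $Item; Detail = $Detail }
}

function Find-AvLiveArtifacts {
    # Step 1: the running (random)sysguard.exe process
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match '^[a-z]{4}sysguard$' } |
        ForEach-Object { New-Artifact 'Process' $_.Id $_.Path }

    # Steps 3 and 4: the file and the random folder that contains it
    # (GetFolderPath works on XP, where $env:LOCALAPPDATA does not exist)
    $lad = [Environment]::GetFolderPath('LocalApplicationData')
    Get-ChildItem -LiteralPath $lad -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = $_.FullName
            Get-ChildItem -LiteralPath $dir -Filter '*sysguard.exe' -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object { New-Artifact 'File' $_.FullName $dir }
        }

    # Step 2: the named registry values. Ken_D's ProxyOverride = "" is not
    # distinctive enough to act on automatically and is left for eyes-on review.
    $ie  = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
    $net = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'   # assumed expansion
    $checks = @(
        @{ Key = $ie;                 Name = 'RunInvalidSignatures'; Bad = '1' },
        @{ Key = $ie;                 Name = 'CheckExeSignatures';   Bad = 'no' },
        @{ Key = $net;                Name = 'ProxyServer';          Bad = 'http=127.0.0.1:5555' },
        @{ Key = "$pol\Associations"; Name = 'LowRiskFileTypes';     Bad = '.exe' },
        @{ Key = "$pol\Attachments";  Name = 'SaveZoneInformation';  Bad = '1' }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $val = (Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $val -and "$val" -eq $c.Bad) {
            New-Artifact 'RegValue' "$($c.Key)\$($c.Name)" "$val"
        }
    }
    if (Test-Path -LiteralPath 'HKCU:\Software\AvScan') {
        New-Artifact 'RegKey' 'HKCU:\Software\AvScan' 'whole key'
    }

    # The "(random)" Run values: match on what they launch, not on the name
    foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $run)) { continue }
        foreach ($prop in (Get-ItemProperty -LiteralPath $run).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not Run entries
            if ("$($prop.Value)" -match 'sysguard\.exe') {
                New-Artifact 'RegValue' "$run\$($prop.Name)" "$($prop.Value)"
            }
        }
    }
}

function Remove-AvLiveArtifacts([object[]]$Artifacts) {
    # Kill the process first; otherwise the file delete fails and the Run
    # value comes straight back.
    foreach ($a in $Artifacts) {
        if ($a.Type -eq 'Process') { Stop-Process -Id $a.Item -Force -ErrorAction SilentlyContinue }
    }
    foreach ($a in $Artifacts) {
        switch ($a.Type) {
            'RegValue' { Remove-ItemProperty -LiteralPath (Split-Path $a.Item -Parent) -Name (Split-Path $a.Item -Leaf) -ErrorAction SilentlyContinue }
            'RegKey'   { Remove-Item -LiteralPath $a.Item -Recurse -Force -ErrorAction SilentlyContinue }
            'File'     { Remove-Item -LiteralPath $a.Detail -Recurse -Force -ErrorAction SilentlyContinue }  # whole random folder (step 4)
        }
    }
}

$artifacts = @(Find-AvLiveArtifacts)
if ($artifacts.Count -eq 0) { 'No Antivirus Live artifacts found.' }
else { $artifacts | Select-Object Type, Item, Detail | Format-Table -AutoSize }
if ($Remove -and $artifacts.Count -gt 0) { Remove-AvLiveArtifacts $artifacts }
```

Matching the Run entries on the sysguard.exe path they launch, rather than on their random names, is what lets the script find the "(random)" values without knowing them in advance. Run it once without -Remove, read the table, then run it again with -Remove; follow up with a full scan as Ken_D did.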

MrMax's picture

Ken_D, I see that I still have these entries that need to be deleted after removing the file. I would like to know if you also found the entry below and if it should be deleted as well or if it should be left to remain as it is. Thank you.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"

IT Support 10's picture
Thank you Ken_D for providing the removal steps, but I think the topic and purpose of this thread is to understand why Symantec (any version) isn't preventing or detecting this threat. We use SEP 11.0.5002.333 and spend several thousand $$ a year to do so - and for it not to detect this prevalent threat, is unacceptable (to say the very least).
 
How can FREE solutions such as Malwarebytes and MS Security Essentials provide protection, but Symantec cannot??
 
I have just used the following article to clean our THIRD Symantec-protected computer (now how many $$ is that lost to Symantec’s negligence?)…
 
MrMax's picture

IT Support 10, I see that I still have the entries that Ken_D posted and your link mentions and that they need to be deleted after removing the file. I would like to know if you also found the entry below and if it should be deleted as well or if it should be left to remain as it is. Thank you.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"

Clarus_IT's picture

To follow up with what IT Support 10 says, it's hard to understand why a free solution is faster than Symantec at this.

This thread is 4 weeks old!

dimitri limanovski's picture

Hitman Pro will detect and remove it. I use it as a daily on-demand scanner to take care of items that SEP missed.
http://www.surfright.nl/en/hitmanpro 

P.S. It uses 7 different A/V engines and takes about three minutes to scan my machine. EWS scans take a tiny bit longer.

IT_Support_Tech's picture

Just wanted to add that I've been hit by ****sysguard.exe FakeAV junk also.  Very annoying that SEP11 (with up-to-date definitions) doesn't catch it.  It doesn't even catch it when you manually scan the randomly-named folder under Documents and Settings\Local Settings\Application Data.

As others have mentioned, we pay thousand$ for this product.  I expect the threat to be neutralized after more than a month of free circulation.

Firegirl's picture

I'm frankly sick of reloading machines because Endpoint Protection isn't detecting this threat.

When is this going to be fixed???

MikeM1's picture

We just reimaged our 400+ computers and upgraded to SEP 11.0.4202.75, finishing up last week.
I got the first infection yesterday and thought it was due to one of our inexperienced users, and just imaged him again. Now today one of our most savvy users brought me his with this "Antivirus Live" BS on it.
I'm very disappointed to see this thread, and its age without any solutions/fixes.

mynameisbear's picture

 So far we've had two clients infected with this, one at the end of November and another now.  I'd like some explanation from Symantec regarding why the product does not detect this threat after it has spent 2+ months in wide circulation.

mynameisbear's picture

I was considering the possible use of an exclusion list to at least prevent (randomcharacters)sysguard.exe from running, but it doesn't seem I can configure such a policy.

Is there a workaround Symantec might suggest until the standard defs include this "Antivirus Live" malware?

tcraighenry's picture

Hi guys,

Just thought I'd add a comment to this. SEP still isn't detecting this Malware almost a month later. Here's how I've been fixing it:

Note, this is just for AV Live. It only (?) hooks in to explorer.exe, adds a browser redirect and a few registry entries.  Go into Safe Mode and run Malwarebytes Anti-Malware program. Blessedly Safe Mode does not add the AV Live explorer extension and it makes it possible to clean.

The Vundo Trojan/Exploit is only half cleaned by SEP. It doesn't get to it before Vundo disables the running AV/anti-malware processes. This is an automatic rebuild. Or a good few hours of booting off another harddrive and manually removing registry entries and files.

mwolfe's picture

Add me to the list..

I have been using tasklist and pskill to remotely view the running processes and kill them, then using MalwareBytes to clean it up.

tcraighenry's picture

@mynameisbear I'm wondering the same thing. I expected it to be added to the detection/clean up routines by now. Especially since my first post was a month ago about something that had been out for at least a month before that. But looking at the McAfee forums, seems this is running rampant through their AV product as well.

@MikeM1
The latest incarnation is really tricky. It takes the user through about 4 ARE YOU SURE pop up windows. Where cancel isn't cancel and Ok isn't ok and sometimes ok is cancel and the X to click out of the box installs it anyway. I had to actually end the iexplore.exe process to get out of it the last time I was called to check it out. So there's no "JUST SAY NO" advice to give to them.

Tonez's picture

One of my clients has been attacked by this (Antivirus Live). We run SEP 11 and absolutely no detection from Symantec. I have cleaned this one with Malwarebytes once again. Not to mention the AV360, Antivirus 2009, Antivirus XP, that Symantec couldn't remove. When are you guys gonna figure it out!?! Really stinks trying to explain to my clients why we recommend a product that doesn't work ><. How much for the add-on that's going to keep my networks safe from this stuff?

Sorry I'm frustrated, just please add the definitions.

postechgeek's picture

I thought dday515 said that there were rapid release definitions that detected this virus, is this not the case?

Mike

getnrdone's picture

This has been a problem for a while now.  Like Tonez said above, it's not just Antivirus Live but to me it seems like everything.  I have lost count of the amount of hours I have spent cleaning these machines of this junk that Symantec does not see as a threat.  It is absolutely ridiculous that Symantec can't see this stuff and stop it when just about every free version of software out there can.  If this was just one here and there I would let it slide, but it's not just one.

To symantec if you listen:
Fix this now or we will not be renewing our contract again!  I don't pay good money for a product to not work, especially when your competitors products do work and most of them are cheaper.  Get it together!

postechgeek's picture

Just a question, what components are you guys running?
Are Antivirus, PTP and NTP active? I am wondering if the PTP or IPS components would catch this. We had a user get infected with Antivirus 2009 and when I checked SEP it was disabled. Very strange, as I have set via policy to not allow SEP to be disabled.

Mike

getnrdone's picture

We use all the components except the firewall.  SEP gets disabled by this virus.  It is downloaded by the user (who is not allowed to turn SEP off by policy); when it runs it disables SEP somehow, along with just about every other program.

Vance Shearer's picture

Last straw. Bye Symantec. Our enterprise will NOT be paying the 15K renewal next month.

dimitri limanovski's picture

FWIW, SEP still doesn't detect it. We had a few slip in, and SEP didn't so much as peep. Hitman Pro took care of both in Safe Mode like a champ, but MBAM left a few infections behind, so if you're using MBAM alone, follow up with Hitman Pro for complete cleanup.

getnrdone's picture

Yet another infection of this again today and not a peep from Symantec with the latest defs.  I don't know who is the dumber one: the user for clicking on this crap in the first place or me for continuing to use Symantec!

Frosty's picture

One of my user PCs got hit with this a couple of days ago.  Unfortunately it is in a remote location and I have not been able to physically access it yet (remote access being disabled seems to be one of the results of the infection).  We have determined that the virus was received via email, so it got through:
 
-- Symantec Information Foundation Mail Security for Exchange;
-- Microsoft Exchange Anti-Spam; and
-- Symantec Endpoint Protection v11.0.5000

The email in question was one of those "DHL" spams, where the user is told about a parcel unable to be delivered.  As it happens, our user was expecting a delivery of goods, so opened the email and click-click-click ... bingo.

The PC should be on my desk some time early next week, so I will be able to investigate further.  If it's possible, I will try to submit the virus to Symantec for analysis; however, I am not really sure how to go about that (never have had to do this before).  Can someone give me an overview of the process?

.Brian's picture

@Frosty

Not sure if this works for you but here is what I do to get samples.....

In most cases, the infected machine will not allow any programs to run locally on it. Assuming it will, download Malwarebytes, go into SafeMode, run a scan and when it finishes, view the results. From there, it will show you what files, reg keys, etc are infected. You can usually make a copy of the infected file, zip it, and send it to Symantec for further analysis.

If I cannot get any programs to run, I use Dameware NT Utilities to remotely connect and view the processes running on the machine. From there I weed out any "suspicious" looking process and kill them. Once killed, I get Malwarebytes to run a scan, view the results when finished and send samples. This is what I do for machines sitting at remote sites and no tech there.  I hate putting an infected machine on the network but the users hate sending them in because it takes 2 days to get it back and in most cases they can't work without a machine.

Otherwise, start in Safe Mode for machines that are in your possession. There are also a host of malware tools you can use to find malware. Try Process Monitor from Sysinternals; it's Task Manager on steroids and a great, great tool.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Frosty's picture

Appreciate this info Brian!  I had a rather vague set of ideas, that involved Safe Mode and a few other tools (e.g. I'm familiar with the SysInternals stuff), but your post gives me a really good overview of how to approach it.  I will post again once I (eventually) get the machine and am able to examine it more closely.

.Brian's picture

Any time. Luckily my company has Dameware NTU. A lot of people complain / don't like it but I find it very helpful.

Even if you don't have DNTU or a similar tool, remote registry and access to the C share can be your friend as well.

You can PM me any time if you have questions, thoughts, comments, etc. I'm always looking for new insights when fighting the never ending battle with malware.


SoN_Forum_acct's picture

 You can add us to the list, completely update SEP defs and Antivirus Live is NOT detected.  What a POS software company.  A joke.

edandrew's picture

We just got hit a few times by this today. The behavior is exactly the same but redirects to www.newsoftspot.com to purchase Antivirus Soft not antivirus live. However the same [random]sysguard.exe files were found under local settings application data. 

In each case SEP11's Tamper Protection tried to block the file but failed and ended up being blocked.

MrMax's picture

Just wanted to add that gxpisysguard.exe is the file I encountered yesterday. I thought I'd add it to the list in case others attempt a search for it rather than [random]sysguard.exe. It redirects to several sites including:

porno (.org)
porno (.com)
adult (.com)
newsoftspot (.com)

It opens the fake security scan that can only be closed by clicking on it, places fake security icons across the taskbar, opens fake security balloons/speech bubbles in the lower right corner of the screen above the taskbar stating that your antivirus software reports it is out of date, opens a very real looking (but fake) Microsoft Security Center window that shows you have no antivirus software enabled, disables the ability to open Task Manager to terminate it, disables the ability to open System Restore, opens Internet Explorer 8 and visits the above listed sites. Working around it to locate the problem is difficult.

SecurityResponse at Symantec sent me a Tracking # after I submitted the file so that I can contact them. It seems everything is left up to the user of their products to contact them a second time regarding the matter rather than them making contact with a user after the user has made initial contact with them. It seems the user has to visit the website and track down their regional technical support and make contact again. The experience is less than satisfying and leaves the user with no sense of security over whether their system and information is safe. After 10 hours spent identifying, locating and submitting the file, I still have no clear idea of what steps to take next to see if my system has been altered by this file and I have to make contact again and put forth more effort.

.Brian's picture

I saw it as jlhssysguard.exe on 2 machines I had last week.

Basically, the naming convention of the exe is [4 RANDOM CHARACTERS]sysguard.exe

If you have remote access to the registry / processes running, it's easy to fix but not so much locally.


.Brian's picture

@MrMax

I have the Malwarebytes log from dealing with this. i can send to you if you like, just PM me an email address. In the 5-6 machines, I've seen this on, the logs were about as identical as could be. Hopefully, it can help you.


MrMax's picture

Thank you for your offer, Brian81. May I ask if the file is the same as the ones posted above by Ken_D and IT Support 10? If they are it may save you some trouble. Also, if it is the same, I found another entry and am wondering if it needs to be deleted as well. I appreciate your help.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"

Thank you.

Alamey's picture

This piece of malware also infects a computer on my campus at least once a week.

The damage seems to be localized to the roaming profile. I just delete the roaming profile, clean the local copy, and the software disappears.

I am also very frustrated with this and others that seem to slip right past the very expensive Endpoint Protection. Most seem to only affect the profile, but it is still very annoying.

David-Z's picture

One thing some of you may consider implementing to assist with the blocking of this is an Application Control policy. I've helped out a few other customers implement something similar and it's fairly easy to keep up with and add to if needed.

Here are some quick steps to implement this as part of your Application Control Policy. (Note: If you have never used Application Control before then it will require one reboot for it to become enabled after the policy has been deployed. As always please ensure that you test anything before you implement it as Application Control is quite powerful.)

1. Edit your Application and Device Control Policy
2. Select Application Control
3. Click Add..
4. Change the Rule set name to something of your preference.
5. Select Rule 1 under Rules.
6. Next to "Apply this rule to the following processes:" select the Add... button.
7. Under "Process name to match" type *
8. Click OK.
9. Next to "Do not apply this rule to the following processes:" select the Add... button.
10. Type Rtvscan.exe
11. Click OK.
12. Under Rules in the left pane select the Add... button
13. In the drop-down menu select Add Condition->File and Folder Access Attempts
14. Select "File and Folder Access Attempts" in the left pane.
15. In the right pane next to "Apply this rule to the follow files and folders:" select the Add... button.
16. Type: %appdata%\*\*sysguard.exe
17. Click OK.
18. Add any other paths or files that you would like blocked. (ex. %programfiles%\InternetSecurity* or %systemroot%\system32\winhelper86.dll)
19. Next select the Actions tab.
20. Under Read Attempt set the action to "Block Access".
21. Under Create, Delete, or Write Attempt set the action to "Block Access"
22. Set any other logging or notification options as you please.
23. Click OK.
24. Ensure that the new "Rule Set" you created is checked as "Enabled".
25. Ensure that the Test/Production field is set to "Production" (If you are interested in implementing it now, but you should still test anything you have done before you deploy it site-wide.)
26. Click OK.
27. Verify that the Application and Device Control Policy has been applied to the groups you want it to be applied to.

I have had a lot of success using policies such as this in the past and it is fairly easy to update or add to at any point in time going forward.

Anyway, hope that helps! Feel free to PM me or reply if you have any questions about any of this or simply open up a case with support and someone will be glad to assist you.

Good luck!

David Z.

Senior Principal Technical Support Engineer, Symantec Corporation

Enterprise Security, Mobility and Management

.Brian's picture

Here was my log:

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

04/01/2010 14:02:18
mbam-log-2010-01-04 (14-02-18).txt

Scan type: Quick Scan
Objects scanned: 128468
Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\GUARRAM\Local Settings\Application Data\ogwxbr\dmqjsysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uplmyxrt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\disableconfig (Windows.Tool.Disabled) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\GUARRAM\Local Settings\Application Data\ogwxbr\dmqjsysguard.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\GUARRAM\Local Settings\Temp\pdfupd.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\GUARRAM\Local Settings\Temporary Internet Files\Content.IE5\P9AEOC4Q\instRLS[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.

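
The log above, as an added example that is not code from the thread: a parser for the Malwarebytes log layout .Brian posted, followed by the staging step he describes earlier (copy the infected file, zip it, send it to Symantec) done from the parsed output instead of by hand. The log text embedded below is a constructed excerpt in the same layout, using paths from his post, so the script runs as-is; on a real machine point it at the mbam-log-*.txt. Registry entries are listed for the submission notes but not copied; only items that are still on disk are. PowerShell 2.0-compatible (my assumption about the hosts involved; Compress-Archive does not exist there, so the zip step stays manual).

```powershell
# Added example (not from the thread): parse an MBAM log and stage the on-disk
# samples it names for submission. PowerShell 2.0 compatible.

function ConvertFrom-MbamLog([string[]]$Lines) {
    $section = $null
    # Section headers have nothing after the colon; the summary lines up top
    # ("Files Infected: 3") do not match and are ignored.
    $header = '^(Memory Processes|Memory Modules|Registry Keys|Registry Values|Registry Data Items|Folders|Files) Infected:$'
    # Item lines: <path> (<detection>) [-> Bad: (x) Good: (y)] -> <action>
    $item = '^(?<path>.+?) \((?<det>[^)]+)\)(?: -> Bad: \((?<bad>[^)]*)\) Good: \((?<good>[^)]*)\))? -> (?<action>.+)$'
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match $header) { $section = $Matches[1]; continue }
        if ($null -eq $section -or $line -eq '' -or $line -eq '(No malicious items detected)') { continue }
        if ($line -match $item) {
            New-Object PSObject -Property @{
                Section   = $section
                Path      = $Matches['path']
                Detection = $Matches['det']
                Action    = $Matches['action']
                BadValue  = $Matches['bad']    # only present for Registry Data Items
            }
        }
    }
}

function Copy-MbamSamples($Findings, $Staging) {
    # "Delete on reboot" files are still present until the next boot, which is
    # exactly the window in which to grab them; quarantined ones are already
    # gone from their original path. -LiteralPath matters: a name like
    # instRLS[1].exe contains PowerShell wildcard characters.
    if (-not (Test-Path -LiteralPath $Staging)) { New-Item -ItemType Directory -Path $Staging | Out-Null }
    $copied = @()
    $paths = $Findings | Where-Object { $_.Section -eq 'Files' -or $_.Section -eq 'Memory Processes' } |
             ForEach-Object { $_.Path } | Select-Object -Unique
    foreach ($p in @($paths)) {
        if ($p -and (Test-Path -LiteralPath $p)) {
            Copy-Item -LiteralPath $p -Destination $Staging -Force
            $copied += $p
        }
    }
    # Zip $Staging with any archiver before submitting (Compress-Archive is PowerShell 5+).
    return $copied
}

# Constructed sample in the layout of .Brian's log (paths taken from his post)
$SampleLog = @'
Malwarebytes' Anti-Malware 1.43
Database version: 3458

Memory Processes Infected:
C:\Documents and Settings\GUARRAM\Local Settings\Application Data\ogwxbr\dmqjsysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\GUARRAM\Local Settings\Application Data\ogwxbr\dmqjsysguard.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\GUARRAM\Local Settings\Temporary Internet Files\Content.IE5\P9AEOC4Q\instRLS[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
'@

$findings = @(ConvertFrom-MbamLog ($SampleLog -split "`r?`n"))
# For a real log:  $findings = @(ConvertFrom-MbamLog (Get-Content -LiteralPath 'C:\path\to\mbam-log.txt'))

$findings | Group-Object Section | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }
$findings | Where-Object { $_.Section -eq 'Registry Data Items' } |
    ForEach-Object { 'Security setting tampered: {0} was {1}' -f $_.Path, $_.BadValue }
$copied = Copy-MbamSamples -Findings $findings -Staging (Join-Path $env:TEMP 'av-samples')
'Staged {0} sample file(s) for submission.' -f @($copied).Count
```

On the constructed sample nothing is staged, because none of those paths exist on the machine running it; on the infected host the dmqjsysguard.exe marked "Delete on reboot" is the file worth grabbing before you restart, and the Security Center entries are what to put in the customer notes of the submission.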

MSal's picture

We applied the recommended fix by David-Z above to all of our workstations and now many of our users are experiencing problems accessing all of our applications.  I believe this is due to the wildcard for this application control to apply to all applications.  When the user tries to connect to an application it times out and they are never able to use the program. We had to disable this application control as it has crippled our organization.  As we use a multitude of applications it is not feasible to list them in this application control policy. 

Is there some other way to make this policy effective without crippling our applications? 

Maybe have it apply to gxpisysguard.exe or *sysguard.exe? 

Any thoughts/successes with this application control?

Vikram Kumar-SAV to SEP's picture

Always test application control policy on your test env. before putting it to production.
You can fine tune your policy by giving exception of your applications.

File names can differ. It's not mandatory that it will always be these files, and these are not the only files.
 

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Lyle Scully's picture

I have been using Symantec AV for quite a while now, pre-SEP (9 & 10) and now SEP 11. I have been nailed with these FakeAV things in all versions. Symantec has never been able to detect them, and I doubt at this stage of the game they will ever detect them. Right now we are on the current rev and up-to-date definitions, and in the last 2 weeks have removed this from 7 different machines. This is unacceptable, but pretty much par for the course with Symantec AV solutions (don't even get me started on the bloated abomination that Norton has become).

The fact that Symantec says we have to use an Application Control Policy is ridiculous. Why can other products in the same class and dedicated malware scanners detect this yet Symantec for over a year now still falls flat? It really makes us wonder what else it is missing that might actually be active on our machines.

They need to go back to the drawing board and create a program for the Enterprise that actually works. SEPM is a joke and the client itself has become something that we don't have much faith in. When you have to add a second product (in our case it will probably be MalwareBytes) just to make sure you are taken care of, it is time to look hard at your current solution.

sbertram's picture

Hi, have seen that one before; never had luck having any antivirus remove it.  I just wiped and reloaded.
Good luck.

Vikram Kumar-SAV to SEP's picture

If you find any Enterprise product that detects each and every fake antivirus, do let me know. In SEP at least you have an option to block it in the first place without any defs.


Lyle Scully's picture

Not saying that any of them detect all of them. My point was that Symantec doesn't seem to detect ANY of them. We got hit with Antivirus 2010, Antivirus Live, and Antivirus XP. You would think at least one of them would be detected. Antivirus XP has been out for quite a while now.

We have had the application control policy in place and in testing for about 2 weeks now. So far it hasn't impacted the IT group at all (but then we don't tend to get virus infestations on our machines). We will put it in place for everyone else if it looks good. It just feels like a kludge to get past a scanning engine that isn't working the way it should.

Just my opinion.

kristopherjturner's picture

First, I agree with Vikram's comment: if you find another Enterprise product that will block anything and everything, then please let us know.  This is almost impossible to do.  Yes, I have seen Malwarebytes and other products catch things Symantec hasn't, but I have also seen Symantec catch a lot more things without having an updated definition than any other product we have tested and I have used.  I don't think there is an AV company out there that has a turnaround time like Symantec does for updated definitions.  I know Trend, Microsoft, McAfee can't beat them when it comes to getting definitions out.

Trust me, I am not always happy with SEP's performance.  These last 2 weeks we have been cleaning up after a couple of nasty Qbot and Qakbot outbreaks within our district.  I am not overstating, but we had about 6,000 XP clients, a few Vista clients, and about 95 Windows 2003 servers hit hard.  It wasn't until a few days later that our 2008 and Win 7 systems started showing possible infections, but they never did.  I can't blame Symantec for the outbreak; we have to blame ourselves for lack of user training, lack of security, and lack of updates on our XP boxes.  Yes, I can go and complain that our DMC didn't deploy SEP11 correctly to all 8000 systems.  However, most of our XP systems were a year behind in critical updates, we had users with full admin rights to the local boxes, and file and print sharing wide open on every XP system, we didn't have any type of Web Gateway device, and other issues that all led up to this outbreak.

My point: nothing you buy or even get for free is going to be 100%.  However, if SEP is set up correctly and you are using all three technologies, I can bet you will stop more attacks and risks than any other enterprise solution out there.

Just my thoughts.

Thanks,

Kris

.Brian's picture

I also get the impression that many people try to run SEP as-is, right out of the box. As with any product, this will not suffice. SEP has many great features and does need to be tested and tweaked before being deployed.
