Endpoint Protection

  • 1.  SEP-12 to work with Widestep's Elite Keylogger

    Posted Feb 18, 2013 08:19 PM

    Hi team, we have had Symantec Endpoint Protection 12 set up in our organization since the start of this year (2013). We are also using Widestep's Elite Keylogger 4.93, which has been running successfully for the last 18 months in our organization (we are not able to update Elite Keylogger because our license is perpetual and not flexible enough to cover their 5th version). As my team must mandatorily set up the Symantec client on each and every Windows machine due to our security policy, and in turn we also have to monitor what activities users do in their work hours, we do this with the help of Elite Keylogger by key-logging and taking screenshots automatically from time to time, which worked best in our scenario (1000+ systems) until the Symantec deployment came on the scene. What is happening is that Symantec is removing all the associated programs, background services and files which Elite Keylogger is using; it is not even allowing the keylogger to get installed, and is not allowing the keylogger to work, which stops us from taking out user logs. I tried every configuration/exception from the server and client side but still no success. I am studying Elite Keylogger's behavior patterns so that I can except it from Symantec. I did deep googling but still no result. Do you have experience with this kind of scenario? How can we add an exception for Widestep's Elite Keylogger into Endpoint Manager, or how can we approach both vendors with technical details? We need Symantec (SEP12) and Elite Keylogger to work together on our systems. Your help would be greatly appreciated.

    Note:- I cannot disclose the company's information right now as per security policy, and I am individually troubleshooting/implementing it.


    You can contact me further for more information.

    thanks.



  • 2.  RE: SEP-12 to work with Widestep's Elite Keylogger

    Posted Feb 18, 2013 08:23 PM

    If you have already tried adding exceptions, you may need to contact support to work more closely with them. Normally, you can work with Symantec to have it added to a whitelist but I'm not sure it would work in this case since it is considered a keylogger.

    Have you tried adding as an exception from the SEPM after it has been detected?

    Also, what is detecting it, antivirus component or proactive threat protection component?

    What's more interesting is their website claims it is 100% undetectable...



  • 3.  RE: SEP-12 to work with Widestep's Elite Keylogger

    Posted Feb 19, 2013 11:59 AM

    Hi Brian,

    Thanks for the reply. My team was aware that Widestep's Elite Keylogger is one of the mainstream keyloggers, so we made only minor settings in SEPM, but SEP is also not allowing it to install, and it detects the keylogger as "Bloodhound.Sonar.9" during its installation. We also excepted - as a security exception - "Spyware.Elite.Keylogger" from the SEPM console to allow the keylogger to operate, but SEP is still deleting all the keylogger's associated files. Yes, Widestep does claim it is 100% undetectable, but only if we use their latest compiled version of the setup, which is also 100% working with SEP; we can't use that version in our organization due to licence restrictions. What we need from Symantec is to have a customized signature/rule file made for us as a patch specific only to Widestep's Elite Keylogger, so that we can import that signature file into our exception list to have the keylogger operate. In short:- whatever rules Symantec is using against Widestep's Elite Keylogger to delete it, we want a customized signature file to except it. Is that possible?


    thanks,



  • 4.  RE: SEP-12 to work with Widestep's Elite Keylogger

    Posted Feb 19, 2013 12:06 PM

    You can start here:

    https://submit.symantec.com/whitelist/isv/

    But you may need to work with Symantec on how to set this



  • 5.  RE: SEP-12 to work with Widestep's Elite Keylogger

    Trusted Advisor
    Posted Feb 20, 2013 03:54 AM

    Hello,

    Bloodhound.Sonar.9 is a heuristic detection for processes based on certain attributes. 

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-122605-0918-99

    Files that are detected as Bloodhound.Sonar.9 may be malicious. We suggest that you submit any such files to Symantec Security Response. For instructions on how to do this using Scan and Deliver, read Submit Virus Samples.

    Before you contact Symantec Technical Support, I would recommend that you submit the files to the Symantec Security Response Team.

    You would have to submit the files to the Symantec Response Team on the following sites:

    https://submit.symantec.com/false_positive/

    https://submit.symantec.com/websubmit/essential.cgi

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.

    Secondly, check these Articles:

    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

    http://www.symantec.com/docs/TECH98360

    Restoring a false positive file detection from the Symantec Endpoint Protection quarantine

    http://www.symantec.com/docs/TECH150607

    About managing false positives detected by TruScan proactive threat scans

    http://www.symantec.com/docs/HOWTO27058

    Secondly, check these Threads:

    https://www-secure.symantec.com/connect/forums/bloodhoundsonar9

    https://www-secure.symantec.com/connect/forums/false-positive-2

    Hope that helps!!