SEP cannot remove Antivirus Pro 2010

Created: 26 Sep 2009 • Updated: 29 Aug 2010 | 13 comments

Definition: Antivirus Pro 2010 is a fake security software which uses fraudulent strategies by displaying false or exaggerated security issues on your computer rather than any legitimate ones to coerce you into purchasing their software.

One of my machines running Symantec Endpoint Protection ver 11.0.4000.2295, with up-to-date definitions, was infected with this Antivirus Pro 2010. The machine started to freeze, reboot, etc. OS is Windows 2000 SP4, fully patched.

I ran a quick scan and then a full scan; SEP still was not even able to find it and said the machine was clean.

I ran the free version of Malwarebytes, which removed it. The machine is clean once again.

Question: Why was SEP unsuccessful while a free program could do the job?

SEP knows about this threat; the details are listed on the Symantec web site at:

http://securityresponse.symantec.com/security_resp...

Curious and disappointed.

JAY


dimitri limanovski

Join the club, Jay. SEP can't detect or remove a LOT of things other freeware programs have no problems with. We're test-driving Hitman Pro as an additional stand-alone on-demand scanner to pick up things SEP's on-access scanner misses.
Sorry, don't have a better answer. Submit a sample, maybe?

Anshuman

Hi,

Try GMER tool.

GMER is an application that detects and removes rootkits.

It scans for:

  • hidden processes
  • hidden threads
  • hidden modules
  • hidden services
  • hidden files
  • hidden Alternate Data Streams
  • hidden registry keys
  • drivers hooking SSDT
  • drivers hooking IDT
  • drivers hooking IRP calls
  • inline hooks

Mick2009

Hi Megahertz,

These fake AV / smitfraud / misleading applications are currently a major source of income for organized criminals.  They have a strong financial motive for spreading these applications as far as they can, making them seem as convincing as possible, and making them difficult to remove.

Symantec adds many new detections every single day.  Check out how many new "Misleading Application" detection signatures were added over the course of yesterday, for illustration: http://www.symantec.com/business/security_response/definitions/rapidrelease/detail.jsp?relid=2009-09-26

These new signatures are very often created in response to submissions of new suspicious files.  If there is an infection that SAV or SEP is not able to detect, please do contact Technical Support.  They will be able to help identify the file which is avoiding detection and will give guidance on how to get it to Security Response.

Here are a couple of good blogs on the subject of Misleading Applications:

https://www-secure.symantec.com/connect/blogs/misleading-applications-faking-left-running-right
https://www-secure.symantec.com/connect/blogs/misleading-applications-how-they-fool-endusers 

Here are a couple of YouTube clips with some info:

http://www.youtube.com/watch?v=pBH5YJngYB0
http://www.youtube.com/watch?v=Upciy-g_n28 

Please do submit the files from any new fake AVs that you encounter so that Security Response can add protection.

Thanks and best regards,

Mick

Peter_007

Hi megahertz,

Antivirus Pro 2010 is a fake application. Firstly, you should not use them.
Symantec will not detect them initially, but after you submit a sample it will detect them.

Thanks

snekul

There's another current thread on this topic.  See my comment on the other thread regarding this malware.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

Jason1222

For so long, I have been reading these forums, which to the best of my knowledge are for corporate users in small, medium, large and enterprise environments.  I say this because I have seen threads where people are being told to post in "home user sections of the boards".  Also, as far as I know, it is for troubleshooting issues related to SEP and SEPM.

Furthermore, these "threats" such as Fake AV and so on, have to be installed in order for the system to be infected.  Installed as part of a package from a website or some package that an "end user" wants to have or thinks he or she may need.

Short of certain "mobile users", I don't understand how corporate administrators today, be it a lone IT guy or an entire department, still allow end-users, corporate end-users at that, to have free access on the internet, to download and/or upload all that they will and please.   More so than that, allowing those same end-users to have the 'rights' granted them to install these applications, bundles, packages at their own will...

Granted, some legitimate websites today do get 'hacked' 'cracked' or become victims of fly-by malware and continue to spread that infection along, but nearly all corporate AV/AS software should catch it.  

That a user can go home and download an application, burn it to a CD, e-mail it to himself/herself or even put it on a USB key to then bring it into the corporate environment and infect his/her own machine, spreading the malware/spyware/virus further into the corporate chain and causing more damage than good, is completely baffling to me.  The time spent cleaning the machines and removing widespread or fast-moving viruses, which were brought there by a user, should not be.  Worse than that, the administrators that allowed the threat to be brought in are even more appalling.

Disappointed.  People constantly say that SEP couldn't detect this or that; well, really I am disappointed in the quantity of administrators that allow this to happen.  End-users don't get the impact of what they do, because to them, a home PC is not usually a big deal to format and re-install.  Pictures saved on an external drive and the applications "they can always download again".  The time and the cost of rebuilding a machine from scratch, dumping an image, recovering sensitive materials...  All that time, resource and budget being wasted, which could have served so many better causes.

I am not saying any and all systems are impervious, and the latest Blaster worm or Code Red or Vundo or whatever is lurking around the corner and some of us will eventually get hit.  But why expose yourself to all the harm out there?

Disappointed?  Yes!  But not in Symantec or Kaspersky or McAfee or CA or any other vendor.  The disappointment comes from how many people allow their companies to get infected, time and time again.  AV is not your only line of defense.

That's my 2 cents.  Sorry about the rant...

snekul

I wonder that too, but a good number of businesses out there have administrators that demand they have admin rights (and that some users do as well) because that's how things used to work under 95, 98, etc.  Depending on the place of business, the IT guys may not be in a position to challenge that assertion.  I've heard this one in the past "I make all the decisions in this office, you implement them."

You also have the odd-ball situations like our university, where you have all sorts of departments where the rules change from users having their own desktop, admin rights, and being in charge of maintenance on their box, to heavily locked-down workstations where the users can hardly do anything.

Derrick Farley

As others have said, submissions are really the best way to help improve our detections. One of the main problems with FakeAV software is that the end user willingly allows the install to go through. We, unfortunately, can't protect against bad clicks. Generally I recommend sending out periodic emails notifying your end users to contact their help desk when they are confronted with notifications of potential AV failure. 

Also, it would be a good idea to update the version of SEP in use in your environment. That is a rather old build.   


knightstorm

I just had to use Malwarebytes Anti-Malware software to clean one of our machines and submitted the Malwarebytes quarantine directory to Symantec. SEP11 detects the EXE file on a full scan, but did not block the program itself.  Antivirus 2010 seems to re-create the executable on logon, and only the executable was detected by SEP11 RU5 as of the 2009-09-29 rev 37 definitions.  I hope Symantec can use the quarantined files for analysis; I had no other way of identifying the source for the re-created exe file.

snekul

There is probably a rootkit or other background process that SEP is not yet able to detect that reinstalls the malware.  The good news: if a user gets this on their machine now, you're at least going to know about it.  The bad: you still can't clean it up.

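The two comments above describe the practical problem: the scanner catches the executable, but something that runs at logon keeps writing it back, and the poster had no way to find where that logon hook lived. A first check a defender can run on such a machine is to enumerate the logon-persistence registry values (the Run keys) and flag any whose program lives in a user-writable location such as a profile directory or a Temp folder, which is where a self-reinstalling fake AV usually keeps its binary. The script below is an added example, not code from this thread or from Symantec or GMER; it parses the text form of `reg query` output, and the sample output, value names and paths embedded in it are constructed for illustration, not indicators taken from the thread.

```python
"""Flag logon-persistence (Run key) entries whose program lives in a
user-writable location. Added example; parses constructed `reg query`
style text so it runs offline."""
import re
from typing import Dict, List

# Constructed sample resembling `reg query <key>` output for the per-user and
# per-machine Run keys. Value names and paths are invented for illustration.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe
    update_svc    REG_SZ    "C:\Documents and Settings\jay\Local Settings\Application Data\update_svc\update_svc.exe" /hide

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    vptray    REG_SZ    C:\Program Files\Symantec AntiVirus\VPTray.exe
    sysupd    REG_SZ    C:\WINNT\Temp\sysupd.exe
"""

# One value line: leading spaces, name, type, data, separated by 2+ spaces.
VALUE_LINE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")

# Path fragments (lower-cased) that mark locations an ordinary user can write
# to; legitimate machine-wide autostarts normally live under system or
# Program Files directories instead.
USER_WRITABLE_MARKERS = (
    r"\documents and settings\\",
    r"\users\\",
    r"\application data\\",
    r"\appdata\\",
    r"\temp\\",
)


def executable_path(data: str) -> str:
    """Extract the program path from a Run value's data, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Turn reg query output into a list of {key, name, path} records."""
    entries: List[Dict[str, str]] = []
    current_key = ""
    for line in text.splitlines():
        if line.startswith("HKEY"):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m:
            name, _type, data = m.groups()
            entries.append({"key": current_key, "name": name,
                            "path": executable_path(data)})
    return entries


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return entries whose program sits in a user-writable location."""
    flagged = []
    for e in entries:
        # Normalise to backslashes and lower case so the marker test is simple.
        p = e["path"].replace("/", "\\").lower()
        hit = next((mk.rstrip("\\") for mk in USER_WRITABLE_MARKERS
                    if mk.rstrip("\\") in p), None)
        if hit:
            flagged.append({**e, "reason": "program under " + hit})
    return flagged


if __name__ == "__main__":
    for f in flag_suspicious(parse_run_entries(SAMPLE_REG_OUTPUT)):
        print(f"{f['key']}\n  {f['name']} -> {f['path']} ({f['reason']})")
```

On a live machine the same parser can be fed the real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent; a flagged entry is a lead to investigate (and to submit, as the other replies recommend), not proof of infection, since some legitimate per-user updaters also start from the profile directory.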
dmount

Not a technical guy, so please excuse any misuse of terms.  Had Antivirus Pro popping up all over the place.  Got into this thread to see what I could find.  Tried to google the "malwarebytes" suggestion, but Antivirus Pro wouldn't even let the page load.  Kept popping up with the virus warning.  Then I searched the GMER rootkit suggestion.  Downloaded that, ran it.  It wouldn't run if I left-clicked on it, but did run when I right-clicked and chose "Run as".  This worked!  No more problems with AV Pro.  Malwarebytes may work if you can get it; GMER certainly did. Free download.  Eric Lukens, if you read this, are you a former Penn Stater?   Dan

Ajit Jha

What I would suggest is that if you feel there is some malicious activity on your machine, you just collect the log and the sample file and submit it to the Security Response team.

There are millions of suspicious activities found every day, and they need time to analyse them and bring out the definitions.

Regards

Ajit Jha

Technical Consultant

ASC & STS

Sharpear

I am curious how, reading through this post, it states that these are all installed manually.  Every rogue AV program that I have seen pop into our network is new, and usually not even listed as a threat yet.  I just had this Antivirus Pro 2010 pop onto a PC of an employee who goes to Drudge. He does not install anything and questions anything that is not normal to his job, even errored program messages and strange email subjects.  This had to have been installed through a website, in an ActiveX or some other background process.  Looking at how old this forum is, why is it still not detected by Symantec?  If freeware companies are able to pick this up, why can't Symantec quit slacking and fix their software to make it worth buying?

I think Symantec should have some type of protection to keep other programs from taking over AV actions.  When I try to remove Symantec AV I have to use a password to uninstall it.  I think they should further this idea to have it require a password to install files, to keep these rogue programs off the PCs.  This would limit users, even with admin rights, from installing applications that are not wanted within the network by the IT department.

This is not something a normal user would recognize (due to not looking at the AV program name), but when you go to a website and it pops up saying your computer is infected, "click this" to repair, I think Symantec should be able to kick in and deny the action even if it was intentionally run.  It might just be the version 10.1.6.6000, but Symantec even told me to stick with this version because it was better.  I find the new Norton home edition has some of the features I want for corporate, but have yet to see this work into more than a home user setting.

I personally use Malwarebytes and SUPERAntiSpyware for my virus removal. It just sucks that I pay for Symantec, and yet it has done nothing to protect our network before it's infected; then I have to run freeware apps to remove the threat.  I have no issues with viruses, just the rogue AV programs.

My only option left is to set a ghost image so every computer within the network loads back to the default when a user logs out and back in.