Video Screencast Help

sep can't remove koobface virus

Created: 11 Jan 2011 | 4 comments

a user of mine running sep 12 client

 got infected over facebook with koobface virus

sep client was unable to remove the virus, it's just blocked suspecious incoming and outgoing traffic

but after running several scans

update the client

the computer was still  infected

 

facebook blocked the user account for spamming and virus spearding and offered mcafee tool to clean it.

wich worked and removed a file from win folder that sep didn't found

later i installed male ware anti bytes and it found 7 "trojans"

 

lately sep protection seems a bit off ...

it's not the first time i tackle with files that sep can't remove and i have to use diffrent tools to clean the computer

i can't even send the files for observatrion cause it's not being quartined

 

what's up with sep latly ?

Comments 4 CommentsJump to latest comment

Thomas K's picture

Make sure you are running SEP with the recommended security settings.

Make sure your system OS is patched and running the latest software updates.

Security Response recommends the following Scan Settings

 

Antivirus Security Setting Default Setting High Security Policy Security Response Recommendation
Lock settings Some Some All
Remediation: terminate processes No No Yes
Remediation: terminate services No No Yes
Auto-Protect action taken for security risks Quarantine/Log Quarantine/Log Quarantine/Delete
Network Auto-Protect Disabled Enabled Enabled
Bloodhound Level Default (2) Default (2) Default (3)
SEP Startup System Start System Start System Start
Auto-Protect Scan Modify and access Modify and access Modify and access

Security Response recommends the following setting changes to Truscan for best protection

 

Truscan Default Setting Security Response Recommendation
Scan Sensitivity 9/Low 100
Action on Detection Log Terminate
Scan Frequency 1:00 00:15

http://www.symantec.com/business/support/index?pag...

Follow the best practices for stopping malware and other threats -

http://www.symantec.com/business/theme.jsp?themeid...

Use a tool like the Norton Safe Web lite to help alert you of unsafe websites when searching the net.

https://safeweb.norton.com/lite

 

W32.Koobface - Removal - http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3

I hope this infromation is helpful.

 

Best,

Thomas

sandra.g's picture

Unfortunately I don't think Truscan sensitivity can be adjusted in SEP 12 Small Business.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

doom's picture

thanx

i will try that settings

 

but it still doesn't change the fact the sep couldn't recognize the virus at all...

Thomas K's picture

SEP uses signature based detection. I suspect this is a new variant, and until Security Response gets a sample to create new definitions, then it will go undetected.

 

If you have a sample, please submit to Security response or Threat Expert for analysis ASAP.

http://www.symantec.com/business/security_response...

http://www.threatexpert.com/submit.aspx