Endpoint Protection

  • 1.  SEP - Mac Malware

    Posted Jun 02, 2016 09:42 AM

    Hi Group!

    We wanted to run this by any of you to see if maybe something else needs to be configured/tweaked with our Mac community using SEP 12.1.6 (12.1 RU6 MP2). Some are running Yosemite (10.10.5) and some are running El Capitan (10.11.4). We found 3 instances of malware on several machines which SEP, for whatever reason, did not pick up. The three were:

    SMOKYASHAN

    JAVEVIEW

    DOWNLITE

    all residing in the user's local Library/Application Support folder. Every time these users would restart their machines, a pop-up would appear to either install something or an option to abort it. Screenshot attached. We were able to manually tackle and remove it, THANK GOODNESS! But why SEP did not pick up these instances is a bit concerning to us. Any thoughts?




  • 2.  RE: SEP - Mac Malware
    Best Answer

    Posted Jun 02, 2016 10:48 AM

    SEP didn't pick it up because it either didn't have a detection signature or the defs were out of date. You can submit the samples to Symantec here:

    https://www.symantec.com/security_response/submitsamples.jsp

    I would also suggest submitting to VirusTotal to see what it shows:

    https://www.virustotal.com



  • 3.  RE: SEP - Mac Malware
    Best Answer

    Trusted Advisor
    Posted Jun 05, 2016 01:53 AM

    Hello,

    Undetected files should be submitted to Symantec Security Response for examination, after the computer upon which they are found has been isolated.

    Submit the suspicious file to the Symantec Security Response Team at

    https://submit.symantec.com/websubmit/essential.cgi

    We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

    I would suggest you work through the steps provided in the article:

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/docs/TECH98929

    Later, in case suspicious activity is still happening, follow the steps provided in the article below:

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    Here's some advice from Security Response on how to make the best use of SEP. Auto-Protect with traditional AV definitions alone is not enough for a complete defence against today's sophisticated threats: using IPS, Insight etc. is crucial. And, of course, educated users following best security practice... that's the best protection.

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Hope that helps!!
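    The advice above boils down to: isolate the machine, find the files that keep coming back, and submit them with their hashes. As an added example that is not part of this thread or any Symantec tool, the script below walks a LaunchAgents folder, resolves the program each job launches, and reports a SHA-256 for any program that lives under an Application Support folder, which is where the original poster found the files. It assumes the restart pop-ups come from user-level launch agents (an assumption; the thread does not say how the items persisted), and the `demo()` tree is constructed sample data, not a real infection.

```python
import hashlib
import os
import plistlib
import tempfile

def sha256_of(path):
    # Hex digest to quote when submitting the sample to Symantec or VirusTotal.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def program_from_plist(plist_path):
    # launchd runs either "Program" or the first entry of ProgramArguments.
    with open(plist_path, "rb") as f:
        job = plistlib.load(f)
    args = job.get("ProgramArguments") or []
    return job.get("Program") or (args[0] if args else None)

def find_app_support_jobs(agents_dir, app_support_dir):
    """(plist name, resolved program, sha256) for every launch agent in
    agents_dir whose program lives under app_support_dir."""
    base = os.path.realpath(app_support_dir) + os.sep
    hits = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        program = program_from_plist(os.path.join(agents_dir, name))
        real = os.path.realpath(program) if program else ""
        if real.startswith(base) and os.path.isfile(real):
            hits.append((name, real, sha256_of(real)))
    return hits

def demo():
    # Constructed sample tree (not a real infection): one agent launching a
    # script from Application Support, one launching a system binary.
    root = tempfile.mkdtemp()
    agents = os.path.join(root, "LaunchAgents")
    support = os.path.join(root, "Application Support")
    os.makedirs(agents)
    os.makedirs(os.path.join(support, "Updater"))
    payload = os.path.join(support, "Updater", "updater")
    with open(payload, "wb") as f:
        f.write(b"#!/bin/sh\necho constructed sample\n")
    jobs = {"com.example.updater.plist": {"Label": "com.example.updater", "ProgramArguments": [payload]},
            "com.example.benign.plist": {"Label": "com.example.benign", "Program": "/usr/bin/true"}}
    for name, job in jobs.items():
        with open(os.path.join(agents, name), "wb") as f:
            plistlib.dump(job, f)
    return find_app_support_jobs(agents, support)
```

    On a real Mac you would call `find_app_support_jobs` on `~/Library/LaunchAgents` and `~/Library/Application Support` after isolating the machine, and paste the reported hashes into the submission form.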



  • 4.  RE: SEP - Mac Malware

    Posted Jun 07, 2016 11:29 AM

    Okay great! Thanks for this. Looks like the virus definitions/signatures are definitely up-to-date. When I checked each workstation yesterday they all had an activity date of 6/6, which we guess means SEP is working as expected.