Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

SEP missed again - need to know how to lock-down....

Created: 13 Apr 2009 • Updated: 21 May 2010 | 1 comment

I'm speaking here as a CUSTOMER - nothing else! -------->
SEP missed a big one again. This is happening every week now, sometimes more than once a week. I don't have to tell you how over-worked we ALREADY are, then to have to deal with this.........
Anyway, since SEP is missing some stuff, I need to know - what can I do, if anything using the OTHER parts of SEP, to lock things down so that these crazy phony AV apps can't install. My thinking is that if a user has no rights to their computer, they can't even install a printer or update a printer driver, HOW are these getting in? Some run as "Browser helpers" and are installed as such. Others seem to be DLLs and such. With no right, how do they install?
So can I put up some sort of "don't allow program install" rules, or some other part of SEP rule to prevent these from getting in since the AV part of SEP lets them in contstantly?
Management is really not happy campers at all - so many infections - they keep asking what's wrong - "don't we have protection agains this" and "what are we paying for".

So there must be some rule I can put in place that prevents these phoney AV apps from getting installed?

NExt - this last one was really annoying - and SEP let it in, let it install, THEN after the horses had all gotten out of the barn, like an afterthought, started alerting "oh, by the way, this computer is now infected" and this was over a weekend - it kept alerting every hour, exactly every 60 minutes.
Why? What was going on every 60 minutes?
Further, it saw the SAME file as two different things! One it quarantined and sent an alert for, the other it only logged and said "access denied", but it was the SAME file name, an HTML file in the cache?

I'll be spending my morning on damage control - two different types if you catch my drift............ something I don't really have time for.
1. How did it get in, why did SEP miss?
2. Why did SEP keep alerting exactly every 60 minutes?
3. Why did it see the same file in two different parts of the cache as two different things? And alert on one, only log on the other?

Further - if another employee tells me just one more time I don't need details on how these get in, how they are triggered, your SUPERVISOR WILL be notified - even a regional manager if I must.
We already got TWO Cisco employees sent back to remedial customer support classes and pulled off their support duties with bad marks in their records for telling us "you dont really need that" and implying we dind't know what we were doing. This is a government agency........ with advanced IT staff.

When I say I need to know technical details on these bugs - HOW they get in, HOW they install, file names, locations, etc. - don't DARE ever challange me on that again and suggest "you don't really need to know that" - that burns me. I'm the customer, and the customer is always right, and in this case, I know I'm right with 22 years experience in the A-V field - mostly with Symantec products in corporate envirnoments.
We are stressed enough here, bugs keep getting in, and I face enough stress and issues because of all the misses here and you tell me I don't need the info.
And if I can't get such information from you, I WILL get it from someone!
On this one, I need to know - stress the word NEED - how this one works - how it got in, how to prevent it, since SEP sure won't, and how it works - in bloody technical gory details - it may have been "detected" but that was *AFTER* an infection caused panic among senior management here - it was a MANAGER's computer (note it found an HTML file, but each time IE was opened, it started with pop-ups all over the place warning of infections and the red circle with an X in the tray, lower right - so there HAD to be more files than just an HTML file):

[CLOSING]: Symantec Security Response Automation: Tracking #10559975

Dear Bill Dickerson,

 

We have analyzed your submission.  The following is a report of our findings for each file you have submitted:

 

filename:  C:\VIRUS\142[1].htm

machine: Machine

result: This file is detected as Trojan.Malscript!html. 

 

Customer notes:

popups loaded from web page constant alerts. SEP alerted every hour exactly every 60 minutes and finally stopped. SEP let the computer get infected then alerted that the infection was there.

 

 

Developer notes:

 C:\VIRUS\142[1].htm is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest available definitions.

 

 

 

The current definitions are capable of detecting this virus.  Please update your definitions by clicking the "LiveUpdate" button in your NAV program.

 

Should you have any questions about your submission, please contact your regional technical support from the Symantec website and give them the tracking number in the subject of this message.

Comments 1 CommentJump to latest comment

Hear4U's picture

Hi Shadowspapa,


Threat expert can provide a quick analysis of a suspected file, giving a wealth of information that can be used to lock-down a network (IP addresses, URLs, registry changes, etc.)

 

To quote the Symantec KB “5 Steps of virus troubleshooting” :

 

Preliminary automated analysis can be performed for some types of threats through http://www.threatexpert.com  This step can quickly alert you to sites the threat is coded to contact so they can be blocked at the firewall.  Symantec Support does not provide troubleshooting for http://www.threatexpert.com and this step does not replace the need to submit files to Symantec Security Response.

I'll "double-back" with you on this in a couple days.  Let me know what transpires in the interim.

Best,

Eric

check out the community at www.infoblox.com/community