
SEPP 11 is not detecting Fake.Alert virus

Created: 13 Aug 2010 | 5 comments

Users in my company have been getting hit by Fake.AV for a year. We run Win XP SP3 with SEPP ver. 11 and Webroot AntiSpyware ver. 3.5.1 installed on each desktop. Sometimes I do get a message from either AV that Fake.AV was detected on a machine, but a few times those viruses went completely undetected and did the damage. The virus defs. on those machines are up-to-date.
Why is Symantec not able to detect those Fake.AV? In all cases when the virus did infect a machine I used Malwarebytes to remove the threat. Why is this free program able to do the job when Symantec can't? I attached a screenshot of a scan that I ran just yesterday on one of the user's machines that got infected. It had a familiar Fake.AV popup message "You need to purchase this AV to remove the virus", several registry keys were modified and the proxy settings in IE were changed. I booted into Safe Mode with Networking, installed Malwarebytes, updated definitions, ran the scan, deleted the infected files, and the machine has been working fine so far.

Symantec, I need your help to block those Fake.AV!

Thank you,

Paul Leskov,

Network Administrator
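The post above lists the symptoms the poster saw on an infected machine: modified registry keys and changed IE proxy settings. As an added example (not part of the thread or of any Symantec tool), the following script parses a `reg export` of the Internet Explorer "Internet Settings" key and flags the proxy changes a rogue AV typically leaves behind, so an administrator can triage a suspect XP machine from a registry export without trusting the resident AV. The sample export, the `EXPECTED_PROXIES` allow-list and the `.reg` file format handling are assumptions made for the example.

```python
# Added example, not from the thread: flag rogue-AV style proxy changes in an
# exported copy of HKCU\...\Internet Settings. The export text below is constructed.
import re

# Constructed sample, shaped like the output of:
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" out.reg
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"
"AutoConfigURL"="http://example.invalid/proxy.pac"
"""

# Proxies that are legitimate on this network (assumed; edit for your site).
EXPECTED_PROXIES = {"proxy.corp.example:8080"}

_KEY_HEADER = re.compile(r"^\[(?P<key>.+)\]$")
_STRING_VAL = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
_DWORD_VAL = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the string and dword values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_HEADER.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        if current is None:
            continue
        m = _DWORD_VAL.match(line)
        if m:
            keys[current][m.group("name")] = int(m.group("value"), 16)
            continue
        m = _STRING_VAL.match(line)
        if m:
            # .reg files double backslashes inside string values; undo that.
            keys[current][m.group("name")] = m.group("value").replace("\\\\", "\\")
    return keys


def find_proxy_indicators(keys, expected_proxies=EXPECTED_PROXIES):
    """Return human-readable findings for proxy settings that do not match policy."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith("\\internet settings"):
            continue
        enabled = values.get("ProxyEnable", 0) == 1
        server = values.get("ProxyServer", "")
        if enabled and server:
            # ProxyServer is either "host:port" or "http=host:port;https=host:port"
            hosts = [part.split("=", 1)[-1].strip() for part in server.split(";")]
            for host in hosts:
                if host not in expected_proxies:
                    findings.append(f"{path}: unexpected ProxyServer entry {host!r}")
                if host.startswith(("127.", "localhost")):
                    findings.append(
                        f"{path}: proxy points at the local host ({host}); "
                        "a local listener intercepting browser traffic is a common rogue-AV sign"
                    )
        if "AutoConfigURL" in values:
            # A PAC URL nobody in the company configured deserves a look.
            findings.append(f"{path}: AutoConfigURL set to {values['AutoConfigURL']!r}")
    return findings


if __name__ == "__main__":
    for finding in find_proxy_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Run it against a real export by reading the file instead of `SAMPLE_REG_EXPORT`; an empty result means the key matches the site's expected proxy configuration, while any finding is a prompt to compare the key against a known-good machine before re-imaging or cleaning.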

Comments

P_K_

Title: 'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'
Document ID: 2000100610314948
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000100610314948?Open&seg=ent

Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
Document ID: 2010020116202748
Web URL: http://service1.symantec.com/support/ent-security....

This may be handy

https://www-secure.symantec.com/connect/articles/h...

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

teiva-boy

Is Network Threat Protection enabled and installed? If not, it will not detect those things. Without NTP installed, you basically have SAV 9/10 installed, a 4yr+ old technology!

You should also set Bloodhound to maximum.

Search "SEP secret sauce" on Google for a list of strongly recommended settings for SEP.

There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."

sandra.g

I just posted a bunch of links in another thread with a similar title.  Please see my post here:
https://www-secure.symantec.com/connect/forums/end...

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps

Mick2009

FakeAV / misleading app / smitfraud / scareware / rogueware is an area that Symantec is very actively investigating. In October 2009, a white paper was made public on the topic.

The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs and how they affect users. The report includes an overview of these programs, how they work, their risk implications, various distribution methods and innovative attack vectors.

To learn more, please download and read the report or listen to the podcasts on the subject. http://www.symantec.com/business/theme.jsp?themeid=threatreport, click on White Papers.

You may also wish to add your vote to these related "Connect Forum Ideas" (Enhancement Requests):

https://www-secure.symantec.com/connect/idea/detect-prevent-remove-rogue-security-software
https://www-secure.symantec.com/connect/idea/fake-avs-maybe-way-combat-them

Thanks and best regards,

Mick