Endpoint Protection

  • 1.  SEPP 11 is not detecting Fake.Alert virus

    Posted Aug 13, 2010 11:47 AM

    Users in my company have been getting hit by Fake.AV for a year. We run Win XP SP3 with SEPP ver. 11 and Webroot AntiSpyware ver. 3.5.1 installed on each desktop. Sometimes I do get a message from either AV that Fake.AV was detected on a machine, but a few times those viruses went completely undetected and did the damage. The virus defs. on those machines are up-to-date.
    Why is Symantec not able to detect those Fake.AV? In all cases when the virus did infect a machine I used Malwarebytes to remove the threat. Why is this free program able to do the job when Symantec can't? I attached a screenshot of a scan that I ran just yesterday on one of the users' machines that got infected. It had a familiar Fake.AV popup message "You need to purchase this AV to remove the virus", several registry keys were modified and the proxy settings in IE were changed. I booted into Safe Mode with Networking, installed Malwarebytes, updated definitions, ran the scan, deleted the infected files, and the machine has been working fine so far.

    Symantec, I need your help to block those Fake.AV!

    Thank you,

    Paul Leskov,

    Network Administrator


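    As an added example, not part of this thread or of any Symantec product: a PowerShell check an administrator can run on an affected workstation to surface the kind of changed IE proxy settings described in the post above. It assumes PowerShell is installed on the XP machine and that the expected proxy value (empty here) is adjusted to your environment.

```powershell
# Added example: report anomalies in the current user's IE / WinINET proxy settings.
# Reads the per-user key that Internet Explorer stores its connection settings in.
function Get-IEProxyFindings {
    param(
        # Assumption: the environment uses no proxy. Set this to your sanctioned
        # proxy (e.g. 'proxy.example.local:8080') if one is deployed by policy.
        [string]$ExpectedProxyServer = ''
    )
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = @()

    # Proxy switched on and pointing somewhere other than the sanctioned server
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer -ne $ExpectedProxyServer) {
        $findings += "Proxy enabled with unexpected server: '$($p.ProxyServer)'"
    }
    # An automatic configuration script nobody deployed is another way to redirect traffic
    if ($p.AutoConfigURL) {
        $findings += "Automatic configuration script set: '$($p.AutoConfigURL)'"
    }
    # A proxy on the local machine that you did not configure deserves a closer look
    if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += "Proxy points at loopback: '$($p.ProxyServer)'"
    }
    return $findings
}

$result = Get-IEProxyFindings
if ($result.Count -eq 0) {
    'No proxy anomalies found.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

    Run it under the affected user's account, since the settings live under HKCU and differ per profile.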


  • 2.  RE: SEPP 11 is not detecting Fake.Alert virus

    Posted Aug 13, 2010 11:58 AM

    Title: 'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'
    Document ID: 2000100610314948
    > Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000100610314948?Open&seg=ent


    Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
    Document ID: 2010020116202748
    > Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2010020116202748?Open&seg=ent

    This may be handy

    https://www-secure.symantec.com/connect/articles/how-block-known-virus-executeables-using-application-and-device-control-running-userprofile


  • 3.  RE: SEPP 11 is not detecting Fake.Alert virus

    Posted Aug 13, 2010 12:18 PM
    Prachand,

    Thanks for the links.


    Paul.


  • 4.  RE: SEPP 11 is not detecting Fake.Alert virus

    Posted Aug 13, 2010 05:07 PM
    Is Network Threat Protection enabled and installed?
    If not, it will not detect those things. Without NTP installed, you basically have SAV 9/10 installed, a 4yr+ old technology!

    You should also put Bloodhound set to maximum too.

    Search "SEP secret sauce" on Google for a list of strongly recommended settings for SEP.


  • 5.  RE: SEPP 11 is not detecting Fake.Alert virus

    Posted Aug 13, 2010 05:47 PM

    I just posted a bunch of links in another thread with a similar title.  Please see my post here:
    https://www-secure.symantec.com/connect/forums/endpoint-consistently-allows-fake-av-malware

    sandra


  • 6.  RE: SEPP 11 is not detecting Fake.Alert virus

    Posted Aug 16, 2010 04:54 AM

    FakeAV / misleading app / smitfraud / scareware / rogueware is an area that Symantec is very actively investigating. In October 2009, a white paper was made public on the topic.

    The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs and how they affect users. The report includes an overview of these programs, how they work, their risk implications, various distribution methods and innovative attack vectors.

    To learn more, please download and read the report or listen to the podcasts on the subject. http://www.symantec.com/business/theme.jsp?themeid=threatreport, click on White Papers.

    You may also wish to add your vote to these related "Connect Forum Ideas" (Enhancement Requests):

    https://www-secure.symantec.com/connect/idea/detect-prevent-remove-rogue-security-software
    https://www-secure.symantec.com/connect/idea/fake-avs-maybe-way-combat-them

    Thanks and best regards,

    Mick