Endpoint Protection


Smart Fortress 2012 fake antivirus is not detected?

  • 1.  Smart Fortress 2012 fake antivirus is not detected?

    Posted May 11, 2012 07:35 AM

    This is probably not identified as a virus, but as SEP has an antispyware/adware module I thought it should block such scam/rogue apps. Especially when this application blocks the SEP GUI (in the systray) and other programs.



  • 2.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Broadcom Employee
    Posted May 11, 2012 07:37 AM

    Hi,

    Please go through the following article

    How to troubleshoot FakeAV if it is not detected

    https://www-secure.symantec.com/connect/articles/how-troubleshoot-fake-av-if-it-not-detected



  • 3.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Posted May 11, 2012 07:40 AM

    Many thanks for the thread, Wroot - please see if you can use the SEP Support Tool's Load Point Analysis to identify any suspicious files that are associated with this new FakeAV, and submit them to Symantec Security Response for analysis.



  • 4.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Broadcom Employee
    Posted May 11, 2012 07:43 AM

    Agree with Mick2009!

    Submit the suspicious file to the Symantec Security Response team! Also open a support ticket to get help on finding the progress of the submission.



  • 5.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Trusted Advisor
    Posted May 11, 2012 07:48 AM

    Hello,

    Here is the article which Mick is talking about:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps you submit the files to the Security Response Team!



  • 6.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Posted May 11, 2012 08:26 AM

    Weird thing is that I can just uninstall it under Programs and Features (Windows 7 Pro) and after a restart it is gone. I can't find any registry or startup entry or files left. The only suspicious thing I have found is in C:\ProgramData\B7E858A7000D2663000B8EFCB4EB238B\ and inside is the file with the same name, but not an executable. I have uploaded it to the Security Response team. Probably will have to wait for another infection to submit executables. Infection probably occurred while browsing some sites with IE8.



  • 7.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Posted May 14, 2012 10:33 AM

    @wroot,

     

    Do you have the submission number? I would like to see if Symantec has any data about this potential threat. An MD5 checksum would also be nice to have.
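
One way to locate the kind of leftover described in post 6 and produce the checksums asked for in post 7, as an added example that is not part of the original thread or of any Symantec tool. The matching rule (a folder named with exactly 32 hex characters that holds a file of the same name) is generalized from the single path quoted in the post and is an assumption, as are the function names `file_hashes`, `find_leftovers` and `demo`; SHA-256 is reported alongside the MD5 the thread mentions.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")  # folder name shape seen in the post above

def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def find_leftovers(root):
    """List files named after their own 32-hex parent folder under root."""
    findings = []
    root = Path(root)
    if not root.is_dir():
        return findings
    for folder in sorted(root.iterdir()):
        try:
            if not (folder.is_dir() and HEX32.fullmatch(folder.name)):
                continue
            for entry in sorted(folder.iterdir()):
                # Same name as the folder, with or without an extension.
                if entry.is_file() and entry.stem.lower() == folder.name.lower():
                    md5, sha256 = file_hashes(entry)
                    findings.append({"path": str(entry), "md5": md5, "sha256": sha256})
        except OSError:
            continue  # unreadable folder or file: skip it, keep scanning
    return findings

def demo():
    """Scan a constructed tree: one matching folder and two that must not match."""
    name = "0123456789ABCDEF0123456789ABCDEF"  # constructed, not from a real sample
    with tempfile.TemporaryDirectory() as tmp:
        for folder, fname in ((name, name), ("Microsoft", "Microsoft"),
                              ("F" * 32, "settings.dat")):
            (Path(tmp) / folder).mkdir()
            (Path(tmp) / folder / fname).write_bytes(b"abc")
        return find_leftovers(tmp)

if __name__ == "__main__":
    for hit in find_leftovers(os.environ.get("ProgramData", r"C:\ProgramData")):
        print(hit["md5"], hit["sha256"], hit["path"])
```

A hit is only a candidate for submission: the name pattern alone does not show that a file is malicious.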



  • 8.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Posted May 14, 2012 10:45 AM

    Tracking #24742141, do you want the MD5 of that leftover non-executable file?



  • 9.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Posted May 14, 2012 10:54 AM

    Hi Wroot,

    That file does not seem to be malicious in itself.  It's not capable of causing any harm.

    It does have a "bad" reputation with SEP 12.1's reputation-based technologies.  If using SEP 12.1 with SONAR / Download Insight, it should be detected.

    What would be very useful would be to get the installer and .exe's for the original FakeAV itself, before you managed to uninstall it.  No doubt that will be encountered and submitted to Symantec by someone in due course, and protection added with traditional AV signatures.

    Hope this helps!

     

     



  • 10.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Posted May 14, 2012 11:20 AM

    Mick2009 is correct. Thanks for jumping in, Mick! No need for the MD5, it is in your case submission.



  • 11.  RE: Smart Fortress 2012 fake antivirus is not detected?
    Best Answer

    Posted Jun 14, 2012 08:01 AM

    Today we had another version of a similar app (a fake data recovery app, which shows fake warnings and hides the user's files and menus). I have uploaded its files to Symantec. This probably came along with the Maljava trojan, but only the trojan was detected and cleaned.

    Tracking #25129945



  • 12.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Posted Jun 18, 2012 02:55 AM

    Detection for the last fake application is in place. So I'm gonna mark this as solved.



  • 13.  RE: Smart Fortress 2012 fake antivirus is not detected?

    Posted Jun 18, 2012 04:20 AM

    Cheers for taking time to update the thread, and especially thanks for submitting the additional suspicious files.  &: )