
Smart Fortress 2012 fake antivirus is not detected?

Created: 11 May 2012 • Updated: 17 Jun 2012 | 12 comments
This issue has been solved.

This is probably not identified as a virus, but as SEP has an antispyware/adware module I thought it should block such scam/rogue apps. Especially when this application blocks the SEP GUI (in the systray) and other programs.


Chetan Savade:

Hi,

Please go through the following article

How to troubleshoot FakeAV if it is not detected

https://www-secure.symantec.com/connect/articles/how-troubleshoot-fake-av-if-it-not-detected

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mick2009:

Many thanks for the thread, Wroot - please see if you can use the SEP Support Tool's Load Point Analysis to identify any suspicious files that are associated with this new FakeAV, and submit them to Symantec Security Response for analysis.

With thanks and best regards,

Mick

pete_4u2002:

Agree with Mick2009!

Submit the suspicious file to the Symantec Security Response team! Also open a support ticket to get help on following the progress of the submission.

Mithun Sanghavi:

Hello,

Here is the article which Mick is talking about:

Using Symantec Support Tool, how do we collect the suspicious files and submit them to the Symantec Security Response Team.

Hope that helps you submit the files to the Security Response Team!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

wroot:

Weird thing is that I can just uninstall it under Programs and Features (Windows 7 Pro) and after a restart it is gone. I can't find any registry or startup entry or files left. The only suspicious thing I have found is in C:\ProgramData\B7E858A7000D2663000B8EFCB4EB238B\ and inside is the file with the same name, but not an executable. I have uploaded it to the Security Response team. Probably will have to wait for another infection to submit executables. Infection probably occurred while browsing some sites with IE8.

Thomas K:

@wroot,

Do you have the submission number? I would like to see if Symantec has any data about this potential threat. An MD5 checksum would also be nice to have.

wroot:

Tracking #24742141. Do you want the MD5 of that left-over non-executable file?

Mick2009:

Hi Wroot,

That file does not seem to be malicious in itself. It's not capable of causing any harm.

It does have a "bad" reputation with SEP 12.1's reputation-based technologies. If using SEP 12.1 with SONAR / Download Insight, it should be detected.

What would be very useful would be to get the installer and .exe's for the original FakeAV itself, before you managed to uninstall it. No doubt that will be encountered and submitted to Symantec by someone in due course, and protection added with traditional AV signatures.

Hope this helps!


With thanks and best regards,

Mick

Thomas K:

Mick2009 is correct. Thanks for jumping in, Mick! No need for the MD5, it is in your case submission.

wroot:

Today we had another version of a similar app (fake data recovery app, which shows fake warnings, hides the user's files and menus). I have uploaded its files to Symantec. This probably came along with a Maljava trojan, but only the trojan was detected and cleaned.

Tracking #25129945

SOLUTION
wroot:

Detection for the last fake application is in place. So I'm gonna mark this as solved.

Mick2009:

Cheers for taking time to update the thread, and especially thanks for submitting the additional suspicious files. :)

With thanks and best regards,

Mick