Endpoint Protection

  • 1.  Symantec Anti-Virus question

    Posted Feb 19, 2013 12:56 PM

    Not sure if I'm posting this in the right place or not, but here it goes....

    Symantec End Point Anti-Virus... Lately I've been seeing a lot of PCs on our network that are infected. SEP finds the threat, tags it and kills it.  But is that enough? In a recent report (Top sources of attack) I saw over 15 PCs with over 500 hits each... I believe the product is working as intended, but I suspect that it may be a better idea to just re-image these machines... I'm hoping someone else has seen something like this...

     

    Any thoughts?

    Thank you!



  • 2.  RE: Symantec Anti-Virus question

    Posted Feb 19, 2013 12:59 PM

    Make sure you have a look at this for best practice:

    Security Response recommendations for Symantec Endpoint Protection 12.1 settings

    Article:TECH173752  |  Created: 2011-11-07  |  Updated: 2011-11-21  |  Article URL http://www.symantec.com/docs/TECH173752

     

    The default out-of-the-box settings need to be tweaked for better protection.

    Have you been able to investigate some to find out exactly what is causing it? Maybe a user plugged in an infected USB drive? Or they visited a malicious web site?



  • 3.  RE: Symantec Anti-Virus question

    Posted Feb 19, 2013 01:10 PM

    Wow Brian! Thank you for the quick reply... I am looking at the article url now. 

    I believe we have SEP set up out of the box.  I'll have to get my head around this KB that you provided.

    The reason for my concern was that I'm seeing way too many PCs infected and yet, Symantec kills the threat. I'm just wondering if all we're doing here is a cat and mouse chase...

    I'm pretty sure all of this activity is a result of our large user community and people's surfing habits.  I'm just thinking it may be best to pick the top 20 machines that are repeat offenders and re-image them.  Once a virus has been found, it will delete/quarantine it, but I'm just curious about installer files remaining behind etc...

     

     



  • 4.  RE: Symantec Anti-Virus question

    Posted Feb 19, 2013 01:17 PM

    Also another good article written by a community member, teiva-boy:

    http://www.symantec.com/connect/forums/sep-secret-sauce-better-protection

    But you will most definitely need to tweak if only using out-of-the-box protection. Some protection is there, but to get optimal protection you will need to make some changes.



  • 5.  RE: Symantec Anti-Virus question

    Posted Feb 19, 2013 01:57 PM

    Probably the infection is on one of the computers in the network and is trying to spread to the other computers in the network by some means (the most common way is by using a shared folder and autorun.inf). In such cases, even if the risk is detected and removed on an infected computer, the risk recurs again and again as long as the source of the infection remains in the network. You will need to take measures to stop further spreading of the risks (such as disabling autoplay in the entire network) and then work on finding the source computer of the risk (by using SEP features such as Risk Tracer) and clean it.

    You may try following the articles below to help you in completely removing the infection from the network.

    Remediating risks on the computers in your network
    Article URL http://www.symantec.com/docs/HOWTO81376

    Best Practices for Troubleshooting Viruses on a Network
    Article URL http://www.symantec.com/docs/TECH122466

    Preventing a virus from using the AutoRun feature to spread itself
    Article URL http://www.symantec.com/docs/TECH104447
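
An added example, not part of the post above and not Symantec's own tooling: a PowerShell audit that reports whether the AutoRun policy value is set on a machine and lists any autorun.inf sitting at the root of shared folders, the spreading path the reply describes. The share paths are constructed placeholders; replace them with your own.

```powershell
# Added example: audit the AutoRun policy and look for autorun.inf on share roots.
# $ShareRoots holds constructed placeholder UNC paths, not values from the thread.
param(
    [string[]]$ShareRoots = @('\\fileserver01\public', '\\fileserver01\scans')
)

# Machine-wide policy location; the same value can also exist per user under HKCU.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun on all of them.
    $value = (Get-ItemProperty -Path $policyPath -Name NoDriveTypeAutoRun `
                  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        NoDriveTypeAutoRun = if ($null -ne $value) { '0x{0:X2}' -f $value } else { 'not set' }
        AllDrivesDisabled  = ($value -band 0xFF) -eq 0xFF
    }
}

function Find-AutorunInf {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Cannot reach $root"
            continue
        }
        # -Force includes hidden and system files, which such files are often marked as.
        Get-ChildItem -LiteralPath $root -Filter 'autorun.inf' -File -Force `
                      -ErrorAction SilentlyContinue |
            ForEach-Object {
                $text = Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    Attributes    = $_.Attributes
                    # Lines that name a program to launch are the ones to review.
                    LaunchLines   = ($text | Where-Object {
                        $_ -match '^\s*(open|shellexecute|shell\\.+\\command)\s*='
                    }) -join '; '
                }
            }
    }
}

Get-AutoRunPolicy | Format-List
Find-AutorunInf -Roots $ShareRoots | Format-List
```

A file whose LastWriteTime keeps changing after cleanup points to a source machine that is still rewriting it, which is what Risk Tracer is meant to identify.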



  • 6.  RE: Symantec Anti-Virus question

    Posted Feb 21, 2013 06:10 AM

    Hi,

    Please scan the systems in safe mode.

    Regards