
Symantec Endpoint Fails to Prevent Spyware From Running?

Created: 12 Dec 2011 | 8 comments

Hey!

There's this thing called PC Security Test 2011 and I ran it on the computer which has Symantec Endpoint Protection 12.1 and I got odd results. I'd like to know what you guys think of it.


sandra.g's picture

Never heard of this program before (in all honesty it sounds a little like the name of one of those fake AV programs...). I'd be curious to know which SEP 12.1 protection technologies are installed and enabled, and the trustworthiness and reliability of the company that made this tool.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

SymDoq's picture

Thank you for your reply.

I was just searching on the internet on how to test your security product and came across this. It's not a rogue ware as it doesn't do anything malicious, not that I noticed or SEP notified about at least. About the settings, they were all set at their factory default settings as I believe default settings provide the best security. However, I changed some of the settings, like the first action in case of detection would be to quarantine and if failed, delete. And I set the SONAR protection at: Aggressive and Bloodhound at Automatic. Internet connection was enabled during scan so as to utilize in-the-cloud detections. The following components are installed and enabled:

1. AntiVirus & AntiSpyware Protection

2. Proactive Threat Protection

3. Network Threat Protection

mon_raralio's picture

http://www.pc-st.com/us/download.htm

Tried it. It contains some code to place Eicar on the PC. Plus a System32.exe file that was classified as Trojan.Gen. Then in the end, advertises the security product of the said company. No pop-ups or Web pages opened. Our proxy probably prevented that.

You could have your techs analyze this for malware. Maybe get some ideas on the next Symantec tool. *wink *wink.

“Your most unhappy customers are your greatest source of learning.”

sandra.g's picture

Please, feel free to submit it for analysis!

How to Use the Web Submission Process to Submit Suspicious Files
http://www.symantec.com/docs/TECH102419

Or, more directly: http://www.symantec.com/business/security_response...

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Marius Salay's picture

Hello simdog,

 

I agree with Sandra.g to be careful about the trustworthiness! Just have a look at ThreatExpert:

http://www.threatexpert.com/reports.aspx?find=PC%20Security%20Test%202011

Many bad entries...

 

Give us some more information about the SEP version you are currently running and the system it is installed on (OS, installed software, etc.)

Regards,

Marius

mon_raralio's picture

Hi,

Check if your email security is enabled in the Antivirus and Antispyware.

Symantec does not prevent software from adding entries to the Startup or its equivalent in the registry. However, it detects processes if they are malicious in nature and can block them. And by default, the Network Threat Protection's Firewall Policy has ports opened. You can modify it to suit your needs, like blocking/allowing only specific ports. However, once all the ports/network services are enabled - they are in listening mode and would allow remote communication with other machines. This includes allowing them to send and receive data. NTP could detect these attacks and can block them.

“Your most unhappy customers are your greatest source of learning.”

SymDoq's picture

My email security is enabled in AntiVirus and AntiSpyware. Since my ports are 'open' by default, is there a way to 'stealth' them? Thanks for the information.

mon_raralio's picture

First, I'd like to correct one thing. The default settings provided by Symantec provide a balance between PC performance and security. For the Firewall part, it is created with a tad more attention placed on security.

To increase the stealth settings, the easiest way is to go to the Policies page > Firewall Policies > [select a policy and edit] > Traffic and Stealth Settings. Then enable the ones you think would provide you the security detail you require.

“Your most unhappy customers are your greatest source of learning.”