Endpoint Protection

  • 1.  Symantec Endpoint Protection and missed malware download?

    Posted May 13, 2010 05:41 PM
    Recently, a co-worker went to a Wikipedia page, and clicked a link. Seconds later, there was one of those antivirus pop-ups asking for money, as well as a URL redirector. I am curious as to why Symantec Endpoint Protection Version 11.0.5002.333 wouldn't catch the program before it installed.

    I ran a totally different malware program and here is a basic of what it found, and deleted:

    REGISTRY KEYS INFECTED:
    Trojan.BHO
    Adware,MyWebSearch (this is listed three times)

    FILES INFECTED:
    c:\documents and settings\username\local settings\application data\mmxjttphq\naokxhitssed.exe (rogue.antivirussuite.gen
    c:\documents and settings\shared\lib.sig (adware.deepdive
    c:\documents and settings\username\local settings\temp\e.exe (trojan dropper)

    The program I used reported that it quarantined and deleted those. I ran the program again, and it found:

    REGISTRY KEYS INFECTED:
    Trojan.BHO
    Adware.MyWebSearch (this is listed 3 times)

    Would anyone possibly know why these were not caught by the Symantec program?

    Thanks in advance,
    Bruce Zoldak
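    The scan output quoted in this post is the kind of text a helpdesk gets pasted into a ticket. Below is an added triage helper (not part of the original post and not a Symantec or Malwarebytes tool) that parses a report in that shape into structured findings and classifies each file path by where it sits on disk, so that findings in user-writable locations (per-user Temp and Local Settings\Application Data, where all three files above were found) stand out from the rest. The sample report is constructed from the poster's own paths and detection names, re-broken one entry per line and with the registry entry written `Adware.MyWebSearch` as in the second run; the section headers and the tolerance for the unclosed parenthesis are assumptions about this scanner's output format.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the scan output quoted in the post, one entry per line.
# Paths and detection names are the poster's own, including the unclosed
# parenthesis on the first two file entries.
SAMPLE_REPORT = """\
REGISTRY KEYS INFECTED:
Trojan.BHO
Adware.MyWebSearch
Adware.MyWebSearch
Adware.MyWebSearch
FILES INFECTED:
c:\\documents and settings\\username\\local settings\\application data\\mmxjttphq\\naokxhitssed.exe (rogue.antivirussuite.gen
c:\\documents and settings\\shared\\lib.sig (adware.deepdive
c:\\documents and settings\\username\\local settings\\temp\\e.exe (trojan dropper)
"""

# Most specific prefix first; labels are this helper's own (assumed) vocabulary.
LOCATION_CLASSES = [
    ("\\local settings\\temp\\", "user-temp"),
    ("\\local settings\\application data\\", "user-appdata"),
    ("\\documents and settings\\", "user-profile"),
    ("\\windows\\", "system"),
]
USER_WRITABLE = {"user-temp", "user-appdata"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}

# "<path> (<detection>)" with the closing parenthesis optional, because the
# pasted report lacks it on some lines.
_FILE_LINE = re.compile(r"^(?P<path>.+?)\s*\((?P<det>[^)]*)\)?\s*$")


@dataclass
class FileFinding:
    path: str
    detection: Optional[str]
    location: str
    executable: bool


@dataclass
class ScanReport:
    registry: List[str] = field(default_factory=list)
    files: List[FileFinding] = field(default_factory=list)


def classify_location(path: str) -> str:
    """Map a Windows path to a coarse location class by prefix match."""
    lowered = path.lower()
    for needle, label in LOCATION_CLASSES:
        if needle in lowered:
            return label
    return "other"


def parse_file_line(line: str) -> FileFinding:
    """Split 'path (detection' into its parts; missing detection becomes None."""
    m = _FILE_LINE.match(line.strip())
    if m:
        path, detection = m.group("path"), (m.group("det").strip() or None)
    else:
        path, detection = line.strip(), None
    ext = ntpath.splitext(path)[1].lower()  # ntpath handles backslashes on any host
    return FileFinding(path, detection, classify_location(path), ext in EXECUTABLE_EXTENSIONS)


def parse_report(text: str) -> ScanReport:
    """Walk the report line by line, switching sections on the two headers."""
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        upper = line.upper()
        if upper.startswith("REGISTRY KEYS INFECTED"):
            section = "registry"
        elif upper.startswith("FILES INFECTED"):
            section = "files"
        elif section == "registry":
            report.registry.append(line)
        elif section == "files":
            report.files.append(parse_file_line(line))
    return report


def summarize(report: ScanReport) -> Dict[str, int]:
    """Count file findings per location class."""
    counts: Dict[str, int] = {}
    for finding in report.files:
        counts[finding.location] = counts.get(finding.location, 0) + 1
    return counts


def executables_in_user_writable(report: ScanReport) -> List[str]:
    """Executables dropped into per-user Temp/AppData: the ones to submit as samples."""
    return [f.path for f in report.files if f.executable and f.location in USER_WRITABLE]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(summarize(parsed))
    for path in executables_in_user_writable(parsed):
        print("submit for analysis:", path)
```

    The two executables the helper singles out are exactly the files the next reply suggests adding to the Symantec client quarantine and submitting, so the same parse can drive that follow-up rather than a manual re-read of the report.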


  • 2.  RE: Symantec Endpoint Protection and missed malware download?

    Posted May 13, 2010 05:48 PM
    These applications are rewritten about 3 times every 5 minutes; we are doing our best but it's almost impossible to be on top of this infection. I recommend running an alternative like Malwarebytes and having it detect the files if they are not able to be found by Symantec, then don't delete the files. Use Symantec to quarantine the files; there is an Add button to do this in the client Quarantine section. After you have quarantined the files you can upload them, and this will prevent them from infecting your machine in the future as Symantec will create definitions for them.


  • 3.  RE: Symantec Endpoint Protection and missed malware download?

    Posted May 13, 2010 06:47 PM

    I actually do not understand that response, and need more time to process this.

    What I am getting is that I should purchase a different program from a vendor other than Symantec to get rid of an issue that Symantec Endpoint Protection should catch?

    Help me understand this logic...



  • 4.  RE: Symantec Endpoint Protection and missed malware download?



  • 5.  RE: Symantec Endpoint Protection and missed malware download?
    Best Answer

    Posted May 14, 2010 10:40 AM
    How to prevent infection from Rogue Security Software:
    Enterprise users:

    • Update Antivirus software to the newest available version
    • Update Antivirus definitions regularly
    • Keep the Operating Systems updated with all posted security patches
    • Keep all installed applications in the environment patched so that there are no other software related vulnerabilities on the machines
      • It is very important to react quickly when a new vulnerability is announced for any software you use. Once the vulnerability is made public it will only be a short time before someone takes advantage of it. Always ensure your software has the necessary security patches to prevent security holes in your environment.
    • Filter out potentially malicious email attachments to reduce exposure to threats
    • Scan all downloads & email attachments with your antivirus program prior to opening them
    • Institute a firewall to monitor and restrict malicious or unwanted traffic
    • Educate end-users about these threats



  • 6.  RE: Symantec Endpoint Protection and missed malware download?

    Posted May 14, 2010 03:19 PM
    This has been discussed at length in other threads, but here's a good starting point:

    Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748

    sandra


  • 7.  RE: Symantec Endpoint Protection and missed malware download?

    Posted May 15, 2010 01:00 AM
    I'd like to know if you have Network Threat Protection installed and enabled on the client?
    It also helps to have the Bloodhound detection set to Maximum, but Network Threat Protection is more effective IMO.




  • 8.  RE: Symantec Endpoint Protection and missed malware download?

    Posted May 15, 2010 05:24 PM
    With SEP RU5 on Win7 x64, I just went to a Costa Rican news website that is infected with one of those fake AV pop-ups, and Network Threat Protection, specifically the IPS engine, stopped the attack. Very cool!