Endpoint Protection

  • 1.  Symantec Endpoint Protection Gripe

    Posted Oct 03, 2014 06:06 PM

    I am running Symantec 12.1.4100 Enterprise

    I didn't see a gripe group, so I put mine here. I am experiencing an explosion of malware like none I've had in the past 10 years.

    I have used Symantec for many, many years and I like it, but it started as an anti-virus product, which it is good at; nowadays most applications coming out are malware/spyware, and I see the same files being caught and quarantined over and over again on the same client.

    When you look up the risk on the Symantec site it always says it's a low risk (it might be low, but it slows the computer, pops up things and just wreaks havoc) and to run a scan, and if that doesn't get rid of it, run Eraser. Well, I'm here to tell you the scan finds it and quarantines it but does not get rid of it. Running Eraser has been mostly useless for finding or getting rid of it.

    If a simple malware remover program can get rid of it completely, then why can't Symantec? My gripe.

    Also, here's my other dilemma. As a K12 system we are not allowed to disrupt any computer. Testing is going on almost 6 months out of the 9 months school is in session, during which it is a no-no to even mess with one. The teachers take theirs home. And mostly there is not a person on site to run a full scan or a malware remover on an infected machine.

    Anything that gets done is done remotely. So since there's an hour between when school is out and I am off, I try to do everything then, if the computer is left on. Strictly not enough time. Money is scarce, so we cannot afford to purchase both an anti-virus and a malware remover program.

    Also, to even submit a file to Symantec I have to remote to the client and submit it there. I would like to see that ability in the management console.

    One final thing: when I do a risk report in the console I can click on the risk and make an exception, but I can't make it a blocked application. I have to go out into the policies to change that.

    So I would like to see a more robust Symantec with respect to malware.



  • 2.  RE: Symantec Endpoint Protection Gripe

    Posted Oct 03, 2014 06:09 PM

    AV alone doesn't work. Do you use IPS, firewall, Download Insight, SONAR? Did you leave the settings as they were out of the box?

    Security Response recommendations for Symantec Endpoint Protection 12.1 settings

    http://www.symantec.com/docs/TECH173752

    Security Best Practice Recommendations

    http://www.symantec.com/docs/TECH91705

    Is your system infected? Symantec tools to help clear an infection

    https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

    Symantec Endpoint Protection – Best Practices

    http://www.symantec.com/page.jsp?id=stopping_malware



  • 3.  RE: Symantec Endpoint Protection Gripe

    Posted Oct 05, 2014 04:44 PM

    Brian, I did not leave the settings the same as out of the box.

    I am going to go back and check some of the doc files you listed to see if I need to do more adjustments. I know I've seen some suggested settings in the past that I could not set (such as running full scheduled scans) due to performance issues. I work for K12 education, and computers are used for testing; anything that interferes with that I can be fired for.

    I know I have to leave the firewall wide open; Insight is used, SONAR is used, and I'm not sure about IPS but I think it's on. I can't remember what it was, but the firewall default settings interfered with some applications, so I was TOLD to turn them off.



  • 4.  RE: Symantec Endpoint Protection Gripe

    Broadcom Employee
    Posted Oct 06, 2014 10:10 AM

    Hi,

    On September 18, 2014, Symantec released Symantec Endpoint Protection 12.1 Release Update 5 (12.1.5). You can download this version from Symantec FileConnect.

    https://www-secure.symantec.com/connect/blogs/symantec-released-symantec-endpoint-protection-121-release-update-5-1215

    What's new in SEP 12.1 RU5: http://www.symantec.com/docs/HOWTO101747 

    It's a continuous process to improve the SEP management console.

    The Power Eraser tool is now integrated with the SEPM console.

    The administrator starts a scan by issuing a command from the SEPM.

    The scan is only available on a managed client and can't be run from the client UI.

    [Image: Power Eraser.jpg]

    New notifications have been added: whenever any client needs a Power Eraser scan, SEPM will generate a notification.

    By checking the Power Eraser results, the admin will decide whether the infected file should be deleted or not.

    As you mentioned, "scan finds it and quarantines it but does not get rid of it": it means SEP is able to detect it but it's not possible to clean the file 100%; probably it's badly infected, so SEP has quarantined it.

    We do recommend using all three SEP features: Antivirus/Antispyware, Proactive Threat Protection (PTP) and Network Threat Protection (NTP). If the SEP firewall is turned off, make sure at least the Windows firewall is turned on. One of the two firewalls must be ON.



  • 5.  RE: Symantec Endpoint Protection Gripe

    Posted Oct 21, 2014 09:55 AM

    Thanks Chetan for your reply.

    This goes back to another discussion I have here, but since starting this discussion I have found the malware is getting more complex and installing a scheduled task. Now I'm not sure if it goes out and reinstalls itself or just downloads more malware. This looks like Symantec is not doing its job, because risks are constantly popping up.

    I have started going into every computer that reports a risk and removing these scheduled tasks, and that has slowed the reports from about 60 a day to 3 a day.

    I have not installed 12.1 RU5 yet but it sounds like it might be a step up in the fight against Malware.

    I can't remember which of the SEP features require the firewall, but I have all 3 features you mentioned installed; I had to open the firewall because it interferes with another program I use.
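The post above describes a manual routine: log on to each client that reports a risk, find the scheduled task the malware dropped, and remove it. The following PowerShell script is an added example for doing that from the admin workstation; it is not part of the thread and not Symantec's tooling. It uses schtasks.exe, which exists on every supported Windows version of the time, so it does not need WinRM on the clients. The host names, the persistence path patterns and the evidence folder are assumptions; run it under an account that is a local administrator on the clients, so no password has to be passed on the command line.

```powershell
# Added example (not from the thread): triage and remove suspicious scheduled
# tasks on remote Windows clients with schtasks.exe. Assumes the script runs
# as a domain account that is a local admin on each client, so /S works with
# the caller's credentials and no /U /P (which would expose the password in
# the process list) is needed. Host names and patterns below are assumptions.

$Hosts        = @('LAB01-PC', 'LAB02-PC', 'RM12-TEACHER')   # assumed host names
$EvidenceDir  = 'C:\IR\tasks'                               # assumed local folder for exported task XML
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Vendor tasks rarely execute from user-writable locations or via script hosts
# fetching remote content; commodity malware persistence very often does.
# Tune these to your environment; they are a starting point, not a signature.
$SuspiciousPatterns = @(
    '\\Users\\[^\\]+\\AppData\\',                 # per-user AppData\Local|Roaming
    '\\ProgramData\\[^\\]+\\[^\\]+\.(exe|vbs|js|bat|cmd)',
    '\\Temp\\',
    '(wscript|cscript)\.exe',                     # script hosts
    'powershell.*(-enc|-e |downloadstring)',      # encoded / download cradles
    '(regsvr32|rundll32|mshta).*(http|\\Users\\)',
    '\.(vbs|js|jse|wsf|scr|hta)(\s|"|$)'
)
$Pattern = $SuspiciousPatterns -join '|'

function Get-SuspiciousTasks {
    param([Parameter(Mandatory)][string]$ComputerName)

    # /FO CSV /V yields one row per task including the 'Task To Run' column.
    # schtasks repeats the header row for every task folder, so drop those rows.
    $raw = & schtasks.exe /Query /S $ComputerName /FO CSV /V 2>$null
    if (-not $raw) {
        Write-Warning "No output from $ComputerName (offline, firewall, or access denied)"
        return
    }
    $raw | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object { $_.'Task To Run' -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Host       = $ComputerName
                TaskName   = $_.TaskName          # includes the folder, e.g. \Microsoft\...
                Author     = $_.Author
                RunAsUser  = $_.'Run As User'
                Command    = $_.'Task To Run'
                NextRun    = $_.'Next Run Time'
                LastResult = $_.'Last Result'
            }
        }
}

function Remove-SuspiciousTask {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TaskName
    )
    # Keep the task definition (trigger, action, principal) before deleting it;
    # it is useful for the Symantec submission and for hunting the same task
    # elsewhere. /XML on /Query requires Vista or later on the target.
    $safeName = ($TaskName -replace '[\\/:*?"<>|]', '_').Trim('_')
    $xmlPath  = Join-Path $EvidenceDir "$ComputerName-$safeName.xml"
    & schtasks.exe /Query /S $ComputerName /TN $TaskName /XML 2>$null | Set-Content -Path $xmlPath
    & schtasks.exe /Delete /S $ComputerName /TN $TaskName /F
}

# 1. Collect across all hosts and write a report you can review before acting.
$findings = foreach ($h in $Hosts) { Get-SuspiciousTasks -ComputerName $h }
$report = Join-Path $EvidenceDir ("findings-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
$findings | Export-Csv -Path $report -NoTypeInformation
$findings | Format-Table Host, TaskName, RunAsUser, Command -AutoSize

# 2. Remove only after review; the pattern list will also catch legitimate
#    per-user updaters (Google, Adobe, OneDrive) that live under AppData.
#    Uncomment to act on everything in the report:
# foreach ($f in $findings) { Remove-SuspiciousTask -ComputerName $f.Host -TaskName $f.TaskName }
```

Two caveats from practice: the task is only the persistence mechanism, so also note the path in `Command`, pull that file for the Symantec submission the thread discusses, and delete it, or the risk detections will continue; and a task that reappears after deletion points to a second persistence point (Run key, service, or another task that recreates it), which is what the poster's "reinstalls itself" observation would look like.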



  • 6.  RE: Symantec Endpoint Protection Gripe

    Posted Oct 21, 2014 09:58 AM

    Why not just add an allow rule to the fw for your app?
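The two preceding posts together describe the fallback the Symantec employee recommended: if the SEP firewall has to stay off because it breaks an application, the Windows firewall must be on, and the conflicting application gets an explicit allow rule instead of a disabled firewall. The following script is an added example, not from the thread and not SEP's own policy mechanism, of setting that baseline on a client with netsh advfirewall (Vista and later). The program path and rule name are assumptions; the SEP firewall rule itself is created in the SEPM Firewall policy, which this script does not touch.

```powershell
# Added example (not from the thread): turn the Windows firewall on for all
# profiles and allow a single conflicting program, rather than disabling the
# host firewall entirely. Must run elevated on the client (e.g. as a GPO
# startup script). Program path and rule name are assumptions.

$ProgramPath = 'C:\Program Files (x86)\TestingClient\TestClient.exe'   # assumed
$RuleName    = 'K12 - Allow testing client inbound'                   # assumed

function Set-WindowsFirewallBaseline {
    param(
        [Parameter(Mandatory)][string]$ProgramPath,
        [Parameter(Mandatory)][string]$RuleName
    )
    if (-not (Test-Path -LiteralPath $ProgramPath)) {
        throw "Program not found: $ProgramPath (rule would allow a path that may later be hijacked)"
    }

    # 1. Firewall on for domain, private and public profiles; default inbound
    #    block, outbound allow. Never leave a profile in state 'off'.
    & netsh.exe advfirewall set allprofiles state on
    & netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

    # 2. Replace (not duplicate) the allow rule for the conflicting program.
    #    Scope it to the program, inbound only, and to the profiles where the
    #    lab machines actually sit; a teacher laptop on home Wi-Fi is 'public'.
    & netsh.exe advfirewall firewall delete rule name="$RuleName" | Out-Null
    & netsh.exe advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        program="$ProgramPath" enable=yes profile=domain,private

    # 3. Verify, and return the results so a deployment job can check them.
    $profiles = & netsh.exe advfirewall show allprofiles state
    $rule     = & netsh.exe advfirewall firewall show rule name="$RuleName"
    [pscustomobject]@{
        ProfilesOff  = @($profiles | Select-String -SimpleMatch 'OFF').Count
        RuleExists   = ($rule -join "`n") -notmatch 'No rules match'
        RuleOutput   = $rule
    }
}

$result = Set-WindowsFirewallBaseline -ProgramPath $ProgramPath -RuleName $RuleName
if ($result.ProfilesOff -gt 0 -or -not $result.RuleExists) {
    Write-Error "Firewall baseline not applied correctly on $env:COMPUTERNAME"
    exit 1
}
$result.RuleOutput
```

Allowing a program rather than a port matters for the situation in the thread: a port-based allow would also admit whatever the malware's scheduled task downloads next, whereas a program rule only admits traffic to that one executable. If the application needs outbound only, no inbound rule is needed at all under the default policy above.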



  • 7.  RE: Symantec Endpoint Protection Gripe

    Broadcom Employee
    Posted Oct 21, 2014 11:23 AM

    If you think SEP is not able to detect an infection, you should run the SymHelp tool to identify suspicious files on the system and submit them to the Security Response team for analysis.

    Symantec Help (SymHelp) is a diagnostic utility designed for Symantec Endpoint Protection, used to identify common issues and provide quick solutions to common problems. SymHelp, with a run time of around three minutes, provides the ability to automatically detect whether a system with a supported Symantec product has a known issue or is in an otherwise problematic condition. In addition to the individual test results and their statuses, the SymHelp report contains links to documents in the Symantec knowledge base which provide detailed information on how to resolve an issue or pursue further investigation as to its cause and resolution.

    To learn more about how SymHelp can help solve your Symantec Endpoint Protection problem quickly, take a look at the video below titled How to Run Self-help Reports with SymHelp.

    In situations where SymHelp is unable to resolve your issue, SymHelp can help expedite your experience with our Technical Support staff by capturing essential logs and uploading them, so that Symantec has the information available to quickly identify problems and provide solutions. To learn more about how SymHelp can help with your Symantec Endpoint Protection case, take a look at the video below titled How to Collect Data for Support with SymHelp.

    Refer to this article: https://www-secure.symantec.com/connect/articles/symantec-help-symhelp-quick-and-easy-help-your-installation-configuration-and-deployment



  • 8.  RE: Symantec Endpoint Protection Gripe

    Broadcom Employee
    Posted Dec 08, 2014 02:16 PM

    Is there any update?

    OR

    If the issue has been resolved, could you mark this thread as solved with the best answer that helped you?