Symantec losing the battle with Rogue AV Software
I'm once again knee deep in a Rogue Antivirus issue that is not being detected by Symantec Endpoint Protection (latest service pack, maintenance release, definitions). Of course I've ticked off the responsible admin duties of submitting the sample to Symantec, VirusTotal, and a few other locations, and surprise (not): most other companies detect the samples in some form or fashion. I have all the bells and whistles configured: AV, Antispyware, TruActive Threat Protection, Application Control, Tamper Protection, and Network Threat Protection. I'll give Symantec credit in that NTP prevented additional files from being downloaded by the samples in question, but if it can see the traffic, why can't SEP combine its varied technologies to block the source of the threat?
Symantec, help me out with the top-level overview of the software. Traditional AV detects known viruses contained in an antivirus definition and/or through heuristic analysis. If that fails or is absent, then TruActive Threat Protection should catch the threat if it "looks or acts like a virus." Let's call that, if you will, "extended heuristics." If that fails, then all we have left is Network Threat Protection to prevent malicious traffic from said samples. Am I missing something?
Comments
I've heard similar issues
I don't have any answers but
I don't have any answers, but I just want to say that I am fighting the same battle of SEP letting FAKE AV onto my machines. It has gotten really bad and I would love it if they came up with a good fix.
I've seen some rogue AV
I've seen some rogue AV suites out there, and they're probably hard to catch and prevent because lots of them don't act like viruses (i.e. they don't lock you out of your system, delete files, log keystrokes, etc.) They just sit there doing nothing, popping up fake alerts, hoping that you'll pay them money to fix the issues. I'm guessing that the malicious ones are more easily detected.
The missing variables.
1. User Education.
a. Show your users what SEP and SEP alerts look like and instruct them not to click any other 'Virus Alerts'.
b. Look in the internet history to see what sites they were going to around the time of infection; I bet you find sites you don't want your employees going to on company time.
2. Patch your browser (Internet Explorer especially.)
In the rare case where the fake antivirus was not installed via the end user clicking on a cleverly designed popup, an unpatched browser is to blame.
We conduct user education
We conduct user education classes with regard to this. Getting basic computer users to stop, go to the task bar, select Task Manager, navigate to the service tab, sort by image name, and end all iexplorer.exe processes isn't as easy as you think.
We stay up-to-date with IE security patches and the computer in question is up-to-date.
I am sorry...
Sorry, but that is a cop-out.
If there were no bugs and everyone's users were at security administrators' intelligence, there would be no need for any AV. We do our part of our "security onion" and we are just looking for Symantec to step up on the rogue AV.
If you need, I can post my update logs and the emails I sent to my users telling them not to believe pop-ups, if that will help Symantec figure out how to stop it.
Just an FYI.... Malwarebytes finds and removes the Fake AV every time.
Another possible solution
Another possible solution could be to bump up your heuristics detection to maximum. There is a newer technology that has been implemented with this level of detection that has proven to be very beneficial in other customers' environments.
To do this you will need to edit your av policy, and go to file system auto-protect,
Then click on the "Advanced Scanning and Monitoring" button.
At the bottom, change your Bloodhound heuristic detection to maximum from the default.
*EDIT* I would like to also add that this may lead to more false positives though.
Before I contacted Symantec
Before I contacted Symantec with the submission, I moved the computer into a test group that had maximum heuristics enabled as I did the last time this happened. It did not detect it unfortunately.
How long does it take for Gold Support response? It's been over 6 hours now and I haven't heard back from anybody. Should I call into Support as well? The tracking numbers are 12405115, 12404807 respectively.
Yes calling support with
Yes, calling support with those numbers will help you find out the status of your submission.
There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."
Browser drive-by infections
One user infected yesterday with Personal AV (pav.exe) from a drive by infection. SEP 11 had no clue there was an infection. Did a manual scan and then SEP found several things but not PAV. Ran spybot and it found this infection.
My question is other than patched browsers (is there such a thing?) what can we do to prevent drive by infections? As noted above advanced heuristics does not seem to be the answer either.
I am not real happy with SEP 11 but it is probably as good as the other big names out there.
Thank you.
Mike
We were picking up Personal
We were picking up Personal AV on 411.com and Whitepages.com over the last couple of days. We had to end up blocking those two sites.
I would also suggest using something like Black Hole DNS.
http://www.malwaredomains.com/
It has helped us a lot.
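The "black hole DNS" suggestion above works by answering lookups for known-bad domains from a local sinkhole zone instead of the real authority. The script below is an added example (not code from malwaredomains.com, from Symantec, or from any poster in this thread) that shows the two halves of that setup: turning a domain blocklist into BIND `zone` statements that all point at one sinkhole zone file, and checking resolver query-log lines against the same list so you can see which clients are asking for sinkholed names. The blocklist feed format and the query-log line format are constructed for the example; a real feed and a real resolver log will have their own layout, so adapt `load_blocklist` and `find_hits` accordingly.

```python
"""Sinkhole ("black hole") DNS blocklist helper.

Added example, not code from malwaredomains.com or from any poster in the
thread. The blocklist format and query-log format below are CONSTRUCTED
for illustration; real feeds and resolver logs differ.
"""
from __future__ import annotations

# Constructed sample blocklist (not real data): one domain per line, '#' comments.
# The .test TLD is reserved, so these names never resolve anywhere real.
SAMPLE_BLOCKLIST = """\
# constructed example feed: domain per line
rogue-av-example.test
fakealert-download.test
"""

# Constructed DNS query-log lines in a simplified "client query: name" form
# (hypothetical format; a real resolver's query log will differ).
SAMPLE_QUERY_LOG = """\
10.0.0.12 query: www.example.org
10.0.0.12 query: update.rogue-av-example.test
10.0.0.31 query: fakealert-download.test
10.0.0.31 query: mail.example.org
"""


def load_blocklist(text: str) -> set[str]:
    """Parse a domain-per-line feed into a set of lower-cased domains."""
    domains: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def is_blocked(name: str, blocklist: set[str]) -> bool:
    """True if the name itself or any parent domain is on the blocklist.

    A sinkhole zone for rogue-av-example.test also swallows
    update.rogue-av-example.test, so subdomains are matched label-wise;
    notrogue-av-example.test is NOT a match.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def bind_zone_statements(blocklist: set[str], zone_file: str = "blockeddomain.hosts") -> str:
    """Emit one BIND 'zone' statement per blocked domain.

    Every zone points at the same sinkhole zone file, which is the usual
    black-hole DNS layout: the file holds a wildcard record sending all
    lookups to a sinkhole address you control.
    """
    return "\n".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};'
        for d in sorted(blocklist)
    )


def find_hits(log_text: str, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, queried name) pairs for log lines that hit the blocklist."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "query:":
            continue
        client, name = parts[0], parts[2]
        if is_blocked(name, blocklist):
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    print(bind_zone_statements(bl))
    for client, name in find_hits(SAMPLE_QUERY_LOG, bl):
        print(f"sinkholed lookup from {client}: {name}")
```

The query-log check is the part that pays off operationally: a client that keeps asking for sinkholed names is a machine that already has something on it trying to phone home, which is exactly the "setup files attempted to download additional files" stage described later in this thread.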
Thanks for the information on
Thanks for the information on 411 and whitepages. I am at an .edu and so we do not filter traffic which I know makes things a lot more difficult.
I appreciate the input though.
Mike
I think the answer lies in
I think the answer lies in the Application and Device Control System Lockdown feature (whitelisting). I just don't think it's a mature enough product for incorporating into an existing IT infrastructure. If you were starting a new company and started with a fresh, clean template of server and client systems, it would be easy to implement the lockdown features using the tools currently available IN SEPM. Integrating it in after the fact would require more tools, filters, reports, etc. within SEPM.
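The comment above makes the point that whitelisting is easy when you start from a clean template and hard to bolt on afterwards. The script below is an added example (not SEPM's Application and Device Control or System Lockdown feature, and not code from anyone in the thread) that shows the mechanics behind that point with a hash-based manifest: build a SHA-256 manifest of the executables in a template image, then audit a live machine against it and report binaries that are unlisted, modified, or missing. The template and live trees are constructed in a temporary directory so the script runs offline; in practice you would point `build_manifest` at a real image and at the machine under review.

```python
"""Hash-based application allowlist: template baseline plus audit.

Added example, not SEPM's System Lockdown feature. Directory contents are
CONSTRUCTED in a temp dir so the script runs offline; file bytes are not
real executables, just stand-in data for hashing.
"""
from __future__ import annotations

import hashlib
import os
import tempfile

# File types treated as "applications" for the allowlist (assumption for the example).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map relative path -> SHA-256 for every executable under root."""
    manifest: dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def audit(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a live manifest against the clean-template baseline.

    unlisted: executables present on the machine but absent from the template
    modified: same path as the template but different content (patched or replaced)
    missing:  template executables that are gone from the machine
    """
    return {
        "unlisted": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Create a constructed file under root, making parent directories as needed."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: clean template vs. a machine with one updated
    application and one extra binary dropped into the user's temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        template = os.path.join(tmp, "template")
        live = os.path.join(tmp, "live")
        _write(template, "Windows/System32/notepad.exe", b"MZ-template-notepad")
        _write(template, "Program Files/App/app.exe", b"MZ-app-1.0")
        _write(live, "Windows/System32/notepad.exe", b"MZ-template-notepad")
        _write(live, "Program Files/App/app.exe", b"MZ-app-1.1")  # patched after imaging
        _write(live, "Users/alice/AppData/Local/Temp/setup.exe", b"MZ-dropped")  # not in template
        _write(live, "Users/alice/notes.txt", b"not an executable")  # ignored by suffix filter
        return audit(build_manifest(template), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The "modified" bucket is the reason integrating after the fact is painful: every legitimate patch changes a hash, so the baseline has to be re-approved continuously, whereas on a freshly imaged fleet the manifest and the approval workflow can be set up together from day one.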
tekkid, You should have
tekkid,
You should have received an email from Security Response. Submission #12405115 was found to be Trojan.Fakeavlert,
and 12404807 was found to be Downloader.Misleadapp.
Trojan.Fakeavlert was addressed in Rapid Release Sequence 99441
Downloader.Misleadapp was addressed in Rapid Release Sequence 99436
Regards,
Thomas
Thomas - Thank you for the
Thomas -
Thank you for the update. I tested and the rapid release definitions worked and removed the files from the affected computers. I want to kick myself because I found two more files that weren't detected. I have re-submitted those and am waiting for new definitions.
I'm happy to hear the RR
I'm happy to hear the RR definitions cleaned your infected systems. Please keep us updated on your latest submissions.
Best regards,
Thomas
Sounds like you have all your
Sounds like you have all your end users set up with admin privileges?
Is that right?
Very hard to stop rogue app installs in this instance.
I usually run a rapid release SEPM for dealing with zer0 day stuff.
When you have your suspicions about systems you just moved them over to the rapid release group and they get the absolute newest defs available.
Z
If you already submit the
If you have already submitted the virus definition to the Security Response team, you can expect the result within the day, and if the file is a virus, get the latest update or RR and then perform a full scan on that PC.
:-)
Cycletech: All four files
Cycletech:
All four files are being detected by Symantec now. Looks like each submission took about a 24-hour turnaround.
Zer0:
It's about a 60 / 40 mix. 60 percent are normal users w/o admin rights. 40 percent have software that won't work w/o admin rights. Most of those apps are on the Windows Hall of Shame website (not sure if that site is still around or not). Clarification: the FakeAV software never installed; the setup files made it to the user's temp directory and attempted to download additional files from a remote site, which was blocked by SEP IPS on the computer in question.
--------------------------
Looking back, the situation worked ok -- this time. The lack of admin rights, up-to-date security patches, and multi-layered approach (AV,IPS) protected our company's data residing on the PC in question. Feedback for Symantec... I'd like to see better heuristic detection/protection technology and more development work on the Application Device and Control side of things so it would be easier to start whitelisting applications.