
System Progressive Protection malware

Created: 12 Dec 2012 | 14 comments

Hi,

I have a small problem and I need some information about it. Namely, it is about the System Progressive Protection malware that is found in the wild. I want to know if Symantec has a signature for it and if it is implemented in some SEP definitions. In our company in the last week we had 3 different cases of this malware found on systems protected with SEP 11.0.6, and I want to know if the signature exists and in what release of SEP this malware can be detected. It is clear that in 11.0.6 the malware is not detected and infects the clients. We have manually cleaned the systems, but I want the malware to be stopped as soon as the client tries to download it and not to waste our time cleaning it afterwards.

Upgrade of the clients, as a solution, is acceptable.

Thanks for any replies.


Ashish-Sharma

If Symantec antivirus does not detect a suspicious file, you can submit the file to Symantec.

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

Check this thread

https://www-secure.symantec.com/connect/forums/whats-process-submit

Thanks In Advance

Ashish Sharma

pete_4u2002

The latest signatures should be used on the client machines. If you feel any files are suspicious, submit them to Security Response.

http://www.youtube.com/watch?v=SGfW2gAODWU

tylerMK

I've collected the file and uploaded it to Symantec for analysis.

Also, I have blocked the websites that were infecting our clients and informed them about the malware. I hope to get definitions that will block this file soon, because the number of infected clients has started growing.

Appel

We have just been through a cleanup of System Progressive Protection on a machine in our company.  The machine is running SEP 12.1 RU1 MP1 with the latest virus definition files.

cus000

It could be a new variant, if it's not detected by Rapid Release then you'll need to submit the sample to Symantec...

Also, you'll need to do a little bit of forensics to identify the real source of this threat.

Is it coming from USB?

Is it from certain websites browsed by user? etc

tylerMK

Symantec replied to me with the following message:

Determination: Not a threat (Symantec does not consider this file to be a threat, no detection is necessary for this file.)

I'm guaranteeing that this is a threat and I'm not agreeing with these findings. Does someone know how to send them a notification saying that I don't agree, or should I just open a case with them and have them work hard to earn my money?

tylerMK

@cus000, as I said before, I've found the file that causes this. It is automatically downloaded from two websites (I have blocked both of them on my web proxy), but I don't know how fast this is spreading and if some other sites are infected. This is why I want a signature and definition created for it.

cus000

I apologize, I thought the post was from @Appel.

If you don't mind, can you upload the sample to threatexpert.com and virustotal.com and then share the result with us?

Sometimes it could be threat remnants.... so it won't be detected...

the real source files might have been deleted or gone somehow....

well virustotal and threatexpert could give some hints ;)

Ashish-Sharma

Hi,

Kindly contact Support and have a case created to get further help.

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000

India: Toll-Free 000 800 4401 456 directly

IDD call: +61 2 8220 7111

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Customer Care Contact Numbers for Licensing Issues:-

http://www.symantec.com/support/assistance_care.jsp

Thanks In Advance

Ashish Sharma

pete_4u2002

Open a support ticket and work with Tech Support so that they might have a second look.

tylerMK

Here are the results from VirusTotal:

Here even Symantec says that it is a threat.

Antivirus Result Update
Agnitum - 20121212
AhnLab-V3 - 20121212
AntiVir TR/Kryptik.UA 20121213
Antiy-AVL - 20121212
Avast Win32:Dropper-gen [Drp] 20121213
AVG FakeAV_s.UF 20121212
BitDefender - 20121213
ByteHero - 20121212
CAT-QuickHeal - 20121213
ClamAV - 20121213
Commtouch - 20121213
Comodo UnclassifiedMalware 20121213
DrWeb Trojan.Fakealert.34707 20121213
Emsisoft - 20121213
eSafe - 20121212
ESET-NOD32 a variant of Win32/Kryptik.APVK 20121213
F-Prot - 20121213
F-Secure - 20121213
Fortinet - 20121213
GData Win32:Dropper-gen 20121213
Ikarus - 20121213
Jiangmin - 20121213
K7AntiVirus - 20121212
Kaspersky Trojan.Win32.FakeAV.ozdb 20121213
Kingsoft - 20121210
Malwarebytes - 20121213
McAfee FakeAlert-SecurityTool.ga 20121213
McAfee-GW-Edition - 20121213
Microsoft Rogue:Win32/Winwebsec 20121213
MicroWorld-eScan - 20121213
NANO-Antivirus - 20121213
Norman W32/Kryptik.DAX 20121212
nProtect - 20121213
Panda - 20121212
PCTools - 20121213
Rising - 20121213
Sophos Mal/FakeAV-KL 20121213
SUPERAntiSpyware - 20121213
Symantec Trojan.FakeAV 20121213
TheHacker - 20121211
TotalDefense - 20121212
TrendMicro PAK_Generic.012 20121213
TrendMicro-HouseCall PAK_Generic.012 20121213
VBA32 - 20121213
VIPRE Trojan.Win32.Generic!BT 20121213
ViRobot Trojan.Win32.A.FakeAV.652288.BQ 20121213
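As an added example (not code from this thread or from Symantec), a small Python script that parses rows in the whitespace-separated layout of the listing above, where the vendor is the first token, the definition date the last, and the label in between may itself contain spaces, and then tallies how many engines detect the sample and how many label it a rogue/fake antivirus. The embedded rows are a subset copied from the listing above; the rogue-AV name fragments are an assumed list.

```python
import re

# Sample input: a subset of the rows posted above, in the same
# whitespace-separated "Vendor Result Update" layout; "-" means no detection.
SAMPLE = """\
Agnitum - 20121212
AntiVir TR/Kryptik.UA 20121213
Avast Win32:Dropper-gen [Drp] 20121213
AVG FakeAV_s.UF 20121212
ESET-NOD32 a variant of Win32/Kryptik.APVK 20121213
Microsoft Rogue:Win32/Winwebsec 20121213
Symantec Trojan.FakeAV 20121213
TrendMicro PAK_Generic.012 20121213
VBA32 - 20121213
"""

# Name fragments vendors use for rogue/fake antivirus families (assumed list).
ROGUE_AV = re.compile(r"fakeav|fakealert|rogue|winwebsec", re.IGNORECASE)

def parse_results(text):
    """Parse rows into (vendor, result, update) tuples.

    Vendor is the first token, the YYYYMMDD definition date the last;
    everything in between is the label, which may contain spaces
    (e.g. "a variant of Win32/Kryptik.APVK"). "-" becomes None.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not re.fullmatch(r"\d{8}", parts[-1]):
            continue  # header or blank line
        result = " ".join(parts[1:-1])
        rows.append((parts[0], None if result == "-" else result, parts[-1]))
    return rows

def summarize(rows):
    """Detection ratio plus how many labels point at a rogue/fake AV."""
    detected = [r for r in rows if r[1] is not None]
    rogue = [r for r in detected if ROGUE_AV.search(r[1])]
    return {
        "total": len(rows),
        "detected": len(detected),
        "rogue_av_labels": len(rogue),
        "vendors_detecting": sorted(r[0] for r in detected),
    }

if __name__ == "__main__":
    print(summarize(parse_results(SAMPLE)))
```

Running it over the full listing above gives 17 of 46 engines detecting the file, 8 of them with a FakeAV/rogue label, which is the kind of evidence worth attaching when asking for a sample to be rechecked.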

cus000

Ok, forward this result and ask to recheck.

They have missed something....

cus000

Before I forget... do open a case with Support (via the my.symantec.com portal or by phone).

The threat submission tracking number itself can't be considered as a case.

(Yeah... no offense, but I found it's a joke... you'll need to open a support case to follow up on the tracking number.)

tylerMK

The case was opened.

So we will see what is going to happen.