Turning up settings in SEP to deal with fakeav
For months, my helpdesk has been reporting a high number of machines having to be rebuilt due to infection. We use SEP MR2 MP1 on our image. Vundo is the common factor, as are fake AV scans like Antivirus 2008. Recently a sales engineer came in and had me turn up the scan settings. Since making these changes, our infection rate has gone down significantly. I thought I would share what we did to achieve this.
First, before I enabled more aggressive settings, my company spent two months coming to an agreement on a new version of the JRE and then deploying it.
Second, I made the following changes in the AV policy:
Edit Scheduled scan
Scan Details tab
Advanced Scanning Options button -> Storage Migration tab -> Scan all files, forcing demigration (fills drive). [this scans system restore]
Exit Advanced Scanning Options, change from Scan Details to Actions. Select Security Risks. For all Security Risks, choose Delete Risk as the first action and Quarantine if the first action fails. [I believe the theory is the file may be misbehaving enough that Clean cannot work, so don't take a chance, just delete.] In that same tab make sure "Terminate processes automatically" and "Stop services automatically" are checked.
File System Auto-Protect
Scan Details tab - Advanced Scanning and Monitoring button -> Enable Bloodhound and set level to Maximum.
In Actions tab in File System Auto-Protect, make same setting changes to Security Risks that I described above (Delete or Quarantine).
For all protections, change Actions setting for Security Risks to Delete first then Quarantine (Internet email, Outlook etc).
Scan Details tab
Deselect "Use defaults defined by Symantec". Set "when a trojan or worm is detected..." to Terminate. Set sensitivity to 100. [this is the most aggressive setting, so you might want to play with this. I went cold turkey from 1 to 100 without reported problem.]
The JRE patching did help some. I also suggest keeping Adobe Acrobat Reader patched. Upgrading to MR4 MP1a did NOT help. However, the biggest improvement was when I changed settings in the AV policy. What is the side effect? A much lower number of rebuilds and cleans due to viruses. I was scared at first to make these changes because I anticipated that client performance would suffer, so I initially pushed these changes only to IT people. After a few days of doing this, I applied the change to all workstations. My help desk is much happier now.
I am not guaranteeing good results for anyone and I am not guaranteeing that you won't see a negative impact. However, this solution worked very well for me.
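The post credits part of the improvement to getting the JRE (and Adobe Reader) onto a patched build. The script below is an added example, not code from the original post or from Symantec: it audits a single workstation's installed JRE and Adobe Reader builds, read from the Windows uninstall registry hives, against minimum versions you supply as parameters (the post does not name its JRE version, so no default is assumed). The SEP policy settings above are still set in the SEP Manager console; this only checks the client-side patch level that the post says helped.

```powershell
# Added example, not part of the original post: audit one workstation's installed
# JRE and Adobe Reader builds against minimum versions the caller chooses.
# Nothing here touches SEP itself; the AV policy is configured in the SEP Manager.
param(
    [Parameter(Mandatory = $true)][version]$MinJavaVersion,    # the JRE build your company agreed on
    [Parameter(Mandatory = $true)][version]$MinReaderVersion   # the Reader build you consider patched
)

function Get-InstalledProducts {
    # Native and 32-bit-on-64-bit uninstall hives; SilentlyContinue covers 32-bit hosts
    # where the Wow6432Node key does not exist.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }
}

function Test-ProductVersion {
    param([string]$Name, [string]$VersionText, [version]$Minimum)
    $parsed = $null
    # Some vendors write DisplayVersion strings that are not dotted numbers;
    # report those as UNKNOWN rather than silently treating them as patched.
    try { $parsed = [version]$VersionText } catch { }
    if ($parsed -eq $null)        { $status = 'UNKNOWN' }
    elseif ($parsed -lt $Minimum) { $status = 'OUTDATED' }
    else                          { $status = 'OK' }
    New-Object PSObject -Property @{
        Product = $Name
        Version = $VersionText
        Status  = $status
    }
}

$results = @()
foreach ($p in Get-InstalledProducts) {
    # Older JREs register as "J2SE Runtime Environment ...", newer ones as "Java(TM) ...";
    # the Java Auto Updater entry is skipped because it is not a runtime.
    if ($p.DisplayName -match '^(Java|J2SE)' -and $p.DisplayName -notmatch 'Auto Updater') {
        $results += Test-ProductVersion $p.DisplayName $p.DisplayVersion $MinJavaVersion
    }
    elseif ($p.DisplayName -match 'Adobe Reader|Acrobat Reader') {
        $results += Test-ProductVersion $p.DisplayName $p.DisplayVersion $MinReaderVersion
    }
}

if (-not $results) { Write-Output 'No JRE or Adobe Reader found in the uninstall hives.' }
$results | Sort-Object Status, Product | Format-Table Product, Version, Status -AutoSize

# Non-zero exit when anything is OUTDATED or UNKNOWN, so a login script or
# management tool can flag the machine for the helpdesk.
$bad = @($results | Where-Object { $_.Status -ne 'OK' }).Count
exit ([int]($bad -gt 0))
```

Run it as, for example, `.\Audit-ClientPatchLevel.ps1 -MinJavaVersion 6.0.70 -MinReaderVersion 8.1.2` (the script name and the version arguments are placeholders, not values from the post). Multiple JRE entries in the output usually mean old runtimes were left behind by upgrades and are still registered; those stay OUTDATED until removed, which is exactly what the audit is meant to surface.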