
Turning up settings in SEP to deal with fakeav

Created: 27 Apr 2009 • Updated: 21 May 2010 | 8 comments

Hi everyone,

For months, my helpdesk has been reporting a high number of machines having to be built due to infection.  We use SEP MR2 MP1 on our image.  Vundo is the common factor, also fake av scans like Antivirus 2008.  Recently a sales engineer came in and had me turn up the scan settings.  Since making these changes, our infection rate has gone down significantly.  I thought I would share with what we did to achieve this. 

First, before I enabled more aggressive settings, my company spent two months coming to an agreement on a new version of the JRE and then deploying it. 

Second, I made the following changes in the AV policy:

Administrator-defined Scans
Scans tab
Edit Scheduled scan
Scan Details tab
Advanced Scanning Options button -> Storage Migration tab -> Scan all files, forcing demigration (fills drive).  [this scans system restore]
Exit Advanced Scanning Options, change from Scan Details to Actions.  Select Security Risks.  For all Security Risks, choose Delete Risk as first action and Quarantine if first action fails.  [I believe the theory is the file may be misbehaving enough before clean can work, so don't take a chance, just delete].  In that same tab make sure "Terminate processes automatically" and "Stop services automatically" are checked.

File System Auto-Protect
Scan Details tab - Advanced Scanning and Monitoring button -> Enable Bloodhound and set level to Maximum.
In Actions tab in File System Auto-Protect, make same setting changes to Security Risks that I described above (Delete or Quarantine).

For all protections, change Actions setting for Security Risks to Delete first then Quarantine (Internet email, Outlook etc).

TruScan
Scan Details tab
Deselect "Use defaults defined by Symantec".  Set "when a trojan or worm is detected..." to Terminate.  Set sensitivity to 100.  [this is the most aggressive setting, so you might want to play with this.  I went cold turkey from 1 to 100 without reported problem.]

The JRE patching did help some.  I also suggest keeping Adobe Acrobat Reader patched.  Upgrading to MR4 MP1a did NOT help.  However, the biggest improvement was when I changed settings in the AV policy.  What is the side effect?  A much lower number of rebuilds and cleans due to viruses.  I was scared at first to make these changes because I anticipated that client performance would suffer, so I initially pushed these changes only to IT people.  After a few days of doing this, I applied the change to all workstations.  My help desk is much happier now.

I am not guaranteeing good results for anyone and I am not guaranteeing that you won't see a negative impact.  However, this solution worked very well for me.

Bob

Comments (8)

Grant_Hall

It is always nice to hear things are working out well. I just wanted to note how you only changed these settings on a small number of clients first. This is something that is important, and it is something that I want to stress to anyone attempting drastic changes to their policies. It might even be a good idea to try these changes out on a virtual machine or test machine to see how performance is affected. Overall, thanks Bob, we appreciate you taking time to try and help everyone.

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

Paul Mapacpac

Hi, about scanning system restore, will this always be successful in removing the threats?

vikram3500

My two cents on this:

In our enterprise's experience, a combination of factors leads to a good security posture.
1. Effective Anti Virus with aggressive policies and zero tolerance to infections
2. Great patch management software (OS and Apps). 
3. Baselining and hardening desktops via ADS policies, lockdown modes
4. Use application control and device lock provided with SEP 11
5. Use SNAC if required (depending on risk perception)
6. Have strong network security protection
7. Use Application firewalls for the most critical enterprise apps.

BzlBob1

Hi Paul,

My sales engineer told me that the setting "Scan all files, forcing demigration (fills drive)" does get the system restore.  Do you disagree?

Bob

Paul Mapacpac

Hi Bob, yes it will get system restore, but I'm not sure if it can take an action on it. If you look at some examples on the Symantec Threat Explorer site, number 1 in the Procedure is to disable system restore.

As far as I know, you can only remove data in system restore in 3 ways:

1. Disable system restore
2. Disk Cleanup, remove restore points, but the most recent one will remain.
3. Changing a registry value (advanced users)

But I noticed in some threat history on our STR, sometimes the AV can delete/clean/quarantine the threat, sometimes not.

BzlBob1

Hi everyone,

It has been 45 days now since I turned up the AV settings, and the results are still very positive.  Rebuilds are way down.

Bob

Weisman

I'm currently doing the same thing, ratcheting down the settings on a group of "problem" users and watching the effects. I've found most of the problem is in vulnerable software and not Endpoint Protection. Endpoint Protection is the last line of defense in our environment. Here are a few things I've put into play with much success, all with group policy.

Lockdown IE7 or 8: enable or disable the following
1. Enable -Empty Temporary Internet Files folder when browser is closed
2. Disable -Allow installation of desktop items
3. Disable -Open windows without address or status bars
4. Disable -Launching applications and files in an IFRAME
5. Disable - Allow active scripting
6. Disable - Allow file downloads
7. Restrict File size limits for Internet zone to 32kb
8. Restrict File Download for Internet Explorer Processes

Lockdown Adobe Acrobat 9.01: enable or disable the following
1. Enable Enhanced Security
2. Uncheck “Display PDF in browser”
3. Uncheck “Allow fast webview”
4. Uncheck “Allow speculative downloading in the background”
5. Uncheck “Enable Acrobat JavaScript” 

I'm currently testing this function and it works awesome so far with RUNASSPC. You can create a shortcut for the users and call it Personal Internet so when they browse they know to use the runasspc version of Internet Explorer.
Run Internet Explorer as a restricted user with RUNASSPC or a similar program:

runas /profile /env /user:domain\user "C:\Program Files\Internet Explorer\iexplore.exe"

If you want specific GPO settings or links I have the templates and can post them. But the main points are there. 

-Wayne
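An added example, not part of the thread: a PowerShell audit that checks whether Wayne's IE Internet-zone lockdown items actually took effect for the current user. The mapping of each list item to an IE URL-action code (1800, 2104, 1804, 1400, 1803) and to the Cache\Persistent value is my own assumption; it reads the Group Policy hive first and falls back to the user's own settings.

```powershell
# Added example (not from the thread): audit the effective IE lockdown for the
# current user. Values: 0 = Enable, 1 = Prompt, 3 = Disable. Zone 3 = Internet.
# Item-to-code mapping below is assumed from the standard IE URL-action list.
$PolicyZone = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$UserZone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyCache = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache'
$UserCache   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache'

$Expected = @(
    @{ Name = 'Installation of desktop items';            Paths = @($PolicyZone, $UserZone);   Value = '1800';       Want = 3 }
    @{ Name = 'Open windows without address/status bars'; Paths = @($PolicyZone, $UserZone);   Value = '2104';       Want = 3 }
    @{ Name = 'Launch applications/files in an IFRAME';   Paths = @($PolicyZone, $UserZone);   Value = '1804';       Want = 3 }
    @{ Name = 'Active scripting';                         Paths = @($PolicyZone, $UserZone);   Value = '1400';       Want = 3 }
    @{ Name = 'File download';                            Paths = @($PolicyZone, $UserZone);   Value = '1803';       Want = 3 }
    @{ Name = 'Empty Temporary Internet Files on close';  Paths = @($PolicyCache, $UserCache); Value = 'Persistent'; Want = 0 }
)

# Read the first path that defines the value: GPO-delivered settings win over
# the user's own, which is the order the registry is consulted in.
function Get-EffectiveValue {
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Test-IELockdown {
    param([array]$Checks = $Expected)
    foreach ($c in $Checks) {
        $actual = Get-EffectiveValue -Paths $c.Paths -Name $c.Value
        $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Setting   = $c.Name
            Expected  = $c.Want
            Actual    = $shown
            Compliant = ($actual -eq $c.Want)
        }
    }
}

# Non-compliant rows are the settings the GPO did not reach or that were
# overridden; run as the locked-down user, not as the administrator.
Test-IELockdown | Format-Table -AutoSize
```

Run it from the restricted user's session (for example, the account the runas shortcut uses), since the values are per-user.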