Endpoint Protection

  • 1.  Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 06, 2010 04:40 PM

    I have had some computers that have been infected with viruses that I could only get rid of with Malwarebytes.  Symantec would quarantine the viruses, but the threat would return every time you logged back in. Why does SEP not kill all of the risks? The virus defs were up to date.

     

    Filename          Risk          Action
    pizda_ntload.dll  Trojan.Gen    Quarantined
    ntdevice.exe      Infostealer   Quarantined
    pizda_ntload.dll  Trojan.Gen    Quarantined
    userinit.exe      Infostealer   Quarantined

     

    This is what Malwarebytes found and removed.

    Trojan.Downloader

    Rootkit.Agent.Gen

    Rogue.Multiple

    Malware.Trace
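
The pattern in the table above (the same file names quarantined again after every logon) is itself worth detecting: a file that keeps coming back after quarantine means something that recreates it is still running or still registered as a load point. The following is an added example, not code from this thread or from Symantec, that scans quarantine events for files re-quarantined in separate sessions. The comma-separated log layout and the sample lines are constructed for the example (SEP's real risk log uses a different format); only the file and risk names are taken from the post.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified "timestamp,filename,risk,action" layout.
# This is NOT the real SEP log format; the field order is an assumption for this example.
SAMPLE_LOG = """\
2010-10-06 08:02:11,pizda_ntload.dll,Trojan.Gen,Quarantined
2010-10-06 08:02:12,ntdevice.exe,Infostealer,Quarantined
2010-10-06 12:40:03,pizda_ntload.dll,Trojan.Gen,Quarantined
2010-10-06 12:40:04,userinit.exe,Infostealer,Quarantined
2010-10-07 07:55:41,pizda_ntload.dll,Trojan.Gen,Quarantined
2010-10-07 07:55:42,ntdevice.exe,Infostealer,Quarantined
2010-10-07 09:10:00,eicar.com,EICAR Test String,Quarantined
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, filename, risk, action = line.split(",", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "filename": filename.lower(),
            "risk": risk,
            "action": action,
        })
    return events


def recurring_quarantines(events, min_sessions=2, min_gap_minutes=30):
    """Return {filename: session_count} for files quarantined in several distinct sessions.

    Two detections of the same file at least min_gap_minutes apart are counted as
    separate sessions (e.g. separate logons). A file hit in two or more sessions was
    recreated after being quarantined, which points at an undetected dropper or
    a surviving persistence entry rather than at a detection failure.
    """
    by_file = defaultdict(list)
    for e in events:
        if e["action"] == "Quarantined":
            by_file[e["filename"]].append(e["time"])

    result = {}
    for name, times in by_file.items():
        times.sort()
        sessions = 1
        session_start = times[0]
        for t in times[1:]:
            if (t - session_start).total_seconds() >= min_gap_minutes * 60:
                sessions += 1
                session_start = t
        if sessions >= min_sessions:
            result[name] = sessions
    return result


if __name__ == "__main__":
    for name, count in recurring_quarantines(parse_events(SAMPLE_LOG)).items():
        print(f"{name}: quarantined in {count} separate sessions - check what recreates it")
```

On the constructed data this flags pizda_ntload.dll (three sessions) and ntdevice.exe (two) and ignores userinit.exe and the EICAR hit, which each appear once; the session gap is the knob to tune to the machine's actual logon pattern.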

     


     



  • 2.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 06, 2010 04:55 PM

    Quarantine would have stopped it from spreading. Most of the time, submitting the virus to the Security Response team helps to delete such viruses by creating definitions for them.

    please submit those infected files here, you will get a response, this would help in better detection.

    https://www-secure.symantec.com/connect/forums/how-submit-virus-samples



  • 3.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 06, 2010 10:57 PM

    Quarantine should render a malicious file inert.  If you would prefer they just be deleted, you could change the detection action from Quarantine via Antivirus and Antispyware policy.

    So are the 4 items removed by Malwarebytes the same files that were quarantined by SEP?

    sandra



  • 4.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 07, 2010 03:08 AM

    Scan the infected machine completely in Safe Mode, with System Restore turned off, and delete all the temporary files from %temp% and the temp folder.

    Note: before scanning the machine, the virus defs should be up to date.



  • 5.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Broadcom Employee
    Posted Oct 07, 2010 03:22 AM

    Could those be residuals which are inert?



  • 6.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 07, 2010 01:13 PM

    If we are detecting the file/threat and quarantining it, submitting it would be a waste of time. We wouldn't make definitions for a file/threat we are already detecting. You should only submit files we don't detect.



  • 7.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 07, 2010 03:38 PM

    The problem is that SEP does not get rid of the payload. SEP stops the attack, but does not kill the attackers.  SEP should get rid of the payload as Malwarebytes did.

    This seems like a problem with SEP. I now have to use two products to accomplish one task.



  • 8.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 07, 2010 05:19 PM

    So are the 4 items removed by Malwarebytes the 'payload', or are they the same four items SEP quarantined?  The sequence of events you describe is not clear, as the payload usually means something a trojan drops onto a machine.  If SEP was stopping the attack, it shouldn't have a chance to drop its payload.

    If there is something malicious that we're not detecting, by all means submit it.  I would also use the Load Point Analysis portion of the Support Tool to see if there are suspicious items in the system's load points.

    "How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files"
    http://www.symantec.com/docs/TECH141402

    If the same machines keep getting infected over and over again, I would examine them with the Microsoft Baseline Security Analyzer to determine if any critical updates are missing, and also ensure third party programs (like Java and Adobe Reader / Flash) are fully updated.

    If you are not using NTP for IPS protection, I would advise enabling that ASAP.

    "Best practices regarding Intrusion Prevention System technology"
    http://www.symantec.com/docs/TECH95347

    sandra
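
The load-point check suggested above is the right place to look when quarantined files keep reappearing, since the dropper usually re-runs from an autostart location such as the Winlogon Userinit value or a Run key. The following is an added example, not part of this thread and not the Symantec Support Tool, that audits a registry export of those keys. The .reg excerpt is constructed for the example (the file names echo the first post); the expected Winlogon defaults and the list of user-writable directories are assumptions that should be checked against a known-good machine of the same Windows version.

```python
import re

# Assumed clean-install defaults for the two Winlogon values most often hijacked
# (verify against a known-good machine; these are assumptions for this example).
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\Windows\system32\userinit.exe,",
        "Shell": "explorer.exe",
    }
}

# Directory fragments that a legitimate autostart entry rarely launches from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\recycler\\")

# Constructed .reg export excerpt (not from the thread). As in real exports,
# backslashes inside values are doubled and embedded quotes are escaped.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\ntdevice.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"ntload"="rundll32.exe C:\\Users\\joe\\AppData\\Local\\Temp\\pizda_ntload.dll,Start"
'''

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse the REG_SZ subset of .reg syntax into {key_path: {value_name: value}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                name = m.group(1)
                # Undo the export's escaping so paths compare like the live registry.
                value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = value
    return keys


def audit_load_points(keys):
    """Return (key, value_name, value, reason) tuples for entries worth a closer look."""
    findings = []
    # 1. Winlogon values that differ from the expected defaults (extra executables appended).
    for key, expected in EXPECTED.items():
        for name, want in expected.items():
            got = keys.get(key, {}).get(name)
            if got is not None and got.lower() != want.lower():
                findings.append((key, name, got, "differs from expected default"))
    # 2. Run/RunOnce entries that launch from user-writable directories.
    for key, values in keys.items():
        if key.lower().endswith(("\\run", "\\runonce")):
            for name, cmd in values.items():
                if any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
                    findings.append((key, name, cmd, "launches from user-writable directory"))
    return findings


if __name__ == "__main__":
    for key, name, value, reason in audit_load_points(parse_reg(SAMPLE_REG)):
        print(f"[{reason}] {key}\\{name} = {value}")
```

On the constructed export this reports the extra executable appended to Userinit and the Run entry loading a DLL from the user's Temp folder, while leaving the default Shell value and the Program Files entry alone; the flagged files are the ones a sample submission would need, not the detection names Malwarebytes assigns to them.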



  • 9.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 08, 2010 12:31 PM

    Thank you for the help.

     

    The files below are the ones that SEP is not putting in quarantine. These files create the risks at logon that SEP does quarantine.  So SEP is catching the risks, but not the program that is creating the risks.  SEP did not find any of the files below.

     

    Trojan.Downloader

    Rootkit.Agent.Gen

    Rogue.Multiple

    Malware.Trace



  • 10.  RE: Why do I have to use Malwarebytes to delete some Risks?

    Posted Oct 08, 2010 02:04 PM

    Those aren't file names.  Those are the names by which Malwarebytes classifies what it detects.  Whatever the actual file is (or was) would be what you would want to submit for analysis.

    sandra