Why does symantec endpoint protection not pickup Win32/Dorkbot!lnk?
Created: 02 Nov 2011 | 9 comments
MS Security Essentials picks it up but Symantec enterprise endpoint protection does not. MSE picks it up as Win32/Dorkbot!lnk. Endpoint version is 11.0.6005.562.
Comments
What to do when a competitor's antivirus, adware scanner, or spyware scanner detects a threat that Symantec AntiVirus does not detect
http://www.symantec.com/docs/TECH99494
Submit the file to Symantec Security Response and it will get detected.
However, I would suggest using Symantec's recommended Application Control policy that blocks LNK files. There is an MS vulnerability in the way LNK files can be used, and it is highly exploited by numerous threats.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Vikram can confirm it
I don't recollect, but there was an MS update released on this long back for LNK files; if Vikram can confirm it would be great,
and that should fix the issue for you.
Swapnil
SOC Team.
Please don't forget to mark your thread solved with whatever answer helped you.
http://blogs.technet.com/b/mm
http://www.securityfocus.com/bid/41732/solution
http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=adc
Thank Vikram
Swapnil
SOC Team.
Workstations are already patched with this MS security update.
Up:Why does SEP not pick up Win32/Dorkbot!lnk
The Application Control policy provided in the link doesn't resolve the issue for me. It just pops up a notification that you should visit an ancient MS Windows update whenever rtvscan sees a LNK file on a remote location or connected device on Windows, which is pretty often.
On the other hand, the current Dorkbot is often accompanied by another virus, A??? something, in an image file named DSC????.jpg; once executed it's pretty hard to get rid of for a standard user.
Among the two viruses' symptoms are:
Creating a folder with "adobe" in the name.
Moving files on remote/connected devices into invisible folders and creating LNK files pointing to them.
I have submitted samples of the viral code; Symantec responded with an e-mail saying that I had sent too many files (10), without mentioning any limit beforehand. And by the time I could take a second turn, I had already deleted all the samples I had. I have given up on trying to make this work. MS Security Essentials is a free and fast fix.
Maybe Symantec will someday actually do something about it too, instead of complaining in a notification pop-up about an existing update being missing on my clients' computers?
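The symptom described in the post above (real files moved into a hidden folder, and shortcuts at the drive root that carry the original file names and point into that folder) can be checked for without running anything from the drive. The script below is an added example, not code from this thread or from Symantec: it reads only the LocalBasePath field of each .lnk (per Microsoft's MS-SHLLINK layout), pairs it with a hidden sibling folder, and lists folders with "adobe" in the name. It assumes a dot-prefixed folder stands in for the hidden attribute on non-Windows hosts, and it builds its own constructed test drive with hypothetical file names in a temp directory so it runs offline.

```python
"""Removable-drive triage for the pattern described in the post: .lnk shortcuts at
the drive root whose names mirror real files hidden in a subfolder. Added example;
not from the thread or from Symantec. Nothing on the drive is executed."""
import struct
import sys
import tempfile
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags bit (MS-SHLLINK 2.3)
FILE_ATTRIBUTE_HIDDEN = 0x02


def lnk_local_path(data: bytes):
    """Return the LocalBasePath stored in a Shell Link, or None if absent/malformed.
    Only the fields needed to reach the LinkInfo block are walked."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:          # skip the variable-size IDList
        if pos + 2 > len(data):
            return None
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & HAS_LINK_INFO or pos + 28 > len(data):
        return None
    _size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                    # network-only link, no local path
    start = pos + base_off
    end = data.find(b"\x00", start)
    return data[start:end].decode("cp1252", errors="replace") if end > start else None


def is_hidden(p: Path) -> bool:
    """Hidden attribute on Windows; elsewhere a dot prefix stands in (assumption so
    the example runs on non-Windows hosts)."""
    if sys.platform == "win32":
        return bool(p.stat().st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    return p.name.startswith(".")


def triage_drive(root: Path) -> dict:
    """Report root-level .lnk files whose target is a real file in a hidden subfolder
    and whose visible name mirrors that file, plus any folder with "adobe" in its name."""
    lnk_pairs = []
    for lnk in sorted(root.glob("*.lnk")):
        target = lnk_local_path(lnk.read_bytes())
        parts = target.replace("/", "\\").split("\\") if target else []
        if len(parts) < 2:
            continue
        folder, fname = root / parts[-2], parts[-1]
        shown = lnk.name[:-4]                          # what Explorer shows: "DSC0001.jpg"
        if (folder.is_dir() and is_hidden(folder) and (folder / fname).is_file()
                and shown.lower() in (fname.lower(), Path(fname).stem.lower())):
            lnk_pairs.append(lnk.name)
    adobe = sorted(d.name for d in root.iterdir() if d.is_dir() and "adobe" in d.name.lower())
    return {"lnk_pairs": lnk_pairs, "adobe_folders": adobe}


def build_test_lnk(target: str) -> bytes:
    """Constructed test fixture: the smallest shortcut that carries a LocalBasePath
    (header + LinkInfo with a VolumeID and the path). Used only to exercise the parser."""
    path = target.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"   # DRIVE_FIXED, empty label
    base_off = 28 + len(volume_id)
    suffix_off = base_off + len(path)
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            28, base_off, 0, suffix_off) + volume_id + path + b"\x00"
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, times, sizes unused
    return header + link_info + b"\x00\x00\x00\x00"       # empty ExtraData terminal block


def run_demo() -> dict:
    """Build a constructed drive image in a temp dir (hypothetical names) and triage it."""
    root = Path(tempfile.mkdtemp(prefix="drive_"))
    hidden = root / ".hid"
    hidden.mkdir()
    (hidden / "DSC0001.jpg").write_bytes(b"\xff\xd8\xff")      # the user's real photo
    (root / "DSC0001.jpg.lnk").write_bytes(build_test_lnk("E:\\.hid\\DSC0001.jpg"))
    (root / "readme.lnk").write_bytes(build_test_lnk("C:\\Windows\\notepad.exe"))  # benign
    (root / "Adobe").mkdir()
    return triage_drive(root)


if __name__ == "__main__":
    print(run_demo())
```

Run it against a mounted drive by passing the drive root to triage_drive; a non-empty lnk_pairs list is the cue to hand the shortcut files to the vendor as samples rather than opening them. The parser deliberately ignores the IDList and any command-line arguments so that a damaged or hostile shortcut can only yield None.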
Please upgrade
SEP 12.1 includes over 4 years of security technology improvements.
Up:Why does SEP not pick up Win32/Dorkbot!lnk
It was/is 12.1 on all my clients. It's now resolved through a case, file submission, and rapid response definitions being deployed.