Endpoint Protection

  • 1.  Why doesn't SEP stop Rogue Viruses?

    Posted Apr 18, 2011 06:04 PM

    I'm an IT guy who supports several Symantec Endpoint Protection customers.  Lately (the past 3 months) I've been dealing with infections which are fake antivirus, antispyware, or hard drive utilities.  When we scan with SEP, no detections are found.  But, I can tell you, they're infected!  They get pop-up screens continually telling the user that their system is infected and they need to purchase the advertised software. 

    These infections basically make the system unusable.  I've run web searches to get info about them and how to get rid of them.  Most of the time, it seems that a free AV software is the one that does the trick. (Malwarebytes Anti-Malware, most often).

    Why are we having the customers spend so much on SEP, when a free-ware program seems to do a better job at protecting the stations?

    And, when I just searched Symantec's threat database, I don't find anything about these infections.  Are you ignoring them purposely, or what?

    I haven't found any other way to contact Symantec's support re: these things, so that's why I'm doing it here.

    Let me know what Symantec's doing about these types of infections, as they seem to be more and more prevalent.

    Todd

    F1 - Albuquerque, NM   USA



  • 2.  RE: Why doesn't SEP stop Rogue Viruses?

    Posted Apr 18, 2011 09:15 PM

    It does, but the problem is FakeAV is re-coded numerous times a day, making it difficult to keep up with definitions.

    Make sure to review some of the best practices:

    http://www.symantec.com/business/theme.jsp?themeid=stopping_malware

    Also, tighten up security on the SEP client. Out of the box settings do not cut it:

    http://www.symantec.com/business/support/index?page=content&id=TECH122943


    Top "Best Practices" Articles for Symantec Endpoint Protection (SEP) 11.0

    http://www.symantec.com/business/support/index?page=content&id=TECH133764&actp=search&viewlocale=en_US&searchid=1303175572946



  • 3.  RE: Why doesn't SEP stop Rogue Viruses?

    Posted Apr 18, 2011 09:46 PM

    The current trend, I think, is that these Rogue AVs do not install malware directly. When one of your users visits their sponsored site, they open up another browser window with images that look like the local desktop of your user. And it contains the script that then downloads the rogue software.

    The best practice here is to not allow the end users to download and install software from sites. Educate them on Rogue AVs and what SEP looks like when scanning and showing alerts so they can differentiate between the two. And set up a web filtering server to protect all end users inside the network - the goal here is to prevent threats from entering your network.



  • 4.  RE: Why doesn't SEP stop Rogue Viruses?

    Trusted Advisor
    Posted Apr 19, 2011 10:16 AM

    Hello,

    Did you check this Symantec Forum Article:

    How to troubleshoot FakeAV if it is not detected

    https://www-secure.symantec.com/connect/articles/how-troubleshoot-fake-av-if-it-not-detected


    I am sure this may answer all your questions.



  • 5.  RE: Why doesn't SEP stop Rogue Viruses?

    Posted Apr 19, 2011 10:20 AM

    Hi Todd,


    The people who write these FakeAV programs have a serious financial incentive to make them as elusive as possible.  Symantec has recently released the Internet Security Threat Report, Volume 16 (http://www.symantec.com/business/threatreport/index.jsp), which offers a bit of information about today's threat landscape.  Definitely recommended!


    Here are some forum threads with additional information on FakeAV:

    https://www-secure.symantec.com/connect/forums/why-endpoint-security-not-catching-most-malware

    https://www-secure.symantec.com/connect/forums/application-and-device-control-policy-stop-fakeav-terminating-sep

    https://www-secure.symantec.com/connect/forums/what-does-mean


    Hope this helps!


    Mick



  • 6.  RE: Why doesn't SEP stop Rogue Viruses?

    Posted Apr 19, 2011 10:36 AM

    I believe that the key to protecting your users from these threats is to:

    • Patch your computers.
    • Patch your computers. (so important, I listed it twice)
    • Users can't be local admins
    • Use alternate browsers. I recommend chrome or firefox
    • Subscribe to a web filtering service
    • User education


    I believe that we can't expect Symantec to solve all of our security problems.


    We stopped using Malwarebytes because it violates their EULA.



  • 7.  RE: Why doesn't SEP stop Rogue Viruses?

    Posted Apr 19, 2011 11:45 AM

    My thoughts are that your first 4 items have been complied with in our case... it didn't make any difference.

    It will happen no matter what you tell the users, but having something to help stop it, like SEP, would be a really nice feature.  Do you want to rely on your users to keep your workstation running? That in itself is a huge problem.  Why do we have this software running on the workstation in the first place?




  • 8.  RE: Why doesn't SEP stop Rogue Viruses?

    Posted Apr 19, 2011 12:01 PM

    You might try installing Safe Web Lite on all your clients.

    Safe Web Lite provides a safer search experience by warning you of dangerous Web sites right in your search results, so you can search, browse, and shop online without worry.

    https://safeweb.norton.com/lite

    Idea - https://www-secure.symantec.com/connect/idea/add-safe-web-lite-sep

    Paul Murgatroyd stated: Safeweb is included on the upcoming SEP 12.1 distribution media.  It's not integrated yet, but can still be used by customers.