Why doesn't SEP stop Rogue Viruses?

Created: 18 Apr 2011 | 7 comments

I'm an IT guy who supports several Symantec Endpoint Protection customers.  Lately (the past 3 months) I've been dealing with infections which are fake antivirus, antispyware, or hard drive utilities.  When we scan with SEP, no detections are found.  But, I can tell you, they're infected!  They get pop-up screens continually telling the user that their system is infected and they need to purchase the advertised software. 

These infections basically make the system unusable.  I've run web searches to get info about them and how to get rid of them.  Most of the time, it seems that a free AV software is the one that does the trick. (Malwarebytes Anti-Malware, most often).

Why are we having the customers spend so much on SEP, when a free-ware program seems to do a better job at protecting the stations?

And, when I just searched Symantec's threat database, I don't find anything about these infections.  Are you ignoring them purposely, or what?

I haven't found any other way to contact Symantec's support re: these things, so that's why I'm doing it here.

Let me know what Symantec's doing about these types of infections, as they seem to be more and more prevalent.

Todd

F1 - Albuquerque, NM   USA

_Brian

It does, but the problem is that FakeAV is re-coded numerous times a day, making it difficult to keep up with definitions.

Make sure to review some of the best practices:

http://www.symantec.com/business/theme.jsp?themeid...

Also, tighten up security on the SEP client. Out of the box settings do not cut it:

http://www.symantec.com/business/support/index?pag...

Top "Best Practices" Articles for Symantec Endpoint Protection (SEP) 11.0

http://www.symantec.com/business/support/index?pag...

mon_raralio

The current trend, I think, is that these Rogue AVs do not install malware directly. When one of your users visits their sponsored site, they open up another browser window with images that look like the local desktop of your user. And it contains the script that then downloads the rogue software.

The best practice here is to not allow the end users to download and install software from sites. Educate them on Rogue AVs and what SEP looks like when scanning and showing alerts so they can differentiate between the two. And set up a web filtering server to protect all end users inside the network - the goal here is to prevent threats from entering your network.

“Your most unhappy customers are your greatest source of learning.”

Mithun Sanghavi

Hello,

Did you check this Symantec Forum Article:

How to troubleshoot FakeAV if it is not detected

https://www-secure.symantec.com/connect/articles/how-troubleshoot-fake-av-if-it-not-detected

I am sure this may answer all your questions.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mick2009

Hi Todd,

The people who write these FakeAV programs have a serious financial incentive to make them as elusive as possible. Symantec has recently released the Internet Security Threat Report, Volume 16 (http://www.symantec.com/business/threatreport/index.jsp) which offers a bit of information about today's threat landscape. Definitely recommended!

Here are some forum threads with additional information on FakeAV:

https://www-secure.symantec.com/connect/forums/why-endpoint-security-not-catching-most-malware

https://www-secure.symantec.com/connect/forums/application-and-device-control-policy-stop-fakeav-terminating-sep

https://www-secure.symantec.com/connect/forums/what-does-mean

Hope this helps!

Mick

With thanks and best regards,

Mick

khaskins82

I believe that the key to protecting your users from these threats is to:

  • Patch your computers.
  • Patch your computers. (so important, I listed it twice)
  • Users can't be local admins
  • Use alternate browsers. I recommend chrome or firefox
  • Subscribe to a web filtering service
  • User education

I believe that we can't expect Symantec to solve all of our security problems.

We stopped using Malwarebytes because it violates their EULA.
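Two of the controls in the list above (no local admins, patched machines) can be checked per workstation from a script. The following PowerShell is an added example written for this thread, not code from khaskins82 or from Symantec; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember and Get-HotFix), that the Windows Update Agent COM API is present, and that the list of accounts allowed in the local Administrators group is supplied by the caller (the default list here is a placeholder).

```powershell
# Added example (not from the thread): audit local admin membership and patch age
# on one Windows workstation. Assumes Windows PowerShell 5.1+ and the Windows
# Update Agent COM API; $AllowedAdmins is an assumed, site-specific allow list.
param(
    [string[]]$AllowedAdmins = @('Administrator', 'Domain Admins'),
    [int]$MaxPatchAgeDays = 30
)

$findings = @()

# 1. Local Administrators group: any member outside the allow list is a finding.
#    Names come back as MACHINE\user or DOMAIN\group, so compare on the short name.
foreach ($m in (Get-LocalGroupMember -Group 'Administrators')) {
    $short = ($m.Name -split '\\')[-1]
    if ($AllowedAdmins -notcontains $short) {
        $findings += "Unexpected local admin: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
    }
}

# 2. Patch age: the newest installed hotfix should be more recent than the threshold.
#    Some hotfix records have no InstalledOn date, so those are skipped.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $when = if ($latest) { $latest.InstalledOn } else { 'never' }
    $findings += "No hotfix installed in the last $MaxPatchAgeDays days (latest: $when)"
}

# 3. Updates that are approved but not yet installed, via the Windows Update Agent.
try {
    $session = New-Object -ComObject 'Microsoft.Update.Session'
    $pending = $session.CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0').Updates
    if ($pending.Count -gt 0) {
        $findings += "$($pending.Count) update(s) pending installation"
    }
} catch {
    $findings += "Could not query Windows Update Agent: $($_.Exception.Message)"
}

# Non-zero exit code lets a scheduled task or management tool flag the machine.
if ($findings.Count -eq 0) {
    "OK: $env:COMPUTERNAME passes local admin and patch checks"
    exit 0
}
$findings | ForEach-Object { "FINDING [$env:COMPUTERNAME]: $_" }
exit 1
```

Run it elevated on each client (or push it as a scheduled task) and collect the output; a machine that reports an unexpected local admin or stale patching is exactly the one where a user can run a FakeAV installer and where unpatched browser components make the drive-by described earlier in the thread more likely to succeed.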

swixt

My thoughts are that your first 4 items have been complied with in our case... didn't make any difference.

It will happen no matter what you tell the users, but having something to help stop it like SEP would be a really nice feature. Do you want to rely on your users to keep your workstation running? That in itself is a huge problem. Why do we have this software running on the workstation in the first place?

Thomas K

You might try installing Safe Web Lite on all your clients.

Safe Web Lite provides a safer search experience by warning you of dangerous Web sites right in your search results, so you can search, browse, and shop online without worry.

https://safeweb.norton.com/lite

Idea - https://www-secure.symantec.com/connect/idea/add-s...

Paul Murgatroyd stated: Safeweb is included on the upcoming SEP 12.1 distribution media. It's not integrated yet, but can still be used by customers.