
Why is Endpoint Security not catching most of the malware?

Created: 07 Apr 2011 | 7 comments

We have Endpoint Security installed with the most current updates (11.0.6100.645). Most of the time SEP misses the malware and I have to use Malwarebytes (www.malwarebytes.org) to clean it up. Am I missing something, or have I not set up my SEP right? I think Malwarebytes does a way better job than SEP.


Thomas K:

Bump up the AV security settings - see the Security Response Recommended Settings

http://www.symantec.com/business/support/index?pag...

Make sure all your systems are patched and running the latest updates.

Follow the Security Best practices - http://www.symantec.com/business/theme.jsp?themeid...

 

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not -

http://www.symantec.com/business/support/index?pag...

 

If you have a file that SEP is still missing, then please submit it for analysis ASAP.

http://www.symantec.com/business/security_response...


w-d:

I think this document can help:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not
http://www.symantec.com/business/support/index?pag...

 

I would strongly suggest checking this document as well, to ensure that the SEP configuration is correct:

Security Best Practice Recommendations
http://www.symantec.com/business/support/index?pag...

sandra.g:

...but I think we all agree that prevention is far better than remediation.

It is essential that you use not just AV, but PTP and especially NTP for Intrusion Prevention (IPS). Code on fake AV programs and malware changes multiple times a day. AV detections are, for the most part, code-based, i.e. reactive (and I mean all traditional AV protection). IPS is proactive--looking for traffic patterns regardless of code.

Ensure all plugins that tie into Internet Explorer are updated (Quicktime, Adobe Flash / Reader, Java, etc). Make sure all critical system patches are applied.

Look too into using Application and Device control. There are links and details for all of this on this similar thread:

https://www-secure.symantec.com/connect/forums/new...

Most current build of SEP is 11.0.6300, by the way, though I don't believe that will have a significant impact on protection.

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helped.

Mithun Sanghavi:

Hello,

Same old story. Who comes first.... Thief or Cop?

Don't take me otherwise; what I mean to say is, there may be cases where Symantec is not detecting the threat. In that case, Symantec would need your assistance.

Let us know about it. We would like to hear from you.

If you feel there is a new variant of an old threat, or a new threat, that Symantec is not catching, you would have to submit the suspicious files to verify whether those files are clean or malicious.

There are 2 ways to catch the suspicious files.

1) Manual - You may find some files which shouldn't be on the computer. You could submit those files. Yes, sometimes you feel those files are hidden; in that case, go for option 2.

2) Automated - Run the Symantec Support Tool with Loadpoint Analysis and it will collect the suspicious files for you. Check the below:

Using Symantec Support Tool, how do we collect the suspicious files and submit the same to the Symantec Security Response Team.

https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec
 
As told above, prevention is far better than remediation (thanks Sandra!). So what will you do to prevent this thing from happening?

You may also find your answers in the Symantec Knowledgebase article given above:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/business/support/index?page=content&id=TECH98929

A few documents which may be helpful in answering all your how, why, what and where questions.
 
 
1) About viruses and security risks
 
http://www.symantec.com/business/support/index?page=content&id=TECH140085
 
2) What to do when you suspect that a Symantec AntiVirus product is not detecting viruses
 
http://www.symantec.com/business/support/index?page=content&id=TECH99222
 
3) Security Best Practice Recommendations
 
http://www.symantec.com/business/support/index?page=content&id=TECH91705
 
4) Best practices for troubleshooting viruses on a network
 
http://www.symantec.com/business/support/index?page=content&id=TECH122466
 
5) Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003
 
http://www.symantec.com/business/support/index?page=content&id=TECH99331
 
6) About creating a plan to respond to viruses and security risks
 
http://www.symantec.com/business/support/index?page=content&id=HOWTO27199
 
7) How to prevent a virus from spreading using the "AutoRun" feature
 
http://www.symantec.com/business/support/index?page=content&id=TECH104447

Hope I have tried my level best to answer you.
 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ntripp:

We're seeing the same thing.  Our customers are constantly getting infected by the same malware every day.

I submit the infections to Symantec and they are never picked up. When I analyze with VirusTotal, competitors pick up the malware (most often ransomware).

At this point I wouldn't be able to recommend Symantec, besides the fact that it is not detecting even the most common malware that exists in the wild, well after it is first introduced.

Antivirus Version Last Update Result
AhnLab-V3 2011.08.31.01 2011.08.31 -
AntiVir 7.11.14.62 2011.09.01 TR/Fake.Rean.AC
Antiy-AVL 2.0.3.7 2011.09.01 -
Avast 4.8.1351.0 2011.08.31 -
Avast5 5.0.677.0 2011.08.31 -
AVG 10.0.0.1190 2011.09.01 -
BitDefender 7.2 2011.09.01 -
ByteHero 1.0.0.1 2011.08.22 -
CAT-QuickHeal 11.00 2011.08.31 (Suspicious) - DNAScan
ClamAV 0.97.0.0 2011.09.01 -
Commtouch 5.3.2.6 2011.09.01 -
Comodo 9947 2011.09.01 -
DrWeb 5.0.2.03300 2011.09.01 -
Emsisoft 5.1.0.11 2011.09.01 -
eSafe 7.0.17.0 2011.08.31 -
eTrust-Vet 36.1.8534 2011.09.01 Win32/FraudSecurity.A!generic
F-Prot 4.6.2.117 2011.09.01 -
F-Secure 9.0.16440.0 2011.09.01 -
Fortinet 4.3.370.0 2011.08.31 -
GData 22 2011.09.01 -
Ikarus T3.1.1.107.0 2011.09.01 -
Jiangmin 13.0.900 2011.08.31 -
K7AntiVirus 9.111.5077 2011.08.31 -
Kaspersky 9.0.0.837 2011.09.01 -
McAfee 5.400.0.1158 2011.09.01 FakeAlert-Rena.ac
McAfee-GW-Edition 2010.1D 2011.08.31 -
Microsoft 1.7604 2011.09.01 -
NOD32 6427 2011.09.01 a variant of Win32/Kryptik.RYF
Norman 6.07.11 2011.09.01 -
nProtect 2011-09-01.01 2011.09.01 -
Panda 10.0.3.5 2011.08.31 -
PCTools 8.0.0.5 2011.09.01 -
Prevx 3.0 2011.09.01 -
Rising 23.73.01.03 2011.08.30 -
Sophos 4.68.0 2011.09.01 Mal/FakeAV-NW
SUPERAntiSpyware 4.40.0.1006 2011.09.01 -
Symantec 20111.2.0.82 2011.09.01 -
TheHacker 6.7.0.1.287 2011.09.01 -
TrendMicro 9.500.0.1008 2011.09.01 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.01 -
VBA32 3.12.16.4 2011.08.31 -
VIPRE 10335 2011.09.01 -
ViRobot 2011.9.1.4651 2011.09.01 -
VirusBuster 14.0.195.0 2011.08.31 -
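The VirusTotal list pasted above is a fixed four-column text format (engine, engine version, definition date, result). This added example, not code from the thread or from any vendor, parses that format, counts any result other than "-" as a detection so that heuristic verdicts such as DNAScan are included, and reports which engines flagged the file; the sample rows are a subset copied from the list above.

```python
from dataclasses import dataclass
from typing import List

# Sample rows copied from the VirusTotal list pasted in the thread (a subset).
SAMPLE = """\
Antivirus Version Last Update Result
AntiVir 7.11.14.62 2011.09.01 TR/Fake.Rean.AC
Avast 4.8.1351.0 2011.08.31 -
CAT-QuickHeal 11.00 2011.08.31 (Suspicious) - DNAScan
McAfee-GW-Edition 2010.1D 2011.08.31 -
NOD32 6427 2011.09.01 a variant of Win32/Kryptik.RYF
Sophos 4.68.0 2011.09.01 Mal/FakeAV-NW
Symantec 20111.2.0.82 2011.09.01 -
"""

@dataclass
class Verdict:
    vendor: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        # VirusTotal prints "-" for a clean verdict; anything else, including
        # heuristic hits such as "(Suspicious) - DNAScan", counts as a detection.
        return self.result != "-"

def parse_vt_list(text: str) -> List[Verdict]:
    """Parse the four-column text format into Verdict records."""
    verdicts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue  # skip blank lines and the header row
        # Vendor, version and date never contain spaces; the result may
        # ("a variant of Win32/Kryptik.RYF"), so split at most three times.
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # malformed or truncated row
        verdicts.append(Verdict(*parts))
    return verdicts

def detection_summary(verdicts: List[Verdict]) -> dict:
    """Detection ratio and the vendors that flagged the sample."""
    hits = [v for v in verdicts if v.detected]
    return {"total": len(verdicts), "detected": len(hits),
            "vendors": [v.vendor for v in hits]}
```

Running `detection_summary(parse_vt_list(SAMPLE))` on the full paste gives the per-engine picture the next reply refers to: which engines had a signature or heuristic for the file on that day, and which did not.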
Thomas K:

@ ntripp,

If you submit a file that is proven malicious, we will create definitions to protect. What you may be seeing are new variants of an existing threat that are getting through.

As you can see by the VirusTotal list that you posted, not every AV product will catch every threat 100% of the time.

Please submit the new file(s) to us for analysis ASAP, so that we can create the signatures to protect you.  http://www.symantec.com/business/security_response...

 

It is not just about Antivirus these days. You need to educate your users on safe Web surfing and email practices.

Tighten your security settings on your AV policy - http://www.symantec.com/business/support/index?pag...

Use plug-ins like Norton Safe Web Lite to help warn users of malicious websites - http://safeweb.norton.com/lite

Use features such as our Facebook link scanner - http://www.facebook.com/apps/application.php?id=31...

Add an email filtering product to your environment such as Symantec Mail Security for Microsoft Exchange or one of our Symantec.cloud Email Security products.

And most importantly, follow all the Security Best Practices  - http://www.symantec.com/business/theme.jsp?themeid...

 

Regards,

Thomas


Austin2011:

We are a company. We have approximately 100 PCs that have internet access. We use SEP 11.0.5002.333. They are managed by a SEP server. We also use Proactive Threat Protection. We have approximately 3 PCs a week that are incapacitated by malware. We are extremely frustrated with SEP. We have increasingly relied on Malwarebytes to help us deal with the problem.

Today I spent 4 hours on a laptop infected with malware. SEP never recognized any file as a threat.

I was able to identify the time of the attack and identify the files created at that time and was able to delete them. I also installed Malwarebytes. It found 4 threats. SEP found 0.

What can I do to help Symantec help us?