Endpoint Protection

  • 1.  Win 7 Antivirus 2012 - Fake Antivirus tool.

    Posted Jan 12, 2012 11:00 AM

    I recently had to clean a computer affected by the above malware. The client SEP quarantined the trojans that carried the SW onto the computer but did not block it loading. The virus definitions were up to date on the computer at the time. I was unable to clean his computer using SEP and the Microsoft Malicious SW Removal Tool. Malwarebytes did the trick. This is not the first time that fake Antivirus tools have succeeded in loading on SEP-protected client computers. And therefore I am getting concerned that either our client protection settings and user policies are weak, or SEP is not providing adequate protection.

    Please comment on the above.




  • 2.  RE: Win 7 Antivirus 2012 - Fake Antivirus tool.

    Trusted Advisor
    Posted Jan 12, 2012 11:03 AM

    Hello,

    It is important to understand the Rogue Antivirus / FakeAV (virus) to answer your question.

    FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased. 

    Check this Article:

    How to troubleshoot FakeAV if it is not detected

    https://www-secure.symantec.com/connect/articles/how-troubleshoot-fakeav-if-it-not-detected

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec

    Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security

    About the FakeAV, let me share some Symantec Knowledgebase Articles:

    Does Symantec Endpoint Protection protect me from fake anti-virus programs?

    http://www.symantec.com/docs/TECH122898

    SEP and Norton Network Threat Protection/IPS Signature Naming Improvements

    http://www.symantec.com/docs/TECH152794


    The latest variant was discovered on 01/01/2012. SEP should be catching these known threats, but remember that when a new variant is released, SEP will not be able to catch it until a signature is written. Notice the increase in new threats this year; there are three in the first two weeks. As always, be sure to have the latest definitions on all your systems.

    http://www.symantec.com/business/security_response/landing/azlisting.jsp?azid=T


    Hope that helps!!



  • 3.  RE: Win 7 Antivirus 2012 - Fake Antivirus tool.

    Posted Jan 12, 2012 11:38 AM

    Are you using all features of the product or just AV/AS? It is highly recommended that you use all features, especially Intrusion Prevention.

    In terms of removal tools, we have developed our Power Eraser tool in order to remove FakeAV infections. Below is documentation regarding Power Eraser, which is built into the SEP Support Tool that you can run on an infected machine.

    http://www.symantec.com/docs/TECH134803