FAKE AVs: maybe a way to combat them?
Lately we have been getting a lot of these FAKE AVs, which also pop up porn sites and change your IE proxy settings (enabling a proxy) so you can't surf anymore. Shouldn't Symantec know something is strange when all of a sudden an application changes IE settings? Is there any way to at least have a POPUP message alerting the user that their proxy settings are being modified, with an Allow or Deny choice? Then if you deny, kill and quarantine the application which is trying to make these changes. This would be one way that a user can KILL and remove these FAKE AVs without an IT person having to do all the cleanup work after the destruction has been done. Also remove the RUN reg key that it puts in place. The latest one I submitted has tracking #14881480; it is a FAKE AV and changed the proxy settings. It seems they keep coming up with new versions that SEP misses.
Hope something can be done, because these FakeAVs are becoming more and more popular.
Thanks!
Comments
Similar situation here (see post Receiving SAV virus alert sho..
We are seeing the exact same behavior, and have the same question you do: why is SAV/SEP missing these puppies?... (the title of our post / thread is "Receiving SAV virus alert showing "Static" (only) as threat description")
HHC
IT Services
I made an application device control policy that protects the proxy settings in the registry.
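For anyone without a managed SEP client, the same registry values a device control policy protects can be checked by hand. The script below is an added example (not from this thread and not Symantec's code): it audits the IE proxy values under HKCU and the Run keys the original post mentions, and only clears them when -Remediate is passed. It assumes no proxy is expected on the network (a hijacker usually points IE at a local port) and that a Run entry launching from a temp or profile directory is suspect; both are assumptions, not facts from the thread, so adjust them for your environment. Clearing HKLM Run entries needs an elevated prompt.

```powershell
# Added example: audit (and optionally undo) the IE proxy hijack and Run-key
# persistence described in the thread. Read-only unless -Remediate is given.
[CmdletBinding()]
param(
    [switch]$Remediate   # clear the proxy and remove flagged Run entries
)

$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$runKeys  = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: no proxy should be enabled on this network.
$expectedProxyEnable = 0

$proxy    = Get-ItemProperty -Path $proxyKey
$findings = @()

# [int] turns a missing value into 0 instead of a false positive on $null
if ([int]$proxy.ProxyEnable -ne $expectedProxyEnable) {
    $findings += "ProxyEnable=$($proxy.ProxyEnable) ProxyServer='$($proxy.ProxyServer)'"
}
if ($proxy.AutoConfigURL) {
    # A PAC script is the other common way to redirect or block browsing
    $findings += "AutoConfigURL='$($proxy.AutoConfigURL)'"
}

# Assumption: legitimate autostarts live under Program Files; droppers run from
# user-writable locations such as TEMP or the profile.
$suspectPaths  = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) | Where-Object { $_ }
$badRunEntries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $cmd = [string]$p.Value
        foreach ($sp in $suspectPaths) {
            # -like "*$sp*" tolerates a quoted path and trailing arguments
            if ($cmd -like "*$sp*") {
                $badRunEntries += [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
                $findings += "Run entry '$($p.Name)' in $key -> $cmd"
                break
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No proxy hijack or suspicious Run entries found.'
    return
}
Write-Warning ("Findings:`n" + ($findings -join "`n"))

if ($Remediate) {
    # Note the dropper path from the findings first so it can be submitted
    # to Security Response before its autostart is removed.
    Set-ItemProperty -Path $proxyKey -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $proxyKey -Name AutoConfigURL -ErrorAction SilentlyContinue
    foreach ($e in $badRunEntries) {
        Write-Host "Removing '$($e.Name)' from $($e.Key): $($e.Command)"
        Remove-ItemProperty -Path $e.Key -Name $e.Name
    }
}
```

Run it once without -Remediate to see what it would touch; the proxy and Run values it reports are the ones to submit with the sample. It only covers the per-user IE settings and the two classic Run keys, so a dropper that uses another autostart location or the WinHTTP proxy will not show up here.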
That might be great for a managed computer, but what about unmanaged ones? It still doesn't solve Symantec's problem of identifying these garbage Fake AV programs. They should use this as a method of identifying a hazardous program, and block/quarantine it from doing anything else to your computer.
That is just one area
Fake AV and SEP not picking it up has become an issue, but does anyone notice that it happens with many other forms of malware?
The fake AV programs take advantage of the weakness of traditional signature-based virus scans: the window of time between when they are released in the wild and when we have a sample to write definitions that remove/prevent infection.
One solution to this is to turn up the heuristic portions of SEP. One of those is part of antivirus (Bloodhound) and the other is TruScan Proactive Threat Protection.
How to enable, disable, or configure Bloodhound (TM) heuristic virus detection in Endpoint Protection.
http://service1.symantec.com/SUPPORT/ent-security....
Symantec Endpoint Protection: About Proactive Threat Protection.
http://service1.symantec.com/SUPPORT/ent-security....
By default PTP is set to 'log only' and also set to a low level of aggressiveness. Set it to 'quarantine' and turn the level up, and you will see SEP do a better job of preventing/removing zero-day threats.
Try this program
It removes most fake virus programs:
http://www.malwarebytes.org/
Use the free version.
Tommy
Have you seen the Security Response recommendations for the Scan Settings KB?
http://service1.symantec.com/SUPPORT/ent-security....
A nice thing could be to allow only approved email attachments / scripts to run in a user environment.