Does Symantec Endpoint Protection protect me from fake anti-virus programs?

Article:TECH122898  |  Created: 2010-01-01  |  Updated: 2012-06-26  |  Article URL http://www.symantec.com/docs/TECH122898
Article Type: Technical Solution

Issue

I have heard that fake anti-virus programs aren't always detected by anti-virus programs and I want to make sure I am protected.

How do I make sure I'm protected from rogue security software programs?

Solution



What is a Rogue Security Software (Fake Anti-Virus) program?

    A rogue security software (fake anti-virus) program is a type of misleading application (also known as scareware) that pretends to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provides the user with little or no protection and, in some cases, facilitates the installation of the very malicious code it claims to protect against. Commonly, rogue security software claims that it can remove unwanted applications such as spyware or adware. Not only do these scams cheat users out of money by charging for a fraudulent product, but the personal and credit card information that users provide to register these fake products can also be used in further fraud.


How does it get installed?

    There are several different ways in which rogue security software can be installed on a user's computer:

      • It is downloaded and installed manually by a user who has been tricked into believing that the software is legitimate
      • It is installed without the user's knowledge, such as when a user visits a malicious website designed to automatically download and install illegitimate applications
      • The user clicks on a pop-up or advertisement and chooses to download and install the rogue security software
      • The user runs an executable file received as an email attachment
      • Malicious code already resident on the machine
          • Threats that already reside on the machine, such as staged downloaders, can download additional threats and install them, including rogue security software
      • Drive-by download
          • A drive-by download occurs when a user visits a malicious website, or a legitimate website that has been compromised, and malicious code is downloaded onto the user's computer without the user's interaction or authorization


Where do they come from?

    Profit is the primary motivation for the creators and distributors of rogue security software scams. A common approach is to trick users into believing that these rogue security applications are valid, and then to get users to download, install and pay for them. The techniques used to entrap users often rely on fear tactics and other social engineering tricks, distributed through means such as:

      • Links found in spam email messages
      • Pop-up and banner advertisements on websites and in instant messaging programs
      • Postings on forums and social networking sites
      • Sponsored or falsely promoted search engine results
      • Browser helper objects
      • Software disguised as a video codec or browser plug-in supposedly needed to view web content, offered as an instant download
      • Software vulnerabilities. Rogue security software can also get onto the machine through unpatched software vulnerabilities. Some of the more commonly exploited vulnerabilities are found in the following products:
          • Adobe Acrobat
          • Adobe Flash
          • Apple QuickTime
          • Real Player



Why isn't Symantec detecting the rogue security program on my computer?

    New variants and clones are the primary reason why infections still happen. Rogue security software programs are often rebranded or cloned versions of previously developed programs. Cloning is usually done because the original version of the rogue security application has been discovered or detected by legitimate security vendors, so it is fuelled by the hope that one or more of the clones will escape detection. With the rapidly expanding threat landscape, it is not uncommon for hundreds of new variant signatures to be added to our definition sets each day. Although these signatures are added to your antivirus definitions, it is still possible for a new threat (variant or clone) that has not yet been submitted for our review to evade detection by our antivirus product.


How to prevent infection from Rogue Security Software

    Enterprise users:
    • Update antivirus software to the newest available version
    • Update antivirus definitions regularly
    • Keep the operating system updated with all posted security patches
    • Keep all installed applications in the environment patched so that there are no other software-related vulnerabilities on the machines
        • It is very important to react quickly when a new vulnerability is announced for any software you use. Once the vulnerability is made public, it will only be a short time before someone takes advantage of it. Always ensure your software has the necessary security patches to prevent security holes in your environment.
    • Filter out potentially malicious email attachments to reduce exposure to threats
    • Scan all downloads and email attachments with your antivirus program prior to opening them
    • Institute a firewall to monitor and restrict malicious or unwanted traffic
    • Educate end-users about these threats
    • Configure SAV or SEP's Bloodhound (heuristic) technology to provide the maximum level of protection
    • Use SEP's IDS (Intrusion Detection System) in addition to the antivirus and antispam components. There are IDS signatures which can detect and act upon the network traffic generated by FakeAV programs. Using AV and IDS together increases the level of protection.
    General users:
    • Update antivirus definitions regularly
    • Run Windows Update regularly to keep your operating system up to date with all posted security patches
    • Keep all installed software up to date and patched
        • It is very important to react quickly when a new vulnerability is announced for any software you use. Once the vulnerability is made public, it will only be a short time before someone takes advantage of it. Always ensure your software has the necessary security patches to prevent security holes in your environment.
    • Don't click on links or attachments in emails unless you trust the sender and were expecting the information sent
    • Scan all downloads and email attachments with your antivirus program prior to opening them
    • Be cautious of pop-up displays and banner advertisements that mimic legitimate displays or try to promote security products
    • Do not accept or open suspicious error displays from within a web browser, as these are often the methods rogue security software scams use to lure users into downloading and installing their fake product
    • Only purchase security software from reputable and trusted sources, and only download applications directly from the vendor's website or legitimate partners

References
Symantec Report on Rogue Security Software
http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=istr_rogue_security

Legacy ID: 2010020116202748