Endpoint Protection

  • 1.  Adding file for detection to Endpoint Protection

    Posted May 19, 2009 04:11 PM
    Recently started converting to Symantec Endpoint Protection (11.0.4~).   How do you add a file name to be detected/deleted to the software beyond the standard LiveUpdate package?  We have a file named virusremoval.vbs trying to spread itself and we want Endpoint to delete the file whenever and wherever it finds it.  

    Seems like this would not be a hard task, but the only information I have found so far is how to ignore (centralized exception) a file during a scan.  Seems to me an "exception" should give you the ability to choose what to do with a file instead of only being able to ignore it during scans.


  • 2.  RE: Adding file for detection to Endpoint Protection

    Posted May 19, 2009 04:22 PM
    Kind of hard to answer your question. Short answer is this is not what you really want to do. I have a couple of questions though. What OS is this machine? Is this only one machine you are seeing this on, or are you managing a full network where this is happening? Is SEP detecting and cleaning this virus now at all? I don't know if you are asking how to get SEP to delete the virus and not quarantine it. I think you are asking if you can add a specific file name to SEP so that it deletes this file. 

    The first thing you are going to want to do is start the computer in safe mode, and run a full virus scan. You will want to do this with System Restore off. See if SEP will pick up/clean the virus then. If you have SEP set up to where it will quarantine the virus then you should submit the file to us, and we can analyze it. We will then send out a rapid release if this is a new variant that we don't pick up, and then come out with the full protection against this particular virus in the next set of definitions. Also it is a good idea to try to figure out when/how you picked up this virus in the first place. Questions to ask yourself are these: is peer-to-peer file sharing on my machine, what questionable websites did I visit recently, did I open any misleading attachments on emails. That sort of thing. Hope this helps, and sorry if I am misunderstanding what you are asking.

    Cheers
    Grant


  • 3.  RE: Adding file for detection to Endpoint Protection

    Posted May 19, 2009 04:34 PM
    I'm in a school system converting from McAfee to SEP.  We have used the capabilities of McAfee in the past to block files that, while not viruses per se, we do not allow to run on machines in the district (things like U3).  While we can use other methods like Active Directory to block some of these files, antivirus in the past has provided an easy solution for finding files using a specific name and either blocking/quarantining/deleting/logging depending on what we are trying to do.

    My main goal here in posting a question is how do I add to SEP a file name to detect during scans and provide me the standard options (log, quarantine, delete) for said filename.  In this case, it is one of the files used in the Safyway.blogspot trojan (more information here: http://net-studio.org/application/safyway-blogspot.php), and if a computer has the virusremoval.vbs file I want it gone.  The computers in question are all Windows 2000/XP.  Multiple machines are becoming infected (we have taken other measures with the user accounts to prevent further infection), and only the machines we have transitioned to Symantec; the McAfee-protected machines seem to be unaffected.  For this particular virus SEP has not detected nor cleaned the machines.


  • 4.  RE: Adding file for detection to Endpoint Protection

    Posted May 19, 2009 05:08 PM
    Set an Application Control policy that blocks that file from running.

    You should submit the file to Symantec if it is part of a virus/malware that you are seeing.


  • 5.  RE: Adding file for detection to Endpoint Protection
    Best Answer

    Posted May 19, 2009 05:09 PM
    Ah, I see better now what you are trying to accomplish. Yes, we do have this capability. Our version is called Application and Device Control. A search of our site here will provide you with more information than I could possibly mention here. Essentially, though, it can block any specific USB devices or applications. You can even break it up on a group-by-group basis so only certain users will have certain capabilities. It is very handy and completely configurable. Hopefully this is what you are looking for.

    Now you kind of have two questions going. Above is the answer to block things like U3 or Yahoo Messenger or those sorts of things from running on your network. Now this will help keep viruses from spreading via USB in the future, but for now the best way to take care of those files is to do what I said before. Start the machines in safe mode, and run a full system scan. If they aren't getting picked up by SEP then you should submit them to us and we can get you a rapid release very quickly to solve it. Also you should always make sure autorun is disabled on all of your machines. There is a good thread going on right now about whether this is really necessary. Personally I think it is a good idea so I always suggest doing it. There is no way to include a specific name into SEP to get it to delete certain files (if I am wrong please someone correct me).

    Grant-


  • 6.  RE: Adding file for detection to Endpoint Protection

    Posted May 19, 2009 05:38 PM
    If you are looking to prevent P2P apps and IM apps from working, look into the IPS policy.  Most of the popular file sharing and IM apps have IPS sigs in there; however, by default they don't log and are allowed.

    By setting an exception to the default IPS policy for these sigs, you can block the actual network traffic from ever leaving the client machine, thereby rendering the applications useless (they will never log on or connect).  Each incident can also be logged if you want.

    Alternatively, you can use an application policy to block the actual .exe from running for each P2P or IM app; again, logging can be set here too.


  • 7.  RE: Adding file for detection to Endpoint Protection

    Posted May 20, 2009 07:42 PM
    How about UltraSurf? 

    It's a single file that can be renamed and would allow the user to bypass the proxy settings of the network.


  • 8.  RE: Adding file for detection to Endpoint Protection

    Posted May 20, 2009 07:48 PM
    Mon_rarralio,

    What are you talking about?


  • 9.  RE: Adding file for detection to Endpoint Protection

    Posted May 20, 2009 11:35 PM
    It's a different application that some of the users here download from home and bring to work. It allows them to visit company prohibited sites.

    Anyway, a new thread is in here that discusses this:
    https://www-secure.symantec.com/connect/forums/ultrasurf#new


  • 10.  RE: Adding file for detection to Endpoint Protection

    Posted May 21, 2009 03:32 AM
    I believe you can block .exe programs from running via Group Policy, but that gets bypassed by renaming the file. In this case, for the .vbs file, it should be checked by content. It would be better to submit it to Symantec Support if you suspect that this file is a virus; this will definitely also help us to prevent this file from running.

    As for the USB, best practice is to disable autorun.
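The last reply makes the key point of the thread: a block rule keyed on a file name is defeated by renaming, so an unwanted script should be recognised by its content. The following script is an added example illustrating that difference; it is not from the thread and is not how SEP or its definitions work internally. It compares a file-name block list against a SHA-256 content block list over a constructed directory tree. The file names, the placeholder `.vbs` bytes and both block lists are constructed for the example, and the hash list is computed from the placeholder so the script runs offline.

```python
"""Content-based (hash) detection versus file-name matching.

Added example, not from the thread. A file-name block list is defeated
by renaming, while a block list of content hashes is not. All file names
and contents below are constructed placeholders, not real samples.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed placeholder standing in for the unwanted script's bytes.
PLACEHOLDER_VBS = b"' constructed placeholder content for the example\r\nWScript.Echo \"demo\"\r\n"

# Hypothetical block lists a defender would maintain. The hash list is
# computed from the placeholder so the example is self-contained.
NAME_BLOCKLIST = {"virusremoval.vbs"}
HASH_BLOCKLIST = {hashlib.sha256(PLACEHOLDER_VBS).hexdigest()}


def sha256_of(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, name_blocklist=NAME_BLOCKLIST, hash_blocklist=HASH_BLOCKLIST):
    """Walk `root` and return {relative_path: reasons} for every hit.

    A file can match by name (cheap, but evaded by renaming) or by content
    hash (rename-proof, but needs a new hash per variant). Both reasons
    are recorded so a log entry can say how the file was recognised.
    Keys use forward slashes regardless of platform.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in name_blocklist:
                reasons.append("name")
            if sha256_of(path) in hash_blocklist:
                reasons.append("hash")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = reasons
    return hits


def build_demo_tree():
    """Create a constructed directory tree and return its root path.

    The caller is responsible for removing it.
    """
    root = tempfile.mkdtemp(prefix="sepdemo_")
    os.makedirs(os.path.join(root, "share"))
    # 1. The script under its original name: caught by both methods.
    with open(os.path.join(root, "virusremoval.vbs"), "wb") as fh:
        fh.write(PLACEHOLDER_VBS)
    # 2. The same bytes renamed: evades the name list, not the hash list.
    with open(os.path.join(root, "share", "notes.txt"), "wb") as fh:
        fh.write(PLACEHOLDER_VBS)
    # 3. A benign file that happens to share the blocked name: a name-only
    #    hit, which is why the match reason is recorded for triage.
    with open(os.path.join(root, "share", "virusremoval.vbs"), "wb") as fh:
        fh.write(b"' harmless admin script with an unlucky name\r\n")
    # 4. An unrelated file: must never be flagged.
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\r\n")
    return root


def demo():
    """Scan the constructed tree, clean it up, and return the hits."""
    root = build_demo_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: matched by {', '.join(reasons)}")
```

The renamed copy under `share/notes.txt` is the case a name-based Group Policy or application rule misses; the hash list still flags it. The trade-off runs the other way too: a hash list only recognises byte-identical copies, so each new variant needs its own entry, which is why the replies above keep pointing to submitting the sample to the vendor rather than maintaining a local list.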