Endpoint Protection


FakeAlert Trojan

  • 1.  FakeAlert Trojan

    Posted May 11, 2011 09:01 AM

    My company is running SEP 11.0.3001.2224 and my computer has been infected with the (Trojan.FakeAlert) that SEP did not even detect. I had to resort to using McAfee Stinger to remove the infection. Stinger works in removing it, but it keeps turning back up.

    Why is this not just handled by SEP's autoprotect, since this is not a new virus?

    Any suggestions on how to tune SEP to identify /prevent this virus from infection would be very helpful.



  • 2.  RE: FakeAlert Trojan

    Posted May 11, 2011 09:09 AM

    Make sure SEP has the latest defs

    and run a full scan in Safe Mode.



  • 3.  RE: FakeAlert Trojan

    Posted May 11, 2011 09:14 AM

    Here are a few threads that you might want to read over that deal with this subject.

    • https://www-secure.symantec.com/connect/forums/malwarebytes
    • https://www-secure.symantec.com/connect/forums/fake-viruses




  • 4.  RE: FakeAlert Trojan



  • 5.  RE: FakeAlert Trojan

    Trusted Advisor
    Posted May 11, 2011 09:18 AM

    Hello,

    To answer you, it may be a new variant.

    However, you could read this article provided below:

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    In your case, I would have followed these steps provided below:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    To prevent this from happening:

    Work on these articles:

    How to use Application and Device Control to limit the spread of a threat.

    How to block known virus executables that run from %UserProfile% using Application and Device Control


  • 6.  RE: FakeAlert Trojan

    Posted May 11, 2011 09:21 AM

    The updating of the definitions makes sense, doubly so if he downloads the latest rapid release definitions. But how does running a full scan in safe mode help with the auto-protection issue in his enterprise?



  • 7.  RE: FakeAlert Trojan

    Posted May 11, 2011 09:27 AM

    You should submit the suspicious files to Symantec Security Response.

    For Gold License Holders

    https://submit.symantec.com/gold/

    For Essential License Holders

    https://submit.symantec.com/essential

    For BCS License Holders

    https://submit.symantec.com/bcs


    They will create virus defs for the virus and then it will get detected. The name might be old; however, it might be a new variant of the same virus that has been recently released.



  • 8.  RE: FakeAlert Trojan

    Posted May 11, 2011 10:07 AM

    One more thing. Once you have resolved the infection issue, I recommend upgrading off that old MR3 build.

    That version came out in September 2008, and there have been thousands of issues fixed since that build came out.


    RU6 MP3 is the latest build available.

    http://www.symantec.com/business/support/index?page=content&id=TECH155655

    You can get the software from Fileconnect with a valid serial number.

    https://fileconnect.symantec.com/licenselogin.jsp?localeStr=en_US



  • 9.  RE: FakeAlert Trojan

    Broadcom Employee
    Posted May 11, 2011 12:09 PM

    If SEP is up-to-date, and a full system scan does not remove the threat, you could also try running the Symantec Power Eraser (which is built into the SEP Support Tool).

    www.symantec.com/docs/tech105414



  • 10.  RE: FakeAlert Trojan

    Posted May 12, 2011 04:54 PM

    One of our clients has been having the same issue on different machines (~4) for about a month now.

    Malwarebytes successfully finds and cleans the problem from the machine without fail.

    The MB cleanup lists them as FakeAlert, Agent and Hijack; however, I'm aware that there is also a Proxy being inserted into the mix, which I manually remove with HijackThis prior to updating MB.

    Their Endpoint clients believe that they are up to date, the resident shield is active, and they have no-threat-detected scans from startup (even though the FakeAlert, Agent and Proxy are all present at that time), and it will successfully detect the Hijack, but only after the Agent/Proxy/FakeAlert have been removed.


    The client wants to keep Symantec, so we were wondering if there's anything we can do on our end to expedite prevention of infection even though I've already purged the infected files from the machines in question.



  • 11.  RE: FakeAlert Trojan

    Posted May 12, 2011 05:54 PM

    @puppetSoul, make sure you are running SEP at the Security Response recommended settings.

    http://bit.ly/SecuritySettings

    Make sure you are using all the technologies included with SEP such as IPS, NTP, etc.

    http://bit.ly/SymantecSecurityBestPractice

    Install Norton Safe Web Lite on your clients, to help provide a safer search experience for your users.

    http://bit.ly/nortonsafeweblite


    Best regards,

    Thomas