Endpoint Protection Small Business Edition

  • 1.  sep can't remove koobface virus

    Posted Jan 11, 2011 09:44 AM

    a user of mine running sep 12 client

    got infected over facebook with koobface virus

    sep client was unable to remove the virus, it just blocked suspicious incoming and outgoing traffic

    but after running several scans

    and updating the client

    the computer was still infected

     

    facebook blocked the user account for spamming and virus spreading and offered mcafee tool to clean it.

    which worked and removed a file from win folder that sep didn't find

    later i installed Malwarebytes Anti-Malware and it found 7 "trojans"

     

    lately sep protection seems a bit off ...

    it's not the first time i tackle with files that sep can't remove and i have to use different tools to clean the computer

    i can't even send the files for observation cause it's not being quarantined

     

    what's up with sep lately?



  • 2.  RE: sep can't remove koobface virus

    Posted Jan 11, 2011 09:53 AM

    Make sure you are running SEP with the recommended security settings.

    Make sure your system OS is patched and running the latest software updates.

    Security Response recommends the following Scan Settings

     

    | Antivirus Security Setting | Default Setting | High Security Policy | Security Response Recommendation |
    |---|---|---|---|
    | Lock settings | Some | Some | All |
    | Remediation: terminate processes | No | No | Yes |
    | Remediation: terminate services | No | No | Yes |
    | Auto-Protect action taken for security risks | Quarantine/Log | Quarantine/Log | Quarantine/Delete |
    | Network Auto-Protect | Disabled | Enabled | Enabled |
    | Bloodhound Level | Default (2) | Default (2) | Default (3) |
    | SEP Startup | System Start | System Start | System Start |
    | Auto-Protect Scan | Modify and access | Modify and access | Modify and access |

    Security Response recommends the following setting changes to Truscan for best protection

     

    | Truscan | Default Setting | Security Response Recommendation |
    |---|---|---|
    | Scan Sensitivity | 9/Low | 100 |
    | Action on Detection | Log | Terminate |
    | Scan Frequency | 1:00 | 00:15 |

    http://www.symantec.com/business/support/index?page=content&id=TECH122943&locale=en_US

    Follow the best practices for stopping malware and other threats -

    http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&inid=us_sr_carousel_panel7_best_practices

    Use a tool like the Norton Safe Web lite to help alert you of unsafe websites when searching the net.

    https://safeweb.norton.com/lite

     

    W32.Koobface - Removal - http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3

    I hope this information is helpful.

     

    Best,

    Thomas



  • 3.  RE: sep can't remove koobface virus

    Posted Jan 11, 2011 02:33 PM

    Unfortunately I don't think Truscan sensitivity can be adjusted in SEP 12 Small Business.

    sandra



  • 4.  RE: sep can't remove koobface virus

    Posted Jan 12, 2011 04:08 AM

    thanks

    i will try those settings

     

    but it still doesn't change the fact that sep couldn't recognize the virus at all...



  • 5.  RE: sep can't remove koobface virus

    Posted Jan 12, 2011 10:12 AM

    SEP uses signature-based detection. I suspect this is a new variant, and until Security Response gets a sample to create new definitions, it will go undetected.

     

    If you have a sample, please submit it to Security Response or Threat Expert for analysis ASAP.

    http://www.symantec.com/business/security_response/submitsamples.jsp

    http://www.threatexpert.com/submit.aspx