Endpoint Protection


Symantec EP is Useless

Migration User, Jul 26, 2010 10:39 AM

  • 1.  Symantec EP is Useless

    Posted Jul 22, 2010 09:54 AM
    Instead of worrying about image and writing whitepapers about the problem, perhaps Symantec should address the problem of rogue anti-virus programs in a more effective manner, as obviously you are a complete failure at such at the present time. I have just finished hours of work on the 8th machine in the past 2 weeks that has been hit, and I might as well not have had SEP on the machine at all.

    I do not need a lecture or the outline you read from to tell me about proper security practices (as if someone else's fence should make up for your lack of one).

    If groups like Bleeping Computer or Malwarebytes can figure out how to handle these problems, what is your BS excuse for not doing so?? I can run SEP and scan over specific files I know are the infected ones and it goes right on by, as if they were air.

    If you want to say that you have lost the battle, then fine, at least you are honest, but your product contentions are in another universe from reality.

    I am sure that others will comment to the same points. Why should we in IT deploy a product that does not work???

    Apparently your partnership with Microsoft has put you in their game and we all have to suffer (except for myself at home and I have a nice Mac and NEVER any virus problems).


  • 2.  RE: Symantec EP is Useless

    Posted Jul 22, 2010 10:48 AM
    Hi Jazzwineman, please read this KB -


    "Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not"


    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000100610314948

    Make sure you are running your security settings to the recommended levels.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

    See the "Must Do", "Should Do", and "Can Do" for best practices.

    http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&inid=us_sr_carousel_panel7_best_practices

    I hope this is helpful information.

    Thomas




  • 3.  RE: Symantec EP is Useless

    Posted Jul 22, 2010 12:52 PM
    You didn't really give us any information on how SEP is installed and configured in your environment, but it seems clear via your post that you're not really interested in what you can do to further secure these machines.  If you only have AV on these machines, it's not going to be enough.  If you have other components (PTP, NTP) installed, the settings need to be adjusted.  If Application and Device Control is not in use, it's strongly recommended you test and implement policies (examples given in the Connect article given below) to block BHOs and fake AV.

    I'm sorry if you feel that recommendations for a multi-layered approach for the current threat environment are a 'lecture'.

    For what it's worth, here is the best explanation for Symantec's stance on rogue / fake AV programs, and some other documents of interest:

    Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748

    Title: 'Security Response recommendations for Symantec Endpoint Protection settings' (also given above)
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

    Title: 'How to enable, disable, or configure Bloodhound (TM) heuristic virus detection in Endpoint Protection.'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021714114248

    Title: 'How to increase the sensitivity of Proactive Threat Protection in Symantec Endpoint Protection 11.x'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009120214031748

    Title: 'Best practices regarding Intrusion Prevention System technology'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009080314433948

    From here on the forum: Using Application and Device Control to protect against browser hijackers and fake AV
    https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers

    Also, I can't stress enough the importance of updating not only Windows critical updates but third-party programs like Adobe Reader, Flash, Apple QuickTime, Java, etc. When I encounter a case involving fake AV, a majority of the time I also find (for example) vulnerable builds of Adobe Reader installed.

    I can't speak on other programs such as Malwarebytes.  I don't know if they're using code-based detection, heuristics or brute force like the Power Eraser does.

    Regards,
    sandra

    PS. I have a Mac as well.  I have never had a virus on my machine, but I keep it protected with AV.  I just encountered (with a customer) a Mac-native trojan that uses social engineering to prompt you to authenticate to install.  Hope your Mac is protected too. :)


  • 4.  RE: Symantec EP is Useless

    Posted Jul 22, 2010 01:23 PM
    As an IT admin, the first thing you should put in practice is best practice. The fact that so many fake AVs get installed stems from the fact that an end user CAN install anything and everything. It is already as stated above: "as if someone else's fence should make up for your lack of one", and you are relying on an AV product to protect you from yourself...

    I have also heard the argument many times before about not having deployment servers and all the rest, but there do exist open source solutions for small to non-existent budgets for capabilities in deploying.  GPOs and scheduled reboots to roll out deployments etc.

    But hey, that's my opinion and mine alone.  I don't work for Symantec, but have been in IT for over a decade and in all my career, never once have I ever had to deal with a Virus outbreak or infection.  In both closed and open environments, with and without access to the internet. 

    Nothing gets connected to my network if it shouldn't be there.  No thumb drives, floppies, phones, laptops.  No cracks, installers or anything else from the outside.  Evaluations, demos, etc.  Not on production machines. 

    But then again, for incoming corporate e-mail we do rely on Kaspersky, ClamAV and Symantec. Overkill is better than no kill...

    And MACs do get infected as well, apparently. Never personally seen it. Could be a myth. ;-)

    But, MACs are the single most vulnerable issue to any network.  There is no such thing as a secure MAC.  Microsoft has a 3 finger salute to "protect" the login process, MAC has a 2 finger salute to avoid it... 

    My 2 cents.


  • 5.  RE: Symantec EP is Useless

    Posted Jul 22, 2010 01:47 PM

    Pet peeve: Mac, not MAC (that's Media Access Control). :-) I saw my first honest-to-goodness infection detection yesterday on a Mac, something that wasn't just a macro-virus-infected Word document or a Windows virus file sitting on a Mac. It's next to impossible for it to happen accidentally, but it does happen. And without AV protection on them, they could act as a pass-through.

    What's the "2 finger salute"? I don't agree that they can't be secured: I keep my screensaver set to reauthenticate with a password when waking, and I don't automatically sign any user in upon reboot. :-D

    sandra


  • 6.  RE: Symantec EP is Useless

    Posted Jul 22, 2010 02:22 PM
    9 times out of 10, you have it configured wrong. If you don't read the best practices and recommendations, no one can help you. Out of the box, SEP is configured pretty badly and needs to be adjusted quite a bit to stop malware and such. (Search "SEP secret sauce" on google.com for some great recommendations.)

    Did you know SEP even has a Malwarebytes-like tool built in and available to you in RU5 and higher builds? Yes it does, but since you don't read, you don't know about it.

    Beyond that, I see no failure on SEP's part that hasn't already been addressed in the 3 years this product has been out.... I see a failure in the self-entitlement issues this world has come to.




  • 7.  RE: Symantec EP is Useless

    Posted Jul 22, 2010 03:12 PM
    Check all my posts on this very same topic, then check my article on how I helped us get around the issue by BLOCKING virtually anything that tries to install in the USER PROFILE (which Windows leaves wide open, and nasty folks like Google take advantage of when they push their junk on you) by using SEP's great application control!
    AV products are a tool, and like any good carpenter, he reads all there is to know about his power saw, and keeps spares in the truck just in case.............
    It's been a while since a rogue has made it in here. Yes, some folks are perturbed that they can't install anything and everything under the sun whenever they have a notion to, but I've created a group in SEP where the IT folks can simply move a computer or computers into that group, install software, then put them back. It doesn't impact SCCM and SMS installs because those don't rely on user profiles to install like the shysters and crooks at Google and other places do when they push their Chrome and toolbars at you.
    (so how do they rate bypassing Microsoft's requirement that applications install in the Program Files directory anyway??? And folks want to trust them in a CLOUD situation??)


  • 8.  RE: Symantec EP is Useless

    Posted Jul 22, 2010 03:17 PM
    Personally, if I didn't read the whitepapers or have the technical documentation, it would be game over for me. I rely on these things very much as they contain loads of info written by the experts. The documents/whitepapers, whatever you want to call them, are worth their weight in gold. We have a few products we run which lack good documentation and I just cringe over it.

    Also, if you're relying on just AV to protect you, you might as well find another career because you will go crazy pretty quickly. SEP really has a nice multi-layered approach if setup and configured correctly. Out of the box will not do the trick, as is the case with most products.

    Just an FYI, Application and Device Control is the way to go with today's emerging threats. It will stop everything if done the right way.


  • 9.  RE: Symantec EP is Useless

    Posted Jul 25, 2010 04:32 PM

    It is nice to try and make IT people your partners to help you do what you are paid for. All of these suggestions are nice and I am sure well intended, but have long since been implemented. The only one that I have not is to shut the Internet and email off from all users and thus secure the deal. It is ridiculous that the largest threat encountered on the net is not something you are up to date on, and even if you recognize it, you are not able to do a thorough job of removal.

    To Pet Peeve, sorry about the Mac issue; however, I am not the typist/secretary that others may aspire to be.



  • 10.  RE: Symantec EP is Useless

    Posted Jul 26, 2010 08:14 AM
    Sorry, but I HAVE to speak to this:

    >>It is ridiculous that the largest threat encountered on the net, is not something you are up to date on and even if you recognize- are not able to do a thorough job in removal.<<

    You think it's just one?
    It's not. The so-called "fake AV" apps are many, many, many hundreds of different threats that morph or are changed multiple times a day, and literally move from server to server daily. It's a collection of threats, but the general population, and even some mistaken IT folks, call it "a risk" when it's like the mafia: the mafia is not one person or a single family. It's a living, breathing entity, and so is the "phony AV" class. So if you think that an AV company can finally stop that threat and be done with it, please think again, as by this very afternoon it will have changed and moved, and will now be a new threat to contend with.
    Further, my policies have blocked these a few times, and I've watched the logs roll by as one in particular tried 10 different file names and several folders in its attempt to infect. So to block this threat would, at one level, block a lot of GOOD applications from installing.
    And finally, I'd blame Microsoft: in their zest and zeal to make computers dumb and simple enough for the dumb masses, they make them simple enough for kids to break into. They COULD secure them if they desired, but then you'd actually have to know something to operate one! ;-)
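The two posts above (number 7, blocking anything that launches from the user profile with an exception group for IT installs, and number 10, watching one rogue retry under ten file names and several folders) describe a rule and a log pattern without showing either. The script below is an added example written for this page, not SEP's Application and Device Control policy format, not the article linked in post 3, and not anything the posters supplied: it simulates such a rule as plain path matching and then summarises a constructed log to show the retry pattern. The rule set (executable extensions, profile roots), the exception path for an internal updater, the "install group" flag and the log line format are all assumptions for illustration.

```python
"""Simulate a 'block executables launched from the user profile' rule
and summarise blocked launch attempts per parent process.

Added example for illustration only: the rule set, the exception
paths, the install-group exemption and the log format are assumed and
are not SEP's own policy or log schema."""
import fnmatch
import ntpath
import re

# Assumed rule set: what counts as executable content and where profiles live.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
USER_PROFILE_ROOTS = [r"c:\users\*", r"c:\documents and settings\*"]
# Assumed exception: an internal updater that legitimately runs from AppData.
# Every entry here is a hole in the rule, so keep this list short and audited.
ALLOW_PATTERNS = [r"c:\users\*\appdata\local\corpit\updater\*"]


def normalize(path: str) -> str:
    """Windows paths compare case-insensitively; unify separators and quotes."""
    return path.strip().strip('"').lower().replace("/", "\\")


def is_executable(path: str) -> bool:
    return ntpath.splitext(normalize(path))[1] in EXEC_EXTENSIONS


def in_user_profile(path: str) -> bool:
    p = normalize(path)
    # fnmatch's '*' also matches backslashes, so root + '\*' covers any depth
    return any(fnmatch.fnmatchcase(p, root + "\\*") for root in USER_PROFILE_ROOTS)


def decide(path: str, in_install_group: bool = False) -> tuple:
    """Return (verdict, reason) for a launch of `path`.

    in_install_group models moving a computer into the IT install group
    (assumed name) while software is being installed, then moving it back."""
    p = normalize(path)
    if in_install_group:
        return "allow", "computer is in the IT install group"
    if not is_executable(p):
        return "allow", "not an executable file type"
    if not in_user_profile(p):
        return "allow", "outside any user profile"
    for pat in ALLOW_PATTERNS:
        if fnmatch.fnmatchcase(p, pat):
            return "allow", "matches exception " + pat
    return "block", "executable launched from inside a user profile"


# Constructed log lines (assumed format): one rogue installer retrying under
# different names and folders, plus legitimate activity that must not be blocked.
SAMPLE_EVENTS = [
    "2010-07-26 08:14:02 parent=iexplore.exe target=C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup_av.exe",
    "2010-07-26 08:14:03 parent=iexplore.exe target=C:\\Users\\jdoe\\AppData\\Local\\Temp\\av_secure2010.exe",
    "2010-07-26 08:14:05 parent=iexplore.exe target=C:\\Users\\jdoe\\AppData\\Roaming\\hkcmd.exe",
    "2010-07-26 08:14:06 parent=iexplore.exe target=C:\\Users\\jdoe\\Desktop\\Security Tool.exe",
    "2010-07-26 08:14:07 parent=iexplore.exe target=C:\\Users\\jdoe\\Downloads\\report.pdf",
    "2010-07-26 08:20:00 parent=msiexec.exe target=C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe",
    "2010-07-26 08:21:00 parent=explorer.exe target=C:\\Users\\jdoe\\AppData\\Local\\CorpIT\\Updater\\update.exe",
]
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) parent=(?P<parent>\S+) target=(?P<target>.+)$")


def summarize(events, in_install_group: bool = False) -> dict:
    """Per parent process, count distinct blocked file names and folders.

    A single parent with many names across several folders is the retry
    pattern described in the thread; one name in one folder is usually a
    user trying to install something once."""
    names, folders = {}, {}
    for line in events:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the report
        parent, target = m["parent"], normalize(m["target"])
        verdict, _ = decide(target, in_install_group)
        if verdict == "block":
            names.setdefault(parent, set()).add(ntpath.basename(target))
            folders.setdefault(parent, set()).add(ntpath.dirname(target))
    return {p: {"names": len(names[p]), "folders": len(folders[p])} for p in names}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        path = LOG_RE.match(ev)["target"]
        print("%-5s %s" % (decide(path)[0].upper(), path))
    print(summarize(SAMPLE_EVENTS))
```

Only the four executables dropped by iexplore.exe are blocked; the PDF, the Program Files launch and the exempted updater path pass, and with the install-group flag set nothing is blocked at all. The exception list and that flag are where such a rule is weakest: whatever is allowed there, or whatever runs from outside the profile (ProgramData, a script host reading a profile file), is not covered, which is the trade-off post 10 describes between blocking the rogue and blocking good installers.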


  • 11.  RE: Symantec EP is Useless

    Posted Jul 26, 2010 10:36 AM
    Hey, Mac -
    Mac means "son of"................ so who are we to change the historical definition of a term or name?

    Did the fireman ever wear a mac in the pouring rain?

    (Nic is the female version, "daughter of", not a network interface card)


  • 12.  RE: Symantec EP is Useless

    Posted Jul 26, 2010 10:38 AM
    Edited to say: So you're saying you've implemented Application and Device Control policies and all of the other suggested methods of increasing security and sensitivity to secure your environment and you're still getting hit with fake AV?  Something's gone unpatched, then, be it Windows or Adobe Reader or some other vulnerable piece of software.  If properly implemented and configured, SEP should be working to stop these things.

    As for my pet peeve, I wasn't really talking to you.

    sandra


  • 13.  RE: Symantec EP is Useless

    Posted Jul 26, 2010 10:39 AM

    I actually knew that :)

    sandra


  • 14.  RE: Symantec EP is Useless

    Posted Jul 26, 2010 12:11 PM

    Personally, I would like to see your App and Device Control policy or a snippet of it to see what it's doing. Bottom line is that some configuration is missing somewhere if stuff is still getting in.