Endpoint Protection


Too many visits to workstations

  • 1.  Too many visits to workstations

    Posted Jan 22, 2010 11:13 AM
    Am I missing something? Our help desk is getting slammed by virus cleanup requests. Not because SEP isn't working, it is. However, it will tell me that workstation x has 5 packed.generic.233, but it doesn't clean it? My technicians have to go and clean it in safe mode? Is there a better way to do this? All of these "antivirus 2010" etc. are killing us.

    any advice would be appreciated.

    thanks in advance

    mc


  • 2.  RE: Too many visits to workstations

    Posted Jan 22, 2010 11:21 AM
    What is the version of SEP installed and what are the definition dates for the features installed?

    Please paste a screenshot of the error message the user gets.


  • 3.  RE: Too many visits to workstations

    Posted Jan 22, 2010 01:00 PM
    3 infections of AV Live over the last month. Plus the Vundo trojan, which SEP only half cleaned. Free products are getting rid of this stuff with no problem (after infection, sadly.) As much as I hate to say it, we did not have these issues with the McAfee product.


  • 4.  RE: Too many visits to workstations

    Posted Jan 22, 2010 01:16 PM
    We are also getting slammed with these fake AV programs, and SEP seems to not even notice.  I don't think it has removed a SINGLE one of these kinds of programs.

    MalwareBytes Anti-Malware removes the majority of them without issue.

    Which components of SEP are you using?

    We only had the Antivirus and Antispyware protection installed on the majority of our clients.  I am installing the Proactive threat protection component on them now.  I'm wondering if it will make any difference.


  • 5.  RE: Too many visits to workstations

    Posted Jan 22, 2010 01:47 PM
     If you rely on ONLY SEP for protection, you have bigger IT problems.  
    SEP (or insert other AV vendor here) alone is NOT enough for desktop security.

    It needs to start at the gateway with a good HTTP scanning product (Symantec Webgate, Websense, etc).  Then down to no local admin rights to the PC's, IE security properly set, Critical patches applied, then, and ONLY then will SEP be the last leg of defense.


  • 6.  RE: Too many visits to workstations

    Posted Jan 22, 2010 02:39 PM
    Yup, desktop malware protection can only be the protection of last resort nowadays. If the malware gets to the desktop, even if SEP stops it, you're already in trouble.

    Why? Because many pieces of malware package multiple exploits into one download. If you can block it at a proxy, then the page or download gets stopped entirely regardless of how many other exploits it contains. SEP on the desktop may stop exploit #3 but #1, #2, #4 and #5 still run on the desktop on your internal network.

    You say you can't afford it? "Pay Me Now or Pay Me More Later." How much is it costing you in time and effort now?

    Ray


  • 7.  RE: Too many visits to workstations

    Posted Jan 23, 2010 02:11 AM
    I also agree that SEP alone can't solve all the problems, but we can do a lot of things with it.
    Refer to the following thread. You can find a lot of things regarding this. All suggestions may not be suitable for your environment; test them in a test environment and then you can use them in the production environment.
    SEP secret sauce for better protection


  • 8.  RE: Too many visits to workstations

    Posted Jan 23, 2010 02:17 AM
    Also remember that a lot of viruses use vulnerabilities in the OS or other installed software to get into the system. So patching is very important, not only for the OS; the other software installed on it also needs patching. For example, Adobe Acrobat Reader is very commonly used software and has a lot of vulnerabilities.


  • 9.  RE: Too many visits to workstations

    Posted Jan 23, 2010 07:30 PM
     You can start with the five steps of virus troubleshooting
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/59ced4261979d3e78825725f007bfde5?OpenDocument

    If the virus isn't taken care of then you should submit it to Symantec so we can add it to our definitions list. To do so please follow this guide:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000031615501348?Open&docid=199822105339&nsf=ent-security.nsf&view=854fa02b4f5013678825731a007d06af

    If you are curious as to why Symantec misses some viruses but other antivirus products will get them, feel free to read this:
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/d52ab8d97f66472988256a22002726f3?OpenDocument

    You can also scan with Malwarebytes as suggested above. There is a good chance that it will catch this fake AV, but I ask that you also submit it to us too so we can protect other users who might also be affected.

    Cheers
    Grant


     

     



  • 10.  RE: Too many visits to workstations

    Posted Jan 26, 2010 09:32 AM
    I appreciate all the suggestions; however, it still doesn't answer the question.

    The question is: is there a step that I'm missing that will prevent me from having to send techs to go manually clean a machine when it gets infected with a virus/malware that Symantec can't clean?

    It seems the answer is no. I either have to have someone run Malwarebytes or something else in safe mode, which requires a visit.
    Maybe someone could write a script that could be incorporated into the next release that would reboot/launch safe mode/run scan/then reboot again.



  • 11.  RE: Too many visits to workstations

    Posted Jan 26, 2010 09:35 AM
    Well, at the most you can edit the boot.ini in MSCONFIG of the client so that it boots in safe mode with networking via RDP, then reboot it and run a scan in safe mode, then change the settings back in msconfig.


  • 12.  RE: Too many visits to workstations

    Posted Jan 26, 2010 09:49 AM
    I have had a few of these as well. Problem is the signatures on these new variants are not yet known to Symantec.


  • 13.  RE: Too many visits to workstations

    Posted Jan 26, 2010 12:18 PM
    No, you cannot log into an XP workstation via Remote Desktop while it's running in safe mode even if networking is enabled.


  • 14.  RE: Too many visits to workstations

    Posted Jan 26, 2010 12:35 PM
    You're right, you can't. But you can with vPro... One of the best support tools ever!

    Please see the above link about SEP secret sauce for some recommended SEP settings.  Those should help minimize outbreaks in your environment.