Endpoint Protection

  • 1.  Trojan Virus only found on Scan

    Posted Apr 13, 2011 08:48 AM

    I scheduled a weekly scan of a desktop PC, which found a number of "Trojan.Maljava Viral" and "Trojan Horse Viral" viruses, which is good, BUT when I spoke to the user about this he said he copied the files onto his PC 2 days ago!!!! How come Endpoint did not detect the viruses when they were copied a few days ago?

    FileSystem Autoprotect is enabled and set to scan "ALL" files.

    TruScan Proactive Threat Scan is set to scan for worms and use symantec defaults.

    Any ideas why the Trojan never got picked up when copied to the desktop?



  • 2.  RE: Trojan Virus only found on Scan

    Trusted Advisor
    Posted Apr 13, 2011 09:34 AM

    Hello,

    I would try my level best to Explain the Situation.

    Trojan.Maljava is a detection name used by Symantec to identify malicious Java files that exploit one or more of the following vulnerabilities: 

    Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities (BID 32608)

    http://www.securityfocus.com/bid/32608/solution


    Sun Java SE November 2009 Multiple Security Vulnerabilities (BID 36881)

    http://www.securityfocus.com/bid/36881/solution

    Oracle Java Runtime Environment 'HsbParser.getSoundBank()' Remote Heap Buffer Overflow Vulnerability (BID 39559)

    http://www.securityfocus.com/bid/39559/solution

     

     

    Check the write-up on Trojan.Maljava:

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-102003-2856-99&tabid=2

     

    Symantec may not have detected the File as a Threat when copied from your Source to the Target Source, because at that time, the File may not have run and Exploited the Vulnerability of Java.

    Probably the Vulnerability got exploited when the files were Run OR when you ran a Full Scan on the Machine.

    It is advisable to follow the Links below, which may answer your question:

     

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 
     
    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec
     
    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not
     
    http://www.symantec.com/business/support/index?page=content&id=TECH98929


  • 3.  RE: Trojan Virus only found on Scan

    Posted Apr 13, 2011 12:21 PM

    SEP has been configured here to scan all files copied to a workstation, so I am confused as to why the trojan was not detected when it was copied, as it would have been scanned. What's the difference between a file that is scanned when copied to a machine and a file that is scanned when a scheduled scan is run on a machine?



  • 4.  RE: Trojan Virus only found on Scan
    Best Answer

    Trusted Advisor
    Posted Apr 13, 2011 01:18 PM

    Hello,

    Nice Question.

    Auto-Protect -- Scans whenever a file is accessed or modified in memory, in real time.

    Auto-Protect is the first line of defense against threats by providing real-time protection for your computer. Whenever you access, copy, save, move, open or close a file, Auto-Protect scans the file to ensure that a threat has not attached itself. By default, it loads when you start your computer to guard against threats and security risks. It also monitors your computer for any activity that might indicate the presence of a threat or security risk. Auto-Protect can determine a file's type even when a threat changes the file's extension.

     

    Note: Auto-Protect does not function on Linux platforms, you must run a manual scan on those machines to detect threats.

    Example: A threat changes a file's extension to one that is different from what you configured Auto-Protect to scan. When a threat, threat-like activity (an event that could be the work of a threat), or a security risk is detected, Auto-Protect alerts and takes the necessary steps to either clean, quarantine, delete or leave alone (log only) the detection of a threat depending upon the Actions configured for each detection type.

     

    In your case, Auto-Protect didn't detect it as the Threat didn't exploit any vulnerability of Java while it was being copied.

    Probably, Auto-Protect may have detected this if the file was run after it got copied and it started exploiting the vulnerability of Java.

     

    Full Scan -- It will scan each file, starting from A to Z. It's not real time. It's manual or scheduled.

     

    Full system scans are the antivirus and antispyware scans that detect known viruses and security risks. For the most complete protection, you should schedule occasional scans for your client computers. Unlike Auto-Protect, which scans files and email as they are read to and from the computer, Full system scans detect viruses and security risks.

    A Full system scan detects viruses and security risks by examining all files and processes (or a subset of files and processes). A Full system scan can also scan memory and load points.

    A Full system scan does these...

    1. Scans the system memory and all the common virus and security risk locations. 

    2. Scans the entire computer for viruses and security risks, including the boot sector and system memory.


  • 5.  RE: Trojan Virus only found on Scan

    Posted Apr 13, 2011 01:37 PM

    Which type of scanning did you set?

    Is it an active scan or a full scan?

    An active scan scans only certain important files, like Windows files.

    And a full scan scans the entire system.

    Most people set an active scan daily and a full scan once weekly.



  • 6.  RE: Trojan Virus only found on Scan

    Posted Apr 14, 2011 03:03 AM

    Are you saying:

    Autoprotect scans any file when copied but will not scan inside the file to look for a virus; it will only perform an action if the file tries to do something, like change how Java works or rename some other files.

    A full scan - the only difference with a full scan is that it scans inside a file to look for a virus?

    Sorry, still a little confused as to the difference between the 2.



  • 7.  RE: Trojan Virus only found on Scan

    Broadcom Employee
    Posted Apr 14, 2011 03:36 AM

    AP will scan files when copied.



  • 8.  RE: Trojan Virus only found on Scan

    Posted Apr 14, 2011 12:24 PM

    Just a quick note. When you say

    "Note: Auto-Protect does not function on Linux platforms, you must run a manual scan on those machines to detect threats."

    This is factually incorrect. The Tech article for AutoProtect has been updated with the correct info for quite some time. Please update your records.



  • 9.  RE: Trojan Virus only found on Scan

    Trusted Advisor
    Posted Apr 15, 2011 07:04 AM

    Hello,

    As Pete pointed out, Auto-Protect does scan the files when copied. However, in your case, this file didn't exploit any vulnerability of Java while it was being copied, and that could be the reason Symantec didn't detect that file.

     

    What is Auto-Protect?

    http://www.symantec.com/business/support/index?page=content&id=TECH94990

     
    Hope that answers!!!