Endpoint Protection


trojan.fakeavalert!gen problems

thromada
May 02, 2010 10:28 AM

  • 1.  trojan.fakeavalert!gen problems

    Posted Mar 04, 2010 04:08 PM
    I have had several clients in the past few weeks get this spyware/virus where it pops up with Antivirus 2010 ads and you cannot do anything. It disables the command line, Task Manager, everything. I have figured out a way to get rid of it using Malwarebytes, but I cannot figure out why Symantec Auto-Protect is not getting this before it strikes. I am running Endpoint 11.5 and have the latest definitions.
    Symantec does not even discover this thing; only Malwarebytes does. It finds it as Trojan.FakeAlert.Gen.

    Does anyone have any info on this?

    Where is it coming from? email? web? etc?

    Thanks


  • 2.  RE: trojan.fakeavalert!gen problems

    Posted Mar 04, 2010 04:59 PM
    The best thing you can do is submit the file to Symantec. That way we can have it incorporated into our anti-virus definitions. In order to submit the file, please click on the following link:

    https://submit.symantec.com/websubmit/gold.cgi


    Unfortunately, new variants of these rogue anti-virus programs are springing up daily. We do our best to stay on top of them, but it helps when users can submit files that we are not catching.

    Thanks,
    Grant


  • 3.  RE: trojan.fakeavalert!gen problems

    Posted Mar 05, 2010 10:46 AM

    How does the submission process work? I submitted a bunch of samples related to the Qakbot virus in the past and do not know the results. For example, I have numerous machines with _qbot**** files sitting in the Windows directory, and they never get picked up as a virus.
    How can I find out if the submissions I did were legitimate or if they were fixed?

    Thanks for the input.

    -Linc



  • 4.  RE: trojan.fakeavalert!gen problems

    Posted Mar 05, 2010 10:53 AM
    Submit to https://submit.symantec.com/basic

    You'll receive emails until it is fixed.


  • 5.  RE: trojan.fakeavalert!gen problems

    Posted Mar 05, 2010 11:13 AM
    Keep in mind that the cleaning utilities out there like MB and others are much more prone to false positives. They're using a different way to detect malware that would probably prove troublesome if deployed to all computers in an organization. Hence they're used more for cleaning up machines.


  • 6.  RE: trojan.fakeavalert!gen problems

    Posted Apr 30, 2010 01:48 PM
    Lincster,
    Over the past few months, our firm has had several dozen infections of a malware program called "Antivirus 2010", with symptoms identical to what you've reported. Malwarebytes is finding and removing "trojan.fakeavalert!gen" also.

    We're running Symantec AV Corp. Edition 10.1.4.4000, with a managed server pushing current updates. Often it doesn't catch anything or report a Risk Found for these infected machines.

    And we haven't been able to isolate an infection source either. Even after cleaning machines by re-partitioning and re-imaging, end users who have been infected before will get infected again almost immediately.

    Any luck on your end figuring out where this is coming from?

    I'm also curious why both Symantec and Trend Micro have nothing on this virus.


  • 7.  RE: trojan.fakeavalert!gen problems

    Posted Apr 30, 2010 01:53 PM
    It's not that they don't have anything on it; it comes down to the fact that this variant changes so much, literally hundreds of times a day. As soon as the bad guy discovers his code is being caught, he manipulates it so it is fully undetectable, and out the door it goes, and the cycle repeats itself.

    Use the Application and Device Control policy in SEP and you will see these start to go away, if not completely.


  • 8.  RE: trojan.fakeavalert!gen problems

    Posted Apr 30, 2010 02:21 PM
    Hey Brian81, you mention using App Control to stop this. Can you post a portion of your policy that helps block this? If not all, then the portion for the fake Antivirus 2010? I just don't know where to block. Thanks much.


  • 9.  RE: trojan.fakeavalert!gen problems

    Posted Apr 30, 2010 02:28 PM
    (attachment)

    It's pretty basic, and I'm still testing it as well as adding to it all the time. A couple of rules were already built by Symantec. ShadowsPapa's ADC policy was a big help as well, and I believe there is a specific KB article with some rulesets in there.

  • 10.  RE: trojan.fakeavalert!gen problems

    Posted Apr 30, 2010 07:02 PM
    A question... When you open a rule, just below the checkbox to enable the rule, there's the section that says "Apply this rule to the following processes:". Since it says apply it to these "processes", how come the process name is not listed, but instead a file path?

    For example, instead of an entry of "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE", couldn't you just use "OUTLOOK.EXE", since that is the process name in Task Manager? Why use the path and filename when it says apply it to these "processes"?

    Thanks.


  • 11.  RE: trojan.fakeavalert!gen problems

    Posted May 01, 2010 09:09 AM

    My thought would be because a piece of malware could masquerade as any process.

    For example, VirusA could call itself OUTLOOK.EXE to make it look like an Outlook process.

    By applying the rule to the legitimate OUTLOOK.EXE located in C:\Program Files\Microsoft Office\OFFICE11, the virus would not spread when using ADC if it was located in the C:\WINDOWS\system32 directory, where a lot of these things like to hide in the first place, or even in a temp location.
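
The point made in the two posts above (a rule keyed on the bare image name is satisfied by any file called OUTLOOK.EXE, whereas a rule keyed on the full path is satisfied only by the copy in the Office directory) can be demonstrated with a small comparison. The following Python is an added example, not code from the thread or from Symantec, and it does not interact with SEP or its policy format; it compares a constructed process list against the Office 11 Outlook path quoted in the thread using the two matching strategies, and reports the processes that a name-only rule would wrongly treat as the trusted program.

```python
"""Added example: name-only versus full-path process matching.

Not from the thread or from Symantec. The process list is constructed for
illustration; the paths follow the ones quoted in the thread (Office 11
Outlook, System32, a temp directory).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Path of the legitimate Outlook binary, as quoted in the thread.
TRUSTED_OUTLOOK = r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"


@dataclass(frozen=True)
class Proc:
    """One running process: its PID and the full path of its executable image."""
    pid: int
    image_path: str


def _norm(path: str) -> PureWindowsPath:
    # Fold case and normalise separators so "c:/program files/..." compares
    # equal to the canonical backslash form; Windows paths are case-insensitive.
    return PureWindowsPath(path.casefold())


def matches_by_name(proc: Proc, rule_path: str) -> bool:
    """Weak check: compare only the file name, as Task Manager displays it."""
    return _norm(proc.image_path).name == _norm(rule_path).name


def matches_by_path(proc: Proc, rule_path: str) -> bool:
    """Strict check: the whole image path must equal the rule's path."""
    return _norm(proc.image_path) == _norm(rule_path)


def masquerading(procs, rule_path: str):
    """PIDs that a name-only rule would treat as the trusted program but
    that a full-path rule rejects."""
    return [p.pid for p in procs
            if matches_by_name(p, rule_path) and not matches_by_path(p, rule_path)]


# Constructed sample process list (illustrative, not captured from a real host).
SAMPLE_PROCS = [
    Proc(1234, r"C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE"),           # the real one
    Proc(2345, r"C:\WINDOWS\system32\OUTLOOK.EXE"),                                   # copy in System32
    Proc(3456, r"C:\Documents and Settings\user\Local Settings\Temp\outlook.exe"),   # copy in a temp dir
    Proc(4567, r"C:\WINDOWS\system32\notepad.exe"),                                   # unrelated
]

if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        print(p.pid, p.image_path,
              "name-match" if matches_by_name(p, TRUSTED_OUTLOOK) else "-",
              "path-match" if matches_by_path(p, TRUSTED_OUTLOOK) else "-")
    print("name-only rule would also trust:", masquerading(SAMPLE_PROCS, TRUSTED_OUTLOOK))
```

Two caveats a practitioner would want alongside this: the path check is only as strong as the path the enforcement point reports, so 8.3 short names (PROGRA~1), junctions, and a renamed copy of a real binary placed inside a trusted directory are not caught by a plain string comparison; and a full-path rule breaks silently when the product moves (an Office upgrade changes OFFICE11 to another directory), so such rules need to be revisited after upgrades.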


  • 12.  RE: trojan.fakeavalert!gen problems

    Posted May 02, 2010 05:18 AM
    Below is a link that will explain more about Fake Antivirus

    Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2010020116202748?Open&seg=ent

    It also has some references about the same.


  • 13.  RE: trojan.fakeavalert!gen problems

    Posted May 02, 2010 10:27 AM
    Thank you for the link and information. I see this as only good info and background. But that's why I so much appreciate ShadowsPapa and Brian81 for their willingness to share their experience through their App & Device Control policies. I'm a newbie with this. I know we want our users, and sometimes each other, to figure stuff out on their own (teach to fish rather than give a fish), but for security things like this it's critical that we share. We all want to be protected. We all have the same file paths: C:\Windows\System32, C:\Program Files\Adobe, C:\Documents and Settings, or C:\Users, etc., etc. So a set of App & Device Control rules that cover the worldwide standard of Windows operating systems is something that Symantec should hurry up and publish. In the meantime, kudos and thanks to those who share here.


  • 14.  RE: trojan.fakeavalert!gen problems

    Posted May 02, 2010 10:28 AM
    Understood and agreed. Thank you.


  • 15.  RE: trojan.fakeavalert!gen problems

    Posted May 02, 2010 11:00 AM

    Thromada,

    I couldn't agree with you more. It's my personal belief that the Application and Device Control component in SEP is the bread and butter. I may be going way out on a limb with this thought, but if you can get it working effectively, to me it is the most important component offered by SEP, even more than the AV/AS part. Of course, they all complement one another very well, but AV alone just doesn't stand a chance against FakeAV these days. ADC can effectively stop it.

    I would love it if we could create a thread and have everyone who can post their ADC policy. I'm pretty new to it as well and still testing, not actually using it in production, but I want to move to production soon.


  • 16.  RE: trojan.fakeavalert!gen problems

    Posted May 02, 2010 05:10 PM
    Here is some more info on the fake AVs. I don't think there is anything new here, but it is a pretty good overall explanation of the fake AVs and the problems with trying to stop them.

    Does Symantec Endpoint Protection protect me from fake anti-virus programs?

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/85f42e1c8b9ada23882576be0001dfb1?OpenDocument

    Also, I really think that Brian and Shadows have the right idea about using Application and Device Control. I just wanted to add that you might also want to consider upping the sensitivity of PTP, which could also help. Keep in mind, though, that this will lead to more false positives. You should also always submit the file for other users :)

    Cheers
    Grant