Endpoint Protection


What with this virus.


  • 1.  What with this virus.

    Posted Aug 10, 2010 12:49 PM
    Why can't Symantec Endpoint Enterprise Edition stop this virus from installing on people's computers on my network? It acts like an anti-virus, but it is not.
    Any ideas??

  • 2.  RE: What with this virus.

    Posted Aug 10, 2010 12:59 PM
    Use this and submit to Symantec for further analysis:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009092215125548


  • 3.  RE: What with this virus.

    Posted Aug 10, 2010 01:33 PM
    Title: 'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'
    Document ID: 2000100610314948
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000100610314948?Open&seg=ent


  • 4.  RE: What with this virus.

    Posted Aug 10, 2010 01:36 PM
    OK, thank you.


  • 5.  RE: What with this virus.

    Posted Aug 10, 2010 01:48 PM

    The pictures above are screen shots of the ACTUAL virus and what it is doing.  Symantec catches them hours after they are infecting someone's computer and by then I have already started using a third party clean-up software that removes the virus.  I would like to know how Symantec can stop the virus before it gets on the PC.
    Thank you.


  • 6.  RE: What with this virus.

    Posted Aug 10, 2010 01:51 PM
    Try downloading the Norton Power Eraser tool to remove this threat.
    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    The Norton Power Eraser uses aggressive methods to detect these threats, so there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

    Also make sure you follow the "Must Do, Should Do, and Can Do" of Security Best Practices to help defend your systems from threats.

    http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&inid=us_sr_carousel_panel7_best_practices


  • 7.  RE: What with this virus.

    Posted Aug 10, 2010 02:07 PM

    I can remove the threats when they are infecting the PC; I want it stopped before it gets into the PC.


  • 8.  RE: What with this virus.

    Posted Aug 10, 2010 02:38 PM

    Are you using IPS?  PTP?  If not, I would strongly consider it.

    Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748

    Title: 'Security Response recommendations for Symantec Endpoint Protection settings'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

    Title: 'How to enable, disable, or configure Bloodhound (TM) heuristic virus detection in Endpoint Protection.'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021714114248

    Title: 'How to increase the sensitivity of Proactive Threat Protection in Symantec Endpoint Protection 11.x'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009120214031748

    Title: 'Best practices regarding Intrusion Prevention System technology'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009080314433948

    Other best security practices are to ensure systems have critical Windows patches in place:

    Microsoft Baseline Security Analyzer
    http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-8b52-c871d012ba78&displaylang=en

    Missing critical updates for third party programs can be a vector of infection.  Current versions to the best of my knowledge:

     - Adobe Reader: 9.3.3 - anything earlier is vulnerable and those vulnerabilities are actively exploited
     - QuickTime for Windows: 7.6.6; iTunes: 9.1
     - Java: Version 6 Update 21
     - Flash: 10.1

    From here on Connect:

    - Using Application and Device Control to protect against browser hijackers and fake AV
    https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers

    - Setting recommendations for different technologies
    https://www-secure.symantec.com/connect/forums/turning-settings-sep-deal-fakeav

    sandra


  • 9.  RE: What with this virus.

    Posted Aug 10, 2010 03:00 PM

    You need to use an application and device control policy to stop this stuff. Traditional AV alone is no longer the answer.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/7049d06ba3c9e86f802573620054d9c2?OpenDocument


  • 10.  RE: What with this virus.

    Posted Aug 10, 2010 03:11 PM
    Any security product out of the box will not give you the best security.
    Use the other features of SEP, like Application and Device Control, Firewall and IPS.

    Use the best practice documents and design the rules according to your requirements.
    It will block unwanted traffic/programs in your network.
    Still, you cannot be 100% secure.
    User awareness is also very necessary. 6 out of 10 sites are infected, so users should be aware that in the office they do not open suspicious websites which they are not aware of, and keep their AV up to date.


  • 11.  RE: What with this virus.

    Posted Aug 10, 2010 03:58 PM

    Actually, websites do not need to be 'suspicious' to serve malware; someone with malicious intent need only have seeded an ad server with suspect content.  I've talked to people browsing various sites that were perfectly legitimate when they were suddenly hit with popups.

    Vikram, out of curiosity, where did you find that '6 out of 10 sites are infected' statistic?

    sandra


  • 12.  RE: What with this virus.

    Posted Aug 10, 2010 04:11 PM
    I read something similar somewhere, 6/10 or 8/10, in a Google search (remember, it's not the first 10)... anyway, 87% of statistics are made up on the spot. ;)

    Staying away from suspicious sites reduces the chances of getting infected.


  • 13.  RE: What with this virus.

    Posted Aug 10, 2010 05:04 PM

    Yeah that is true.  You also have to balance security with office politics...very challenging.  Thank you guys for your comments and help I have a lot of information now.


  • 14.  RE: What with this virus.

    Posted Aug 11, 2010 10:19 AM

    Sandra.G,

    Are there any other links or advice you have to offer?
    Thank you.


  • 15.  RE: What with this virus.

    Posted Aug 11, 2010 11:37 AM

    I personally don't use Internet Explorer when I'm using a Windows computer (if I can help it, I mean).  Since IE and the OS are so closely tied into one another, anything that can affect the browser (BHOs, outdated, vulnerable Adobe Reader or Flash, etc) can affect the OS more easily.  (Firefox is not infallible, particularly as its popularity has gone up.)

    Disable Autorun or institute a mandatory policy to prevent threats from spreading via USB drives:

    Title: 'How to protect a USB Flash Drive from being able to auto-start with an unauthorized Autorun.inf file'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009123010422748

    This may also be of use.

    Title: 'Security Best Practices for Protecting a Business Environment from Common Threats'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008062705355948

    sandra
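
    The Autorun hardening the post above recommends, as an added example that is not part of the thread and is not Symantec's or Microsoft's own code. It sets the standard NoDriveTypeAutoRun policy value to 0xFF (AutoRun off for every drive type) in both the machine and user policy keys, verifies the result, and optionally plants a read-only, hidden folder named autorun.inf on a removable drive so malware that relies on a plain file-create cannot drop its own autorun.inf there. The drive letter 'E:' is an assumption; run it elevated on a test machine first.

    ```powershell
    # Added example (not from the thread, not vendor code). Run in an elevated PowerShell session.
    # Assumption: standard Windows registry layout; the Policies\Explorer key is created if absent.

    $policyKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    function Disable-Autorun {
        foreach ($key in $policyKeys) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # 0xFF disables AutoRun for all drive types: removable, fixed, network, CD-ROM, RAM disk, unknown.
            Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
        }
    }

    function Test-AutorunDisabled {
        # Returns $true only when both policy keys carry the fully-disabled value.
        foreach ($key in $policyKeys) {
            $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
            if ($value -ne 0xFF) { return $false }
        }
        return $true
    }

    function Protect-UsbDrive {
        param([Parameter(Mandatory=$true)][string]$DriveLetter)   # e.g. 'E:' (assumed letter)
        $target = Join-Path $DriveLetter 'autorun.inf'
        if (Test-Path $target -PathType Leaf) {
            # An autorun.inf *file* already on removable media deserves a look before it is removed.
            Write-Warning "$target exists as a file; contents shown below before replacement:"
            Get-Content $target | Write-Warning
            Remove-Item $target -Force
        }
        if (-not (Test-Path $target)) {
            New-Item -Path $target -ItemType Directory | Out-Null
        }
        # ReadOnly/Hidden/System make a casual overwrite fail; this is NOT a defence against
        # malware that already has write access to the drive, only a speed bump.
        (Get-Item $target -Force).Attributes = 'ReadOnly, Hidden, System, Directory'
    }

    Disable-Autorun
    if (Test-AutorunDisabled) { 'NoDriveTypeAutoRun=0xFF is set in the HKLM and HKCU policy keys' }
    # Protect-UsbDrive -DriveLetter 'E:'   # run against a mounted USB stick (drive letter is an assumption)
    ```

    Push the registry part through Group Policy rather than a per-machine script once it has been validated; the folder trick only helps against samples that do a plain file create and is easily undone by anything that can take ownership of the drive.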


  • 16.  RE: What with this virus.

    Posted Aug 11, 2010 02:41 PM

    OK, I prefer Firefox, but everyone on my network uses IE, so that I won't be able to do much about. Also, our main software program is only compatible with IE.
    So basically SEP will not catch this virus right away unless I crank up the virus and spyware sensors, which is fine except for the fact that those sensors can block good programs too.


  • 17.  RE: What with this virus.

    Posted Aug 11, 2010 02:45 PM

    One more thing: if this virus shows up again, could you show me the steps to use so I can submit the files to you guys? Thanks.


  • 18.  RE: What with this virus.
    Best Answer

    Posted Aug 11, 2010 04:29 PM

    The settings that SEP ships with are not set too high so that they don't trigger problems in production environments out of the box.  For example, for PTP, it ships set to 10; Security Response recommends setting it to 100.

    What I'd suggest is to select a small test group on which you can crank up the sensitivities with 'log only' set as the action instead of blocking, and let it go for a little while. Then you can examine the logs and set exclusions for legitimate processes before rolling out to your entire environment.

    You can use the Load Point Analysis utility that's part of the SEP Support Tool to identify suspicious files.

    Title: 'About the Load Point Analysis feature in the Symantec Endpoint Protection Support Tool'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009092215125548

    If you have already identified the files, you would submit them to Security Response:

    Title: 'How to submit a file to the Security Response website'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010071910522748

    sandra
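
    The pilot-group tuning loop described in the answer above (raise sensitivity with 'log only', read the logs, exclude only what is legitimate) as an added worked example; it is not from the thread and not Symantec tooling. The CSV block is constructed for illustration and is not SEP's real log export format; the column names, host names, paths and hashes are all made up. The script groups logged detections by process, counts how many pilot hosts saw each one, and sorts them into exclusion candidates versus things to investigate: a binary seen on most of the pilot group from a Program Files path is a plausible exclusion, while anything running from a user-writable path (Temp, AppData, a user profile), or one path backed by several different hashes, should be submitted for analysis before it is ever excluded.

    ```powershell
    # Added example (not from the thread, not vendor code). Runs offline on the constructed data below.
    # Assumption: you can export "log only" detections from the pilot group to a CSV with at least
    # Host, Process and Hash columns; the real export will need its column names mapped to these.
    $sampleLog = @'
    Host,Timestamp,Action,Process,Hash
    WS-101,2010-08-11 09:14:02,Logged,C:\Program Files\VendorApp\vendorapp.exe,a1b2
    WS-102,2010-08-11 09:15:17,Logged,C:\Program Files\VendorApp\vendorapp.exe,a1b2
    WS-103,2010-08-11 09:20:44,Logged,C:\Program Files\VendorApp\vendorapp.exe,a1b2
    WS-104,2010-08-11 10:02:09,Logged,C:\Program Files\VendorApp\vendorapp.exe,a1b2
    WS-102,2010-08-11 11:48:31,Logged,C:\Users\jsmith\AppData\Local\Temp\av2010.exe,9f8e
    WS-102,2010-08-11 11:48:35,Logged,C:\Users\jsmith\AppData\Local\Temp\av2010.exe,9f8e
    WS-105,2010-08-11 13:05:50,Logged,C:\Windows\System32\svchost.exe,c3d4
    WS-105,2010-08-11 13:06:12,Logged,C:\Windows\System32\svchost.exe,77ee
    '@

    # Paths a normal user can write to; fake AV almost always lands in one of these.
    $userWritable = '\\Temp\\|\\AppData\\|\\Users\\|\\Documents and Settings\\'

    function Get-DetectionTriage {
        param([string]$Csv, [int]$PilotSize)
        $rows = $Csv | ConvertFrom-Csv
        $rows | Group-Object Process | ForEach-Object {
            $hosts  = @($_.Group | Select-Object -ExpandProperty Host -Unique).Count
            $hashes = @($_.Group | Select-Object -ExpandProperty Hash -Unique)
            $prevalence = $hosts / $PilotSize
            $verdict =
                if ($_.Name -match $userWritable) { 'Investigate (user-writable path)' }
                elseif ($hashes.Count -gt 1)     { 'Investigate (same path, several hashes)' }
                elseif ($prevalence -ge 0.5)     { 'Candidate exclusion (widespread in pilot)' }
                else                             { 'Review before excluding' }
            New-Object PSObject -Property @{
                Process = $_.Name
                Hosts   = $hosts
                Events  = $_.Count
                Hashes  = ($hashes -join ',')
                Verdict = $verdict
            }
        } | Sort-Object Hosts -Descending
    }

    Get-DetectionTriage -Csv $sampleLog -PilotSize 5 |
        Format-Table Process, Hosts, Events, Hashes, Verdict -AutoSize
    ```

    On the constructed data this flags vendorapp.exe (4 of 5 hosts, one hash) as the exclusion candidate, av2010.exe as a submission candidate because it runs from a user's Temp folder, and the svchost.exe entry for investigation because two different hashes share one system path. Exclude by full path plus hash where the product allows it, never by bare file name.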


  • 19.  RE: What with this virus.

    Posted Aug 12, 2010 02:55 PM

    OK, I already have machines set up in a test environment. I'll give that a try; thank you again.


  • 20.  RE: What with this virus.

    Posted Aug 12, 2010 03:04 PM

    You are very welcome!

    sandra