Endpoint Protection

  • 1.  How to get rid of a Trojan that SEPM sees, but SEP doesn't?

    Posted Nov 17, 2009 10:42 AM
    I am running SEPM 11.0.1 (yes, working on an upgrade on another box, but haven't finished yet).  It started showing that one of my servers, which is running Windows 2000 SP4 with Citrix MetaFrame XP, is infected with Trojan.Zbot!gen2.  I have searched in Symantec's Threat area, and the solution is to run a full scan on the infected machine.  Well, #1 - brief vent: if SEPM sees it, why can't it block it?  So, I verified the definitions on the 'infected' server are from November 16, 2009 r37 and ran a full scan, and it came up with nothing.

    I have done a cross-search in some other AV Threat areas to see if there is another removal, but this name is unique to Symantec (Another vent, they should be the same).

    So, am I infected?  How do I remove this?  Thanks.



  • 2.  RE: How to get rid of a Trojan that SEPM sees, but SEP doesn't?

    Posted Nov 17, 2009 10:51 AM
     There are some threats for which the code is only partially detected, and by the time it is detected it has already created a service, etc.  The name is not the same just because of AV competitiveness... everybody wants to be unique...

    Coming to the main problem.
    If this set of definitions is not detecting it, there is no need to run a full scan with the same set of definitions.
    Download and update the client with RapidRelease definitions (definitions which are not yet released):
    ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/
    Go to the 2nd or 3rd folder and download
    symrapidreleasedefsi32.exe
    Run it, then run a full scan.  Also make sure to empty your temp files, as there might be undetected ones hiding there:
    Start - Run - %temp%
    C:\Windows\Temp and
    Temporary Internet Files


  • 3.  RE: How to get rid of a Trojan that SEPM sees, but SEP doesn't?

    Posted Nov 17, 2009 11:08 AM
    There are some question marks that need to be answered to be better positioned to answer you.

    The SEPM itself is only the server portion of SEP.  In previous versions (SAV), the server was also the antivirus protection itself, but it has been separated out...so now it's possible to have the SEPM installed without AV protection on a machine (although it's not a good idea, for obvious reasons).  Where, exactly, are you seeing the reports of an infection?  Are you viewing a report in the SEPM?  Are you getting a pop-up on the suspected machine?

    As for why the SEPM saw it and the SEP client missed it...we need to know how/where it was found.  Again, the SEPM itself has no detection technologies...so if you're seeing it in a report from the SEPM, it means a client has found it and reported it up.  It could also be from an installed client on the SEPM itself...but we need to know where it was found.

    As far as the common names, sadly, I doubt that's ever going to change.  Each AV vendor can name the threats however they want...there's no common naming convention or scheme.  While it'd certainly be nice to see from both an end-user and support level, getting all of the AV vendors to use a common name for a threat truthfully probably won't happen.

    The detection itself may not truly be infected, as this seems to be renamed from a generic packager detection.

    Packagers are ways to combine files into an easy to distribute single file.  A zip file is an example of what a packager does...combines a bunch of files and compresses it into a single file for distribution.  Zip, RAR, ACE, GZ, TAR...these are all examples of what a packager does.

    There are *tons* of packagers out there for people to use, each with their own pluses and minuses.  Generally speaking, however, there are only a small handful of packagers that are used by most of the software vendors, both open and closed source.  This leaves a ton of unused packagers for threat writers to choose from.

    AutoProtect doesn't scan within compressed files.  A packaged file is a compressed file...so, we don't scan within it.  We do this to help limit the amount of resources AutoProtect uses to scan with...and it's my understanding that most of our competitors do this as well.  The thought behind not scanning within compressed files is that if a compressed file containing a threat is on the box, it's okay, because as soon as something tries expanding that threat file from within the compressed file, AutoProtect will scan the "new" file, see it as viral and flag it.

    AutoProtect *does* scan the compressed file itself, just not the contents.  Think of mailing a package...the person you hand the package to at the post office gives it a cursory glance to make sure everything looks okay, but they don't open it to make sure it doesn't contain something it shouldn't.  Later down the line it gets X-rayed for just such a detection.

    (Not a perfect analogy, but hopefully it helps to clarify)

    So, back to packagers.  We get a lot of submissions, and we look at a lot of files, both infected and not.  We recognized, early on, that 99.9% of the files we saw packaged with the "other" packagers were viral.  Once in a blue moon we'd find one that was completely legitimate, but most of the time they were viral.  As we looked closer and closer at the packagers, we found that it seemed like it was mostly the people that use these obscure packagers were people packaging threats to try to get past our scanners. 

    There was a business decision made at some level to flag these "other" packagers as viral.  All in all, we've gotten very few false positives as a result, and we've caught all sorts of threats trying to get into systems.

    I'd recommend that you submit the file(s) for inspection.  This may not even really be an infection...but I wouldn't do anything rash like exclude the files or anything quite yet.


  • 4.  RE: How to get rid of a Trojan that SEPM sees, but SEP doesn't?

    Posted Nov 17, 2009 11:42 AM
    Thanks for the update, Chris.  To clarify, I have the SEPM machine running the manager, and it also has a local SEP client to protect the machine itself.  This discovery came up in SEPM in the reporting.  I look at this daily to ensure that clients are reporting in and to check out anything suspicious.  Since it is a Citrix server, there are multiple users.  The file location detected was in one user's particular directory, in their profile: Local Settings/Temporary Internet Files/Content.IE5/09YT2VCV/report[1].exe .

    I have installed the Rapid Release and am running a full scan to see if my results vary.  Unfortunately, this machine has been infected before where SEP was inadequate.  So, when I see anything, I check it out and also do the cross reference.

    Thank you for the additional information on my hopes and dreams of the way this should work and be standardized, though I understand that not all (AV) vendors agree. :)

    I'll post if this comes up with anything and at that point submit the file if it's still being tagged.

    Thanks.
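    The procedure from reply 2 (empty every temp location) and the situation in reply 4 (a dropped `report[1].exe` in one user's Temporary Internet Files on a multi-user Citrix server) both call for the same tooling: walk every profile's temp directories, record what executables are sitting there with a hash, and move them aside without destroying them, so the sample can still be submitted as replies 3 and 6 ask.  The script below is an added example written for this thread, not code from the original posts or from Symantec.  The `Documents and Settings` profile layout, the extension list and the sample tree it builds are assumptions for illustration.

```python
"""Inventory and quarantine executables found in per-user temp directories.

Added example for the thread above.  The profile layout below is the assumed
Windows 2000 'Documents and Settings' structure; the sample tree built by
build_sample_tree() is constructed test data, not a real binary.
"""
import hashlib
import os
import shutil
import tempfile
import time

# Per-profile locations reply 2 recommends emptying (relative to each profile root).
TEMP_SUBDIRS = [
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
]
# Extensions worth hashing and submitting before anything gets deleted (assumed list).
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".sys"}

# Constructed stand-in for a dropped executable: an MZ header plus filler.
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary"


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large droppers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_temp_executables(profiles_root, extra_dirs=()):
    """Walk every profile under profiles_root (plus extra_dirs such as the system
    temp folder) and return one record per executable found: who owns the
    profile, the full path, size, UTC mtime and SHA-256."""
    roots = []
    if os.path.isdir(profiles_root):
        for user in sorted(os.listdir(profiles_root)):
            for sub in TEMP_SUBDIRS:
                roots.append((user, os.path.join(profiles_root, user, sub)))
    for d in extra_dirs:
        roots.append(("<system>", d))
    found = []
    for user, root in roots:
        for dirpath, _dirs, files in os.walk(root):  # missing dirs simply yield nothing
            for name in files:
                if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                    continue
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                found.append({
                    "user": user,
                    "path": full,
                    "size": st.st_size,
                    "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                    "sha256": sha256_of(full),
                })
    return found


def quarantine(records, qdir):
    """Move each file into qdir renamed to <sha256>.bin, so it cannot be launched by
    a double-click, and append a manifest line mapping hash -> owner -> original path.
    Returns the list of new paths."""
    os.makedirs(qdir, exist_ok=True)
    moved = []
    with open(os.path.join(qdir, "manifest.txt"), "a") as manifest:
        for r in records:
            dest = os.path.join(qdir, r["sha256"] + ".bin")
            shutil.move(r["path"], dest)
            manifest.write(f'{r["sha256"]}  {r["user"]}  {r["path"]}\n')
            moved.append(dest)
    return moved


def build_sample_tree(base=None):
    """Constructed sample data: two profiles, one with a report[1].exe dropped in
    an IE cache folder next to a harmless GIF.  Returns the profiles root."""
    base = base or tempfile.mkdtemp()
    tif = os.path.join(base, "Documents and Settings", "alice", "Local Settings",
                       "Temporary Internet Files", "Content.IE5", "ABCD1234")
    os.makedirs(tif)
    with open(os.path.join(tif, "report[1].exe"), "wb") as fh:
        fh.write(SAMPLE_PE)
    with open(os.path.join(tif, "logo[1].gif"), "wb") as fh:
        fh.write(b"GIF89a")
    os.makedirs(os.path.join(base, "Documents and Settings", "bob", "Local Settings", "Temp"))
    return os.path.join(base, "Documents and Settings")


if __name__ == "__main__":
    profiles = build_sample_tree()
    hits = find_temp_executables(profiles)
    for h in hits:
        print(f'{h["user"]:8} {h["sha256"][:16]}  {h["size"]:>7}  {h["mtime"]}  {h["path"]}')
    print("quarantined:", quarantine(hits, profiles + "_quarantine"))
```

    On a real server you would pass `C:\Documents and Settings` as `profiles_root` and the system temp folder in `extra_dirs`, then send the `.bin` files plus `manifest.txt` with the submission; the hash in the manifest is what lets you confirm later whether the vendor's new definitions cover that exact file.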


  • 5.  RE: How to get rid of a Trojan that SEPM sees, but SEP doesn't?

    Posted Nov 18, 2009 12:22 PM
    I ran a full scan after performing the suggested fix and nothing was found.  Any other suggestions?


  • 6.  RE: How to get rid of a Trojan that SEPM sees, but SEP doesn't?

    Posted Nov 18, 2009 01:18 PM
    Given where the files are located (Internet Explorer temp files), you may actually be infected by something.

    I'd recommend that you contact support so we can help dig into the environment with you to see if there's something there that shouldn't be, then get it submitted.