I have had 3 Computers in the last week that have been infected with Vundo.H. SEP 11 MR4 finds it but cannot clean it automatically. It comes back after each reboot. It does not appear to be a new virus and Symantec has a cleaning tool available but I don't understand why I should have to go through a manual process to clean this.
I am getting pressure from my management as to why Symantec isn't cleaning this automatically. We have paid a lot for SEP; why isn't it automatically cleaning this up? We are discussing running a third-party anti-malware product in addition to SEP, but this should not be necessary if SEP was working as advertised.
Wow, it's almost as if I wrote that post. I have also had 3 computers infected with the Trojan.Vundo (by way of a "Hallmark" card). In each case, SEP threw up a notice that it detected the trojan, but failed to actually do anything about it. Scans do catch the bugger, but they ultimately reappear on reboot. I know about Malwarebytes; it's a tremendous tool. I've been using it and have pretty much gotten rid of the Vundo trojans, but I'm equally as curious as JSienk. Why did this get past our virus protection in the first place? I know there are different strains of it and detection is imperfect, but in this case, it detected it immediately.
I had to use 4?5? products to get rid of that thing at home, and I still think it permanently messed up some part of my internet connection in the registry (some products still refuse to update). Symantec (AV) did not detect it at all.
I think I ended up using ClamWin, Avira Antivirus, SUPERAntiSpyware, and Malwarebytes' Anti-Malware. This was about 4 or 5 months ago, so perhaps SEP has improved on its Vundo-busting capability since then... but I wouldn't count on it.
More praise from me for Malwarebytes Anti-Malware. It's a wicked tool. On my home machine I run that plus AVG Free, but AVG seems to be just a pretty icon. lol. Saying that, I don't tend to get any viruses/trojans at home. Any dodgy software (untested open-source/freeware etc.) generally gets run/tested in a VM (VirtualBox) so I can revert the snapshot straight away.
Anyway I was trying to get at the fact that the FREE malware bytes software does more good than so many paid-for tools, plus it's pretty damn good on the resources and space it demands. Plus the reporting is bloody handy.
Biggest problem I keep seeing on pupil/staff laptops where I work is MyWebSearch. That thing is a pain in the back-end. But then how can you educate people that don't want to know not to click "I accept" or "Yes I Want To Install That Toolbar" on everything?
MalwareBytes is how we have been cleaning this up too and in one case we had to re-image the machine.
Again, my question is why can't SEP clean this up without us having to do manual virus fighting? Perhaps Symantec should buy Malwarebytes Corp.
If you haven't stumbled across this thread already, https://www-secure.symantec.com/connect/forums/xp-antivirus-2008, you might find it interesting. Among the respondents is Malwarebytes' Anti-Malware Lead Researcher Bruce Harrison (handle: nosirrah). They discuss some of the reasons why neither of these programs can handle the wide spectrum of threats on their own. Unfortunately, I'm not really convinced that SEP fundamentally can't be expected to clean up things like XP Antivirus 2008 and Vundo. If 3(!) developers can write and maintain MBAM, I just don't see a reason that Symantec can't come up with something similar.
During my test rollout of SEP we had a user come to us infected with AV360, or Vundo. It was a true test to see if Endpoint would clean it, as I was hoping that it would and that we wouldn't have to purchase even more software to clean infections. I was disappointed to find that SEP did not clean it. It got some of the files, but the main thing was it didn't stop the process from running. I finished the cleanup with Malwarebytes.
Thanks Simc-pk. I haven't read that before. Was quite interesting. The author got a bit of a bashing for pointing out the facts though eh?!
I also picked this one up on my computer and had to remove it with Malwarebytes. I use NOD32 and actually found this forum while looking for an alternative since NOD32 failed to even detect the trojan. I guess Symantec has a similar problem.
It's funny that we all seem to rely on Malwarebytes to take care of it.
Has anyone tried Symantec's Trojan.Vundo removal tool?
I think this thread is a little bit unfair to Symantec. Malwarebytes is a tool for the removal of infections from already infected machines. It is not antivirus security software.
There is no Antivirus software today (that I know of) that has removal tools included by default.
Perhaps I am wrong?
Max... you are correct. If you look at the technical aspects of that bug, there are reasons you can't simply clean it in normal mode Windoze. It's more to do with Windoze than anything else.
Even with malwarebytes software, I had to MANUALLY go into safe mode and do some cleaning ON MY OWN. Malwarebytes told me what was what and where, and did a "decent job" but it was up to me to remove hidden folders and files. Safe mode is the only way to kill it properly. I spent a FULL weekend on a notebook and then recently got a rootkit cleaned off a desktop. Similar things - it took safe mode and my expertise (been at this since the late 80's) to clean it.
I do wish the Symantec products at least EXPLAINED the reason why you can't always simply remove these critters in normal mode while the user twiddles his/her thumbs. Blame Microsoft if you want to blame anyone.
Several posters here hit the nail - many of these products are CLEAN UP AFTER THE DAMAGE IS DONE products, they won't keep the critter out to begin with.
AVG Free - good stuff, but they come right out and tell you it's not a solve-all tool either. They are honest about it.
The BEST solution - KEEP OUT OF THOSE PLACES where these bugs reside! Don't open email attachments! Computer users are their own worst foe, plain and simple. Want to solve the issue of those bugs? Practice safe computing, stay away from FREE STUFF (for you CHEAPSKATES out there that want something for nothing or feel "owed"), stay away from "adult" sites (come on folks!) and don't open email you were not expecting, especially ATTACHMENTS. Too afraid of missing out on something? OR missing something that may be FREE?
The sources for these infections - the way they get in is HIGHLY PUBLICISED... draw your own conclusions as to what I mean by that.
NOW, there are many innocent that get these infections anyway - that's a fact! Hacked web sites, shoot, we even had to threaten a local TV station with blocking their web site from access by state agencies due to their web site contractor adding some nifty ads on their own, ads that placed spyware on state computers. I told the station general manager - clean up your site or I'll make sure no state computer can access it from now on. Humble apologies and assurances, and the issue was that the agency they hired from out east to build and maintain their site was a bit heavy-handed in the advertising. Within hours their site was changed!
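The "comes back after each reboot" behaviour described in this thread can be checked for directly. As an added example (not code from any poster here, and not a Symantec or Malwarebytes tool), this PowerShell script snapshots the standard Run/RunOnce autostart keys after a cleanup and, on the next run, reports which entries have been re-created; the baseline file path is a placeholder chosen for the example.

```powershell
# Added example: record the common Windows autostart registry entries to a
# baseline file, then diff a later snapshot against it to see which entries
# reappeared after a reboot or a cleanup attempt.
# Assumption: $Baseline below is a placeholder path, not a vendor location.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds itself; these are not autostart values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartSnapshot {
    # Emits one "key|name|command" line per autostart entry, sorted for diffing.
    $entries = foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($MetaProps -contains $p.Name) { continue }
            "$key|$($p.Name)|$($p.Value)"
        }
    }
    $entries | Sort-Object
}

function Compare-AutostartSnapshot {
    param([string]$BaselinePath)
    # @() keeps an empty baseline file from becoming $null.
    $baseline = @(Get-Content -Path $BaselinePath)
    $current  = @(Get-AutostartSnapshot)
    # SideIndicator '=>' marks entries present now but absent from the baseline.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

# First run (after cleaning, before rebooting) writes the baseline;
# later runs report anything that has come back since.
$Baseline = 'C:\Temp\autostart-baseline.txt'   # placeholder path
if (-not (Test-Path $Baseline)) {
    Get-AutostartSnapshot | Set-Content -Path $Baseline
    Write-Output "Baseline written to $Baseline"
} else {
    $returned = Compare-AutostartSnapshot -BaselinePath $Baseline
    if ($returned) { Write-Output 'Autostart entries re-created since baseline:'; $returned }
    else { Write-Output 'No new autostart entries since baseline.' }
}
```

Run it from an elevated prompt so the HKLM keys are readable; any line it reports after a reboot is a persistence entry that survived the cleanup and is worth examining before trusting a scan result.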
The thing is, if SEP can detect the trojan it should be able to prevent it from installing!
We can understand that some trojans require restarts to remove completely, but we're paying for protection, and while unknowns will never be protected against completely, using the Proactive Threat Protection & Bloodhound heuristics as well as SEP's AV and AntiSpyware components, threats that SEP knows about and detects AFTER they've installed themselves shouldn't be allowed to install in the first place.
I have Bloodhound set to the max here and Antivirus 2009 still ended up installed on a user computer. So I know where that's coming from, BUT, it was a new, brand new, variant. It was 2 hours after I submitted the files that the next defs actually detected it. Too late, I'd already manually removed it. Now why didn't Bloodhound detect it? Possibly because it was an app that installed and was more adware and pop-ups and did little file manipulation as far as destroying Windoze files and didn't "infect" in the methods most folks think of. But Symantec is very familiar with these "new methods" so should still block or at least WARN - do you REALLY want to let this thing install??
MS's boot-up protection and checks do just that.
These users are no ordinary computer users, they are non-computer users and have the "if it's there, I should thus click on it!" attitude. And the "it's in my inbox, thus it's for me and important that I open it" attitude. Doesn't matter what we say or do.
(in other words, they invite stuff in and are happy to do so lest they miss out on something)
It seems that these kinds of trojans are able to hide themselves from SEP until they have already caused some damage.
Trojans do not self-replicate like viruses do; they depend on user interaction to spread themselves, either through e-mail or web browsing urging the user to download or click OK on popup messages to infect the PC.
I am curious why SEP is not blocking this by default. I mean, in what way does the trojan work to "fool" SEP?
I am sure that with a correct setting/configuration of SEP it should be possible to also block Trojan.Vundo.
For instance with Intrusion Prevention Policy enabled it looks like trojan.vundo is blocked by default. Anyone who got infected that had this policy enabled?