Endpoint Protection


Autoprotect never catches virus by the first time

  • 1.  Autoprotect never catches virus by the first time

    Posted Jun 15, 2010 03:47 AM
    Hello everyone, we have a big problem here. Our colleagues get infected very often (most of the time by drive-by downloads) without Symantec interacting. Or if Symantec interacts, it's always too late and the virus has installed itself. All users have administrative rights (no discussion about this please, changing it with the migration to Windows 7).

    Using Windows XP SP3.
    Policy is almost standard: "The recommended policy for most environments".
    Client is RU5 or RU6a.
    I just added two more settings: the shutdown of processes and services. I hope this helps.

    So is there something wrong with our settings or is it just as it is? After installation of the malware we need to install extra programs like Malwarebytes Antimalware to get rid of the virus. This can't be the solution.

    Greets
    Stephan


  • 2.  RE: Autoprotect never catches virus by the first time

    Posted Jun 15, 2010 03:55 AM

    Best practices for responding to active threats on a network
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011510455048
     
    Security Response recommendations for Symantec Endpoint Protection settings
     
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948


  • 3.  RE: Autoprotect never catches virus by the first time

    Posted Jun 15, 2010 04:23 AM
    Thanks Prachand,

    I now set it like the recommendations.

    I will report if it gets any better.

    Greets
    Stephan



  • 4.  RE: Autoprotect never catches virus by the first time

    Posted Jun 15, 2010 05:22 AM
    One other point:
    In the default Centralized Exception Policy, the clients are able to add exclusions in the Symantec client installed on their PC.
    Check that the clients haven't created any exclusions; it is better to remove all the check marks in the mentioned policy.


  • 5.  RE: Autoprotect never catches virus by the first time

    Posted Jun 15, 2010 07:54 AM
    Ensure that all your PCs have the latest virus defs and patches... Disable autorun...


  • 6.  RE: Autoprotect never catches virus by the first time

    Posted Jun 15, 2010 08:06 AM
    We disabled autorun a long time ago since one of our customers gave us a virus on a USB stick :)
    Exclusions set by clients aren't allowed.

    I hope the settings I've done from "Security Response recommendations for Symantec Endpoint Protection settings" will help.
    I think I can tell you in one week if it got better.

    Maybe a tip from me:
    After many people got a virus using Internet Explorer, I've set up a new shortcut which runs IE without administrative rights using psexec.

    To run Internet Explorer with limited-user privileges use this command:
    psexec -l -d "c:\program files\internet explorer\iexplore.exe"

    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

    I'm thinking about replacing the IE shortcut in the quicklaunch with this shortcut.
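    As an added example (not from the post above), this PowerShell script creates the Quick Launch shortcut the poster describes, pointing at PsExec with the -l (limited-user token) and -d (don't wait) switches. The PsExec location and shortcut name are assumptions; adjust them to your environment.

```powershell
# Added example: create a Quick Launch shortcut that starts Internet Explorer
# through PsExec with a limited-user token, as suggested in the post above.
# $psexec and the shortcut name are assumed values, not from the original thread.
$psexec = "C:\Tools\psexec.exe"                                   # assumed PsExec path
$ie     = "C:\Program Files\Internet Explorer\iexplore.exe"
$quickLaunch = Join-Path $env:APPDATA "Microsoft\Internet Explorer\Quick Launch"
$lnk = Join-Path $quickLaunch "Internet Explorer (limited user).lnk"

# Fail early if either binary is missing instead of creating a dead shortcut.
if (-not (Test-Path $psexec)) { throw "PsExec not found at $psexec" }
if (-not (Test-Path $ie))     { throw "iexplore.exe not found at $ie" }
if (-not (Test-Path $quickLaunch)) { New-Item -ItemType Directory -Path $quickLaunch | Out-Null }

$shell = New-Object -ComObject WScript.Shell
$s = $shell.CreateShortcut($lnk)
$s.TargetPath = $psexec
# -l : run with limited-user rights (strips the Administrators group from the token)
# -d : return immediately instead of waiting for iexplore.exe to exit
$s.Arguments        = "-l -d `"$ie`""
$s.WorkingDirectory = Split-Path $ie
$s.IconLocation     = "$ie,0"     # reuse the IE icon so users recognise it
$s.Description      = "Internet Explorer started with limited-user rights via PsExec"
$s.Save()

Write-Host "Created $lnk"
```

    Once the shortcut exists, the original IE shortcut in Quick Launch can be removed so users pick up the limited-rights one by default.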


  • 7.  RE: Autoprotect never catches virus by the first time



  • 8.  RE: Autoprotect never catches virus by the first time

    Posted Jul 13, 2010 04:45 AM
    I performed all the tips and I still get many infected notebooks.

    Most of them get infected via Java.
    It's Bloodhound.Exploit.292.

    But when I connect to the specific notebook the virus has already been installed. I then update all programs like Java, Adobe and ensure that Windows XP has the latest patches (which it has most of the time).

    And even if I run Malwarebytes and some other programs, sometimes I can't get rid of it.

    I hope with Windows 7 everything is getting better....


  • 9.  RE: Autoprotect never catches virus by the first time

    Posted Jul 15, 2010 05:09 AM
    OK, the boss made a decision: we will move away from Symantec to another antivirus program.

    We had too many virus infections in the last months. I hope it is getting better :)

    hf


  • 10.  RE: Autoprotect never catches virus by the first time

    Posted Jul 15, 2010 02:50 PM
    I'm sorry to hear that you've moved away from Symantec.  I did want to point out that it's very important to look at the Security Response writeup for more information on what is being detected.

    For example, for Bloodhound.Exploit.292:

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-041418-2428-99

    "Bloodhound.Exploit.292 is a heuristic detection for potentially malicious files that may exploit the Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution Vulnerabilities (BID 39346)."

    [emphasis mine]

    This detection does not necessarily mean there is an infection, and if these vulnerabilities have already been addressed, then there is nothing to be concerned about.

    sandra


  • 11.  RE: Autoprotect never catches virus by the first time

    Posted Jul 16, 2010 02:36 PM
    We are having the same problem with auto protect not detecting the virus or Trojan (these are not bloodhounds) before the Malware installs. In most cases even running a full scan the Malware is not detected by Symantec. I'm talking as many as 5 or 6 infections a day. As a research / teaching institution we cannot lock down Internet access and thereby are heavily reliant upon our AV solution.

    We too end up installing the free version of Malwarebytes which 99% of time finds and cleans off the infection. In many of these cases Symantec auto protect only sees and stops the infected file as the file is touched by the Malwarebytes scan. 


    Our management is seriously considering not renewing our Symantec contract.


  • 12.  RE: Autoprotect never catches virus by the first time

    Posted Jul 16, 2010 03:21 PM

    If I had to guess, I'd say it's probably rogue antispyware, which generates new code constantly to evade detection by antivirus programs.   I would strongly suggest shoring up security with Endpoint Protection, which employs additional technologies and can be hardened to deflect these threats before they reach the end user's computer.

    I would also examine whether all known software vulnerabilities are patched; not just Windows, but Adobe Reader, Flash, Quicktime...  I've found that these tend to be avenues of infection for fake AV.

    Title: 'Does Symantec Endpoint Protection protect me from fake anti-virus programs?'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748

    Title: 'Security Best Practices for Protecting a Business Environment from Common Threats'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008062705355948

    [edited to replace 2nd document link with a link to a more comprehensive one.]

    sandra


  • 13.  RE: Autoprotect never catches virus by the first time

    Posted Jul 16, 2010 03:39 PM
    Stop using a 3yr+ old product to detect modern day viruses?

    SEP is designed for today's threats, not SAV 10


  • 14.  RE: Autoprotect never catches virus by the first time

    Posted Jul 17, 2010 01:23 PM
    Hello Sandra,

    I'm also not that glad, because I find the administration of the clients very easy.

    But most of the time after we got a detection like this Malwarebytes detected more viruses that have already been installed. I'm not even sure that another antivirus program will perform better.

    Greets
    Stephan



  • 15.  RE: Autoprotect never catches virus by the first time

    Posted Jul 18, 2010 04:59 PM
    As I understand it, Malwarebytes is more brute force than code-based detection, and code-based is what most antivirus programs are at this stage. Heuristics and application & device control (i.e. application whitelisting) seem to be the best way to combat more modern threats.

    sandra


  • 16.  RE: Autoprotect never catches virus by the first time

    Posted Jul 18, 2010 11:15 PM
    Hope you at least scan in safe mode when you have a problem with a virus.


  • 17.  RE: Autoprotect never catches virus by the first time

    Posted Jul 28, 2010 05:29 AM
    If I have the notebook on my desk, yes.
    But what can I do when having it remote? In safe mode I can't use RDP or our VNC program to connect.

    But even if I scan in safe mode using all possibilities I have, the virus sometimes comes back. Does Symantec have workshops (especially in Germany) where you learn virus removal? ;)

    Greets
    Stephan