Endpoint Protection

  • 1.  windows recovery virus removal

    Posted Apr 22, 2011 08:06 AM

    Does SEP not catch the Windows Recovery virus/trojan? Do they have a removal tool? I can't find anything on their website about how to remove it. Like every other virus, perhaps they have their own name for it and I'm searching for the wrong thing?



  • 2.  RE: windows recovery virus removal

    Broadcom Employee
    Posted Apr 22, 2011 08:26 AM

    It often happens that different companies have different names for the same threat. Example - the virus Conficker is called W32.Downadup by Symantec.

    Do you suspect you are infected with this virus? To be sure if SEP detects it, please download the Rapid Release definitions (symrapidreleasedefsv5i32.exe file for SEP client):
    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    And run a full scan on the machine (preferably in safe mode).

    If you have any suspected file(s), you should submit them to the Security Response webpage for the analysis:
    How to submit a file to the Security Response website
    http://www.symantec.com/business/support/index?page=content&id=TECH134967

    You may also upload the file(s) to ThreatExpert -> http://www.threatexpert.com/
    You will find a list of antivirus companies which are detecting it and what name they give to that threat.



  • 3.  RE: windows recovery virus removal
    Best Answer

    Broadcom Employee
    Posted Apr 22, 2011 10:29 AM

    Hi,

    You can also try the Power Eraser tool.

    It's built into the SEP support tool. Select the Power Eraser option and scan the infected system.

    http://www.symantec.com/business/support/index?page=content&id=TECH105414



  • 4.  RE: windows recovery virus removal

    Posted Apr 22, 2011 11:14 AM

    Try bumping up your Security Settings?

    Also, make sure you follow the Security Best Practices.

    Security Response recommends the following Scan Settings:

    Antivirus Security Setting                    Default Setting   High Security Policy   Security Response Recommendation
    Lock settings                                 Some              Some                   All
    Remediation: terminate processes              No                No                     Yes
    Remediation: terminate services               No                No                     Yes
    Auto-Protect action taken for security risks  Quarantine/Log    Quarantine/Log         Quarantine/Delete
    Network Auto-Protect                          Disabled          Enabled                Enabled
    Bloodhound Level                              Default (2)       Default (2)            Default (3)
    SEP Startup                                   System Start      System Start           System Start
    Auto-Protect Scan                             Modify and access Modify and access      Modify and access

    Security Response recommends the following setting changes to TruScan for best protection:

    TruScan Setting        Default Setting   Security Response Recommendation
    Scan Sensitivity       9/Low             100
    Action on Detection    Log               Terminate
    Scan Frequency         1:00              00:15

    http://www.symantec.com/business/support/index?page=content&id=TECH122943&locale=en_US



  • 5.  RE: windows recovery virus removal

    Posted Apr 22, 2011 11:43 AM

    I believe this may be related to Fake AV... this blog post may be of interest:

    https://www-secure.symantec.com/connect/blogs/fake-disk-cleanup-utilities-ruse

    I would treat it like any other Fake AV. In addition to the above recommendations, if you are not using the Intrusion Prevention System, you really need to be.

    Best practices regarding Intrusion Prevention System technology
    http://www.symantec.com/docs/TECH95347

    sandra



  • 6.  RE: windows recovery virus removal

    Posted Apr 22, 2011 01:47 PM

    The issue with this virus is that it makes all of the C: drive files and folders hidden and read-only. Is there an AV signature that can prevent this?
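    Once the infection itself has been removed, the Hidden/ReadOnly attributes the fake tool set on ordinary files still have to be reverted. The script below is an added example (not from Symantec or from anyone in this thread) that clears those two attributes on a directory tree; it assumes that the trojan's changes are the Hidden+ReadOnly pair on non-System items, so genuinely hidden OS files (which also carry the System attribute) are left alone, and it honours -WhatIf so the changes can be reviewed before they are applied.

```powershell
# Added example: revert Hidden/ReadOnly attributes on user files and folders
# after a fake "Windows Recovery" infection. Assumption: the trojan only set
# Hidden+ReadOnly on ordinary data, while legitimately hidden OS files also
# carry the System attribute, which this script never touches.
# Run from an elevated PowerShell prompt. Try it with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Start narrow (the user profiles); widen to C:\ once the dry run looks right.
    [string]$Path = 'C:\Users'
)

# Bit mask of the two attributes the trojan sets and that we want to clear.
$clearMask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly)
$fixed = 0

# -Force is required so that hidden items are enumerated at all.
foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue) {
    $attrs      = [int]$item.Attributes
    $isHidden   = ($attrs -band [int][IO.FileAttributes]::Hidden)   -ne 0
    $isReadOnly = ($attrs -band [int][IO.FileAttributes]::ReadOnly) -ne 0
    $isSystem   = ($attrs -band [int][IO.FileAttributes]::System)   -ne 0

    # Skip System-flagged items (desktop.ini, profile junctions, etc.).
    if ($isSystem -or -not ($isHidden -or $isReadOnly)) { continue }

    if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden/ReadOnly attributes')) {
        $item.Attributes = [IO.FileAttributes]($attrs -band (-bnot $clearMask))
        $fixed++
    }
}

Write-Host "Cleared Hidden/ReadOnly on $fixed item(s) under $Path"
```

    Note that legitimately hidden but non-System user folders (for example AppData) will be unhidden as well; review the -WhatIf output and re-hide those few by hand if needed.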



  • 7.  RE: windows recovery virus removal

    Posted Apr 22, 2011 01:58 PM

    The latest Fake AV variant was discovered 4/18/11. Make sure you have the latest definitions. If this is not getting detected, try the Rapid Release definition set. If possible, submit a sample file to Security Response or ThreatExpert for analysis.

    Trojan.FakeAV!gen50 - http://www.symantec.com/business/security_response/writeup.jsp?docid=2011-042005-5526-99


    SR Submission - http://www.symantec.com/business/security_response/submitsamples.jsp

    ThreatExpert - http://www.threatexpert.com/submit.aspx



  • 8.  RE: windows recovery virus removal

    Posted Apr 22, 2011 05:01 PM

    Thanks for the comments/suggestions. We have utilized the SEP support tool/Power Eraser option per Symantec's tech support and uploaded several files to the Security Response team per their request.