Endpoint Protection


SEP and FakeAV / Rogueware

ℬrίαη, last reply Jan 12, 2010 08:33 AM

  • 1.  SEP and FakeAV / Rogueware

    Posted Jan 08, 2010 09:03 PM
    My company has invested in SEP and I've recently moved into the role of administrator for antivirus. I'm trying to gain as much knowledge / insight as possible on the product. Personally, I like SEP very much and have had more good times than bad, save for some minor headaches migrating from SAV to SEP, but that's to be expected with any migration.

    I'm trying to gain some insight, though, as to why a free product (e.g. Malwarebytes) is able to catch FakeAV or rogueware compared to SEP. Now, I have seen SEP catch the occasional rogueware, but Malwarebytes seems to do a much better job at catching and removing it.

    I have numerous log files from Malwarebytes showing different points of infections which SEP did not catch. I would like to know what I can do to turn this around? I know there are so many variants of rogueware / Fake AV that it is hard to keep up with definitions but what does Malwarebytes do differently than SEP. Lately, FakeAV / rogueware has been a big issue for me trying to catch / contain / remove so I would like to assist in any way I can to help SEP catch these types of malware.

    I can submit samples and / or log files but I'm just curious as to why SEP catches it here and there but not on the same frequency of Malwarebytes.

    Any thoughts on this would be great.


  • 2.  RE: SEP and FakeAV / Rogueware

    Posted Jan 08, 2010 09:51 PM
    We too want to know why SEP 11 MR5 seems oblivious to threats from Fake AV such as Personal Security Antivirus while tools such as Malwarebytes and Superantispyware readily detect and remove this and other rogue applications.

    Troy Taylor


  • 3.  RE: SEP and FakeAV / Rogueware

    Posted Jan 08, 2010 10:53 PM
    Recently I have faced the same issue with another product...
    The customer says the other product is detecting the virus and their problem was solved, but Symantec was not able to detect it even though the virus was listed in the threat list. It's really difficult to convince the customer.



  • 4.  RE: SEP and FakeAV / Rogueware

    Posted Jan 08, 2010 11:23 PM
    Hard to sell a client with many PCs on SEP when a competitor's product is free and does a better job of removing the threats.

    I've liked, used and recommended Symantec / Norton for *years*, but it's getting harder to justify the cost versus protection all the time.

    Brian


  • 5.  RE: SEP and FakeAV / Rogueware

    Posted Jan 09, 2010 10:28 AM
    It seems to be the registry keys being infected and SEP not catching it in my case. Much of this rogueware uses "Image Hijacks" to block any legit program from running. It's a pretty well-known location in the registry at this point, though.
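
    Added example (not code from any post in this thread): the "Image Hijacks" the post above refers to are, by the usual reading, Debugger values under the Image File Execution Options (IFEO) key, which make Windows start the named "debugger" instead of the real taskmgr.exe, regedit.exe or AV binary. The script below parses a `reg export` of that key and flags redirects into user-writable directories; the .reg text is constructed sample data (the vucgpk\cotgsysguard.exe path is borrowed from a later post in this thread), and on a live Windows host `read_live_ifeo()` reads the real key through `winreg`.

    ```python
    r"""Hunt for Image File Execution Options (IFEO) "image hijacks".

    Added example, not code from any post in this thread. A Debugger value under
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>
    makes Windows start the Debugger binary instead of <image>; rogueware uses it to
    "block" taskmgr.exe, regedit.exe and AV tools. SAMPLE_REG_EXPORT is constructed
    data in `reg export` format; on Windows, read_live_ifeo() reads the real key.
    """
    import re
    from typing import Dict, List, Optional, Tuple

    IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

    # A Debugger living in a user-writable directory is the classic rogueware tell.
    USER_WRITABLE = re.compile(
        r"\\(AppData|Temp|ProgramData|Local Settings|Application Data)\\"
        r"|\\Users\\Public\\",
        re.IGNORECASE,
    )

    # Constructed sample of `reg export` output (not a real capture).
    SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
    "Debugger"="C:\\Documents and Settings\\jdoe\\Application Data\\vucgpk\\cotgsysguard.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
    "Debugger"="C:\\Documents and Settings\\jdoe\\Application Data\\vucgpk\\cotgsysguard.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
    "Debugger"="C:\\Program Files\\Debugging Tools for Windows\\windbg.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
    "DisableExceptionChainValidation"=dword:00000000
    """

    _KEY_RE = re.compile(r"^\[(.+)\]$")
    _DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


    def parse_ifeo_export(text: str) -> Dict[str, str]:
        """Return {image_name: debugger_path} for each IFEO subkey carrying a Debugger value."""
        found: Dict[str, str] = {}
        current_image: Optional[str] = None
        marker = IFEO_KEY.lower() + "\\"
        for raw in text.splitlines():
            line = raw.strip()
            key = _KEY_RE.match(line)
            if key:
                idx = key.group(1).lower().find(marker)
                # Only subkeys below the IFEO key name an image; the key itself does not.
                current_image = key.group(1)[idx + len(marker):].lower() if idx >= 0 else None
                continue
            val = _DEBUGGER_RE.match(line)
            if val and current_image:
                # reg export escapes backslashes and double quotes; undo that.
                found[current_image] = val.group(1).replace('\\"', '"').replace("\\\\", "\\")
        return found


    def classify_hijacks(debuggers: Dict[str, str]) -> List[Tuple[str, str, str]]:
        """Label each redirect 'suspicious' (user-writable Debugger path) or 'review'."""
        results = []
        for image, debugger in sorted(debuggers.items()):
            verdict = "suspicious" if USER_WRITABLE.search(debugger) else "review"
            results.append((image, debugger, verdict))
        return results


    def read_live_ifeo() -> Dict[str, str]:
        """On Windows, read the real IFEO key; elsewhere return {} (winreg is Windows-only)."""
        try:
            import winreg
        except ImportError:
            return {}
        found: Dict[str, str] = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_KEY) as root:
            i = 0
            while True:
                try:
                    image = winreg.EnumKey(root, i)
                except OSError:
                    break
                i += 1
                try:
                    with winreg.OpenKey(root, image) as sub:
                        found[image.lower()] = winreg.QueryValueEx(sub, "Debugger")[0]
                except OSError:
                    pass  # subkey without a Debugger value
        return found


    if __name__ == "__main__":
        live = read_live_ifeo()
        for image, dbg, verdict in classify_hijacks(live or parse_ifeo_export(SAMPLE_REG_EXPORT)):
            print(f"{verdict:10} {image:20} -> {dbg}")
    ```

    Every Debugger value is worth a look; the script only ranks them. A developer's WinDbg entry lands in "review", while a Debugger under Application Data or AppData, as in the constructed taskmgr.exe and regedit.exe entries, is reported as suspicious and is the entry to delete before the hijacked tools will run again.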


  • 6.  RE: SEP and FakeAV / Rogueware

    Posted Jan 09, 2010 12:37 PM
    You install Malwarebytes ONLY when SEP misses them, so you feel Malwarebytes is working better than SEP.
    If you install SEP on 1 system and MBAM or any other AV on another system and then compare, you will find how much malware SEP detects and how much they detect.

    I understand Malwarebytes is also doing a good job in catching these rogue AVs, but that's it. I haven't heard that Malwarebytes caught Downadup or bigger names at first instance.
    So based on a few detections missed by SEP you cannot say MBAM is better than SEP.



  • 7.  RE: SEP and FakeAV / Rogueware

    Posted Jan 09, 2010 01:40 PM
    I'm not trying to argue, I'm simply asking what can be done to bring SEP up to the level of MBAM in catching Rogueware / FakeAV. SEP does a great job in catching everything else, except the Rogueware category. I never said MBAM was better than SEP, but that MBAM does a better job in catching Rogueware / FakeAV than SEP. I don't believe you will get too many arguments on this. You can even toss Spybot S&D into the mix.

    And yes, I install MBAM when SEP misses it but what else would you expect. If one can't find it, then get something that does.

    Because my company is so large (# of users), I don't have time to spend investigating each incident (and believe me I would love to) because our engineers need to work. They make the company go. They want their PC back right away and will breathe down your back until they get it back.

    I would love to help in any way that I can to make this the best product possible (and I believe it is already up there). Mainly because I use it on full time basis and the more malware that is caught, the less headaches for me.


  • 8.  RE: SEP and FakeAV / Rogueware

    Posted Jan 09, 2010 04:10 PM
    I understand your concern. The only way we can help Symantec catch the rogue AVs is by submitting them. If we think that somebody else will submit them or that Symantec's sensors should catch it, then it might come back to us some day.

    Say you've got 1000 computers. You get a rogue AV on 1 computer, you install MBAM and remove it.
    It saves time, energy and tension.
    But what if the same rogue AV kept coming to other computers at 1 or 2 day intervals? Or say 100 computers at once?
    So we've got to get into the practice of submitting files before removing them.


  • 9.  RE: SEP and FakeAV / Rogueware
    Best Answer

    Posted Jan 09, 2010 08:06 PM
    Here is the official Symantec view on this subject: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000100610314948. You will find that almost any modern virus protection will have similar views on this subject; nothing is 100%. Symantec will catch some viruses while other AVs will not, and vice versa. Also, if you want to hear more about virus submissions to Symantec, then read the bottom half of the article I posted above. It goes over the process of rapid release definitions, which is our way of trying to get definitions out to users as quickly as possible when a virus goes undetected.

    Thanks
    Grant


  • 10.  RE: SEP and FakeAV / Rogueware

    Posted Jan 10, 2010 03:10 AM
    That's a very good and explanatory article. I wonder how I missed that.


  • 11.  RE: SEP and FakeAV / Rogueware

    Posted Jan 10, 2010 01:19 PM
    It is very good and informative, and answers most of my questions. Thanks


  • 12.  RE: SEP and FakeAV / Rogueware

    Posted Jan 12, 2010 06:34 AM

    Just adding a link to this excellent forum thread: fake AV / misleading app / smitfraud / scareware / rogueware is an area that Symantec is very actively investigating. In October 2009, a white paper was made public on the topic.

    The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs and how they affect users. The report includes an overview of these programs, how they work, their risk implications, various distribution methods and innovative attack vectors.

    To learn more, please download and read the report or listen to the podcasts on the subject. http://www.symantec.com/business/theme.jsp?themeid=threatreport or  http://www4.symantec.com/Vrt/wl?tu_id=XuOB125692283892572210 

    Thanks and best regards,

    Mick



  • 13.  RE: SEP and FakeAV / Rogueware

    Posted Jan 12, 2010 08:33 AM
    Great stuff. Thanks as well, Mick


  • 14.  RE: SEP and FakeAV / Rogueware

    Posted Jan 12, 2010 08:56 AM
    Check my recent post that starts out "YAHOO!!..............."  (do a forum search, it should be in the past day or two so fairly close to the top)

    I created a policy using SEP that blocks some of those rogue AV apps and other things from installing.
    In fact, I was fully successful yesterday in that SEP didn't stop the EXE installer from running, even though it flagged and attempted to delete it, but the policy DID prevent any DLL or EXE files from being installed in the user profile area!
    So in effect, I used a part of SEP to block the infection that otherwise might have taken place.
    I saw it in action as the logs rolled by on my screen and was pretty happy with it.
    I've also got an article posted from months ago that tells what I did and how it worked.
    So do read all the above, and know that SEP or any other can't be 100%, but at some risk here, I'll also state that an AV is only as good as the security administrator makes it... and you, with our help, can make SEP even better by using custom policies and configurations.
    Go for it, then post your success stories!
    Too often forums are gripe areas where those with problems come to find others like them... I'd like to see some more "YES, we killed it and here's how we did it" posts myself. We can ALL learn from those as well!


  • 15.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 10:19 AM
    Is there somewhere to submit these Fake AVs? The following I have found and have been adding to my block list via MD5s:

    cotgsysguard.exe
    349A38F0D2C98246F096980F0599D6D1
    %AppData%\vucgpk\cotgsysguard.exe, 259,328 bytes, MD5: 0x349A38F0D2C98246F096980F0599D6D1

    SpywareGuard2008
    93b0bde48b3e5d5bccac209d08ae12ec

    SpywareGuard2009
    ad6aade72380dc4798e6d19c65b811d1
    fb93c7a7fb4dcb27f8350d101277a3e1
    7ef5d69e18d9c5aba2a6d05c43caf947
    4b2f679760885c0e2f529f0637dc092f
    1badd200b0182c248a6a007fc0d19a1c
    db22dd87b1c4ec9780196c8d051c5c7b

    kjllsysguard.exe
    7af7fb93c6e93fd74d3ecf4fcf2e8693

    tddpsysguard.exe
    e5f1e4c8b9f5263c918bf1b7d18d1f5e

    yctfsysguard.exe
    0383540afc05660ade28947b8e186598

    qbyqsysguard.exe
    a3c80be179cb9b63ea136959628cdc13
    This last one I just got infected with yesterday.

    There seems to be a LOT of different ones out there.
    Would be nice to be able to add MD5s to unmanaged clients, but it looks like this can only be done on the server end.
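
    Added example (not code from any post in this thread): the post above keeps a hash block list but cannot push it to unmanaged clients. The script below is the client-side stopgap: walk a tree such as %AppData%, MD5 every file, and report anything on the list. `BLOCKLIST` carries the hashes quoted in the post; `demo_tree()` builds a constructed sample directory so the scan runs offline. A renamed copy keeps its hash, but a repacked or rebuilt variant does not, so this is triage, not protection.

    ```python
    """Triage scan: hash every file under a directory and report MD5 blocklist hits.

    Added example, not code from any post in this thread. BLOCKLIST holds the hashes
    quoted in the post above; demo_tree() builds a constructed sample tree whose
    "rogue" file is made up for the demo.
    """
    import hashlib
    import os
    import tempfile
    from pathlib import Path
    from typing import Dict, List, Tuple

    # Hashes from the post above, lower-cased for comparison.
    BLOCKLIST: Dict[str, str] = {
        "349a38f0d2c98246f096980f0599d6d1": "cotgsysguard.exe",
        "93b0bde48b3e5d5bccac209d08ae12ec": "SpywareGuard2008",
        "ad6aade72380dc4798e6d19c65b811d1": "SpywareGuard2009",
        "fb93c7a7fb4dcb27f8350d101277a3e1": "SpywareGuard2009",
        "7ef5d69e18d9c5aba2a6d05c43caf947": "SpywareGuard2009",
        "4b2f679760885c0e2f529f0637dc092f": "SpywareGuard2009",
        "1badd200b0182c248a6a007fc0d19a1c": "SpywareGuard2009",
        "db22dd87b1c4ec9780196c8d051c5c7b": "SpywareGuard2009",
        "7af7fb93c6e93fd74d3ecf4fcf2e8693": "kjllsysguard.exe",
        "e5f1e4c8b9f5263c918bf1b7d18d1f5e": "tddpsysguard.exe",
        "0383540afc05660ade28947b8e186598": "yctfsysguard.exe",
        "a3c80be179cb9b63ea136959628cdc13": "qbyqsysguard.exe",
    }

    # RFC 1321 test vector, used to confirm the hashing path before trusting a scan.
    KNOWN_VECTOR = (b"abc", "900150983cd24fb0d6963f7d28e17f72")


    def md5_of_file(path: str, chunk: int = 1 << 16) -> str:
        """Stream the file through MD5 so large files need not fit in memory."""
        h = hashlib.md5()
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
        return h.hexdigest()


    def selfcheck() -> bool:
        """Write the known vector to a temp file and confirm md5_of_file reproduces it."""
        data, expected = KNOWN_VECTOR
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write(data)
            name = f.name
        try:
            return md5_of_file(name) == expected
        finally:
            os.unlink(name)


    def scan_tree(root: str, blocklist: Dict[str, str]) -> List[Tuple[str, str, str]]:
        """Return (path, md5, label) for every file under root whose MD5 is blocklisted."""
        hits: List[Tuple[str, str, str]] = []
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    digest = md5_of_file(path)
                except OSError:
                    continue  # locked or vanished: rogueware often holds its own binary open
                label = blocklist.get(digest.lower())
                if label:
                    hits.append((path, digest, label))
        return hits


    def demo_tree(blocklist: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        """Constructed sample: one benign file, one whose bytes stand in for a rogue binary."""
        root = tempfile.mkdtemp(prefix="fakeav_demo_")
        rogue = b"MZ constructed sample standing in for qbyqsysguard.exe"
        (Path(root) / "vucgpk").mkdir()
        (Path(root) / "vucgpk" / "qbyqsysguard.exe").write_bytes(rogue)
        (Path(root) / "notes.txt").write_bytes(b"benign user data")
        # The sample's own hash is merged in so the demo produces a hit.
        merged = dict(blocklist)
        merged[hashlib.md5(rogue).hexdigest()] = "constructed sample (qbyqsysguard.exe)"
        return root, merged


    if __name__ == "__main__":
        assert selfcheck(), "MD5 self-check failed"
        root, blocklist = demo_tree(BLOCKLIST)  # on a real client: os.environ["APPDATA"]
        for path, digest, label in scan_tree(root, blocklist):
            print(f"HIT {digest}  {label}  {path}")
    ```

    Run it against %AppData% and %Temp% on a suspect machine rather than the whole disk; those are where the sysguard-style droppers in the post land, and hashing the entire system drive just to find them wastes the time the post is trying to save.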



  • 16.  RE: SEP and FakeAV / Rogueware



  • 17.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 10:49 AM
    Thanks.  Just submitted the latest one to them.


  • 18.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 10:53 AM
    That was quick, I already got a response from them:

    qbyqsysguard.exe is a non-repairable threat.

    Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.

    Downloading and Installing RapidRelease Definition Instructions:
    1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/


  • 19.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 10:56 AM
    Nice, I've been submitting as well. Every little bit helps :-)


  • 20.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 10:57 AM
    It was not a quick response, but it was a threat that Symantec had already detected today and had not released the definitions for. So they would have pointed you to Rapid Release definitions.


  • 21.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 11:11 AM
    I don't think the one I sent was in their release yet, because I just sent another one and got a different response: not one saying it will be "added"; the other one stated it would be added to the next Rapid Release defs.

    Developer notes:
    tddpsysguard.exe is a non-repairable threat.

    The current definitions are capable of detecting this virus. Please update your definitions by clicking the "LiveUpdate" button in your NAV program.


  • 22.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 12:28 PM
    I can tell you this - SEP is not catching the latest iteration of "Antivirus Live". My primary workstation became infected yesterday. That was protected with SEP 11.0.4000.2292 with 1/19/2010 r8 definitions. We've had about a dozen different systems infected over the past two weeks with "Antivirus Live" and the fact that SEP is proving to be less than adequate is highly frustrating. This may very likely cause us to rethink our upcoming enterprise renewal. I was a Symantec employee for 8 years - I believe in the company and the technology. But the fact is that SEP has not provided us with a suitably high level of protection against this particular malware.


  • 23.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 12:34 PM
    What steps have you taken to remove this Antivirus Live or whatever fake AV?
    Did you use any 3rd party AV or manual removal, or did you actually submit the files?
    When you were infected, did you just go by the current definitions on the client, or did you download the latest Rapid Release definitions from the Symantec ftp or http site?



  • 24.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 01:06 PM
    Vik,

    Do yourself a favor and take off the yellow-tinged sunglasses. Symantec is not the end-all and be-all of the world. Not even of the significantly smaller world of system security. Trust me - taking off the yellow sunglasses is a liberating experience.

    To answer your question: once systems become infected to the point that Task Manager, regedit and other common binaries will not load (common effects of "Antivirus Live", by the way), our policy is generally to "nuke and pave". Our desktop support team (much like other companies', I am sure) simply doesn't have enough time to waste trying to solve a problem that's not theirs. We can reimage a system and have it back online in 10 minutes; ergo, why then spend more than 10 minutes troubleshooting?

    My problem begins when the desktop support team comes to the system admin team saying "this is beginning to take up too much of our time". As before, we've seen about a dozen different systems go down with this in the past few weeks. The latest, it turns out, much to my embarrassment, is my own.

    My primary point - which I believe remains intact - is that as an Enterprise customer, we expect reasonably good protection. Sure - there's always going to be the situation where a new piece of malware sneaks in before definitions are in place. However, we've been getting beat up by "Antivirus Live" for a few weeks now and it is getting to be a more and more significant issue. SEP, even with our configuration being to perform an hourly check for certified defs, is clearly not doing the job.

    The fact that we even have to start talking about using third party tools or freeware to be able to clean this beast post-infection is unacceptable. We maintain SEP with realtime protection enabled and the latest definitions we can get our grubby paws on so that we don't have to do much post-infection cleanup.


  • 25.  RE: SEP and FakeAV / Rogueware

    Posted Jan 20, 2010 02:17 PM
    I know this discussion will not lead us to a solution because there isn't one.

    However, you can read this blog written yesterday
    https://www-secure.symantec.com/connect/blogs/it-malware-you-make-call

    and the report posted by Mick above.
    When it comes to FakeAV I haven't heard a name other than Malwarebytes, though I would agree; even the other so-called enterprise antivirus companies are either at the same place or lagging behind.

    If you compare what is happening now and what was happening earlier, you'll never be on the happier side, as the numbers released today show.
    However, if you really have an enterprise antivirus with which you can really compare SEP, then you could say this.
    But at today's date, when it comes to detection, everybody is somewhat at the same place. However, you might find freeware and home products detecting more than any known company.


  • 26.  RE: SEP and FakeAV / Rogueware

    Posted Feb 10, 2010 11:12 AM
    I like how this issue is flagged as "solved." What a joke. SEP is completely useless against scareware and we have to rely on a free program to get rid of it. I don't know how many hours I've wasted cleaning computers of Personal Security, or Total Security or whatever name it is this week but it's a LOT of time. I have plenty of time to write up this rant right now because I'm waiting for Malwarebytes to remove "Your PC Protector" from one of our computers.

    "Your PC Protector" is the exact same thing as "Personal Security." I submitted "Personal Security" to Symantec last month and they created definitions based on my submission. Apparently all the bad guys have to do is CHANGE THE NAME and SEP is too stupid to realize it.

    Symantec should be paying me as a consultant since I'm doing their work for them. These rogue security programs have been around for years and there are literally dozens of websites out there with instructions on how to remove them. WHY do they continue to slip past SEP again and again and again?!?!?



  • 27.  RE: SEP and FakeAV / Rogueware

    Posted Feb 10, 2010 02:15 PM
    I agree. These fake AV scanners are becoming a big pain in the butt. Maybe V12 will have something that can protect against these? I'm surprised there isn't anything built into SEP to protect your hosts file and IE proxy settings. Especially the IE proxy: these buggers like to put in a fake proxy so that the user thinks his computer is really hosed up.
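
    Added example (not code from any post in this thread): the two settings the post above wants watched are easy to audit from a script. `check_hosts()` flags hosts-file entries that pin security-vendor or update domains, and `check_proxy()` flags a WinINET proxy that is enabled and points at the local machine, which is what the "fake proxy" in the post looks like in the registry. Both sample inputs are constructed, and the `WATCH_DOMAINS` list is an assumption to be extended per site; on Windows, `read_live_proxy()` reads the real per-user values through `winreg`.

    ```python
    """Audit two settings fake-AV families tamper with: the hosts file and the IE/WinINET proxy.

    Added example, not code from any post in this thread. SAMPLE_HOSTS and SAMPLE_PROXY
    are constructed; WATCH_DOMAINS is an assumption (extend it for your environment).
    """
    import ipaddress
    import re
    from typing import Dict, List, Optional, Tuple

    # Domains that have no business in a client's hosts file (assumption; add your own).
    WATCH_DOMAINS = (
        "symantec.com", "symantecliveupdate.com", "malwarebytes.org", "microsoft.com",
        "windowsupdate.com", "superantispyware.com", "safer-networking.org",
    )

    # Constructed hosts file: stock header plus tampering typical of rogueware.
    SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
    127.0.0.1       localhost
    ::1             localhost
    # constructed tampering, not a real capture:
    127.0.0.1   liveupdate.symantecliveupdate.com
    127.0.0.1   www.malwarebytes.org
    10.0.0.5    intranet.example.com
    """

    # Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
    SAMPLE_PROXY = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:5555", "ProxyOverride": "<local>"}

    _HOST_LINE = re.compile(r"^\s*([0-9a-fA-F:.]+)\s+(\S+(?:\s+\S+)*)\s*$")


    def check_hosts(text: str) -> List[Tuple[str, str, str]]:
        """Return (ip, hostname, reason) for each entry that pins a watched domain."""
        findings = []
        for raw in text.splitlines():
            m = _HOST_LINE.match(raw.split("#", 1)[0])  # drop comments, then parse
            if not m:
                continue
            ip, names = m.group(1), m.group(2).split()
            for name in names:
                host = name.lower()
                if host == "localhost" or host.endswith(".localhost"):
                    continue
                if any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS):
                    findings.append((ip, host, "security/update domain pinned in hosts file"))
        return findings


    def _is_local(hostport: str) -> bool:
        """True if a host[:port] target resolves to the local machine."""
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host.lower() == "localhost":
            return True
        try:
            return ipaddress.ip_address(host).is_loopback
        except ValueError:
            return False


    def check_proxy(settings: Dict[str, object]) -> Optional[str]:
        """Return a finding if the proxy is enabled and points at loopback, else None."""
        if int(settings.get("ProxyEnable", 0)) != 1:
            return None
        server = str(settings.get("ProxyServer", ""))
        # Either "host:port" or per-protocol "http=host:port;https=host:port;...".
        for entry in server.split(";"):
            target = entry.split("=", 1)[-1].strip()
            if target and _is_local(target):
                return f"ProxyEnable=1 with loopback proxy {target}: browser traffic is being intercepted"
        return None


    def read_live_proxy() -> Optional[Dict[str, object]]:
        """On Windows, read the current user's WinINET proxy values; elsewhere None."""
        try:
            import winreg
        except ImportError:
            return None
        key = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        out: Dict[str, object] = {}
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
            for name in ("ProxyEnable", "ProxyServer", "ProxyOverride"):
                try:
                    out[name] = winreg.QueryValueEx(k, name)[0]
                except OSError:
                    pass
        return out


    if __name__ == "__main__":
        for ip, host, why in check_hosts(SAMPLE_HOSTS):
            print(f"hosts: {ip} {host}  ({why})")
        finding = check_proxy(read_live_proxy() or SAMPLE_PROXY)
        print("proxy:", finding or "no loopback proxy configured")
    ```

    A loopback proxy with nothing legitimate listening on that port is what produces the "every site is infected" pages the post mentions: the rogue binary is the listener, so once it is removed the proxy entry must be cleared too or the browser goes dark. Pinned vendor domains in the hosts file are why LiveUpdate and the removal tools' download pages stop resolving on an infected machine.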


  • 28.  RE: SEP and FakeAV / Rogueware

    Posted Feb 14, 2010 09:45 PM
    The ideas utility on Connect is reviewed by product management, and often the status is set directly by the group responsible for potential future revisions. I'd start there.


    Best,

    Eric