Endpoint Protection


Internet Security 2010 (is2010) Malware


  • 1.  Internet Security 2010 (is2010) Malware

    Posted Jan 19, 2010 02:00 PM
    Is there a guide to harden the enterprise security policies that are deployed to managed client machines to avoid infections by this malware?  So far I've had 4 PCs that had SEP with the latest definitions get infected by this software after the user clicked on a false security warning while surfing and installed IS2010.exe on their machines.  After a reboot, it effectively took over the machine and would not allow scans or other software to run.

    Thanks.


  • 2.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 19, 2010 02:06 PM
    Refer to this discussion; you should be able to fix the issue.

    https://www-secure.symantec.com/connect/forums/internet-security-2010
    Block is2010.exe by using Application and Device Control.
    How to configure Application Control in Symantec Endpoint Protection 11.0
    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/7049d06ba3c9e86f802573620054d9c2?OpenDocument


  • 3.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 19, 2010 02:17 PM
    This one says virusdoctor but it is for IS2010
    https://www-secure.symantec.com/connect/forums/virusdoctor

    Make sure you edit the userinit in the registry. 


  • 4.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 19, 2010 06:09 PM
     For future reference this is a good article to keep the threat from spreading:

    How to create custom policies in SEPM to prevent a threat from spreading

    Http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009120409304548

    Cheers
    Grant


  • 5.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 25, 2010 10:45 AM
    So how do you remove once infected?


  • 6.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 25, 2010 10:50 AM
    Run a full scan on the machine in safe mode with the latest definitions.


  • 7.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 25, 2010 02:17 PM
    Safe mode has worked for me.  But the most effective has been to use a previous restore point.  This gave me a bit of problems with the AV.  It was slowing the computer down to a crawl.  So I uninstalled and reinstalled it and it fixed it.

    If restore points are not enabled on the machine, a combination of malwarebytes and spybot S&D did it for me.


  • 8.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 25, 2010 04:20 PM
    IS 2010 took over my wife's machine and disabled Task Manager and Outlook Express (among other problems). It infected the machine notwithstanding that NIS 2009 was running with the latest updates. Doing a full scan did not help. NIS did not find the presence of any malicious software.

    I was only able to get rid of it, by finding websites that instructed me to download free malware software. This found all of the instances of IS 2010 and removed it.

    This is the second time this year that a machine of mine went down this year where NIS was no help.

    Not very happy.


  • 9.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 26, 2010 10:17 PM
    IS2010 can be stopped using Run, msconfig, Startup tab, disable all, then exit and restart. Then delete the folder for IS2010.exe under Program Files, then empty the trash bin.

    the desktop will still be messed up. you have to use regedit to delete the disable regedit and disable taskman. once you reboot you can do system restore.

    it will not let you run any virus scan as most essential programmes have been disabled, including any virus scanners. i tried downloading a virus scanner but that was disabled also.

    i was lucky i did a restore point the night before. upon restore i was then able to do a virus scan that quarantined the virus.

    i did a google to restore desktop settings to find the files to restore the desktop. once there in regedit i had seen disable regedit and taskman, whereupon i deleted 'em

    cha ching all better


  • 10.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 26, 2010 10:23 PM
    IS2010.EXE disables any and all attempts to use a virus scanner even with windows in the safe mode.


  • 11.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 26, 2010 10:37 PM
    any time i went to a googled site to remove IS2010.EXE it blocked access to that page.

    i found IS2010.EXE in msconfig under the startup tab and i disabled it in msconfig, upon reboot IS2010 DID NOT install.  all the damage it did was still there.

    you would still have to do a system restore even when the scanner found it


  • 12.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 26, 2010 10:51 PM
    with this malware IS2010.EXE it disables regedit so system restore won't worky. even in the safemode you can't do anything.

    i got IS2010 just this morning. my virus scanner didn't catch it. because IS2010.EXE was running i couldn't delete it. i used msconfig to disable it and it shut down on reboot, then i deleted it and emptied the trash.

    buh bye IS2010.EXE


  • 13.  RE: Internet Security 2010 (is2010) Malware

    Posted Jan 26, 2010 11:04 PM

    to edit, it's buried deep in HKEY_CURRENT_USER. at least to get the taskman.exe back, i deleted the disable regedit and disable taskman under desktop and was able to do a restore. before that, restore was disabled.
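
Added example, not part of any post in this thread: an offline triage of a registry export for the changes the posters describe (an altered userinit value, Task Manager and regedit disabled for the user, a startup entry for the fake AV). The key paths and the value names Userinit, DisableTaskMgr and DisableRegistryTools are the standard Windows locations, assumed here rather than named by the posters; the sample export, its file paths and the `windir` default are constructed.

```python
import re

# Constructed sample in regedit export syntax (real exports are UTF-16LE files).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\example\\fake.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Internet Security 2010"="C:\\Program Files\\InternetSecurity2010\\IS2010.exe"
'''

WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
POLICIES = r'hkey_current_user\software\microsoft\windows\currentversion\policies\system'
RUN = r'hkey_current_user\software\microsoft\windows\currentversion\run'

def parse_reg(text):
    """Parse export text into {key_lower: {value_name_lower: str or int}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"(.+?)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name] = raw[1:-1].replace('\\\\', '\\')  # undo .reg escaping
    return keys

def triage(text, windir=r'c:\windows'):
    """Return (kind, detail) findings; windir is an assumed install path."""
    keys, found = parse_reg(text), []
    expected = windir + r'\system32\userinit.exe'
    for part in str(keys.get(WINLOGON, {}).get('userinit', '')).split(','):
        if part.strip() and part.strip().lower() != expected:
            found.append(('userinit', part.strip()))   # extra program run at logon
    for name in ('disabletaskmgr', 'disableregistrytools'):
        if keys.get(POLICIES, {}).get(name) == 1:
            found.append(('policy', name))             # tool locked out for this user
    for name, value in keys.get(RUN, {}).items():
        if isinstance(value, str) and not value.lower().startswith(windir + '\\'):
            found.append(('run-review', value))        # startup item outside Windows dir
    return found
```

A `run-review` finding only means the startup item lives outside the Windows directory; legitimate software does too, so it is a list to look through, not a verdict.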



  • 14.  RE: Internet Security 2010 (is2010) Malware

    Posted Feb 15, 2010 11:47 AM
    I just would like to know what we are paying for when the AV software still allows a system to be infected and won't even clean it. To top it off there are FREE programs that will clean it after the fact. I've had systems with up to date SEP defs and they still get infected with things like "Antivirus Soft", "Internet security 2010". I'm just getting tired of having to manually or use other software to fix these so called protected systems with SEP.


  • 15.  RE: Internet Security 2010 (is2010) Malware

    Posted Feb 15, 2010 01:04 PM
    It's all the same with all software; no one is good and no one is bad. Don't go by the name; there would be hundreds of variants of Av2010 or Antivirus Soft, out of which any given AV vendor would catch 60-70%, and none of the AV vendors catch the same 60-70%.
    So go for a long term solution of submitting the files once rather than removing them every time.

    https://submit.symantec.com/gold


  • 16.  RE: Internet Security 2010 (is2010) Malware

    Posted Feb 16, 2010 12:36 AM
     
    @ Russ Here is the official Symantec position on your concerns:

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000100610314948

    Really what this boils down to is the fact that NO anti-virus software is 100% effective. The best thing you can do is to submit the files like Vikram has stated. That way future users won't get hit by the same strain you did. Even some of the tools you are describing like Malwarebytes or some of the other free "after the fact" options don't always clean a specific fake av. However, if you submit the file you WILL get a rapid release that will eradicate the virus.

    I hope this helps,
    Grant


  • 17.  RE: Internet Security 2010 (is2010) Malware

    Posted Mar 03, 2010 10:59 AM
    Thanks Grant for the interesting info (Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://service1.symantec.com/SUPPORT/ent-security.... )