Endpoint Protection

  • 1.  PAV.exe - SEPM not finding it......

    Posted May 05, 2009 11:47 AM
    We have a user who somehow (on purpose or not) has Personal Antivirus installed on their company machine.  It's one of those fake antivirus programs that normally comes up after you visited some malicious website or installed a video codec that has a trojan or virus attached.  My question is, why did Symantec Endpoint not catch that?  Has anyone else seen this? What do we need to do to ensure this doesn't happen again and how do we remove it?

    We are running SEP v 11.0.4000.2295. This product has been pretty solid thus far.



  • 3.  RE: PAV.exe - SEPM not finding it......

    Posted May 05, 2009 01:30 PM
    @jbmwk75

    Your question: why did Symantec Endpoint not catch that?

    The answer would probably be because Symantec didn't have the definitions for it then.

    The fake antivirus software variants are increasing enormously.

    You need to narrow down on as many executables and DLLs that the program has installed and submit them to Symantec.


  • 4.  RE: PAV.exe - SEPM not finding it......

    Posted Jul 20, 2009 03:52 PM
    I see the original post to this issue was some weeks back.  Today, July 20, 2009, a user on my network was hit with this fake virus.  We are using Endpoint 11.0 Maintenance Release 4 Maintenance Patch 2, version number 11.0.4202.75.  I cannot understand why Endpoint did not trigger on this and stop it.  Any ideas?



  • 5.  RE: PAV.exe - SEPM not finding it......

    Posted Jul 20, 2009 04:06 PM
    Are you able to narrow the infection down and submit the file(s) to the Security Response Team for analysis?
    Use the appropriate one from below -

    https://submit.symantec.com/websubmit/basic.cgi
    https://submit.symantec.com/websubmit/gold.cgi
    https://submit.symantec.com/websubmit/platinum.cgi
    https://submit.symantec.com/websubmit/bcs.cgi

    Thomas
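    The two replies above both come down to the same task: find the executables and DLLs the fake antivirus dropped, and get their hashes ready for a submission. The script below is an added example for that triage step, not code from the thread or from Symantec. It assumes an elevated PowerShell 5.1 session on the affected machine; the lookback window, the search locations and the output path are illustrative choices.

```powershell
# Added example (not from the thread): collect candidate files from a suspected
# fake-AV install such as the PAV.exe / "Personal Antivirus" case, hash them,
# and write a CSV to accompany a sample submission to Security Response.
# Assumptions: elevated PowerShell 5.1+; $LookbackDays and $OutCsv are
# illustrative values, adjust to the incident.
param(
    [int]$LookbackDays = 7,
    [string]$OutCsv = "$env:TEMP\fakeav-triage.csv"
)
$since = (Get-Date).AddDays(-$LookbackDays)

# User-writable locations where browser-delivered installers usually land.
$searchRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    "$env:USERPROFILE\Downloads", $env:ProgramData
) | Where-Object { $_ -and (Test-Path $_) }

$candidates = Get-ChildItem -Path $searchRoots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.scr' -and $_.CreationTime -ge $since }

# Persistence: anything launched from the Run keys deserves a look too.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$runEntries = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties that Get-ItemProperty adds.
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $props.$name }
        }
    }
}

# One row per candidate: hash, whether a Run key references it, and whether it
# carries a valid Authenticode signature (unsigned + persisted = look first).
$report = foreach ($f in $candidates) {
    $fromRun = $runEntries | Where-Object { $_.Command -like "*$($f.Name)*" }
    [pscustomobject]@{
        Path      = $f.FullName
        Created   = $f.CreationTime
        SizeBytes = $f.Length
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        InRunKey  = [bool]$fromRun
        Signed    = (Get-AuthenticodeSignature -FilePath $f.FullName).Status -eq 'Valid'
    }
}
$report | Sort-Object InRunKey -Descending | Export-Csv -Path $OutCsv -NoTypeInformation
$report | Where-Object { $_.InRunKey -or -not $_.Signed } | Format-Table -AutoSize
```

    The CSV is the list to work from when submitting: files that are both unsigned and referenced from a Run key are the usual first candidates.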



  • 6.  RE: PAV.exe - SEPM not finding it......

    Posted Jul 20, 2009 11:23 PM
    - Update the definitions on the computer using the rapid release from the following link.

    ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/symantec_antivirus_corp/rapidrelease/sequence/

    From there, open the folder with the updated date and time.

    Download symrapidreleasedefsv5i32.exe from there to update the definitions on a local computer.

    You can also download vd2de860.jdb and follow this link:

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/f31aff6fdd7dc91d80257405003c0fce?OpenDocument

    That will help you in updating the clients from the manager console.

    After the client machines are updated with the latest virus definitions, perform a full scan in safe mode.



  • 7.  RE: PAV.exe - SEPM not finding it......

    Posted Jul 20, 2009 11:30 PM
    You could try to uninstall it manually: go to Control Panel, Add/Remove Programs.


  • 8.  RE: PAV.exe - SEPM not finding it......

    Posted Dec 02, 2009 08:06 AM
    We're seeing a very similar issue.  Occasionally a few users will go to a website that notifies them that they need Windows Antivirus 2009 or 2010 (fake antivirus).  Regardless of what option the user selects, the fake antivirus installs.  If the user knew to close the window, it wouldn't install.

    I, too, wonder why Endpoint Protection v11.03 or 4 doesn't stop it.  I haven't seen it infect a PC with 11.05 yet, but imagine that it's just a matter of time.