Endpoint Protection

  • 1.  What does this mean?

    Posted Jan 03, 2011 08:47 AM

    Doesn't make sense to "warn" me about threats if I can't figure out what the threat is.

    PLEASE EXPLAIN IN PLAIN ENGLISH PLEASE!

    [SID: 23973] HTTP FaveAV WebPage Request 1 detected. (Pop up warning on desktop.)

    ALSO:

    9    12/31/2010 1:42:14 PM    Intrusion Prevention    Critical    Outgoing    TCP    9*.***.***.**6    00-00-00-00-00-00    1**.***.1.64    00-1B-38-55-F1-6A    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe    d*****jl    D*****JL-WS    Default    1    12/31/2010 1:41:11 PM    12/31/2010 1:41:11 PM    [SID: 23979] HTTP Zombie Exploit Toolkit Request detected.

    14    1/3/2011 7:01:04 AM    Intrusion Prevention    Critical    Outgoing    TCP    6*.***.**.**8    00-00-00-00-00-00    1**.***.1.64    00-1B-38-55-F1-6A    C:\Program Files\Mozilla Firefox\firefox.exe    d*****jl    D*****JL-WS     Default    10    1/3/2011 7:00:00 AM    1/3/2011 7:00:01 AM    [SID: 23973] HTTP FakeAV WebPage Request 1 detected.


    Thank you.



  • 2.  RE: What does this mean?

    Posted Jan 03, 2011 09:02 AM

    Please download the latest virus definitions and perform a full scan on the machine where you receive these messages.

     

    HTTP FaveAV WebPage Request 1 .....This signature detects HTTP redirects and/or web pages which misleading applications use to attempt to lure users into downloading applications which may compromise the target host.

     

    Misleading applications intentionally misrepresent the security status of a computer. Misleading applications attempt to convince the user that he or she must remove potential malware or security risks (usually nonexistent or fake) from the computer. The application will hold the user hostage by refusing to allow him or her to remove or fix the phantom problems until the 'required' software is purchased and installed. Misleading applications often look convincing - the programs may look like legitimate security programs and often have corresponding websites with user testimonials, lists of features, etc.

     



  • 3.  RE: What does this mean?

    Posted Jan 03, 2011 09:24 AM

    You visited a webpage which had a compromised link/ad which then re-directed you to another page where a malicious file was downloaded.

    Since there is no indication of this being blocked, the exploit may have been successful and you should follow Sandip's advice on running a full scan.

    You should post full logs here for review.



  • 4.  RE: What does this mean?

    Posted Jan 04, 2011 06:07 AM

    Hi ralfnadir,

     

    The log entries that you have posted are an excellent example of why AV protection alone is no longer enough in 2011.  As Sandip and Brian have correctly said, this was a FakeAV attempt to get your computer infected.  It was stopped by the optional firewall/IDS components of SEP.

     

    A comprehensive defence (AV + heuristics + firewall + IDS + informed users) is a good defence!  :)

     

    Here are some good "Best Practices" from Symantec Security Response:  http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

     

    Also, you may wish to read: Does Symantec Endpoint Protection protect me from fake anti-virus programs? (http://www.symantec.com/docs/TECH122898)

     

    Please let the forum community know if your question has been answered / solved or if there is anything else we can help with! :)

     

    Thanks and best regards,

     

    Mick



  • 5.  RE: What does this mean?

    Posted Jan 12, 2011 10:17 PM

     

    In the last 24 hours we have received a large number of reports both via the Symantec and Norton forums and also via our FP reporting process regarding unexpected Intrusion Prevention detections for multiple trusted web locations. These sites were detected because of an errant detection on our part, aimed at targeting a specific type of malicious network traffic. We make great efforts to avoid detection of clean network traffic, testing each signature thoroughly against known good network traffic, including using both live and historical content from many popular websites. What happened in this case is the result of two specific problems that occurred:

    1) an element of the malicious network traffic we targeted for detection was common to many clean websites, and

    2) our detection was missing a key constraint that would have prevented detection of the clean sites

     

    As of earlier this morning (PST) this issue has been fixed and an updated detection released via our LiveUpdate service. If you are still experiencing unexpected “HTTP Zombie Exploit Toolkit Request” detections and are skeptical about the issue, please update your Norton or Symantec product using LiveUpdate, and the issue should be corrected. Instructions on how to update your product using LiveUpdate can be found at the link below:

     

    http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080417124026EN&ln=en_US

     

    Please don’t hesitate to report this or any additional detections you believe to be False Positives if this fix does not resolve the issue for you.  Our False Positive reporting page is available here:

     

    https://submit.symantec.com/false_positive

     

    We sincerely apologize for any inconvenience this may have caused you or your customers, and we would like to thank each of the members in our user community responsible for bringing this to our attention so quickly.