SAV can't handle trojans - looking for supplement

Discussion in 'other anti-virus software' started by cfp999, Oct 21, 2007.

Thread Status:
Not open for further replies.
  1. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    I am running Symantec Antivirus Corporate on some workstations. Until now I have never had an infection on any of them. Today I discovered that one of the PCs had a couple of trojans running. Lots of random popups about "Antivir Gear" amongst other things. From the SAV log I can see that it in fact detected these threats and quarantined them, but apparently this didn't work very well. If Symantec Antivirus cannot handle well known trojans like Antivir Gear or Cyberlog, what kind of software should I consider as a supplement? Or should I go for another AV with better built-in anti-trojan features? And if so, which one would you suggest?
     
  2. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    SUPERAntiSpyware (SAS) is an excellent supplement. The detection rates are exceptional, frequent definition updates, extremely low resource usage, & one of the best support packages in the industry. It removes AntivirGear and thousands of other rogue products.

    Do a search for superantispyware in the other anti-malware software forum for countless threads filled with nothing but praise for this remarkable piece of software. The pay version can be had for as little as $19.95 w/ lifetime updates.
     
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I found out with the 2003 version of Norton that it detected the trojans but couldn't get rid of them.
    I thought it would have improved by now.
    Plus 1 on the idea of SUPERAntiSpyware.
    lodore
     
  4. Badcompany

    Badcompany Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    757
    Location:
    RUNCORN UK.
    SuperAntiSpyware Pro. Simply the best, IMO.
    Badcompany. :thumb:
     
  5. ASpace

    ASpace Guest


    There are two possibilities here:

    FIRST -> Antivir Gear is already installed

    SECOND -> Antivir Gear is still not installed, but you have adware (NOT a trojan) which advertises this rogue program to you.


    Antivir Gear is part of the Smitfraud family - a complicated infection. Most antiviruses have difficulties with Zlob/Smitfraud variants.

    I would suggest that you:
    1. Run SmitfraudFix on these workstations
    http://siri.geekstogo.com/SmitfraudFix.php

    2. Run the ESET Online Scanner from www.eset.com/onlinescan

    3. Ensure your workstations have anti-spyware protection

    4. If these workstations are in a corporate environment, tighten up your security policy - start by using limited user account(s), and limit the web pages the user can access (web filtering)
     
  6. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    187
    Location:
    Bangladesh
    Last edited: Oct 21, 2007
  7. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Another recommendation for SUPERAntiSpyware as a supplement.:thumb:
     
  8. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    Thank you very much for the advice. I will check out SUPERAntiSpyware and the other links suggested. To be honest I haven't been thinking about spyware since the craze a couple of years ago.
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Kaspersky or NOD32. Failure to deal with ad/spyware well with our corporate clients... is one of the reasons we moved them all away from SAV... beginning around version 9.
     
  10. dNor

    dNor Registered Member

    Joined:
    Oct 3, 2007
    Posts:
    212
    Location:
    Irvine, CA, USA
    I just moved our company from SAV+SD to NOD32, with hundreds of missed infections. Definitely recommend NOD32.
     
  11. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    CFP999, could you please tell me what version of Symantec AntiVirus Corporate you have? The reason I ask is that I also have Symantec Antivirus Corporate, version 10.1.6.6000, and I became concerned for my system security after reading your post. In the past, with previous versions of Symantec AntiVirus Corporate, I remember seeing trojans being quarantined. When this happened I deleted them, and since my personal security software, Comodo BoClean, AVG, TrendMicro, and online scans with a-squared, BitDefender and ESET detected nothing, I believed no harm was done. After reading your post I am thinking that perhaps I should rethink Symantec and look for some other security. Thanks in advance.
     
    Last edited: Oct 22, 2007
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I wonder if that would be the result today. Symantec/Norton's test percentage scores have been consistently better than Nod32's on several recent tests. Not by a huge amount, but better. The latest SAV has a proactive detection module, although it is relatively untested.

    I have tried them all, in daily use and on cleanup where there was no possibility to image the infected machine. It's hard to draw a conclusion of one's overall superiority, although each seems to have its strong points, and some like Kaspersky have weird issues like the extended file attributes.

    For whatever reason, Symantec remains the dominant player in the corporate sphere. Perhaps "it just works".
     
  13. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    It does "just work", that is why we still use it at work, well that and we still use Windows 98 :O
    But also, SAV has a good reputation or name AND, the most important of all, the low false positives, for us at least.

    On topic, we use TM Sysclean randomly also, along with Spyware Dr.
     
  14. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    We still have a few networks we take care of that are on SAV and other AV products. The instance rate of "issues" that need cleaning is noticeably higher. Not long ago we brought on a new client... that was on 10.something of SAV... moved them to the NOD... during that deploy... NOD clients were ringing in red alerts that SAV never even noticed.

    I'd make more money selling SAV... since it's more expensive, so higher profit in my pocket. Plus I get to make more calls at hourly rates since the PCs get infested more frequently.
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stonecat-

    How do you know all of these were not false positives, or positives on merely benign stuff whose presence in the signature files is debatable?

    This morning Nod32 picked up something as an unknown heur. The file was part of an AV signature base for some offbeat AV. I tested the file against Antivir (heuristics on high), Symantec, McAfee and AVG. Nothing on any of them. What am I supposed to think?
     
  16. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    JPCUMMINS: We have Symantec Antivirus Corporate version 10.1.6.6000, same as you I guess. As I mentioned, SAV did in fact detect and quarantine the threats but was unable to remove them. The source of the infection is probably some unsafe site combined with IE / ActiveX. Unfortunately we rely on ActiveX for some external database/upload access. The decision is out of my hands, but I am trying to convince management to switch to something else. As for alternative AVs, I have previously done experiments with KAV (I think it was v.2006). I found it to be unstable/incompatible with a somewhat obscure network printer application we use.
     
  17. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Recognizable bad stuff... I saw the names, common ones we in IT who aren't on our first day on the job come across often.
     
  18. wildvirus88

    wildvirus88 Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    331
    Get a good and decent AV software (Kaspersky, Avira, F-Secure, BitDefender) and you'll see that the reality can be so different...
    Go to http://support.f-secure.com/enu/home/ols.shtml and scan your computer that "never gets infection with Symantec AV"... Maybe it will be a surprise...
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    This is turning into Norton/Symantec bashing.

    Installing AV "X" after running AV "Y" and finding something does not prove all that much, if for no other reason than the second AV has the advantage of having newer signatures. You also have no idea of how the original infection happened. There could have been a warning that was bypassed by the user. I cannot think of a more unscientific way to test AVs.

    I have personally cleaned machines starting with Nod32 and then followed up with Symantec and found a bunch of stuff. Some of it was found by Nod32 but could not be removed by it. However, Symantec removed all this stuff and more. A subsequent run with KAV found some things left behind in Symantec's quarantine and some no longer operational remnants of adware.
     
  20. dNor

    dNor Registered Member

    Joined:
    Oct 3, 2007
    Posts:
    212
    Location:
    Irvine, CA, USA
    That's a pretty sweeping statement, especially considering none of that applied to my case. Full updates, and logs presented on when and where the infections were found. The client wasn't informed of the situation nor asked for input, as they could do nothing positive. That's the administrator's job.

    Really, that's how most network environments are run, or are supposed to be. Not updating software or checking logs and allowing client interaction where it isn't needed is a recipe for disaster, no matter what AV you're running.

    Yeah, different software works best in different situations. There isn't an end all be all. Use what works best for you.
     
    Last edited: Oct 26, 2007
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I agree when we know that Symantec has vastly improved in their malware detection fairly quick.
     
  22. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I do know that my SysAdmin and I at work have had a lot less malware cleaning on workstations since we went from SAV9 to SAV10.
     
  23. dNor

    dNor Registered Member

    Joined:
    Oct 3, 2007
    Posts:
    212
    Location:
    Irvine, CA, USA
    That is one thing I noticed as well. Each subsequent release brought large, noticeable improvements.
     
  24. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    A couple of months ago I noticed something weird on one of the workstations in my department. A red shield with an 'x' was in the systray with a balloon announcing something about updates being ready to install. I almost clicked on it when I remembered that the Windows Update icon was a yellow shield (it was similar to these malware programs discussed in this Symantec blog). Sure enough, I downloaded SAS and ran it and it came up with a few trojans. But if I understand the blog right, the actual malware only installs if you click on the red shield, so SAV may have blocked it if that occurred (of course the notification itself is malware, but to a lesser extent). Since I never clicked on it I will never know.

    We found out that the user who uses that workstation a lot likes to surf MySpace, where a lot of that kind of crap gets picked up. My SysAdmin blocked their domain soon afterward.
     