SAV cant handle trojans - looking for supplement

Discussion in 'other anti-virus software' started by cfp999, Oct 21, 2007.

Thread Status:
Not open for further replies.
  1. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    I am running Symantec Antivirus Corporate on some workstations. Until now I have never had an infection on any of them. Today I discovered that one of the PCs had a couple of trojans running. Lots of random popups about "Antivir Gear" amongst other things. From the SAV log I can see, that it in fact detected these threats and quarantined them, but apparently this didnt work very well. If Symantec Antivirus cannot handle well known trojans like Antivir Gear or Cyberlog, what kind of software should I consider as a supplement? Or should I go for another AV with better built-in anti-trojan features? And if so, which one would you suggest?
     
  2. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    SUPERAntiSpyware (SAS) is an excellent supplement. The detection rates are exceptional, frequent definition updates, extremely low resource usage, & one of the best support packages in the industry. It removes AntivirGear and thousands of other rogue products.

    Do a search for superantispyware in the other anti-malware software forum for countless threads filled with nothing but praise for this remarkable piece of software. The pay version can be had for as little as $19.95 w/ lifetime updates.
     
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    i found out with the 2003 version of norton that it detected the trojans but couldnt get rid of them.
    i thought it would of improved by now.
    plus 1 on the idea of superantispyware.
    lodore
     
  4. Badcompany

    Badcompany Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    752
    Location:
    RUNCORN UK.
    SuperAntiSpyware Pro, Simply the best IMO.
    Badcompany. :thumb:
     
  5. ASpace

    ASpace Guest


    There are two possibilities here:

    FIRST -> Antivir Gear is already installed

    SECOND -> Antivir Gear is still not installed but you have an Adware (NOT trojan) which advertises this rogue program to you.


    Antivir Gear is part of the Smithfraud family - a complicated infection . Most antiviruses have difficulties with Zlob/Smithfraud variants.

    I woud suggest that you:
    1. Run Smithfraudfix on these workstations
    http://siri.geekstogo.com/SmitfraudFix.php

    2. Run ESET Online scanner from www.eset.com/onlinescan

    3. Ensure your workstations have Anti-Spyware protections

    4. If these workstations are in a corporate environment , tight-up your security policy - start by using limited user account(s) , limit the web-pages the user can access (web filtering)
     
  6. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    185
    Location:
    Bangladesh
    Last edited: Oct 21, 2007
  7. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Another recommendation for SUPERAntiSpyware as a supplement.:thumb:
     
  8. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    Thank you very much for the advice. I will check out SUPERAntiSpyware and the other links suggested. To be honest I havent been thinking about spyware since the craze a couple of years ago.
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Kaspersky or NOD32. Failure to deal with ad/spyware well with our corporate clients....is one of the reasons we moved them all away from SAV..beginning around version 9.
     
  10. dNor

    dNor Registered Member

    Joined:
    Oct 3, 2007
    Posts:
    212
    Location:
    Irvine, CA, USA
    I just moved our company from SAV+SD to NOD32, with hundreds of missed infections. Definiately recommend NOD32.
     
  11. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    420
    Location:
    Terre Haute, IN
    CFP999 could you please tell me what version of Symantec AntiVirus Corporate you have? The reason I ask is that I also have Symantec Antivirus Corporate; version 10.1.6.6000 and I became concerned for my system security after reading your post. In the past, with previous versions of Symantec AntiVirus Corporate, I remember seeing trojans being quarantined. When this happened I deleted them and since my personal security software, Comodo BoClean, AVG, TrendMicro, and online scans with a-squared, BitDefender and ESET detected nothing I believed no harm was done. After reading your post I am thinking that perhaps I should rethink Symantec and look for some other security. Thanks in advance.
     
    Last edited: Oct 22, 2007
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I wonder if that would be the result today. Symantec/Norrton's test percentage scores have been consistently better than Nod32's on several recent tests. Not by a huge amount, but better. The latest SAV has a proactive detection module, although it is relatively untested.

    I have tried them all, in daily use and on cleanup where there was no possibility to image the infected machine. Its hard to draw a conclusion of one's overall superiority, although each seems to have its strong points, and some like Kaspersky have weird issues like the extended file attributes.

    For whatever reason, Symantec remains the dominant player in the corporate sphere. Perhaps "it just works".
     
  13. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    It does "just work", that is why we still use it at work, well that and we still use Windows98 :O
    But, also SAV has a good reputation or name AND the most important of all is the low false positives, for us atleast.

    On topic we use TM sysclean randomly also along with spyware Dr.
     
  14. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    We still have a few networks we take care of that are on SAV and other AV products. The instance rate of "issues" that need cleaning are noticably higher. Not long ago we brought on a new client...that was on 10.something of SAV...moved them to the NOD...during that deploy...NOD clients were ringing in red alerts that SAV never even noticed.

    I'd make more money selling SAV..since it's more expensive, so higher profit in my pocket. Plus I get to make more calls at hourly rates since the PCs get infested more frequently.
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Stonecat-

    How do you know all of these were not false positives, or positives on merely benign stuff whose presence in the signature files is debatable.

    This morning Nod32 picked up something as an unknown heur. The file was part of an AV signature base for some offbeat AV. I tested the file against, Antivir (heuristics on high), Symantec, McAfee and AVG. Nothing on any of them. What am I supposed to think?
     
  16. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    JPCUMMINS: We have Symantec Antivirus Corporate version 10.1.6.6000, same as you I guess. As I mentioned, SAV did in fact detect and quarantine the threats but was unable to remove them. The source of the infection is probably some unsafe site combined with IE / ActiveX. Unfortunately we rely on ActiveX for some external database/upload access. The decision is out of my hands, but I am trying to convince management to switch to something else. As for alternative AVs I have previously done experiments with KAV (I think it was v.2006). I found it to be unstable/incompatible with an somewhat obscure network printer application we use.
     
  17. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Recognizable bad stuff....I saw the names, common ones we in IT who aren't on our first day on the job come across often.
     
  18. tiagozt

    tiagozt Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    331
    Get a good and decent AV software (Kaspersky, Avira, F-Secure, BitDefender) and you'll see that the reality can be so different...
    Go to http://support.f-secure.com/enu/home/ols.shtml and scan your computer that "never gets infection with Symantec AV"... Maybe it will be a surprise...
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    This is turning into Norton/Symantec bashing.

    Installing AV "x" after running AV "Y" and finding something does not prove all that much if for no other reason than the second AV has the advantage of having newer signatures. You also have no idea of how the original infection happened. There could have been a warning that was bypassed by the user. I can not think of a more unscientific way to test AV's.

    I have personally cleaned machines starting with Nod32 and then followed up with Symantec and found a bunch of stuff. Some of it was found by Nod32 but could not be removed bu it. However, Symantec removed all this stuff and more. A subsequent run with KAV found some things left behind in Symantec's quarantine and some no longer operational remnants of addware.
     
  20. dNor

    dNor Registered Member

    Joined:
    Oct 3, 2007
    Posts:
    212
    Location:
    Irvine, CA, USA
    That's a pretty sweeping statement, especially considering non of that applied to my case. Full updates, and logs presented on when and where the infections were found. The client wasn't informed of the situation nor asked for input, as they could do nothing positive. That's the administrator's job.

    Really, that's how most network enviroments are run, or are suppose to be. Not updating software or checking logs and allowing client interaction where it isn't needed is a recipe for disaster, no matter what AV you're running.

    Yeah, different software works best in different situations. There isn't an end all be all. Use what works best for you.
     
    Last edited: Oct 26, 2007
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I agree when we know that Symantec has vastly improved in their malware detection fairly quick.
     
  22. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I do know that me and my SysAdmin at work has had a lot less malware cleaning on workstations since we went from SAV9 to SAV10.
     
  23. dNor

    dNor Registered Member

    Joined:
    Oct 3, 2007
    Posts:
    212
    Location:
    Irvine, CA, USA
    That is one thing I noticed as well. Each subsequent release brought large, noticable improvements.
     
  24. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    A couple of months ago I noticed something weird on one of the workstations in my department. A red shield with an 'x' was in the systray with a balloon announcing something about updates were ready to install. I almost clicked on it when I remembered that the Windows Update icon was a yellow shield (it was similar to these malware programs discussed in this Symantec blog). Sure enough, I downloaded SAS and ran it and it came up with a few trojans. But if I understand the blog right the actual malware only installs if you clicked on the red shield so SAV may have blocked it if that occurred (of course the notification itself is malware itself but to a lesser extent). Since I never clicked on it I will never know.

    We found out that the user that uses that workstation alot likes to surf MySpace where a lot of that kind of crap gets picked up. My SysAdmin blocked their domain soon afterward.
     
Loading...
Thread Status:
Not open for further replies.