Solved

Does anyone know of a way to make Symantec Endpoint actually stop viruses?

Posted on 2011-04-21
Medium Priority
736 Views
Last Modified: 2013-12-09
Just curious: I'm rolling out Win 7 to several hundred PCs, all with Endpoint.
Of the first 40, several already have viruses within the first 24 hours.
So I ask, is there a way to make Symantec Endpoint actually stop viruses?
Are there any customizations I can configure to make it effective at all?

Also, while I'm on the subject, I haven't actually seen a way to stop it from scanning GPOs; bonus if anyone can answer me that as well. It really seems like a terrible product after having used it over the years, but I've left everything at almost defaults, so perhaps I'm doing something wrong?
Question by:Lafflin
20 Comments
 
LVL 9

Expert Comment

by:Brian
ID: 35445987
Were the PCs previously unprotected and therefore already infected? If reusing hardware, were the hard drives erased and overwritten? Otherwise a rootkit will just reinstall a virus on your new operating system.

If you don't like Symantec and can make a change, move to something like AVG or one with a better rep. If you are stuck with it, try adding an anti-virus appliance on your Internet connection and try to manage USB and untrusted devices that can bring in viruses.
 
LVL 5

Expert Comment

by:scuthber
ID: 35446487
Symantec is hopeless. We used to go in to sites that had Corporate Edition that were riddled with viruses and use stinger or sysclean to scan infected computers. As soon as sysclean touched an infected file, Symantec would pop up and say "Oh look! I've found a virus!"
If you are going to stick with Symantec, you have to run a full scan of all files every day. I'd uninstall it and use something else. Even the free ones like AVG or Microsoft Security Essentials are better. And no, I'm not a MS/AVG employee...
 
LVL 10

Expert Comment

by:c_a_n_o_n
ID: 35448215
Years ago, I spoke with Symantec regarding their antivirus. The way it worked back then, and it still sounds like it works this way, is as follows. If the virus, pest, or some other malicious software exists on the hard drive and it is dormant, where it is not running, a mouse-over of the file didn't touch it, and no other application is touching the file in some way, the file is not a threat and Symantec will not detect it. I had this call with them because, after performing a full system scan, I discovered one particular computer contained literally hundreds of virus bodies.

For corporate environments, I have used CA successfully where McAfee and Symantec had failed. CA also offers PestPatrol, which is a secondary product that worked quite well.

For personal use, AVG or Avira; however, Avast is a personal favorite (it doesn't seem to hog system resources).
 
LVL 1

Author Comment

by:Lafflin
ID: 35449327
My CTO won't go for a new AV. I am looking into the policies to see if I can make them a bit stronger; if I find anything effective I'll be sure to post back.
 
LVL 10

Expert Comment

by:c_a_n_o_n
ID: 35450396
Ok, when you write that several already had viruses, are these new infections, or is Endpoint finding existing infections, either active or on a full system scan? If Endpoint is finding existing infections, it sounds like it is working. If these are new infections, Endpoint must have identified them, as a virus generally does not identify itself.
 
LVL 1

Author Comment

by:Lafflin
ID: 35451499
Clarification: several PCs were infected within the first 24 hours, not identified by Endpoint. These are newly imaged clean machines. Endpoint never seems to identify any viruses. It just seems entirely ineffective.
 
LVL 1

Author Comment

by:Lafflin
ID: 35451522
When I say "virus" I'm using it in the general sense to mean "malware": everything from Alias Alureon to fake Security Essentials to link redirects etc.
 
LVL 9

Expert Comment

by:Brian
ID: 35451764
Can you restrict your users' download or application install rights? I don't think much tweaking inside of Symantec is going to help. Good luck, tough situation.
 
LVL 62

Expert Comment

by:gheist
ID: 35455939
Symantec AV lags behind updates, lives along with stealthy viruses for years, its updater goes out of date and stops updating, it is extremely slow...
It does not scan in safe mode, so it is hopeless against most of today's malware.
 
LVL 12

Expert Comment

by:jmlamb
ID: 35457731
What version of SEP are you using? Any version prior to RU6 (11.0.6) did not use strong defaults. What features of SEP are you using as well? Anti-Virus/Anti-Spyware alone does not cover today's threat landscape, and will only benefit you after the risk has been saved to the filesystem and/or executed where it already exists on a filesystem.

SEP is most successful when all features are used together: AV/AS, Proactive Threat Protection and Network Threat Protection. PTP covers the 0-day, behavior-based type of risks. NTP provides you with Intrusion Prevention, download protection, application/device control and a firewall. All these components together give your endpoints the best chance at thwarting risks.

Also, an earlier comment was made that if a risk is dormant on the filesystem, SEP would not detect it outside of a full scan. This is true of any auto-protect/real-time anti-virus application. A risk cannot be detected by that feature if it is not executed. This is why it's equally important to perform weekly full scans regardless of the protection application you're using.

So, how can you make SEP run better? Use all of the features for starters. In the AV/AS policy, make sure all primary actions are clean or quarantine, and all secondary actions are quarantine or delete. In the TruScan section of the AV/AS policy, turn the sensitivity up to at least 50%, scan processes at least every 30 minutes, and check the option to scan new processes immediately.

You'll also want to add an Intrusion Prevention policy that blocks attackers automatically. While I also recommend a firewall policy, you don't have to use one right away if you're not already doing so. There's more involved with using a FW policy and you can wait until you're more comfortable with the product before jumping to it. But at least get the NTP feature installed so you can take advantage of the IPS policy.

Lastly, SEP can scan in safe mode. The earlier comment that it doesn't is not true. If you have infected systems now: disable System Restore, make sure SEP is up-to-date, boot to safe mode and perform a full scan.
 
LVL 1

Author Comment

by:Lafflin
ID: 35457740
That is very much along the lines of what I was looking for in an answer; I thank you very much. I will need to spend some time looking into the policies we're using, as I have inherited this network recently.
 
LVL 12

Expert Comment

by:jmlamb
ID: 35457764
You're welcome; glad it gives you a place to start. I will log on to my SEP environment in the morning to provide you additional specifics on policy configuration.

Another easy one to make sure is on: Tamper Protection. On and set to block. TP settings are located under General Settings of each client group. Also make sure you padlock (lock icon next to the setting in a given policy) any setting you don't want your users (or a risk) to be able to change.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35462872
What did you use to tell you that the newly imaged machines had viruses on them?

What version of SEP are you using? (This has been asked before, but you haven't answered this so far.)

Have you adjusted any of the default settings since the software was installed?

Are definitions up-to-date on the server and clients with the infections?

How often have you set the server to update definitions and can the clients manually launch LiveUpdate to update definitions themselves?

Alan
 
LVL 1

Author Comment

by:Lafflin
ID: 35463119
Sorry, I should answer if someone's going to be cool enough to try to help.

Version 11.0.6.

I actually just reverted back to the default settings as there were settings other than default configured by the last admin.

Definitions are up to date.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35463368
Thanks for the version. Any feedback to the other questions?

Alan
 
LVL 1

Author Comment

by:Lafflin
ID: 35463944
Sorry, I'm working through this while in the middle of a rollout. I've got them updating every eight hours, they're all running on defaults now, and client definitions are up to date for the most part, although I should qualify that statement with 1) once the PC becomes infected, Endpoint usually breaks and appears with the yellow dot in the sys tray, and 2) I have not been looking at these most recent infections myself.
As for whether or not they're able to manually update, they are.
I will say also that my installation of the Endpoint Management Console is installed on a virtual machine which has very poor performance. I do not, however, want to touch that in this post. I was really looking for some best practices, or "common mistakes are usually" type of advice. I do thank everyone who has taken the time to lend advice thus far.
 
LVL 12

Accepted Solution

by:jmlamb (earned 2000 total points)
ID: 35464252
Sorry I couldn't provide the policy configuration today. Had some other issues to address. Here are some links to various Best Practices to get you going.

Symantec Endpoint Protection Best Practices

Client Hardening
SEP-Protecting-SEP-Client-rev1.0.pdf

Network Threat Protection
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348

Firewall Policies Explained
http://www.symantec.com/business/support/index?page=content&id=TECH104433&locale=en_US

Application and Device Control
http://www.symantec.com/business/support/index?page=content&id=TECH145973

Installing the Client on Windows Servers
http://www.symantec.com/business/support/index?page=content&id=TECH92440
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35464860
Okay - thanks for the answers.

Whenever I install SEP, I usually lock the majority of padlocks and adjust LiveUpdate so that it runs every 4 hours or so and allows the clients to launch it manually; other than that, it is pretty much left at default.

All the installations I have have never complained about viruses and as that is the product on pretty much every LAN we support, that is quite a few installations.

In all my years supporting Symantec A/V products and the last 2-3 with SEP - I have never come across the problems you are experiencing.

What might prove to be quite useful is to know the type of virus that you are dealing with and narrow down where it has come from. It may already be on your LAN somewhere. Do you know the name / type of the virus, as this could give a massive clue?
 
LVL 62

Expert Comment

by:gheist
ID: 35465555
Sometimes you need to reinstall the latest version of LiveUpdate to get updates at all.
 
LVL 1

Author Comment

by:Lafflin
ID: 35469392
Thanks for the links.