Antivirus/Malware Help

Hi Experts,

We recently had one of our employees click on a link in an e-mail that took him to a fake site where he entered his credentials and his e-mail account was compromised.
Management hired a cyber security company who did scans on the systems, his e-mails and also other things on the web.
We have managed Symantec Endpoint Protection (intrusion prevention and anti-malware), which is up to date and active.
We also didn't have anything on the back end set up (per management) to protect our e-mail against spam, malware, all e-mails were to come through.
The cyber people are telling management that Symantec only gets 20% of intrusions, viruses and malware.  (I don't believe that; I have an e-mail box flooded with all the intrusions Symantec is getting, and not one virus in 4 years that it didn't catch.)
Management from their advice is most likely going to force me to uninstall Symantec from all of our workstations and servers and deploy Carbon Black?

Can anyone tell me if this sounds as insane as I think it is?  Anyone familiar with Carbon Black?

Please help, I don't trust this at all and would love to be proven right or wrong.  I think this cyber company might be banking on management fears from my co-workers mistake.

Thank you
klsphotos asked:

John, Business Consultant (Owner), commented:
We recently had one of our employees click on a link in an e-mail that took him to a fake site

That is a user issue that compromised the email account.

Symantec Endpoint (we use it) protects against incoming email and attachments as well as files from USB keys and the like. Your experience here is good and so is ours.

But that does not stop users from doing silly things. You need training for that.

Management will do what they will do, but SEP is a top rated product, it works, and like ALL OTHER antivirus products, it is not perfect and is rear-guard protection. They all are.

Windows 10 Smart Screen can help here.
bbao, IT Consultant, commented:
Basically Carbon Black is just another name in the anti-virus market, like Symantec, and it is not a killer in the market. You may see below a third-party review against the two companies, their products and user/public reviews. They are at the same level, in technologies and customer review. Actually Symantec's review should be more accurate due to a larger number of reviewers.

https://www.gartner.com/reviews/market/endpoint-protection-platforms/compare/bit9-carbon-black-vs-symantec-blue-coat

The consulting company you hired might have a business interest with CB; it might be a stakeholder, business partner or authorised reseller.

Regarding the accident, any email account could be compromised once its credential is disclosed, whether or not endpoint security software is in use, simply because it is an authentication accident for email services at the backend, nothing to do with client security or other backend services.

To prevent this from happening again, two-step verification must be enabled for email authentication, so that even if a user's password has been disclosed, other people still can't access the mailbox from an untrusted device or location unless the other factor, such as a phone number, can be verified.
John, Business Consultant (Owner), commented:
One way to approach this with management is that they could spend considerable money and resources and be no farther ahead. Ask them to consider that.
Lee W, MVP, Technology and Business Process Advisor, commented:
Upload samples to VirusTotal.com and watch 30+ (out of 60+) antivirus products MISS the infection.  ALL ANTIVIRUS SUCKS.  Carbon Black, McAfee, Symantec, BitDefender, EVERYTHING!!!!

That doesn't mean you shouldn't have SOMETHING because, like the flu shot in an off year, it will protect you from SOME things and MAY make things less severe... but Antivirus is a LAYER - you need TRAINING, EDGE Scanning with a different product, proper firewall defenses, proper policy defenses, and other methods of defense.  PERSONALLY, I would replace Symantec because they have had a history of issues in my experience - not just failing to catch things, but issues BREAKING aspects of Windows.  But if anyone tells you that Antivirus is effective - ANY antivirus - I call BS and wouldn't trust them.
Andrew Leniart, IT Consultant & Freelance Journalist, commented:
I fully agree with and endorse the conclusions made by both bbao and Lee W.
We also didn't have anything on the back end set up (per management) to protect our e-mail against spam, malware, all e-mails were to come through.
If management are insisting on such a policy, then "they" were effectively complicit in causing the breach (along with the end user) in the first place, because of the policy they are forcing you to work under. This needs to be explained to them, along with the fact that whilst end point protection is still important to have, NO antivirus exists that can catch or prevent all types of infections, especially so when it comes to Phishing type emails that caused this particular breach.

I feel your frustration as I've experienced it myself with a few clients over the years. My resolution was always to try and educate the client first, and if that failed to work, to either make them sign in my agreement that stated I would only act as administrator for them with the knowledge that their policy was against my recommendations and that I was not responsible for the results of said policy, OR, I would simply decline to work with that company. Yes, I have sacked a few clients over the years. To me, the money wasn't worth the headaches.

Regards, Andrew
John, Business Consultant (Owner), commented:
While Anti Virus is not perfect and rear guard as I noted initially, do not go without a good product. We are always picking up viruses quarantined while user machines keep going. So it IS worth having Anti Virus - just know the limitations.

And the first example would not be caught because of the actions of the employee. Train people.
David Johnson, CD, MVP, Owner, commented:
You got off lucky in that the damage was minimal. In today's age, you would have probably been hit with some form of ransomware.
No antivirus/antimalware product (yes, they are 2 different products) is 100% effective.  I tend to follow the security field with some interest and I've never heard of Carbon Black.  They don't seem to be on VirusTotal's list of AV products that they use to test files (that may tell you something).
Andrew Leniart, IT Consultant & Freelance Journalist, commented:
Further to my last, I too, unfortunately, have had some bad experiences with the Symantec server and endpoint solutions not catching things at a company I worked at for 18+ years. I found the site endpoint administration module to be woeful as well, with scheduled scans often failing or endpoints not updating from the server like they were supposed to. False positives were another constant annoyance and support was poor. All problems disappeared when I switched to Avast's server and business solution, but even that had the odd hiccup or two over the years.

Like David, this is the first I've heard of Carbon Black and I frequently check security bulletins and reports as well. I strongly suspect they are using scare tactics to push a product they are invested in, especially since Symantec is a major player and one of the leaders in the field. What they should be doing is recommending endpoints and education for staff to your management - having failed to do that, I would conclude they are not trustworthy and that their interests are self-serving rather than focused on preventing a similar occurrence.

Finally, if your management "do" insist on switching to another AV because of this instance, I would point them to the following reports, so that they can at least make some type of informed decision.

AV Comparatives - September 2018 Results

Real-World Protection Test September 2018 – Factsheet
Malware Protection Test September 2018

While this can vary from month to month, you'll note that Symantec's scores are less than ideal.

Regards, Andrew
klsphotos (Author) commented:
Thank you everyone so much for your help.   The consultant making the statement about Symantec only getting 20% of vulnerabilities and the push to deploy Carbon Black to our systems is what raised the red flag for me, in addition to what some of you confirmed: I've never heard of this product either.  In 4 years at my current company with Symantec I can say that, in all of the monitoring on our servers and users' systems, NONE of the errors have come from Symantec, and 1 virus, which was user initiated.  I've had a similar experience with Symantec since 2007. They want to address the wrong issue and remove a working product instead of addressing training and two point authentication, and the fact that the "consultants" are pushing this instead of that is another red flag for me and I don't like this at all.

I will respond later after the meeting and close ticket.  Thank you again for your help.
bbao, IT Consultant, commented:
Forgot to mention: like Andrew and David, this is also my first time hearing of the brand name Carbon Black.
masnrock commented:
We also didn't have anything on the back end set up (per management) to protect our e-mail against spam, malware, all e-mails were to come through.
This is your big miss right here. That along with user awareness training (I assume that you don't do that now).

The cyber people are telling management that Symantec only gets 20% of intrusions, viruses and malware.
Never heard a number like that, but no product is anywhere near perfect. I got a laugh out of Lee's comment, but what he said is perfectly true.

Management from their advice is most likely going to force me to uninstall Symantec from all of our workstations and servers and deploy Carbon Black?
From what is being mentioned I don't see anything that justifies switching to Carbon Black. Just some guys trying to make a sale.

Remedy the spam filter and user awareness issue, that should have you in a much better position. However, as David mentioned, you want to improve your antimalware protection also. If you replace Symantec at some point, so be it, but I wouldn't let this instance be the reasoning why you do it.

I've heard of Carbon Black, but could not tell you how good it is. We have Cisco AMP for Endpoints, which competes with them in that space (but we haven't started using the AV protection portion yet as we have kept McAfee for now).

klsphotos (Author) commented:
Thank you everyone so much - it was a misunderstanding, they want to implement it alongside Symantec.  I've deployed it to several systems and we are doing a 30 day trial with it alongside Symantec.  The consultant did mention again that Symantec only gets 14-20% of all vulnerabilities, but where the confusion happened was that management took that to mean it only works 20% of the time.  They meant out of all the vulnerabilities out there, so it is best to have 2 layers of protection.  They are giving a full presentation on this this week, so if they only mention this as a solution and not the other things mentioned here, I will speak up about that as well.

FYI, I have one of the highest amounts of RAM and CPU in my system and Carbon Black so far has slowed my system down drastically, I'm typing this from my Mac :P

Thank you all so much for your help, all of you confirmed what I knew and suspected.  I will figure out how to award points for all.

Karen
Andrew Leniart, IT Consultant & Freelance Journalist, commented:
You're welcome Karen and good for you for challenging the status quo.

FYI, I have one of the highest amounts of RAM and CPU in my system and Carbon Black so far has slowed my system down drastically, I'm typing this from my Mac

I'd be *very* interested to hear what their explanation is for that so please do update this thread if you can! :)
John, Business Consultant (Owner), commented:
Thanks and I was happy to help you with this.
masnrock commented:
FYI, I have one of the highest amounts of RAM and CPU in my system and Carbon Black so far has slowed my system down drastically, I'm typing this from my Mac :P
Check to see what policies exist in it. In our deployment of Cisco's solution, we disabled the AV protection, which still allowed the behavioral analysis and antimalware protection to work alongside McAfee. Also, you probably need to create a number of exclusions in Carbon Black.
btan, Exec Consultant, commented:
Carbon Black goes into remote forensics, which can do a full memory dump of the processes, which Symantec may not necessarily have as full recording captures. Most still tend to go for Carbon Black for endpoint detection and response (EDR), primarily for remote forensic analysis purposes. That is so far how much I see differs between ATP and CB. Symantec will not rest on its laurels and will be building enhancements to compete in the EDR space.

Worth noting is that both may not be foolproof as well: if you intend to do indicator of compromise (IOC) threat hunting using the hash of a file, CB can only cover running executable file types or recently executed files; non-executables will not be covered. Same for Symantec Advanced Threat Protection, which is EDR (not solely SEP).  You will likely still need to run scripts on the machine.

As a whole, coverage for EDR should target minimally all critical servers and machines used by privileged users. These are the key entry points to prioritise; otherwise the idea is to have EDR on all endpoints. Searches through CB will be offloaded onto the CB server, which constantly polls the CB agent in each endpoint rather than triggering the search command in the client, as this can demand additional resources (existing ~10-16% footprint) on the client machine.
klsphotos (Author) commented:
Whatever was slowing it down has ceased, so I suppose it was just initially after I installed it.  I have access to the trial portal now from the company and am monitoring it this week.  It is showing me a lot of things that Symantec doesn't, mostly on servers, which does not surprise me; my machine is clean :)
Andrew Leniart, IT Consultant & Freelance Journalist, commented:
Thanks for the update Karen. I'd appreciate it if you could update this thread and let us know how it goes moving forward. It's a relatively unknown name in Security (for me anyway) and I'll be interested to hear your opinions about it.

Regards, Andrew
btan, Exec Consultant, commented:
What I see is that EDR's presence is to fend off sophisticated malware such as those that are memory based and fileless malware types. There are criteria for their installation, but that would be seen as an optimal balance as it should not be hindering normal operation.
Most EDR solutions use a complex agent that is tightly integrated into the endpoint's operating system, meaning it can have serious performance impacts and cause instability if not well designed and tested. The vendor should be able to show you performance data of their product tested on similar operating systems, hardware, and running similar applications.

How much CPU does the agent use? (Should be < 1%, rarely ever spiking above that)

How large is the agent’s footprint? (Lightweight sensors are ~3Mb, heavy agents ~50Mb)

Does the sensor operate at the kernel level or in userspace?

Kernel level sensors provide greater visibility but require substantially more testing by the vendor to ensure they do not impact the endpoint operating system; user-space sensors are more prone to tampering and lack the visibility into kernel-level attack payloads.

You can check perfmon and question the support team if there are consistent slowdowns, as it shouldn't be on your critical servers.

https://www.carbonblack.com/2016/01/25/13-essential-questions-to-guide-your-endpoint-detection-and-response-edr-evaluation/
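As an added example (not from this thread or from any vendor), the perfmon check suggested above can be scripted: this PowerShell samples an endpoint agent's CPU usage and working set with Windows performance counters and compares them to the "< 1% CPU" and "~3 MB / ~50 MB footprint" figures quoted in the comment. The process name is a placeholder you must replace, and the sampling window and spike threshold are assumptions.

```powershell
# Added example (not from the thread). Sample an endpoint agent's CPU usage and
# memory footprint with Windows performance counters and compare them against the
# "< 1% CPU" and "~3 MB light / ~50 MB heavy" criteria quoted in the comment above.
# The process name is a placeholder: use the agent's process name as shown in
# Task Manager, without the ".exe" extension.
param(
    [string]$ProcessName = 'AGENT_PROCESS_PLACEHOLDER',
    [int]$Samples = 60,           # assumption: 60 samples...
    [int]$IntervalSeconds = 5     # ...5 seconds apart = a 5-minute window
)

$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors

# "% Processor Time" for a single process is summed across all logical cores and
# can exceed 100, so divide by the core count to get a whole-machine percentage.
$cpuReadings = Get-Counter -Counter "\Process($ProcessName)\% Processor Time" `
                           -SampleInterval $IntervalSeconds -MaxSamples $Samples |
    ForEach-Object { $_.CounterSamples[0].CookedValue / $cores }

$cpuAvg    = ($cpuReadings | Measure-Object -Average).Average
$cpuPeak   = ($cpuReadings | Measure-Object -Maximum).Maximum
$cpuSpikes = @($cpuReadings | Where-Object { $_ -gt 1.0 }).Count

# Working set of every instance of the agent process, in MB (footprint check).
$workingSetMB = (Get-Process -Name $ProcessName |
    Measure-Object -Property WorkingSet64 -Sum).Sum / 1MB

"{0}: CPU average {1:N2}%, peak {2:N2}%, {3} of {4} samples above 1%; working set {5:N1} MB" -f `
    $ProcessName, $cpuAvg, $cpuPeak, $cpuSpikes, $Samples, $workingSetMB

# Flag results that miss the guideline so the raw samples can go to the vendor's
# support team. The "spikes in more than 10% of samples" rule is an assumption.
if ($cpuAvg -ge 1.0 -or $cpuSpikes -gt [math]::Ceiling($Samples * 0.1)) {
    Write-Warning "CPU usage exceeds the <1% guideline (or spikes in more than 10% of samples)."
}
if ($workingSetMB -gt 50) {
    Write-Warning "Working set is above the ~50 MB 'heavy agent' figure."
}
```

Run it during normal working hours on a representative server and again on a busy workstation; a single quiet-hours sample says little about the agent's real footprint.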