Antivirus Experts needed!

[FastRedPonyCar]

OK so we've been having some issues recently with viruses that users don't know about showing up on our network via thumbdrives and portable harddrives.

We're using Symantec 10.2.xx right now and I was able to disable symantec's auto protection, download the EICAR test virus

http://www.rexswain.com/eicar.html

And download it both unzipped and the zipfile to a thumb drive... I re-enable auto protect and NOTHING. Plugged the thumb drive into another system with the latest definitions and nothing. Norton is quiet as a mouse.

Now I've disabled autoprotect once again, moved the eicar.com file onto my desktop and re-enable auto protect.... half an hour later, nothing.. not a peep.

We need a PROACTIVE solution that can look at not only thumb drives but quietly always be on the lookout in the background for suspcious activity.


In all fairness, it DOES come up when I try and download the file to my hdd, it says not so fast and auto protect kicks in. Same as when I try and unzip the file to my hdd or thumbdrive. It does it's thing but it required user interaction... there are a lot of viruses and worms that DONT require me to do ANYTHING to them.

If someone has such a worm or virus on their thumbdrive and bring it to work and plug it in, the malicious file has a playground to do it's dirty work without norton ever blinking an eye.

[AthlonXP1800]

Norton Internet Security 2009 has PROACTIVE feature built-in. I tested on a VirtualPC downloaded eicar virus file from eicar.com and NIS2009 blocked it when auto protect is enabled and the same thing happened when downloaded the zip file and extracted to folder on the desktop. When I disabled auto-protect it did nothing when extracted to a folder then I looked at NIS2009 settings and noticed both AntiVirus and Advanced Protection was off. I tried turned on Advanced Protection and see what happened, when it turned on, both AntiVirus turned on and the auto-protect enabled. Then I tried turned off Advanced Protection then both turned off and I turned on AntiVirus, see Advanced Protection still off and Auto-protect still disabled. I tested extracted the zip file to a folder and NIS2009 blocked it when Auto-protect is disabled.

Symantec 10.2.xx is old version, here is new version 11 available which now have PROACTIVE feature so I suggest you to upgrade to the latest version.

[FastRedPonyCar]

Quote:

Originally Posted by AthlonXP1800

Norton Internet Security 2009 has PROACTIVE feature built-in. I tested on a VirtualPC downloaded eicar virus file from eicar.com and NIS2009 blocked it when auto protect is enabled and the same thing happened when downloaded the zip file and extracted to folder on the desktop. When I disabled auto-protect it did nothing when extracted to a folder then I looked at NIS2009 settings and noticed both AntiVirus and Advanced Protection was off. I tried turned on Advanced Protection and see what happened, when it turned on, both AntiVirus turned on and the auto-protect enabled. Then I tried turned off Advanced Protection then both turned off and I turned on AntiVirus, see Advanced Protection still off and Auto-protect still disabled. I tested extracted the zip file to a folder and NIS2009 blocked it when Auto-protect is disabled.

Symantec 10.2.xx is old version, here is new version 11 available which now have PROACTIVE feature so I suggest you to upgrade to the latest version.

wellll..... its not as simple as running out and buying it on the store shelf... it's for an entire military base hahahah

[nekrosoft13]

[AthlonXP1800]

Quote:

Originally Posted by FastRedPonyCar

wellll..... its not as simple as running out and buying it on the store shelf... it's for an entire military base hahahah

wellll you dont have to running out to the store, you can either buy or upgrade to Symantec Endpoint Protection 11.0 for discount online at Symantec website. I didnt bought Norton Internet Security 2009 as it cost £45 in stores while I bought it at Symantec website online for just £21 with discount.

[FastRedPonyCar]

We have to use a coporate solution. Right now, 10.2 is the most current corporate version.

http://www.symantec.com/business/ant...porate-edition

You see, we have over 13,000 computers on our network so it's a bit more complicated than just downloading an update or new version. We'd have to test it and ensure that our symantec servers can maintain the new version correctly (see, I don't know if version 11 even gives you the option to have it managed by a parent server or not) and if our servers software version can talk with and take care of a machine with version 11.

[nekrosoft13]

Quote:

Originally Posted by FastRedPonyCar

We have to use a coporate solution. Right now, 10.2 is the most current corporate version.

http://www.symantec.com/business/ant...porate-edition

You see, we have over 13,000 computers on our network so it's a bit more complicated than just downloading an update or new version. We'd have to test it and ensure that our symantec servers can maintain the new version correctly (see, I don't know if version 11 even gives you the option to have it managed by a parent server or not) and if our servers software version can talk with and take care of a machine with version 11.

from your link

Quote:

For next generation antivirus protection, upgrade to Symantec Endpoint Protection 11.0, which combines Symantec AntiVirus with advanced threat prevention to protect endpoints from even the most sophisticated attacks.

10.2 is dead, and there will be no future upgraded, it was replaced with Endpoint Protection 11.

that is your next future upgrade

[FastRedPonyCar]

I found a copy of 11 w/endpoint on our network "testing software" and did a full install.

EICAR still sitting on my thumbdrive <_<


Most recent updates have been applied and proactive scan was set for 15 minute intervals and it's been an hour.



So back to my original problem here is that if an infected thumb drive or portable HHD gets plugged in, there's no scan done right away. THAT'S what I want to happen and if there's a virus on it, it has plenty of time to do whatever it wants with AV just sitting there with a thumb up its butt it seems.

[ninelven]

I would check out these in this order:

1) http://www.avira.com/en/pages/index.php

2) http://www.kaspersky.com

[AthlonXP1800]

Quote:

Originally Posted by FastRedPonyCar

So back to my original problem here is that if an infected thumb drive or portable HHD gets plugged in, there's no scan done right away. THAT'S what I want to happen and if there's a virus on it, it has plenty of time to do whatever it wants with AV just sitting there with a thumb up its butt it seems.

Looked like Endpoint Protection 11 not configured the way you wanted it. Check the settings to make sure that it check for virus when removable media is inserted enabled and also create custom scans to scan removable drives for viruses on thumb drive or portable HHD.

[RejZoR]

Antiviruses only scan accessed/modified files. Unless something or someone is accessing that very specific file on USB drive, nothing will detect it.
If you doubleclick it, it will be scanned. If there is an autorun located on USB drive and is pointing to that EXE (or whatever it is), it will be scanned.
Scanning everything because it's there is waste of resources. Thats why no one does it.
So don't worry about it.

[einstein_314]

Quote:

Originally Posted by RejZoR

Antiviruses only scan accessed/modified files. Unless something or someone is accessing that very specific file on USB drive, nothing will detect it.
If you doubleclick it, it will be scanned. If there is an autorun located on USB drive and is pointing to that EXE (or whatever it is), it will be scanned.
Scanning everything because it's there is waste of resources. Thats why no one does it.
So don't worry about it.

That's what I thought. It only gets scanned when it gets accessed. Whether by user interaction or automatically. ie autoruns etc. If you have a virus on your flash drive and you plug it in, it's not going to infect your computer until you try to do something with it. (That I'm aware of anyways). And as soon as you do try to do something to it (ie move, copy, open, etc) it will be detected and dealt with.