We have a Windows network with a domain and about 50 clients. A few months ago, we installed Symantec Antivirus, Corporate Edition ver. 10.1.8.8000.

There are two problems. The larger problem is that the software isn't very good at stopping viruses. In the last month, four different machines have become infected with those viruses that masquerade as antivirus software. Two machines I was able to clean with MalWareBytes. The other two were hopeless, and I had to reinstall Windows. Is there something I can do to make the Symantec product more effective? As far as I can tell, it successfully updates definitions nightly and pushes the definitions to the clients.

The smaller problem is that the Symantec client applications sometimes initiate scans at random (and inappropriate) times. One of my co-workers complained to me yesterday that her computer was running very slow. I looked at the scan history and found that Symantec had scanned the computer three times during the past two days, and each time during the workday. No threats were found. Not sure why it's doing this, but I'd like it to stop.

Any help would be appreciated. Thanks.

user9517
Alex C.
  • You mention you installed this a few months ago. Symantec replaced AV Corporate with Symantec Endpoint Protection perhaps two years ago. It has better protection against some of these types of malware. Do you have maintenance on your SAV CE 10.1.8.8000? – Dave M Feb 23 '10 at 21:40

3 Answers

You shouldn't be "cleaning up" machines that have had malicious software installed, but that's probably a religious discussion better left for another question.

It sounds like your users are running w/ "Administrator" rights. I'm inferring this from the statement "...other two were hopeless, and I had to reinstall Windows." If the users aren't running as "Administrator" and you're up-to-date on security updates you're going to be much less vulnerable to having the machine's configuration damaged by malicious software. (There are malicious programs that use security vulnerabilities to gain "Administrator" or SYSTEM rights, but they're much less common than most of the junk out there today.) The user's profile will get trashed, and there might be some junk dropped into one of the machine-wide needlessly-world-writable directories (hello "C:\Documents and Settings\All Users\Application Data"), but the machine itself will be fine.

Malicious software is an arms race. If you allow users-- even w/o "Administrator" rights-- to execute arbitrary code you will end up with unwanted software, no matter how hard you try. Something like Software Restriction Policies, or its new "big brother" in Windows 7, AppLocker in combination with antivirus software and users running in non-privileged contexts will help tremendously.

Evan Anderson
  • Thanks so much for the tips. Users are, indeed, running as Administrator. I need to change that. "Software Restriction Policies" looks promising. – Alex C. Feb 21 '10 at 22:44
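As an added illustration of the two controls this answer recommends (it is not code from the answer or from Symantec), the PowerShell below first lists who is in the local Administrators group, then builds an AppLocker executable rule set from what is already installed under the two non-user-writable roots, tests it against any .exe sitting in the current user's temp directory, and applies it in audit-only mode. It assumes Windows 7 / Server 2008 R2 or later with the AppLocker module, an elevated session, and default install paths; the directory list and rule-name prefix are choices made for this example. Anything not covered by the generated allow rules (an .exe dropped into %TEMP% or a user profile by a rogue-AV downloader) is what the policy would block once switched from AuditOnly to Enabled.

```powershell
# Added example, not part of the original answer. Assumes the AppLocker
# module (Windows 7 / 2008 R2+) and an elevated PowerShell session.
Import-Module AppLocker

# 1. Who runs with full machine rights? Every domain user listed here
#    turns a drive-by download into a full machine compromise.
$adminGroup = [ADSI]"WinNT://./Administrators,group"
$admins = @($adminGroup.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
Write-Output "Local Administrators: $($admins -join ', ')"

# 2. Inventory executables under the two roots normal users cannot write to
#    (assumed default install paths) and turn them into publisher rules where
#    the binary is signed, path rules otherwise. -Optimize collapses
#    per-file rules into broader publisher/path rules.
$baseline = Get-AppLockerFileInformation -Directory 'C:\Program Files', 'C:\Windows' -Recurse -FileType Exe
$policy = New-AppLockerPolicy -FileInformation $baseline -RuleType Publisher, Path `
    -User Everyone -RuleNamePrefix Baseline -Optimize

# 3. Start in AuditOnly: would-be blocks are logged under
#    Applications and Services Logs > Microsoft > Windows > AppLocker
#    instead of breaking users on day one. Flip to 'Enabled' after review.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Dry-run the policy against whatever executables currently live in the
#    user's temp directory, the usual drop location for fake-AV installers.
#    Expected decision for files not under the two roots above: Denied.
Get-ChildItem -Path $env:TEMP -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -PolicyObject $policy -User Everyone

# 5. Apply to the local machine (replace with -Ldap "LDAP://..." to write it
#    into a GPO) and make sure the Application Identity service is running;
#    without AppIDSvc the policy exists but is never evaluated.
Set-AppLockerPolicy -PolicyObject $policy -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Step 1 is the quick test for the inference the answer makes: if ordinary user accounts show up in that list, removing them does more for you than any AV tuning. Steps 2 through 5 are the AppLocker counterpart of the Software Restriction Policies approach the answer mentions; on XP clients, which have no AppLocker, SRP with a "Disallowed" default level and path rules for the same two roots is the equivalent.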
In truth AV software is only a single part of your defense against malware. Leaving aside opinions on Symantec stuff (I personally despise it, but that's another story) you need to supplement your AV with internet access control, not running as an administrator, firewall rules, security updates and good old-fashioned user education ("don't click on the pop-up that says 'you may be infected'" might be a good one in your case) in order to have an effective solution. It also sounds as though you don't have any centralised admin of your corporate AV, which is why you're getting scans at awkward times.

I'd suggest that maybe you post another question about effective (and cost-effective!) malware defense strategies for a network of your size.

Maximus Minimus
I'm running version 10.2.0.276 in our environment.

I'm sorry to say, but we have had the same problems with the malware that masquerades as antivirus software infecting a few of our systems as well.

In Symantec's defense this is not a virus -- it's malware.

I'm currently looking for alternatives that will hopefully be better about blocking viruses and malware.

Richard West