Last week I received an alert email from SEP.cloud. It had blocked the following:
c:\program files (x86)\mysearchdial\1.8.29.0\uninstall.exe
I called support to find out why it had quarantined the uninstall file and not the base from which it originated.
Here's the response I got:
This program is a Potentially Unwanted Program (PUP) which piggybacks on the installation of legitimate downloads and then installs itself. In itself it is not a threat until it attempts to download other programs or threats.
The main reason why these programs are not detected as threats is that they add an entry to Programs and Features, where you can remove the unwanted program at any time. Normally they can be removed just by going to Programs and Features and removing the program.
The documents below explain some of the reasons why Symantec does not detect these as threats.
Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec Endpoint Protection does not
http://www.symantec.com/docs/TECH98929
How to run the Threat Analysis Scan in Symantec Help (SymHelp)
That all makes sense, in a less than security conscious way.
Because the originally described PUP continued to behave as it was designed, it did bring down more crapware. SEP.cloud quarantined the uninstall.exe of the second program, just like it did the first. That meant that it quarantined the programs that would let me use the Control Panel to remove the malware...
In the end, it took over 2 hours to fully clean out all of the residue before my client's computer was clean again.
> NPE did not find anything wrong during its scan
> Malwarebytes found 87 entries to correct and required a reboot
> HitMan Pro found an additional 8 entries to correct and required a reboot
This is not exactly a ringing endorsement for SEP.cloud's protection capabilities...
The thing is, Malwarebytes detects these PUPs and removes them.
But according to the "canons" of the product:
> I have to remove MBAM prior to installing SEP.cloud.
> TECH104806 says not to run two AV products because they could have the potential to cause an infinite loop.
My follow-up question is: Since SEP.cloud is not effective against this kind of threat, what am I supposed to use as a second line of defense?
I can't afford the time - and my clients can't afford the bill - for me to clean up after the fact.
Thanks!