Why didn't VIPRE catch this threat?
While this sounds like a straightforward question, many variables come into play when protecting a machine against malware, and it is rarely possible to point to any one reason.
At this point there are over 13 million detections in the VIPRE signature files, plus hundreds of generic detections that can catch new malcode before our analysts have even seen it. The MX-V technology in VIPRE can also detect and stop a great deal of virus-like behavior.
As many as 50,000 new pieces of malcode may appear somewhere on the Internet every single day, so we do see cases in which new malcode makes it through the VIPRE defenses, although this is not a common occurrence. When it does happen, we often find that the VIPRE installation was set up incorrectly. Based on our experience, here are several reasons why a threat may have made it through.
Is the latest version of VIPRE running with updated definitions?
It is important that the VIPRE Agents are kept up to date, both the software version and the definitions. The Protected Computers list inside the VIPRE Console displays the version information for each Agent. To confirm that these are the latest versions, compare them against our most recent software releases and our most recent definition versions; an Agent that has not updated its definitions for days is a common cause of a missed detection.
Is Active Protection enabled?
This is the real-time protection inside VIPRE that scans files as they execute or are touched by the operating system. Ensure that Active Protection is enabled in the VIPRE policy. The recommended settings are "High Risk Extensions Only" for workstations, "Execution Only" for servers, and "All Touched Files" while an active virus infection is being cleaned up. The narrower settings trade coverage for performance, so the scheduled scans described below remain important.
Is each agent scanning regularly?
It is recommended to run a Quick Scan daily and a Deep Scan weekly on each agent. A Quick Scan requires fewer resources and checks the common threat locations for suspicious activity. A Deep Scan is the most thorough scan that VIPRE offers; by default it scans the files on every local hard drive for threats. Ensure that both scans are configured to scan active processes, scan registry entries, and check for rootkits.
Is VIPRE set to quarantine threats?
This control is under the Remediation tab in the VIPRE console. If a category is set to "Report Only", VIPRE logs the detection but does not stop or quarantine the offending program. The reason for this default is so that new VIPRE installations do not delete diagnostic tools and other applications that systems administrators rely on, which can be considered malware under other circumstances. Reporting them first gives administrators an opportunity to whitelist those tools before making VIPRE fully functional (which would detect and possibly delete them). Once the whitelist is in place, make sure the threat categories you care about are switched from "Report Only" to quarantine; a threat that is only reported is not stopped.
I got infected by an old threat. Why did VIPRE fail to catch it?
Malware authors are very dedicated to making money at your expense. They monitor which AV companies are detecting their malcode, make changes, and then do their own testing until they believe there is a good chance that their malcode will evade detection by most antivirus products.
They then release that version into the wild. This is why threats seem to wax and wane: a particular malware author will keep releasing new variants until each one is caught by the majority of AV products, and then move on to a whole new project. An "old" threat that infects you is therefore usually a freshly modified variant that existing signatures do not yet match.
The fastest way for us to provide protection for any new variant is to obtain samples of the threat as soon as possible, so that we can make the changes needed for VIPRE to identify the new code as malicious. We have teams dedicated to hunting down these new variants so that we can be as proactive as possible, but with the number of new threats released every day we also have to be very reactive.
How do I submit a new threat?
If you encounter a threat that you would like added to our definitions and you are able to locate the malicious files on your machine, they can be submitted to us directly.
If you are unsure whether a file is a threat, there is no need to run it in a sandbox. A safer alternative is to scan the file on a site such as VirusTotal, which checks it against 50+ different scanners to determine whether it is malicious. Be aware that files uploaded to VirusTotal are shared with its partner vendors and researchers, so do not upload documents that contain confidential data; instead, search VirusTotal by the file's hash first, which discloses nothing about the file and already tells you whether it is known.
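The following is an added example, not ThreatTrack or VIPRE code, showing the hash-first workflow described above: compute the file's SHA-256 locally, look the hash up on VirusTotal without uploading the file, and reduce the engine statistics to a verdict. It assumes the public VirusTotal v3 REST API (GET /api/v3/files/{sha256} authenticated with an x-apikey header, 404 for unknown hashes) and the last_analysis_stats structure of its response; the sample responses and the verdict thresholds are constructed for illustration.

```python
"""Hash-first VirusTotal lookup for a suspicious file (added example).

Assumptions: VirusTotal v3 API as documented at the time of writing,
and an API key in the VT_API_KEY environment variable.  Sample reports
below are constructed, not real VirusTotal replies.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Assumed thresholds: how many engines flagging the file we treat as decisive.
MALICIOUS_THRESHOLD = 3


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large installers do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fobj:
        for chunk in iter(lambda: fobj.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lookup_hash(sha256, api_key, timeout=15):
    """GET the VirusTotal report for a hash; None means VirusTotal has never seen it.

    Nothing but the hash leaves the machine, which is the point of looking
    up before deciding whether to upload.
    """
    req = urllib.request.Request(
        VT_FILES_URL + sha256,
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize_report(report):
    """Reduce a /files report to counts plus a coarse verdict.

    Only engines that actually returned a result (malicious, suspicious,
    undetected, harmless) count toward 'scanned'; timeouts, failures and
    type-unsupported entries are ignored.
    """
    stats = report["data"]["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    scanned = malicious + suspicious + stats.get("undetected", 0) + stats.get("harmless", 0)
    if malicious >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif malicious + suspicious > 0:
        verdict = "inconclusive"   # a few hits: submit the sample for analysis
    else:
        verdict = "undetected"     # no engine flags it; not proof it is clean
    return {"malicious": malicious, "suspicious": suspicious,
            "scanned": scanned, "verdict": verdict}


# Constructed sample report, shaped like a VirusTotal v3 /files response.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {
                "malicious": 41, "suspicious": 2, "undetected": 25,
                "harmless": 0, "timeout": 1, "type-unsupported": 3, "failure": 0,
            }
        },
    }
}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:
        print(summarize_report(SAMPLE_REPORT))
        sys.exit(0)
    file_hash = sha256_of_file(path)
    print("sha256:", file_hash)
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        print("VT_API_KEY not set; search this hash on virustotal.com manually")
        sys.exit(0)
    report = lookup_hash(file_hash, api_key)
    if report is None:
        print("hash unknown to VirusTotal; consider submitting the sample")
    else:
        print(summarize_report(report))
```

Run it with a path to get the hash and (with VT_API_KEY set) the verdict; without arguments it summarizes the constructed sample. An "undetected" verdict only means no engine has a signature yet, which for a brand-new variant is exactly the situation this page describes, so the sample should still be submitted.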
A threat is being detected over and over again. Why does it keep coming back?
If this is the case, it is likely that you are infected with a new variant of an existing threat, with something new added to it that we need to identify before we can protect against it. A detection that returns after every removal usually means a component VIPRE does not yet recognize, such as a dropper or a persistence entry, is re-creating the file.
To help ensure that we obtain samples of these threats as quickly as possible, we offer something rare in the antivirus industry: if a threat is not completely removed by VIPRE, we provide FREE remediation assistance. We collect information from your system and then, if need be, remote into it and remove the active virus infection. As part of this remediation we collect any samples found on the system and use them to update our definitions. For the fastest possible resolution, please Contact Support and open a case with a technician.
How did I get infected?
Without extremely detailed network logging in place at the time of infection, it is virtually impossible for us at ThreatTrack Security to tell you with certainty how you became infected. Here is a list of the more common methods of infection so that you know what to look out for:
Drive-by downloads: These are downloads of spyware, viruses or other malware that happen without the user's knowledge. They can occur when you visit a website, view an e-mail message or click on a deceptive popup window. Many users click on the window in the mistaken belief that it is, for instance, an error report from their own PC or a harmless advertisement. In such cases the malicious "supplier" may claim that the user "consented" to the download even though he or she was completely unaware of having started a malicious software download. Permitting unlimited browsing at work is a risk.
Exploits: These are pieces of code that take advantage of a vulnerability in a web browser, e-mail client, Adobe Flash installation or operating system to install malware without any user intervention whatsoever. Many target older vulnerabilities in applications or operating systems that do not have the latest updates installed, which is why it is important to install updates promptly.
Email attachments: Infected attachments that arrive in spam emails can infect a machine and then send emails to everyone in the user's address book. These spoofed email messages contain some kind of enticing story to get you to follow a link to a malicious site or open an attachment that is actually the installer for the malware. Allowing access to personal webmail, such as Gmail or Yahoo Mail, is a risk because it bypasses the organization's mail filtering.
If there is an active infection in your environment, please Contact Support.
What further steps can I take to protect against malware?
Security has always been a layered approach, with the desktop antivirus as the last line of defense. The proactive part of security is the set of policies in your security plan; following security best practices will limit the threats that reach your network. The following documents can be used as a guideline to begin planning:
- Cyber Security Planning Guide
- Virus Infection Prevention Best Practices for Small and Midsize Organizations
- Manageable Network Plan