W32.Ramnit!html NIS does NOT remove or Detect this

Over the last few days we have had 4 PCs get this virus, and every single time Norton Internet Security 2010 does not stop it and does not remove it.

It is incredibly worrying that Norton is not stopping this infection, as it is very hard to remove.

So far we have not been able to remove the infection that Norton picks up in its history as Information warnings called W32.Ramnit!html.

It sees it but does nothing.

WE have booted to safe mode, updated Norton and done full system scans, and it finds NOTHING; it is useless. Run Malwarebytes: it finds infections and removes it, however it comes back. We run the free online scan from ESET, which finds thousands of infected files and removes it, but it still doesn't. So a rival software does actually find the infection but fails to stop it from re-infecting the system.

We have used Norton for over 10 years and never have I found it so useless at stopping, detecting and removing an infection. Especially as Symantec's website rates this infection as Low.

The only way so far to remove it is to format a drive or, we have found, Symantec Endpoint Protection on corporate customers does in fact block and remove the infection; NIS10 does not.

There is a wrong link above; it's linked to a Trojan.Bamital thread, and Trojan.Bamital is NOT!!! Ramnit.

I should know, I can remove both; it does help to figure out the right infection(s).

Quads

 


delphinium wrote:

Hi Stefan2008:

Ramnit is extremely difficult to get rid of. Norton is not allowed to delete explorer.exe or winlogon.exe for obvious reasons, and if there is a rootkit in behind, it will be part of a Windows system driver. Removal has to be done gingerly with this one.


According to the OP, Symantec Endpoint blocks and removes this rootkit but NIS does not. Is this true, and if it is true, WHY??

 

Ramnit is not a Rootkit, and Norton does detect the Virus that infects all the .dll and .exe files, and now correctly deals with the .htm(l) files by removing the vscript without deleting the files.

http://community.norton.com/t5/Norton-Internet-Security-Norton/Should-Norton-be-Removing/m-p/271314/highlight/true#M122531

and

http://community.norton.com/t5/Norton-Internet-Security-Norton/Hello-I-am-new-and-need-urgent-help-virus-is-ruining-my-business/m-p/279931/highlight/true#M124244

Even if it is using the likes of "desktoplayer.exe" or similar, it is still not a Rootkit. It's funny when people give information on a Rootkit that isn't a Rootkit, and other info. Shows different levels.

I scanned one of the Ramnit.html files I had kept in a zip folder; here is the result for people to see:

http://www.virustotal.com/file-scan/report.html?id=f4ac472367b8bf9f8b4e7436506fe89aac5d20216e85d9d99b4a88e3bca0b74b-1286928235

Quads

Sorry folks, wrong link. Humble apologies.

I realise it is not a rootkit.

However, being only able to remove the infection by formatting, I do NOT find this acceptable.

I also understand Norton is obviously not allowed to delete explorer.exe and winlogon; however, why is it not cleaning the files of the code that Ramnit has injected into these files?

Anyway, so far I have clarified that Symantec Endpoint does block this and removes anything to do with it, as a corporate customer just had this issue and, after checking, it has kept the infection away.

I have 2 options currently: go to Bleeping Computer and run through it with them to see if we can get it removed, or secondly see if, by paying Symantec, they can get rid of it, and watch to learn how they did it.

Unless any of you have successfully removed it?

 


Stefan2008 wrote:

I realise it is not a rootkit.

However, being only able to remove the infection by formatting, I do NOT find this acceptable.

I also understand Norton is obviously not allowed to delete explorer.exe and winlogon; however, why is it not cleaning the files of the code that Ramnit has injected into these files?

Anyway, so far I have clarified that Symantec Endpoint does block this and removes anything to do with it, as a corporate customer just had this issue and, after checking, it has kept the infection away.


I find this apparent inferiority of NIS to Symantec Endpoint troubling.

Recently Symantec announced its new Ubiquity endpoint product. In its press releases Symantec says that Ubiquity is partly based on a library of 5 million analyzed files. NIS has only 1.5 million analyzed files in its set of analyzed files.

In view of the fact that it appears that Symantec Endpoint successfully responds to this W32.Ramnit and NIS apparently fails, I am wondering if NIS users receive less protection than Symantec's corporate customers. Is this so? Sure looks that way.

Anyone have any insight (pun intended) into this?

 


hok wrote:

Recently Symantec announced its new Ubiquity endpoint product. In its press releases Symantec says that Ubiquity is partly based on a library of 5 million analyzed files. NIS has only 1.5 million analyzed files in its set of analyzed files.

In view of the fact that it appears that Symantec Endpoint successfully responds to this W32.Ramnit and NIS apparently fails, I am wondering if NIS users receive less protection than Symantec's corporate customers. Is this so? Sure looks that way.

Anyone have any insight (pun intended) into this?


I have been informed that NIS initially uses the same database as Ubiquity, which is further refined in the NIS system for prevalence and security ratings, and that Symantec has not been showing the full number of the initial database in the NIS UI. The full database is 1.5 billion, not the 5 million I originally wrote in the post above.

 

 

 

 


hok wrote:

I find this apparent inferiority of NIS to Symantec Endpoint troubling.

Recently Symantec announced its new Ubiquity endpoint product. In its press releases Symantec says that Ubiquity is partly based on a library of 5 million analyzed files. NIS has only 1.5 million analyzed files in its set of analyzed files.


Actually, Ubiquity technology was first rolled out in Norton products:

The newest addition to the suite of protection technologies developed by STAR, our Ubiquity reputation-based security system, has been in development for more than four years. The initial version of this technology was first deployed in our Norton products in September 2009. This reputation-based technology blocks access to malicious files and websites based on the “crowd-based” wisdom of over 100M+ million customers.

Following its successful deployment in the Norton 2011 consumer security products and more recently in Symantec Hosted Endpoint Protection, Symantec is readying Ubiquity for rollout across a wide range of enterprise products over the coming year, starting with Symantec Web Gate

Hi Stefan2008,

Where are you getting the information about the corporate customer and Symantec Endpoint? Could you please post a link?


SendOfJive wrote:

Hi Stefan2008,

Where are you getting the information about the corporate customer and Symantec Endpoint? Could you please post a link?


"Ubiquity is the first technology to use the collective intelligence of more than 100 million computer systems – Symantec’s participating customers – and the data from Symantec’s Global Intelligence Network to derive a highly accurate safety rating for virtually every single software file – good, bad and those in between – in existence. Ubiquity currently has safety ratings on more than 1.5 billion unique applications, making it one of the largest databases of its kind. This enables Ubiquity to address today’s explosion of targeted, mutating malware, including threats generated on-the-fly and targeting only a single user across the globe."

http://www.symantec.com/about/news/release/article.jsp?prid=20101004_03

FWIW, additional information is from a post on another well-known security forum by a very knowledgeable poster who stated he had discussed this issue with members of the Ubiquity Dev Team.

Norton, as in NIS, NAV and N360, does detect Ramnit-infected files, as I have infected my PC with Ramnit in the real world, not sandboxed or in a VM, and let the infection run.

I then worked it out, the first time in 7 steps as seen in my post on page 1. I realised that once Norton did detect Ramnit.inf and Ramnit.html, problems occurred after the repairing of the files, so I told Symantec and also gave them files for the vscript, and now Norton correctly repairs / cures the Ramnit-infected files, with no deleting or screwed-up system.

I also never reformatted my Hard Drive or reloaded an image (I don't have an image of my PC).

Quads

I have SEP 11 running on my network and one of my clients got this worm. SEP sees it, doesn't clean it, and the file duplicates at an alarming rate. I figure I'll save a lot of time just rebuilding this machine. What a nasty worm.

~ Blake

I am not sure of Symantec Corporate (SEP), including older versions, and its ability to repair the files Ramnit infects. I did the work on Ramnit and Norton, and the problems that occurred; I saw the problems and had them fixed for Norton, testing with NIS 2011.

I then tested Ramnit after Symantec made changes, including having Norton be able to remove the vscript inside htm(l) files instead of just deleting the files.

W32.Ramnit = the dropper \ installer

W32.Ramnit.inf = the infected legit .exe and .dll files that Norton repairs.

W32.Ramnit.html = the htm(l) files that have the vscript code inside, which Norton now (as of approx. 1 1/2 months ago) can repair.

Symantec Corporate has their own forum for problems.

Ramnit is not the worst I have tried on my PC.

Quads

Hello blakecanaday

Here is the link for the Corporate Forum, where you can register and post your problem there. Thanks

http://www.symantec.com/connect/

The corporate info I got from watching it actually happen. WE had a corporate user getting this flashing up; I remote in and watch as SEP detects Ramnit, blocks it and removes any of the infected files.

After having 6 computers with NIS and watching them all fold like wet paper and having to format them, on our own infrastructure and corporate customers SEP has kept it at bay, especially as on 1 PC we have here, not on the domain but with SEP, we plugged an infected pen drive in and SEP blocked it.

Quads, you say you are removing it, yet you don't seem to ever say how or prove you have. Everywhere I have read they recommend to format a drive, and personally I would rather have an actual fix than having to format PCs every time.

I have been able to remove any Malware that I infect my PC with and never had to reformat. I also work out ways to break Malware so that it won't just reinfect a PC automatically.

I also have worked out problems in the past for Norton with certain families.

See http://community.norton.com/t5/Norton-Internet-Security-Norton/W32-Ramnit-html-NIS-does-NOT-remove-or-Detect-this/m-p/308766/highlight/true#M130866 for the Norton log of Norton detecting and removing the injection from .exe and .dll files on my PC (I prefer "repaired" rather than "removed" as the flag, though).

Although at that time it was the first test with Norton, and I was not to use the browser, and to disable, rename and remove desktoplayer.exe and the winlogon entry, which is self-protecting.

Also see the link above.

I don't have to prove anything; I have done tons of Malware removal, including combos and the likes of Virut and TDL3, before free tools were around.

A lot of people, as we have seen on this forum, also love to just say reformat. I have not reformatted another person's PC I have fixed in front of me due to Malware either. I have when it's a stuffed HD that needs a long-winded data recovery and then fixed the HD, but that's different.

Quads