Here are some of the ways that a threat may infect a system and not be detected by an installed antivirus:

The first and most likely situation is that, even if you have the latest build and latest virus definitions installed, you have a new, undetected threat in your network. Virus makers can take a known threat and manipulate the code in such a way that it no longer matches the definition signatures available in any antivirus program. This can be limited in many cases by an advanced heuristics detection such as Proactive Threat Protection or may be blocked from entry by Network Threat Protection's IPSec firewall signatures. These are both good tools, but they unable to catch every possible scenario. For example, a trojan horse is executed from the local machine and would not trigger an inbound firewall rule.

These can also be missed when a threat takes advantage of open vulnerabilities in installed software on individual machines. This software can include the operating system as well as any component running on it such as an internet browser, email software or any other program. It is very important to make sure that all vendor software patches are applied to installed applications and the OS as soon as they become available. A threat entering through a vulnerability is less likely to be detected and prevented.

Another possibility is that the antivirus on a given system could have been tampered with, turned off or something as simple as the definitions not having updated for a couple of days. Certified virus definitions are presently released by Symantec 1-3 times a day. If a machine is found out of date it should be updated as quickly as possible.

The first line of defense for every antivirus manufacturer is the submission and collection of suspicious files whenever possible. When you encounter a threat that has not been detected there are steps that should be taken to minimize the impact and expedite recovery. We offer a submission service which analyzes any files you submit for known and unknown threats and variants. It is by these submissions that we can create a new definition set that will detect and remove those threats. If the issue must be resolved before a certified definition file is available, we offer Rapid Release definitions that can be manually applied to the affected machines or network. For an explanation of the submission process using https://submit.symantec.com/basic, please see the following KB document:

Title: 'How to Use the Web Submission Process'
Document ID: TECH102419
> Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH102419&locale=en_US

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it. This could provide enough information to allow you to create firewall rules preventing the threat from downloading additional threats or contacting a third party. You could also use the threat's unique MD5 hash value to block the process from running with the SEP Application and Device Control component which may help prevent it from spreading. This hash value is included in the email response from Threat Expert. For more information on blocking a process, please see Chapters 33 and 34 of the SEP Administration Guide, or see Technical Information below.

Symantec Endpoint Protection detects and removes over four million known threats. Our definition updates add thousands of new detections each day. By working with our customers to troubleshoot a virus infection we assist the customer to:

• Identify the threat and submit any undetected files that look suspicious.
• Identify the computers infected.
• Quarantine the computers infected.
• Clean the computers infected using Rapid Release definitions based on file submissions..
• Determine the infection vector and take steps to prevent recurrence.

These steps are outlined in this KB document:

Title: 'Best practices for troubleshooting viruses on a network'
Document ID: TECH122466
> Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH122466&locale=en_US


For additional troubleshooting steps and information, please follow the directions in the document What to do when you suspect that a Symantec antivirus product is not detecting viruses.




Technical Information
Title: 'How to use Application and Device Control to limit the spread of a threat.'

Document ID: TECH93451

http://www.symantec.com/business/support/index?page=content&id=TECH93451&locale=en_US