What to do when a competitor's antivirus, adware scanner, or spyware scanner detects a threat that Symantec AntiVirus does not detect

Article:TECH99494  |  Created: 2001-01-17  |  Updated: 2010-01-09  |  Article URL http://www.symantec.com/docs/TECH99494
Article Type
Technical Solution

Issue



You want to know why a competitor's antivirus program detects a virus that Symantec AntiVirus does not detect.


Solution



There can be several reasons for this. The following are the most common causes. Please read each one carefully.
  1. Running more than one antivirus program on the same computer is not recommended. You may experience a false positive detection in one of the antivirus programs in this situation. See the following Symantec Knowledge Base documents for additional information.
  2. When you are not running more than one antivirus program, Symantec Technical Support recommends that you make sure you have the most current virus definitions installed and that the antivirus program is set up as recommended by the installation guide. See the Symantec Knowledge Base document What to do when you suspect that a Symantec AntiVirus product is not detecting viruses.
  3. The other antivirus program may have detected virus-like activity, and not a known virus. For example, you may receive a detection for W97M/Generic. On checking the other antivirus vendor's Web site, you find that this is not a known virus, but rather a generic detection for virus-like activity.

    One reason this happens is the way that different antivirus programs detect and repair viruses. One program may leave harmless pieces of viral code or the macro name behind. Another antivirus program will detect this piece of viral code or the name, and report it as a virus.

    Symantec AntiVirus (SAV) uses Bloodhound heuristics for detection of virus-like activity. See the Symantec Knowledge Base document Explanation of Bloodhound Alerts for additional information.
  4. Other vendors may flag as viral some files that Symantec products do not, such as cookie files or .inf files.
  5. Submit the suspect file to Symantec Security Response for analysis. See the following Symantec Knowledge Base documents for additional information on Symantec Security Response:
    How to submit a file to Symantec Security Response using Scan and Deliver
    What to do when Symantec Security Response responds to your submission.
  6. Be aware that third-party antivirus products are often designed with a different purpose in mind, and therefore employ a different scope of detection. Symantec security products such as SAV and Symantec Endpoint Protection (SEP) are intended to balance detection of legitimate threats with a level of false positive detection acceptable to enterprise-class computing environments with thousands or even hundreds of thousands of seats. A repair tool-type product that runs on a single machine and is not centrally monitored or managed may be far more aggressive - thus detecting some threats that SAV or even SEP may not - but often at the cost of a much higher false positive detection rate, sometimes as high as 40%. When evaluating the detection performance of antivirus products, it is important to understand that a straight apples-to-apples comparison between such third-party products and SAV or SEP is not valid, because the high false positive detection rate associated with such products would have an unacceptable impact on a large computing environment.







Legacy ID



2001101708255048



