
Antivirus not Detecting!!!!

Created: 18 Nov 2009 • Updated: 22 May 2010 | 14 comments
Hi people,

I'm going to throw a wobbler because I feel this is getting serious now.

I'm currently running SEP MR4.

Yesterday I had a call from a user regarding the Symantec email notification popup.
When I investigated the problem it seemed that the machine had a virus (an email virus).

So I used the SEP client and did a scan, which found 'NOTHING', I repeat, 'NOTHING'.

I felt that there was a virus causing this so I downloaded MalwareBytes Antispyware software and installed it.

I couldn't believe it: it found a mixture of 15 viruses and spyware, of which NONE were picked up by the SEP client.

Only when the MalwareBytes engine started to disinfect the files did the Symantec client detect there was a problem and flag the file.

Now I'm no brain surgeon, but I'm sure that antivirus is supposed to catch the virus BEFORE it gets installed, or at least warn you. Does this not apply to SEP?

What I suggest to all of you out there is to check your machines because this isn’t the first time this has happened to me.

Oh, by the way, due to the virus sending out emails one of my server IPs has now been blacklisted, and the SEP client allowed it!!!!! Thanks Symantec.

I am totally dissatisfied with this product and if I had the money to replace it I would.

A seriously upset IT Admin


Vikram Kumar-SAV to SEP

It does happen sometimes that SEP misses a detection and another AV catches it, MBAM in particular. But you will find thousands of cases where MBAM (Malwarebytes) won't catch the virus but SEP will. No AV can be 100% secure and you can't expect it to catch 100% of viruses; however, on your part you can have the latest defs and security policies applied.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search; use it.

timbo

Well, I would generally agree, but not this time.

All the clients are completely up to date, so therefore the clients should be fully protected.

What worries me and all the other SEP users is that my workstations and servers are unprotected.

I've also found that when the SEP client detects a virus it's too late. It allows the virus to install itself and then tries to disinfect it....WTF!!!

I'm not a happy bunny and until SEP improves I won't be recommending it to anyone.

groen

I have to agree with Timbo, as we also have SEP running. For the last 4 days I have been having problems with some computers. Yesterday I installed AVG and it found 3 trojans. Today I installed Kaspersky 2010 and all my problems were gone (2 more trojans). BTW, I'm talking about 4 different Trojans!

Vikram Kumar-SAV to SEP

Run SEP on a computer running Kaspersky only or MBAM only; even SEP might detect 2-3 trojans.
It also depends what they are detecting: are they really trojans or false positives? They might be trojans, but that doesn't mean SEP doesn't detect anything. If you expect your AV to catch all the viruses entering, you will never find one and will end up switching 3-4 AV vendors or having 2-3 AVs installed on the same machine.

AV is not the only protection you should think about; you should also make use of other SEP features to prohibit users from downloading viruses and going to websites they are not supposed to go to in the office.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search; use it.

BadAndy

On one hand it bothers me that some AV programs will catch things that others won't and vice versa.

On the other, I agree that in a work environment there are plenty of ways to prevent infections. AV for MS Exchange, Websense to block users from going to questionable websites, running Windows Vista with UAC turned on AND keeping regular users from admin rights has kept my company's PCs very safe from virus infections. Preventing users from being able to install anything they want since migrating to Vista has been the biggest improvement in our security.

Vikram Kumar-SAV to SEP

Well, if the thread was created just to express dissatisfaction/complaint, then I guess this thread should be closed without making it a juicy discussion and blame game.
I have already explained the cause of this.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search; use it.

MIZSEP

timbo - You cannot rely on an endpoint security solution as your only defense against malware. You need to layer IDS/IPS and/or a web content filtering solution to help protect against and detect infections. Yes, it's more money, but your security posture is seriously going to be compromised by relying only on SEP (or any endpoint product, for that matter).

Also, you can block SMTP at the firewall to restrict outbound mail to the network mail servers (which should be performing additional scanning), or block SMTP altogether if another application/protocol should be handling mail.
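To go with the egress-filtering advice above, here is an added example (not from the original thread and not Symantec code) of the other half of that control: checking firewall logs for internal hosts that talk TCP/25 directly to the Internet instead of through the approved relay, which is exactly how a worm gets a site's IP blacklisted. The log format, the internal range, the relay address and the log lines themselves are constructed assumptions for the example.

```python
"""
Find internal hosts that send mail directly to the Internet on TCP/25,
bypassing the organisation's mail relay.

Added example for this thread; not Symantec or SEP code. The log format,
the internal address space, the relay address and the sample log lines
below are all assumptions made up for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the only internal hosts permitted to speak SMTP outbound.
ALLOWED_RELAYS = {"10.0.0.25"}
# Assumption: the internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SMTP_PORT = 25

# Constructed sample firewall log in a generic key=value format (assumption).
# 10.0.0.25 is the relay; 10.0.4.17 is fanning out to several external MXs;
# 10.0.4.99 was blocked on 25 and fell back to submission port 587.
SAMPLE_LOG = """\
2009-11-17T09:12:01 action=allow proto=tcp src=10.0.0.25 dst=64.12.88.131 dport=25
2009-11-17T09:12:04 action=allow proto=tcp src=10.0.4.17 dst=64.12.88.131 dport=25
2009-11-17T09:12:05 action=allow proto=tcp src=10.0.4.17 dst=209.85.222.27 dport=25
2009-11-17T09:12:06 action=allow proto=tcp src=10.0.4.17 dst=65.54.188.110 dport=25
2009-11-17T09:12:09 action=allow proto=tcp src=10.0.4.17 dst=10.0.0.25 dport=25
2009-11-17T09:13:10 action=allow proto=tcp src=10.0.4.31 dst=93.184.216.34 dport=80
2009-11-17T09:14:00 action=deny  proto=tcp src=10.0.4.99 dst=209.85.222.27 dport=25
2009-11-17T09:14:02 action=allow proto=tcp src=10.0.4.99 dst=209.85.222.27 dport=587
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(log_text: str):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def direct_smtp_attempts(log_text: str) -> dict:
    """Map each offending internal host to the external hosts it tried to
    reach on TCP/25, split by whether the firewall allowed or denied it.
    Approved relays and internal-to-internal traffic are ignored."""
    result = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for rec in parse_log(log_text):
        if rec["proto"] != "tcp" or rec["dport"] != SMTP_PORT:
            continue
        if not is_internal(rec["src"]) or rec["src"] in ALLOWED_RELAYS:
            continue
        if is_internal(rec["dst"]):
            continue  # mail going to the relay is the intended path
        bucket = "allowed" if rec["action"] == "allow" else "denied"
        result[rec["src"]][bucket].add(rec["dst"])
    return dict(result)


def suspected_spambots(log_text: str, min_destinations: int = 3) -> list:
    """Hosts contacting at least min_destinations distinct external MXs on
    port 25: a desktop has no reason to do that, a spam engine does."""
    attempts = direct_smtp_attempts(log_text)
    return sorted(
        src for src, b in attempts.items()
        if len(b["allowed"] | b["denied"]) >= min_destinations
    )


if __name__ == "__main__":
    for src, b in sorted(direct_smtp_attempts(SAMPLE_LOG).items()):
        print(f"{src}: allowed={sorted(b['allowed'])} denied={sorted(b['denied'])}")
    print("suspected spambots:", suspected_spambots(SAMPLE_LOG))
```

Denied attempts are reported as well as allowed ones: once the egress rule is in place the block itself is the detection, and a host that keeps hitting the rule needs cleaning regardless of what the endpoint AV says about it.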

CQ

We have seen this same discussion in many different forms since SEP was released. However, instead of just saying "It missed Trojans/malware and it stinks", could we have some specifics here that would lead to a more constructive conversation and possible solutions? Very frustrating. I am the IT Manager (by default, lol) of a small/mid-sized business and we have used AV 10 and now SEP. It concerns me when I read these discussions and makes me wonder how effective this product really is. I have a few questions (if they have been answered before, please forgive me):

The consumer version of Symantec Norton Security Suite is highly rated. Does SEP use a different AV engine/defs (I assume it does)? If so, I believe I have read that SEP is less aggressive to limit false positives. Is this true? Can it be made more aggressive, particularly for mobile users and telecommuters (like me) who may not be behind a sophisticated router/firewall?

How about the names of these Trojans and viruses? Have they been submitted to Symantec? Specifics would be so helpful!

Vikram Kumar-SAV to SEP

Yes, Norton and SEP have different AV engines, and yes, it is due to false positives. Norton is a SOHO (home user) product which can bear false positives.
However, you can tolerate your critical application being detected as a threat.

You can increase the sensitivity of the SEP client by increasing the Bloodhound sensitivity or by raising the Sensitivity Threshold of Proactive Threat Protection.

The Bloodhound setting is in Advanced of File System Auto-Protect in the AV and AntiSpyware policy.
You can increase PTP sensitivity from the PTP (TruScan) policy.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search; use it.

JohnSn

Well, no one product will detect everything all the time.
If you believe that, I have some beach property for sale in Montana.
Oh, and a bridge in New York...

If you found an infection that your favorite AV product is not detecting, submit the infected file or files to the vendor. That is the only way you will get detection sooner rather than later.
If you just complain about the product not detecting an infection and do not submit a sample, well, sorry to say, but you are just part of the problem, not part of the solution.

Sometimes, it is easier to let an infection take place and then remove it.
Some infected files are morphed and are very difficult to detect. But the actual infection might be easier to detect and remove. So yeah, it does happen that the PC gets infected before the infection is removed.

As far as SEP not detecting 'schtuff'...
If you go to other vendor forums, you will see exactly the same 'complaints'. Sometimes it even looks as if the posting was copied and pasted with just a change of the vendor name.

Another thing is that some people use multiple products to detect infections.
Here is an example:
"SEP did not detect this XYZ infection!!, I checked with ABCD and THAT found the infection!!!"
Okay, nothing wrong with that.
But was there a consideration that XYZ was right, and that ABCD was a false positive?
Most times the answer is 'No'.

Another thing is that some of the log files are misinterpreted.
Tracking cookies will be seen as 'viruses'. Or worse.

As for wondering if you can 'trust the product'.
Consider the source. Who is yelling? What are they screaming about?
If I listen to my neighbor, who has a son, who knows someone at school, whose cousin has a computer that was infected with a virus, and that virus was removed by a product that he tried once and trusted, well, I should be listening to my neighbor, right? Or maybe not?

Oh well, just my 3 cents worth (inflation and such).

nordman

I'm definitely not an expert, but I thought my network was protected with SEP. What is the point when it doesn't catch all viruses?
I cannot live with my website spreading worms! Today I got several messages from angry people reporting an Allaple.a worm caught from my website. What is Symantec's recommendation?

teiva-boy

nordman, your worm is a network-based worm. If you did not have NTP enabled, you are prone to infection, and AV will do 100% of nothing for you.

It's also your fault for not patching your system to prevent the specific RPC/DCOM vulnerability in Windows that this worm is exploiting.

That said, SEP provides layers of defense, but is not the end-all, be-all solution. You will still need good firewalls at your perimeter, perhaps some sort of HTTP scanning solution, email security, then desktop protection. I don't care what vendor you use, but that is just good common security practice.

There is an online portal; save yourself the long hold times. Create a ticket online, then call in with the ticket # in hand :-) "We back up data to restore; we don't back up data just to back it up."

JohnSn

First step: Did you submit the infection to Symantec?
If not, do so asap. That way Symantec will write a detection for it so that when your virdefs are updated, the infection will be removed.
Second step: How come your server became infected?
Allaple.a is a pretty old infection that uses exploits.
Did you apply all updates to the server?
It might be a new variant if SEP is detecting it but not removing it (which makes it even more important to submit a sample).