Endpoint Does NOT Seem Up To The Task
I am just curious as to how many viruses and other related malware, spyware and bots you have noticed that Endpoint misses and forces us to use the combined effort of spybot, malwarebytes, sdfix, sysclean, ad-aware, combo fix, smitfraudfix, spy sweeper and so forth. My opinion is that they should just do away with the spyware/adware part of their scanning, as it seems to find nothing most of the time, and even when it finds a virus it solves only one part of the problem and we have to spend hours cleaning up the rest.
Has anyone found Endpoint or even the Corporate editions to be a single and adequate protection for even simple virus problems like vundo or virtumonde or even the packed generic? Now I do not need help, do not want advice about safe network policies etc. I manage over 3500 computers, understand all the other layers of security, and have been an MCSE and MCSP for as long as they have existed.
I have always used Norton/Symantec products, but I just get the impression they are falling behind. I play with a number of machines to test what happens, and when I find that KAV and AV find more than the latest version of Endpoint Protection, I am concerned and curious.
Thanks for any comments.
Comments
SEP found virtumonde on a few
SEP found virtumonde on a few computers and removed it with no issues.
Anyone who is well versed in dealing with malware/viruses knows that no single program will find/remove everything. Even Malwarebytes (which I like a lot) misses things.
With the fast pace at which malware/viruses are being created... it's impossible for any one program to keep up with everything. This is why there are so many programs that do the same thing. The main thing is to have some kind of protection in place to help control the problem.
The virus definitions created
The virus definitions created by Symantec are the result of the suspicious files submitted by customers all over the globe.
The response team of Symantec is determined to analyze the submissions and create the definitions of the latest threats present on the Internet.
Cheers,
Aniket
Almost answered your own
Almost answered your own question -
>>to use the combined effort of spybot, malwarebytes, sdfix, sysclean, ad-aware, combo fix, smitfraudfix, spy sweeper and so forth<<
in that you have to use several other products to clean what SEP misses... won't just one do it?
My sites - http://theamcpages.com & http://antique-engines.com
Toy:
Shadow:
Machines like people
Machines like people get sick. Infections, viruses, trojans, spyware, worms, data miners, essentially all different types of Malware. Think of SEP as a doctor. A general practitioner at the Emergency room in a hospital.
You don't feel so good, so you go in. They run a bunch of tests and tell you that you are sick. Based on your symptoms and the eventual diagnosis, they send you to a specialist. Osteopaths, Psychiatry/Psychology, Dermatology, Oncology and so many more subdivisions of medicine.
Behind them, we have Pharmaceutical companies. Making "breakthroughs" daily to find new cures to evolving, changing and mutating diseases, viruses, illnesses, etc. Each developing their own brands and eventually spin-offs to generics.
Well, the same thing applies to a computer. Unfortunately, new "malware" of every shape and size is developed daily, with a million different intentions and purposes. It is simply impossible to expect a single application to find them all. Not to mention, taken with a grain of salt, half the applications mentioned earlier don't find them all either. Some of them can even be "false positives". Malware written with legitimate code to justly get around AV scanning. The legit code gets flagged as being malicious.
For malware to be
For malware to be successful, the coders will first look for an exploit to an OS, then assume what AV the majority of the world uses and reverse-engineer that. They can't reverse engineer all the AV-AS in the market and put it in one small file.
I bet you've already checked that the other AVs don't have false positives. The trojans you mentioned, vundo and packed.generic, are already in the definitions of SAV and SEP; I'm just not sure which version is infecting your system, and whether there are any follow-up actions made by SEP. It might fail on the first detection, but check the logs to be sure.
“Your most unhappy customers are your greatest source of learning.”
Hi Jazzwineman I agree with
Hi Jazzwineman
I agree with you. I also face this problem regularly, and every time the Symantec guys say to patch Windows. I know patching Windows is important, but the Symantec guys are not ready to accept that they are getting behind some other AV vendors.
We are the end users and they should take our words seriously, which will benefit them.
I forgot to mention one thing
I forgot to mention one thing
I like SEP more than other AV products because of its firewall and Custom IPS, which have saved me many times.
Again
I appreciate all of your comments and, doing what we all do, am aware of what you are saying. It is disheartening to find that Endpoint will run right over and miss what some of the free programs pick up and remove. All of us know what the scene is like and I think a couple of you hit the nail on the head: Symantec does not seem to be keeping up. How would they otherwise explain that what they missed is picked up by 6 free programs? Something is rotten in the state of Symantec (as well as Denmark).
Further
The standard default configurations on Endpoint also tell me that, despite all of their testing, the code producers at Symantec have no practical hands-on experience in dealing with day-to-day computer or network problems.
Internet Security Threat Report
I guess you haven't read the
Internet Security Threat Report yet. Read it once, then you will understand what Symantec is doing, and why some malware still gets missed.
http://www.symantec.com/business/theme.jsp?themeid...
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Hi Jazz...
I'd like to suggest you formally make an enhancement request for the products you are discussing through the ideas portal. We have PMs that review and "change status" of the ideas submitted, and short of guaranteeing it, I am quite confident your idea(s) will be reviewed/considered if you err on the side of helpful.
https://www-secure.symantec.com/connect/node/add/idea?add_context=691 Look forward to seeing those ideas!
Best,
Eric
Subscribe to the upcoming Security Newsletter - Log in, visit your profile, and click on "Newsletter Subscriptions!"
As I recall, this has been
As I recall, this has been discussed before. The discussion title was "Done with Symantec Products" or something. It contains statistical information on new threats found and how Symantec collects new malware.
Again, you've also hit it
Again, you've also hit it with this:
>>some of the free programs pick up and remove. All of us know what the scene is like and I think a couple of you hit the nail on the head- Symantec does not seem to be keeping up.<<
SOME of the free programs catch it.
I've had stuff in here that even the free apps missed! Some of them older ones, relatively speaking.
So while I basically agree, I submit to you that NO ONE, NOT ONE single company or product can or will catch them all.
But that being said, SEP seems to miss a lot of common stuff... they don't deal well with the phony or rogue AV, BHOs, and other things that appear to be friendly installs. Click on a bad web button and SEP seems to ignore it, but should ask: do you REALLY want to install this? Instead, it gets blindly installed or downloaded, and only after the files are installed and the registry entries made does it alert. But then the app is installed and SEP can't keep up, they are SO fast.
I think they need to be LESS trusting and MORE aggressive. I'd rather have SEP alert me to a REAL friendly install that I REALLY wanted instead of assuming that since it's from the web, I must have asked for it.
Block them ALL, let me choose the exception.
We are to the point of needing to operate from WHITELISTS, and not BLACKLISTS.
Block everything unless I tell SEP it's ok.
OR, if it comes from the web, port 80, block it unless I choose to tell SEP it's ok.
But again, everyone here seems to be missing their own statements - SOME of the free apps catch SOME of these things SOME of the time. Isn't that what they are complaining that SEP is doing?
And again - we've had stuff here that even the very very best of the other free apps have been unable to remove or find; I had to do those manually. So even the best misses now and then, in SEP's defense.
My beef - the heuristics seem to not do anything, PTP doesn't do anything. Never once seen an alert from either and they are all set to the max. I should be having false alerts or even real alerts up the wazzoo, but instead, nothing has been caught by proactive threat protection and not a single thing from heuristics, nuttin in nearly a year.
My sites - http://theamcpages.com & http://antique-engines.com
When you say Symantec doesn't
When you say Symantec doesn't catch enough threats... what vendor are you comparing them with?
De facto when AV does something, it starts jumping up and down, waving its arms, and shouting "Hey! I found a virus! Look at me! I'm soooo goooood!"
If you are referring to me -
If you are referring to me -
it's based on the number of things SEP lets not only get in, but allows to infect the machine beyond cleaning.
We've had more infections this year than ever before.
We are a SMALL agency! Only 300 users tops. SEP is set to max - PTP, firewall, and heuristics set to MAX setting. (I've not seen a false positive either!)
I know part of this is caused by the increase in the abilities AND the direction the bad guys are taking.
It's tough out there and they are breaking new ground and installing as BHOs, tricking folks into running installs by pretending to be AV apps, etc. - but should SEP not block those? Our users have NO administrative rights, so this stuff installs in the user's profile area - that should be a red flag....
(And MS should never allow any EXE or DLL to be allowed to run from a profile area! Ever. Microsoft is being dumb by allowing EXEs to install to and run from a PROFILE of a person with no rights. That's just plain dumb - it's stupid.)
But I'm not only comparing to the free products, I'm saying - WHY do things that are over a month, at times, over a YEAR old even get through the door and onto the hard drive? Why are these files not recognized and blocked at the door?
Further, why were they allowed to RUN and INSTALL after the files were allowed to be created. Some of these were not new by any means - they were not freshly released threats that were only out a few hours, or even new versions. They were well-known and well-documented things that MalwareBytes and Simply Super Software products did find and remove. A couple were a year old or more.
SEP should be able to block the file from even being created. In at least 6 cases just this year, it did not.
In one case the machine was so badly infected and trashed, I had to Ghost it. It was a common threat, months old.
In another, I had to manually remove the threats....
There are more.
With 300 users, 6 active infections (and several dozen I am not including in this because SEP did quarantine the files before they were able to execute)
Why did they even get created on the drive?
My sites - http://theamcpages.com & http://antique-engines.com
Variants are when the file is
Variants are when the file is packed in a different way (obfuscating the code)... like doing it with FSG and the other with ASPack; depends upon the algorithm, though.
The activities will be absolutely the same, but obfuscation is a major challenge right now for the AV industry.
As you have asked this
As you have asked this question I am answering it, because you should also know who is getting ahead of you.
When it comes to comparison with SEP, I compare with Kaspersky.
NTP works great in SEP, but what about AV/AS? Here it falls well behind Kaspersky.
I need a reply to this from all (especially Symantec employees/Tech Support).
Do you REALLY want to install this?
Well, Windows already asks "Do you REALLY want to run this application from the Internet?" and Vista is more annoying than XP with this kind of question. Adding another identical question in SEP would be very annoying.
You are right that a white list is a better option, actually it is possible to lockdown the system in SEP under Client > Policies > system lockdown (in blue).
Regards,
Giuseppe
We have to disable those
We have to disable those warnings in Vista due to the fact it asks every time you want to do ANYTHING at all.....
Only our IT staff uses Vista, and then we use it unwillingly.....
We never have seen such warnings in XP.
Why not make it an option anyway - then we could DISABLE the REALLY annoying ones in Vista that ask if you want to really get a cup of coffee and enable the SEP ones that can be CONFIGURED.........
Microsoft always seems to go the all-or-none route. It's either no security, or so tight you can't even print without being hounded "are you REALLY REALLY sure" and "are you sure you are sure, did you mean to click 'I'm sure'"
LOL
At least SEP allows us to configure the message and configure or choose when we see the message.
MS is simply annoying.
XP lets anything and everything run, never asks a thing at all -
My sites - http://theamcpages.com & http://antique-engines.com
Re: XP lets anything and everything run
At home I have XP Professional SP3 + IE 8 + Firefox 3.5, and every time I double-click on a .exe file that I just downloaded from the Internet, I get a pop-up regarding the security risk. I don't remember when and how this feature started to run, but for sure before SP3 and IE 8. For sure the browser is involved because, in some way, the file is marked as "downloaded from the Internet". I will investigate it and let you know.
Regards,
Giuseppe
Firefox does that for me.
Firefox does that for me.
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
Don't forget to mark your thread as 'solved' with the answer that best helped you!
Being the agency that we are,
Being the agency that we are, we must run IE - no exceptions except for IT staff, because all apps are written for or created to use with IE (cough, gag) and the quirks it has. Apps anymore are created to use the quirks, rather than be standards-based, but that's another topic! LOL
We DO get alerts IF you download a file and click to run it - download it on purpose, click to run it on purpose.
But these things are coming in with no one clicking on anything KNOWINGLY. The file downloads and executes totally in the background.
That is what SEP should be watching for - something I did not click on, didn't choose to download and run.
Yes, Firefox will warn you - but I've been to legit sites where the download and running of the app happened in the background and Firefox just let it happen because I did not CHOOSE through and in Firefox to download and run it.
Again, SEP should block those.
Unless I knowingly click a link or choose to download a file, or choose to run it, it should be blocked.
Even firefox allows files to download that are not images or HTML, etc.
EXE, DLL, and other such files, TMP and so on should be blocked by default.
You don't need DLL, EXE and TMP files to browse the web... so block 'em.
My sites - http://theamcpages.com & http://antique-engines.com
Re: That is what SEP should be watching for - something I did...
I tested my XP+IE 8, and IE 8 gives me the security risk alerts as well every time I download or run something from the Internet.
Regarding "That is what SEP should be watching for - something I did not click on, didn't choose to download and run.", I don't believe it is possible to code it.
If you REALLY did not click anything and something runs in the background, there is a vulnerability in a 3rd party product.
In a normal situation you ALWAYS click something to download something, just to open a webpage or click "yes" when the O.S. asks you if you are sure you want to do something; therefore, how can software or a person know if something that is coming from the network is malicious or not before the download is completed? When the download is completed, if it is a known risk, it is detected by the AV before it runs; if it is an unknown one, it cannot be detected before it runs and tries to do something strange that is detected by the PTP.
I hope I was able to explain this concept.
Regards,
Giuseppe
How do we mitigate issues?
NTP is doing a great job in our end of the world... and so is Proactive threat...
Symantec might have missed some like OGARD.exe, but several misses would not make me look at the product less since it has detected almost 99% of all infections... We even get false positives that we put in exceptions once operations confirm that it is legit...
That is why this site exists... for us guys to help in dealing with issues on this product...
I value Jazzwineman concern... since everyone does not want both his feet nailed to the ground...
If I were in his shoes, I too would be worried...
ACTION always comes first before REACTION...
Like viruses... it is just the same...
The only difference is how we HANDLE the concern...
Guys let us face it that there is no perfect AV/AS in the world...
They could only do much...
The rest is up to us...
Help them mitigate issues or drag them down to the ground...
It is good that all our opinions are welcomed in this forum...
at least we could weigh from both ends of the spectrum...
thanks...
Nel Ramos
Some thoughts
Someone above mentioned the way we in Support repeatedly insist on making sure all critical Windows updates are installed. That's very true, and that's considered a best practice: no point in locking the door if all of the windows are open. What is also important is to make sure all software in use is patched for security vulnerabilities: Adobe Reader, Microsoft Word, etc.
If non-admin users are able to download and install software from the web without prompt, I'd say it is probably time to examine Internet Explorer and other security settings via AD. :-) (And/or use an alternate browser that is not quite so tied into the operating system, but that is just my personal opinion.)
Bear in mind that, as someone mentioned, our definitions are created primarily in response to submissions made. If something that is really that old is making it onto a hard drive and is not being detected, I would wonder whether or not AutoProtect is functioning as it should. Try dropping an eicar test file on one or more computers that seem to be affected.
If any of these machines have had detections of threats involving backdoor capabilities, there may be security holes open that no antivirus can detect or protect against. Rootkits are similarly dangerous to the security of a system/network. Please see:
Title: 'Backdoors and What They Mean to You'
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008120313315548
I hope these documents will also provide some assistance and guidance:
Title: 'General security practices for network administrators'
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2004070210271548
Title: 'Example of an Emergency Containment Plan to respond to a virus infection'
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2001081711235448
Regards,
sandra
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
>> If non-admin users are
>>If non-admin users are able to download and install software from the web without prompt, I'd say it is probably time to examine Internet Explorer and other security settings via AD. :-) (And/or use an alternate browser that is not quite so tied into the operating system, but that is just my personal opinion.)<<
Even Firefox allows TMP and other files to download in the background when visiting a site, and the site then executes the files - probably through a script of some sort.
I've seen it myself.
Yes, this could be blocked in AD, but then updates wouldn't work either, thus my complaints about MS even allowing such things to download or run in a user's profile area.
(See my article on blocking bad BHOs via SEP application control. It's how I get around some of this.)
The next step would be to create a rule that says NO EXE and NO TMP files can ever be in the web cache area... but then I'm afraid updates and other things would break!
I fully agree with and 100% support tech support's wanting the OS and apps to have the latest patches! After all, some of these threats exist and/or get in due to holes in products; Adobe are the worst, MS is right there, there are others.
If you don't keep Reader, Flash, IE and Office current, you are asking for trouble and allowing known holes to persist.
My sites - http://theamcpages.com & http://antique-engines.com
"Even Firefox allows TMP and
"Even Firefox allows TMP and other files to download in the background when visiting a site, and the site then executes the files - probably through a script of some sort.
I've seen it myself."
You mean explicitly (by clicking on a link) or implicitly (just by visiting)? If the latter, I think the way around that is to disable Javascript, Java, etc.... :)
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
LOL - yes, disable SEM
LOL - yes, disable SEM console! Disable MS UPDATES! Disable half the web sites out there! Disable FORUMS.
That's what disabling Java and Javascript will do for us, besides disabling half the in-house and state web apps.....
That'll do it! Throw out the baby with the bath water...
Why can't sep recognize a script that EXECUTES a file with a TMP or EXE or DLL extension?
My sites - http://theamcpages.com & http://antique-engines.com
(All of the above being
(All of the above being said... I still believe SEP is the best out there "overall". Just that things could be better.....)
My sites - http://theamcpages.com & http://antique-engines.com
I don't agree with you ShadowsPapa
I don't agree with you ShadowsPapa.
I believe the NTP/Firewall of SEP is the best, but AV/AS fails a bit with detection.
I request all Symantec guys to do something about this and not to give excuses.
Sometimes I doubt whether Symantec is serious about its AV products or not? Maybe it's focusing more on backup and other products.
SEP missing known viruses
"WHY do things that are over a month, at times, over a YEAR old even get through the door and onto the hard drive? Why are these files not recognized and blocked at the door?"
This is my biggest beef with SEP AV protection. The PC gets infected and SEP does nothing until I force a scan then multiple hits are detected. I don't understand why it blocks some from ever getting onto the PC and others just run rampant until a scheduled scan runs or a user clicks on an infected file.
I manage over 3,000 PCs spread over the globe (and in particular SE Asia, which is virus heaven) and I spend way too much time fighting infections that IMHO should never have happened in the first place. We have a very mixed environment, but I have seen this on fully patched WinXP SP3 machines that do not have admin rights, open shares etc. Most ports are open only to our server VLANs.
It's not a case of the definition not being able to detect it since as soon as you scan the PC SEP blows up with detections. It's a problem with the threat getting on the PC to begin with.
Any suggestions for helping prevent this are welcome, other than going with a different AV product. We're simply too embedded now and we run mfg 24x7 so changing anything is exceptionally painful.
Spywares and Downloaders
Why do you think these AV Doctor, Personal Antivirus, AV360, XPAntivirus and these Fake AVs are the only ones that you complain about the most, rather than Worms and Vundo and other Spyware like MisleadingApp, Infostealer etc.?
You will get an idea if you read the Symantec report on the Underground Economy.
Since last year it has been noticed that these Fake AV or Fake Security/System Applications have become very common everywhere, because nowadays this is not just for fun, this is real business.
People who create this Application also keep track of which antivirus is detecting them. Don't just think there is just one person sitting somewhere creating this Malware and posting it everywhere... there is a huge network spread across the world doing this.
They have the websites hacked; if one Malware gets detected, they simply change a bit in the code and replace it on the Web so that now it shouldn't be detected.
Don't forget, even they have access to virustotal.com.
Once the file is changed it will survive for a few days and again get detected, and again the program will be replaced.
People who are making money out of it are not that stupid that if their product gets detected they are out of the market.
When they change the program, sometimes they change the whole program, giving it a new name, or sometimes they just change the internal coding, leaving the filenames and registry entries the same with some slight changes in locations; sometimes even the location of any file won't change.
The very first thing they do is add an IE plugin to your browser, which makes its work easier to work efficiently in the background and control your computer.
So you shouldn't be surprised to see a malware getting detected on a computer and the same malware downloaded from some other location not getting detected.
>> Why do you think these AV
>>Why do you think these AV Doctor, Personal Antivirus, AV360 XPAntivirus and these Fake AV are the only one that you complain about the most rather Worms and Vundo and other Spywares like MisleadingApp , Infostealer etc..<<
They are not the only ones I'm complaining about, just the easiest to refer to.
I am referring to Vundo and misleadingapp and many others, too! In fact, 3 of the more recent cleaning jobs I've had to do were these, NOT the phony av apps. The one that trashed a computer a few days ago wasn't a phony/rogue av app.
I am all too familiar with the reasons the others are so prevalent - I study that because it's my job.
I know all about the browser add-ins and helpers, too - thus my article on blocking them with SEP via application control.
It's not just "business", it's criminal behavior too - there are often crimes involved - identity theft, keyloggers, etc.
Been in it since 1988 or so (wow, about 22 years!) - shortly after the very first PC viruses and about the time Peter Norton became involved... used the very first versions of AV products, literally v1 and v2 of several apps. (Anyone remember the computer condoms??)
Yes, ok, so I admit it - I'm old!
>>They have the websites hacked if one Malware gets detected they simply change a bit in the code and replace it on the Web so that now it shouldn't be detected.<<
Ah, so you are with that supporting my contention that heuristics rather than definitions should be the focus! That's what I'm attempting to get at, too. Get off the specific definitions kick, OR make the definitions a bit more generic. I'd put up with a false positive a month if it would also detect more bad things. (However, I can't remember the last time we ever saw a false positive here, so that means it's a bit TOO lax, IMO.)
If all it takes is such a simple change in the rogue code, then SEP needs to have a change in strategy. That's pretty bad, admitting that the bad guys only need to change a bit to keep SEP from detecting it.
Besides, Kaspersky (with an excellent hit record) and others DO catch these in most versions, even very recent ones. Malwarebytes catches 'em, for example....
How come they do it?
OTOH, this speaks to the LAME security and LAME webmasters out there today. Kids who think they are geniuses because their flash looks so cool - but they let even amateurs hack their sites...
But I'm not placing emphasis on just the rogue av apps, I'm referring to a whole list - a spreadsheet full of things from our logs and my notes on manually cleaning computers here. Only some of them are those rogue av apps.
My sites - http://theamcpages.com & http://antique-engines.com
A. Note I said "over-all" -
A. Note I said "over-all" - there are still some weak spots - each has weak spots.
B. I agree - when you run a manual scan or a scheduled scan these are often then found!
But how did they get there? I get a call that a user says their machine is infected - it was a web rogue app warning and it worries them. It's NOT a warning from SEP. However if I right away trigger a full manual scan, SEP then says it found infected files.
Really? How did they get there? AP misses; manual scans or scheduled scans may catch them (and I'm not talking days later with new defs, either - I'm talking minutes later).
So one says the files are different because of encryption or packing differences - what about heuristics? Back in the 90's it was stated that definitions would be old skool and gone by the next century. This is the next century, 10 years into it.... and heuristics is still an "oh, by the way" thing with the emphasis on definitions.
If I'm browsing the web, and a TMP file is created and executed, RED FLAG!
My sites - http://theamcpages.com & http://antique-engines.com
@ShadowsPapa
I'm in the same boat as you are, just multiply x10+...and throw in terrible security from the factories in SE Asia we acquired...
*aside* Is that a GTO in your pic?
1970 Javelin, although a
1970 Javelin, although a couple of good friends have 65 and 66 goats
http://theamcpages.com/images/javelin/suspension/javelin-new-tires003.jpg
My sites - http://theamcpages.com & http://antique-engines.com
Just some observations
I am doing 'virus' schtuff for an agency that has about 25K workstations.
Most still using SAV 10. We are also running SEP in a Pilot.
What I do notice is that SEP is not picking up as much as SAV.
About Symantec's response to outbreaks... Well, we had a bad one here. And they were doing what they could. And it worked. We got information from US-CERT that was by far not as good (laughable is the word I was looking for) as what Symantec was providing us. With this outbreak, the makers were publishing new variants faster than any AV vendor could keep up with. In this case, Symantec was the only major player that actually detected this Malware. None of the others did. It took McAfee about a week to catch the same infection. Same as the other major players.... Symantec did a great job on this one.
Point is that no AV vendor will detect everything all the time, every time. If you expect that, you are stupid.
But I do have to agree with some of the comments: Symantec is behind a lot of the others in detecting some of the Malware. Spysherif variants, you name it. The 'fake' AV software crap. They should and can do a lot better.
From some of the comments from the Symantec employees, you could think that Symantec waits till customers submit a sample. That is not the case, I hope. And Symantec cannot expect that all customers are able to submit samples. Sometimes the knowledge is just not there. How do you recognise a false positive? Or a false negative? What files do you need to submit? If you can even find them. Not all customers have that knowledge. Some customers solely rely on their AV vendor to prevent infections; that is why they bought the application in the first place. They do not want to be bothered with hunting down infections.. That is what they pay companies like Symantec for... And that is what I am seeing in the comments.. SEP is not doing what it is supposed to do. At least that is the perception. And it is mine as well. Too many variants of known Malware are getting thru and infecting workstations.
johnsn well said, I agree.
johnsn well said, I agree. That's been my experiences, too. They DO respond and respond well. Defs have arrived here within minutes after submissions, shocked the #$^% out of me!
And I agree that not all can submit - some just like you said, just aren't there yet technically.
I spend an incredible amount of time on "clean-up" and investigations.
Multiple reasons, I know........ some is the changing face of threats.
My sites - http://theamcpages.com & http://antique-engines.com
I will somewhat disagree
First of all, the virus definitions used by SAV and SEP are the same. So it can't be that one is detecting more than the other (if the defs are old on SEP then that's a different case).
Proactive Threat Protection was a feature I was really not sure why Symantec added in SEP until this January, when the PTP scan actually started detecting a few Bloodhound heuristics. Lately I have seen not many, but a few, detections from PTP, and there were questions like how to get rid of them and so on. However, I do agree heuristics should be increased (maintaining the level of false positives).
It's not that Symantec completely relies on submissions from customers; it has more than 240,000 sensors in over 200 countries,
but the number of files submitted by customers is more than from the sensors, just because Symantec has so many customers all across the globe.
It's not about which files I should submit and false positives etc.
Submit any files that you want to; if it is already submitted or if it is a known good file, you will get a response within 2 minutes.
Only if it is a new file does it go to the Security Response people to create the definitions for it. So you can submit any file you want.
If you don't have any support contract, simply submit it to https://submit.symantec.com/retail
So after all this discussion, should we come to a conclusion that we should add an IDEA to increase PTP heuristics?
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Definition content may
Definition content may technically be the same, but trust me - it's working out differently! I agree with JohnSn.
>> Its not that Symantec completely relies on Submissions from customers it has More than 240,000 sensors in over 200 countries <<
They may have "sensors" and honeypots, but that won't catch much of what comes down from sites and email, etc. Again, I know all about their honeypots and how many and where, etc......... they've been around for quite some time. But not everything can be caught that way. So customers DO need to submit - anything that SEP or SAV don't already fully catch or block should be submitted, IMO. I've received updated definitions more than once in the last couple of months due to manual submissions.
Submissions bring up another thing - I don't have time to submit literally dozens of files constantly - that's what Quarantine Server should be doing. They need to revive that and develop it. It's crazy to expect we administrators, with so many things to do already, so much responsibility, to sit and submit files constantly. AUTOMATE IT! Oh, wait, they already did that with SAV, ok, then support it! Give it DEFINITIONS updates! It was a brilliant addition to SAV, not sure who's *not so brilliant idea* it was that it wasn't needed or wasn't worth keeping...
Make defs for q-server! Keep it current! Let us use it! We need it!
I don't have time to sit here and submit samples all week. Q-server should do that for me - it did for SAV. Why abandon it now?
PTP does nothing for us - it's never caught a thing. Not sure it even works.
I think it's pretty clear
I think it's pretty clear that the days of signature based malware detection are coming to an end. SEP has several technologies that are designed to overcome the weaknesses of a 'reactive' malware solution. NTP has already been mentioned along with PTP. However, the technology with the greatest promise, in my opinion, is System Lockdown.
For those of you who are unfamiliar with System Lockdown, it works as follows. The admin generates a 'fingerprint file' that contains an MD5 hash of all executables on an image. Whenever an executable attempts to load, SEP compares its MD5 hash to the list. If the hash of the executable is not on the list, SEP will kill it. So, even if malware were to be loaded on the PC, it would not be able to run. This also completely prevents users running unapproved apps, or unapproved versions of apps.
I have done some fairly extensive testing with System Lockdown, but unfortunately a fatal bug prevented me from going further. The bug is supposed to be fixed in RU5. If it is, I will report back on my results.
I realize that using System Lockdown will demand new procedures from my IT staff that will cause some resistance. Everything will have to be installed in a lab environment, tested, fingerprinted, and tested again before it can be generally deployed. Any new piece of software or upgrade will have to go through the testing phase, and all installations will need to be automated to ensure consistency. There won't be any more 'quick fixes' or 'Gee, let's see if a new version fixes your problem' types of solution.
I work in Government, so we already have fairly strict policies regarding software, and all of our users are restricted, so there won't need to be a big cultural shift in the organization. In other organizations, introducing System Lockdown would be more difficult. However, I really do think that the days of letting users or techs simply install a software package they downloaded to accomplish a short term task are at an end. Each new package brings new risks, additional security research, and new patches that must be added to the patch management system. If we don't control what goes on the user's desktops, we will always be at the mercy of a stupid mouse-click or a clever criminal.
So Peter how do you handle
So Peter how do you handle updates? Since all those DLLs and EXEs change every few days thanks to Mickysoft....
And Adobe - reader, flash, etc. - the constant patches and changes......
Such a lockdown wouldn't work here. Too many patches that must by law and order be applied. And we have less than 5 days from the release of any MS patch to get it applied agency-wide or we can be in trouble.
It's a good idea and I like it - but when a manager gets a new desktop printer and calls helpdesk and wants it installed today.... what would we do, say sorry, we can't install your printer for you?
HP and others keep changing their drivers and other software, printer models come in and out weekly. How would you account for that? 4 new printers needed this week - oops, that model is dead, we have to get the new replacement model, new drivers and software and exes - what to do, tell 'em, sorry, can't help you! You're SOL because your system is locked?
That will never fly.
Shadow Papa, For updates,
Shadow Papa,
For updates, what I plan to do is as follows:
1. Approve an update for a lab group in WSUS. These machines will not have System Lockdown configured.
2. Once the updates are installed, fingerprint a machine with the updates.
3. Add the fingerprint file to the SEPM and turn ON system lockdown in log only mode for the lab group.
4. Test essential apps and functions on the test group and verify that the logs are clean.
5. Add the new fingerprints to a test group in my production environment and approve the update in WSUS for that group.
6. If that group has no issues, apply the new fingerprints to the rest of my SEP groups and approve the updates.
Since we always go through a testing cycle with updates anyway, this won't be a huge change for us. I think the 5 day requirement you are forced to work under is unwise, since it allows very little time for testing and evaluation. Not all MS patches are trouble free.
As far as the manager's printers, yes you tell them they're SOL until the printer software has been tested and approved. In our agency, all IT purchasing goes through IT. So we have control over what comes in and we always test before we deploy.
Obviously in order for this to work you need to have a strong IT section that is supported by management, a standard image/images that ALL standard users must use, and a total restriction on new software and hardware that is not approved by IT. For many organization this would be a big cultural shift, but I think one that is worthwhile for many reasons. From a support point of view, standardized software and hardware makes the job much easier and more cost effective. From a security point of view, severely limiting administrative rights and allowing ONLY approved software on the network is essential, in my opinion. Culturally, I think it is important to change the attitude that non-technical people should be able to make technical decisions and leave IT to 'make it work'. Not only is this inefficient, in the current security climate it is an indefensible risk.
People can do whatever they want with their home PCs. At work, not so much.
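The lockdown mechanism Peter describes above (hash every executable on a lab image into a fingerprint list, compare the hash of anything that tries to load, log or kill what is not on the list) together with his six-step patch cycle, as an added example written for this page. It is not SEP's own code: the fingerprint file format, the set of file extensions treated as executables, and the use of SHA-256 in place of the MD5 the post mentions are all assumptions, and the "image" it fingerprints is a constructed temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Which file types count as executables for fingerprinting. This is an
# assumption for the example; SEP's own selection rule is not on the page.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx"}


def file_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Hash of an executable's bytes. The post describes MD5; SHA-256 is used
    here (assumption) because MD5 collisions are practical, so an attacker
    could craft a binary whose MD5 matches an approved one."""
    return hashlib.new(algorithm, data).hexdigest()


def fingerprint_image(root: Path, algorithm: str = "sha256") -> dict[str, str]:
    """Walk a lab image and return {hash: relative path} for every executable."""
    fingerprints: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            fingerprints[file_hash(path.read_bytes(), algorithm)] = str(path.relative_to(root))
    return fingerprints


class SystemLockdown:
    """Allow-by-hash policy with the two modes from the thread: 'log' records
    unknown executables but lets them run, 'enforce' blocks them."""

    def __init__(self, fingerprints: dict[str, str], mode: str = "log", algorithm: str = "sha256"):
        if mode not in ("log", "enforce"):
            raise ValueError("mode must be 'log' or 'enforce'")
        self.allowed = set(fingerprints)
        self.mode = mode
        self.algorithm = algorithm
        self.events: list[tuple[str, str, str]] = []

    def on_execute(self, name: str, data: bytes) -> bool:
        """Return True if the image may load. Unknown hashes are logged in both modes."""
        digest = file_hash(data, self.algorithm)
        if digest in self.allowed:
            return True
        action = "blocked" if self.mode == "enforce" else "would-block"
        self.events.append((name, digest, action))
        return self.mode == "log"

    def update(self, new_fingerprints: dict[str, str]) -> None:
        """Steps 5/6 of the cycle: merge hashes taken from the patched lab box.
        Note that merging keeps the superseded hashes, so an old, vulnerable
        build stays runnable until it is explicitly retired from the list."""
        self.allowed |= set(new_fingerprints)


def patch_cycle_demo() -> dict[str, object]:
    """Run the thread's procedure against a throwaway directory tree (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp)
        (image / "Windows").mkdir()
        (image / "Windows" / "kernel32.dll").write_bytes(b"MZ kernel32 build 1")
        (image / "Program Files").mkdir()
        (image / "Program Files" / "app.exe").write_bytes(b"MZ app 1.0")
        (image / "readme.txt").write_bytes(b"not executable")

        gold = fingerprint_image(image)                # step 2: fingerprint the lab box
        lockdown = SystemLockdown(gold, mode="log")    # step 3: log-only on the lab group

        # An unapproved download and a freshly patched DLL both land in the log but still run.
        ran_malware = lockdown.on_execute("Temp/setup.exe", b"MZ fake antivirus 2009")
        (image / "Windows" / "kernel32.dll").write_bytes(b"MZ kernel32 build 2")  # patch applied
        ran_patched = lockdown.on_execute("Windows/kernel32.dll", b"MZ kernel32 build 2")

        # Steps 5/6: re-fingerprint the patched lab machine, merge, then enforce in production.
        lockdown.update(fingerprint_image(image))
        lockdown.mode = "enforce"
        patched_allowed = lockdown.on_execute("Windows/kernel32.dll", b"MZ kernel32 build 2")
        malware_blocked = not lockdown.on_execute("Temp/setup.exe", b"MZ fake antivirus 2009")

    return {
        "gold_count": len(gold),
        "log_mode_let_run": ran_malware and ran_patched,
        "patched_allowed_after_merge": patched_allowed,
        "malware_blocked_in_enforce": malware_blocked,
        "events": [(name, action) for name, _, action in lockdown.events],
    }


if __name__ == "__main__":
    for key, value in patch_cycle_demo().items():
        print(f"{key}: {value}")
```

The log-only pass is the part worth keeping: the "would-block" events from the lab group are exactly the list of updated binaries (or forgotten tools) that must be fingerprinted before the policy is switched to enforce, which is what makes the five-day patch window discussed above workable or not.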
I agree with you...The "S&D"
I agree with you... The "S&D" should have been enhanced rather than dumped.
De facto when AV does something, it starts jumping up and down, waving its arms, and shouting "Hey! I found a virus! Look at me! I'm soooo goooood!"
For system lock down, why don't you use Microsoft GPO to do it?
For system lock down, why don't you use Microsoft GPO to do it? It is easy and flexible.
GPOs sort of work. They are a
GPOs sort of work. They are a joke in themselves. We can't even get the screen to lock reliably with GPOs, and it's not as simple as all that in some organizations.
We find policies unreliable and some things just can't be accomplished.
Re: some of the previous posters
Vikram,
you are right. Symantec has a large network of sensors. And they find tens of thousands of samples they use. Just the sheer number of what they find is a pretty impressive amount of work. What customers submit is just more to work with. And working those findings... Well, picture yourself finding one piece of persistent Malware on your network. The amount of work it takes to clear it. Picture this tens of thousands of times. Finding out what that Malware is doing, how it behaves, is it possible to prevent infection or is it better to let the infection happen and clean up afterwards? It is mind boggling.
I think that in general, Symantec is doing a good job. Particularly Business Critical Systems and Security Response, although Security Response could use a few more Tech writers to keep their write-ups up to date.
And about virus definition files. Yeah, they might be the same but the technology is different. SAV uses an old Intel library. SEP does not. SEP was a new design. And Symantec has a lot riding on it. And just that part is making the difference. It is a new design, new detection methods.
Shadowpapa,
SEP also has a Central Quarantine. It is actually the 'old' CQ that was used with SAV. Works the same way, including all its restrictions. It is a separate installation. I am using it.
ChenH,
GPO's work nice for lock down and preventing users from 'playing'. It does nothing for holes in the OS that can be used by Malware.
GPO's in general are like locks on the front door: they keep honest people out.
Is symantec working any new
Is Symantec working on any new technology to improve its detection rate, or the same wait-and-watch game of releasing a signature when they receive a new file?
If system lockdown was the
If system lockdown was the answer to all prayers we would not need any SEP or AV products anymore. This feature could be hardcoded to the motherboard on delivery and when all software that the admin has approved is done you just "lock the system" with a switch. After this nothing can change the software. Any virus that you might get in to your system could only affect your ram and would be cleared after a reboot (since it could never write to hdd or affect any boot or system files).
For this feature you really do not need SEP. The big challenge is to really make this approach work and still be able to change your software on the machine. I do not believe in system lockdown at present. Not until it will be easier and faster to administrate.
One question!
Did you who got viruses slipping through to your pc's have the latest Microsoft patches?
One thing that Symantec will never be able to do is to protect a pc from vulnerabilities that a patch is causing. Since the vulnerability is on such a level (for instance in IE) that it is invisible to SEP until it infects the pc and turns itself visible.
Why is the virus invisible? Because it does not act as a virus when it uses the vulnerability. It acts as an allowed component and does not do anything illegal.
And if Microsoft is fully patched did you also check Adobe Reader and all other stuff that is communicating with Internet if they are fully patched?
When you (Jazzwineman) say that there are other programs that get rid of these viruses and that SEP cannot do it, you are talking about removal tools specialized in particular infections. They are limited to a certain number of known infections. These removal tools do not do much to protect your pc but mainly focus on removing after the pc has been infected.
SEP is focusing on protecting the pc before it gets infected. But I agree that I think that Symantec should make more removal tools themselves and either integrate them in to SEP or make simple links from SEP (when you are infected) to a removal tool.
I am tired of all the generic messages from Symantec about how to protect yourself from viruses and stop system restore and reboot and do a full scan etc.
Other vendors have better information (and removal tools) for most of the common viruses that are difficult to remove. Here Symantec need to improve a lot.
One questioned answered
What I am saying is that while I understand the method by which attacks slip in, I find it somewhat incredulous that I have paid for arguably one of the best AV programs, and when I do all they suggest, they (SEP) do not even pick up older and common problems that I find free programs do. Something there is not making sense. I am referring here to after-the-infiltration scans. How can I have faith in a company that misses, on scan, older problems that Spybot or others find with ease?
>> One question! Did you who
>> One question!
Did you who got viruses slipping through to your pc's have the latest Microsoft patches?
One thing that Symantec will never be able to do is to protect a pc from vulnerabilities that a patch is causing. Since the vulnerability is on such a level (for instance in IE) that it is invisible to SEP until it infects the pc and turns itself visible.
Why is the virus invisible? Because it does not act as a virus when it uses the vulnerability. It acts as an allowed component and does not do anything illegal.
And if Microsoft is fully patched did you also check Adobe Reader and all other stuff that is communicating with Internet if they are fully patched?<<
In answer to your questions, YES, YES and YES. We patch, we keep MS products current, we always patch top security issues right away (sometimes the patch is worse than the bug, however) - we keep current.
We've never had an exploit to the Adobe stuff get in but I lock Adobe products down really tight and strip the !@#$ out of them when I build images. NO scripting allowed, etc. for example Reader is allowed to display a PDF and little more.
MS patches are applied the same week if not sooner. We never let computers go by without patches; to do so would be just plain stupid to say the least. Gripe about burglars getting in but leaving the Windows wide open??
Nobody has yet properly
Nobody has yet properly explained why Symantec missed some malware that is almost a year old. I'm not even sure if it is really true or just caused by a faulty install.
Add to these the number of legitimate software packages used for administration, auditing, interconnectivity that seem to be using malware technologies to do their thing. And then the security holes in the legitimate software. An example of this is the one on Flash that was found only last year that has been around for more than that. Like several versions back. And the patch would mean updating to a whole new version. Think how many have already created a script to exploit that. The ones usually downloading the latest app and then trying to find security holes in that (day zero) and then hope he's a good guy and reports the problem, doesn't get sued in the process and has it fixed. Not one that would really try to exploit it for other motives.
“Your most unhappy customers are your greatest source of learning.”
I can explain for my own part why
In my organisation we have sites maintained by different admins. All should follow a certain standard but they all do it their own way.
We all run SEP centrally with the same policies and so on. What we do not run centrally is the patching of Windows.
We have had the same scenario where one site suddenly got infected by a one year old virus spreading from one pc to the other, but they never infected anybody that was not maintained by that site. The reason for the spreading was that these machines had not been patched for years! These machines were vulnerable to many different viruses and even though SEP could detect the virus it could not stop them from entering.
Keeping a machine patched is more important now than ever. The source where the virus comes from can sometimes be difficult to find. If you for instance have an infected pc in your network that you do not know of (could be an old production machine with no virus protection on it) that you forgot about, it can easily infect each newly installed system before it is patched and installed with SEP.
re: Maximillian - One Question
Hi Max, I have to disagree with you somewhat.
Symantec is protecting against a lot of vulnerabilities in the OS. What they do is design detection against the exploits of that vulnerability. Unfortunately, they are not always able to do that because of the characteristics of the vulnerability (MS09-034 for example).
So basically, Symantec is offering a solution to a problem that is caused by Microsoft. Not bad, I would say.
You can patch workstations before you hook them up to the network. Look for something called Patchmate. There is an XP and a Win2k3 version. Works great. And you can update virus definitions before you hook that workstation on the network. That way you should be protected from 'resident evil' (aka Malware roaming around your network). This procedure can save you a lot of headaches.
Another pointer: never make the 'Everyone' group a member of the local Administrators group. Or if you are using Active Directory: never put 'Authenticated Users' in the local Administrators group. Your company does not have a big enough budget to buy the aspirin you need to fight the headaches you will have.
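A quick check for the pointer above, as an added example written for this page (not something from the thread or from Symantec): parse the output of `net localgroup Administrators` and flag the well-known principals that should never be local administrators. The sample output embedded in the block is constructed, and the list of forbidden names is an assumption that you would extend with whatever groups your own policy forbids.

```python
import subprocess

# Principals that must never be members of the local Administrators group.
# 'Everyone' and 'Authenticated Users' come from the post above; `net localgroup`
# prints some of these with an "NT AUTHORITY\" prefix, so matching is done on
# the final path component, case-insensitively. Extend this set for your policy.
FORBIDDEN_ADMIN_MEMBERS = {
    "everyone",            # S-1-1-0
    "authenticated users", # S-1-5-11
}

# Constructed sample of `net localgroup Administrators` output from a badly
# configured box (not captured from any real system).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
NT AUTHORITY\\Authenticated Users
CORP\\Domain Admins
Everyone
The command completed successfully.
"""


def parse_net_localgroup(output: str) -> list[str]:
    """Return the member names from `net localgroup <group>` output.

    The member list starts after the line made only of dashes and ends at the
    'The command completed successfully.' footer."""
    lines = output.splitlines()
    separator = next(
        (i for i, line in enumerate(lines) if line.strip() and set(line.strip()) == {"-"}),
        None,
    )
    if separator is None:
        raise ValueError("no member separator line found in net localgroup output")
    members = []
    for line in lines[separator + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            continue
        members.append(line)
    return members


def forbidden_admins(members: list[str]) -> list[str]:
    """Members whose final name component is one of the forbidden well-known groups."""
    flagged = []
    for member in members:
        short = member.rsplit("\\", 1)[-1].strip().lower()
        if short in FORBIDDEN_ADMIN_MEMBERS:
            flagged.append(member)
    return flagged


def audit_local_admins(group: str = "Administrators") -> list[str]:
    """Run the real command on a Windows host and return the offending members.
    Raises on non-Windows hosts or if `net` fails."""
    result = subprocess.run(["net", "localgroup", group], capture_output=True, text=True, check=True)
    return forbidden_admins(parse_net_localgroup(result.stdout))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(forbidden_admins(parse_net_localgroup(SAMPLE_OUTPUT)))
```

Run `audit_local_admins()` from a logon script or a scheduled task and report any non-empty result centrally; a box where it returns `['NT AUTHORITY\\Authenticated Users', 'Everyone']` is one where every user, and therefore every piece of malware they launch, already runs as an administrator.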
I am currently in a similar situation as Maximillian. Our client does not have patch management. And they will only patch their OS if it goes through the necessary approval from management, one request per department and a separate one for each server. And they're having problems delegating the task. We're in charge of Symantec Products and another set of contractors are in charge of everything else. It's like playing 'Hot Potato'!!!
BTW: I like JohnSn's term 'Resident Evil' - I think I'll start using that here. :P
@Mon
I read your Blog as well... the client you are working with right now must be a real headache... I still remember a client which was infected with Downadup and still they were not approving the MS patch for that worm... We had to struggle a lot to get that approved, and even then the quality team said we can apply the patch on the clients but not on the critical servers... to patch the critical servers we again had to wait a month.
What a nightmare that was...
>>Shadowpapa, SEP also has a
>> Shadowpapa, SEP also has a Central Quarantine. It is actually the 'old' CQ that was used wth SAV. Works the same way, including all its restrictions. It is a separate installation. I am using it. <<
I guess you have not followed Symantec's own admissions - they have not kept it up and do not furnish definitions for it except weekly! That's hardly working, IMO.
I use it too - but it can't and won't submit over half of what's put in there, and it can't get defs but one time a week, and can't actually integrate with SEP like it did with SAV.
Their own admission is that they would like to see it die and no one use it.
That actually made me quite upset - almost angry that they would tell me it's not a good tool and I don't need it.
See, when a company tells me what I do or don't need, and how I should do a job I've been doing since the late 80's - longer than almost ANY of THEM have been at it, and they have NEVER been in the trenches like we out here have, I get a bit testy.
@Vikram Kumar-SAV to SEP "
@Vikram Kumar-SAV to SEP
" First of all Virus Definitions used by SAV and SEP are the same.So it can't be one is detecting more than other..(if the defs are old on SEP then thats a diffrent case..)"
I have confirmed this on several occasions both with SAV and with SEP. Goes back as far as v7. We've verified this many times. You'll have SAV Vx with current definitions and as soon as you upgrade it starts detecting threats that have been on the PC for some time. Happened going from SAV 7 to 8, 8 to 9, 9 to 10...
With SEP we've seen it a lot with the fake AV threats and SEP MR2. Upgrade it to MR4 and it instantly starts detecting the threats. Not sure with MR3, we jumped from MR2 to MR4.
It makes me wonder what MR5 will detect that MR4 is now missing...
Rgds...
Scan Engine
So do you mean to say Scan Engine of SAV 10.x is stronger than SEP 11's scan engine ?
Not sure really...
I haven't tested a SAV10 install against a SEP install to see if they detect the same. My guess based on past history is SEP is as good or better than SAV at detecting. I do know that SEP MR4 is better than SEP MR2 at detecting threats with the exact same definition. We've had PCs that were obviously infected with a fake AV threat running SEP MR2 and auto-protect shows nothing and a manual scan comes up clean. If we upgrade to MR4 the auto-protect immediately starts detecting and a manual scan finds several infections. Unfortunately MR4 still does not do a very good job of actually permanently getting rid of the fake AV threat.
Standing orders for my crew are to upgrade any SAV install they come across to SEP. I'll ping my guys and see if they've noticed SEP detecting threats that SAV failed to detect.
Re: ShadowPapa
I hear ya. We are not using the CQ full circle. Just to see what is out in our environment. We have disabled automatic submissions to Symantec. So how does it work from Symantec to us? It does not, because we have blocked that. So if there are any changes there, we are not aware of it.
But I definitely agree with you that they need to expand on the CQ, give it more capabilities, or at least increase the number of samples it can hold. In our organisation, 5K samples is not a lot. Especially when you are dealing with an outbreak.
@Mon: Resident Evil can be seen as Malware or "Malicious Users" 8-))) (you know, those users that will, no matter what, have the latest and greatest Malware infections, over and over again...)
My new invention for Resident Evil users
The mousetrap keyboard... can be remotely activated by the sysadmin and will crush the fingers of anyone who repeatedly infects their PC. Particularly useful when dealing with hot-shot travelling sales guys who are way too important to listen to anyone or anything.
"I see the problem..., no, it's not ok to download illegal copies of virus infested mp3's from Kazaa. Yes, just place your hands on the keyboard and be careful not to move..."
Problem solved... :-)
Let's stay on topic
Let's stay on topic please.... :)
Hi all...first time poster
Hi all...first time poster here, but I've been peeking at threads on and off. I thought I would chime in a little here.
First off - Be careful when you say that Symantec cannot protect a pc from vulnerabilities because we actually can, just not with SEP. Our Critical Systems Protection software has the ability to do this. It has been proven in thousands of tests that with a hardened SCSP policy applied to a completely unpatched XP or Server 2003 machine left in the wild with no AV software on it at all, that it was never infected or exploited.
A lot of the times, and I'm not saying this is the case here, we see environments grossly misconfigured. I've seen policies deployed and the lock for Auto Protect was left off. We ran a report and 30% of the environment had Auto Protect disabled. I've seen scans changed from "All Files" to specific file types. Then when something like Conficker comes around and starts dropping QSP files which are not in the listing of file types, the infections spread like mad. Vulnerabilities are major contributors as well. And then there are the unmanaged machines that connect to guest wireless, and with poor security boundaries at the network level, the infected PC starts to spread.
I've also unfortunately been part of 1 or 2 new variants where it's my customer that is submitting infected files to Security Response in order for us to generate new definitions. It doesn't happen too often, but it does. Our GEB was catching the threat and identifying it as a previous variant, but the payload was different, so bits and pieces of the new variant were getting left behind and re-infecting.
So yes, I know I still haven't answered your original question of why does our engine miss some malware while others don't. I'd be happy to take this back to product management and see if they have any thoughts. I will point you to an independent AV comparison site for you to take a peek at a test they ran in February (yes, I hope they run a new report soon). http://www.av-comparatives.org/images/stories/test/ondret/avc_report21.pdf
One thing to note is that the top two most effective AV solutions also have a false positive rate of 'many' vs ours and other well known competitors which have a false positive rate of 'few.' I'm sure we could be more effective as well if we wanted to take the extra risk of catching files that were not malicious. You'll also notice that we're 1 of 3 vendors that rated a scan speed of 'fast.' We are improving our detection and eraser engines all the time. Making them faster while taking up less resources. We're also looking into new protection capabilities like whitelisting and reputation scanning.
I'm obviously biased because I work for Symantec, but I truly do see good things to come down the road. It's a constant cat and mouse game, but make no mistake about it, we have hundreds of engineers working to make our security products better each day.
Sorry for the novel. I hope this answers some questions. :)
Mike
EXCELLENT points. Now, can
EXCELLENT points.
Now, can you make a visit to Des Moines and come and take a look at our configuration - an "audit" if you will, to see "how we're doing"?
SAV I knew inside and out, I was an expert that was probably better versed at SAV 7 through 10 than Symantec was, but SEP 11 is almost like moving from a paperback novel to Encyclopaedia Britannica overnight (or Funk & Wagnalls if that's your fave).
I think I'm getting there, but I do agree - configuration is at least as important as product!
Even the best product will miss simple common things if a doofus configures it. I need to make sure I'm not that doofus..........
A fundamental change in our attitude towards AV is needed
AV is pretty close to dead. As noted earlier, a new tactic is to spew forth so many variants that the vendors cannot keep up. Sites like virustotal.com allow attackers to test their malware against many AV vendors. I read about a non-US clone of virustotal.com that was subscription-based: Their value proposition was that they guaranteed they would never submit your binaries to the anti-virus vendors.
Our third-party PCI pen tester showed us how they modify their binaries to guarantee no AV will pick them up. They wrote a custom packer that bypassed all vendor file-based scans. They very slightly modify binaries such as GSECDUMP and no vendor picks them up even if they're not custom packed. Attackers specifically targeting your organization do precisely the same thing.
AV on the desktop or server has two main functions:
1. Act as a last resort sentry against malware that has slipped through other defenses.
2. Let the auditors check off their little box.
White-listing web sites on a proxy is OK, but not 100% with so many major sites getting malicious code injected into their sites through vulnerabilities of their own. Or because their revenue-producing banner ads are infected. Hack one banner ad company and you get thousands of legitimate sites to serve it up for you.
File-based protections like parts of AV and Tripwire are useless against a lot of malware that only runs in memory and never touches the disk. It can't survive a reboot but who cares? It can be put back or maybe the server is "up" for a month at a time. Core Security and Fast-Track have these tools built in.
Rapid patching is the only real way to mitigate the risk. Unfortunately vendors sometimes don't patch things they know about and you pay the consequences. And sometimes we remember how back in the mid-1990's that NT 4 SP2 broke a lot of things. At my last company one of the admins said "I never patch anything that's working." and was very proud of it.
If you're relying on ANY anti-virus/anti-malware desktop vendor as anything other than a last resort protection, you're setting yourself up for failure. If you can't afford other layers of protections at your organization, it's up to you to make the business case to add them, accept the risk that you will have some intrusions from malware or move on to a different organization.
And if you don't keep your systems up to date by installing the most current version of SEP (or educating the business side why it needs to be done), then shame on you. Security is not "set it and forget it."
Ray
Its probably been said
It's probably been said already but client protection is only as good as the systems, policy & administrators in place.
SEP or any client security product is only one part of the puzzle & requires the rest of the pieces to be in place for it to be successful - it is a last ditch product when all else fails & is often a mask for the vendors'/software developers' failings.
If you adopt best working practices with firewalls, IPS/IDS, NAC, web & mail scanning at the gateways; educate your users on using the web, e-mail and bringing USB devices etc. into work, then it makes the task a great deal easier.
Workstation config plays a significant part, correctly configured policy, WSUS, & local user rights/configuration are key.
I work with Symantec, Sophos, F-Secure, McAfee & Trend - all have different merits, some adopt slightly different product strategies and none really stand out technically - where you do see a difference is in the support.
An "attaboy" for you
An "attaboy" for you Justin.
Well said.
>>client protection is only as good as the systems, policy & administrators in place<<
>>if you adopt best working practices with firewalls, IPS/IDS, NAC, web & mail scanning at the gateways; educate your users on using the web, e-mail and bringing USB devices etc. into work then it makes the task a great deal easier.
Workstation config plays a significant part, correctly configured policy, WSUS, & local user rights/configuration are key.<<
Yes.
SEP is a tool.
And like a good friend of mine in the car forums is fond of saying, "just because it says professional grade on the box doesn't make you one."
The best hammer can be improperly used................. and bend nails or dent boards if your aim is off.
My sites - http://theamcpages.com & http://antique-engines.com
End of the Junk of Symantec.
I currently manage about 3500 networked computers and I am, starting tomorrow, removing Symantec SEP and Corporate version 10 from every one of them. I do not know what Symantec is or is not doing, but the assorted problems from the Internet are clearly too much for the product to handle. I do not know why they even try to deal with Spyware and Malware - it catches none of it, and that is just window dressing and not substantive. Even when it does catch a virus - like the WinAntiVirus 2009 - it only catches part, and you can run scans until the moon falls, and if you don't use other products and waste hours of time - well, it is almost like being naked. I am very disappointed and find all of this a complete waste of time to deal with a company that is about something other than what they are supposed to be.
Jazzwineman: It will be
Jazzwineman: It will be interesting to see how your situation will change now that you move away from Symantec. You mentioned KAV and AV in the topics, and I guess that is short for Kaspersky and Avira. How on earth do you think your situation will change just by changing software vendor? They all fight the same battle and still none of them is 100% perfect.
The recipe goes like this: Configure your policies tight, patch your OSes and other vulnerabilities in software (Adobe, Java etc.). Proxies that scan for viruses before the users are allowed to access the site, and of course configure the firewalls to block whatever is not trusted to run. Enable system lockdown and you will have less to do with patching but more to do with administration if you want to keep your system updated with new software.
Conclusion: I am pretty sure that you will not be satisfied by removing Symantec, at least not from a security point of view.
At today's time all antivirus
At today's time all antivirus companies are on the same level, seeing that so much malware is created every day. You may say Malwarebytes has got a good name in removing malware. But it just removes rogue programs; what about the bigger worms and Trojans and rootkits? I don't think they have the capacity to handle these.
Big names are not tested with small ones. Symantec is the best when it comes to handling bigger names like Downadup.
So if you plan to change the AV company in early stages you might find it very good, but when you hear the bigger names spreading across the world, you might feel you were better with Symantec.
Antivirus is the last piece of defence you should have in your network, when malware has actually hit your host, but you should be more proactive in stopping it at the gateway level. Have a layered security approach.
Every antivirus has its own issues. Frankly speaking, I don't know anyone who is better than Symantec in the AV/security industry: Trend, McAfee and Kaspersky. I have seen many switching from them to SEP. I am not talking about the SMBs; I have seen VARs shifting.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
How do you think I removed
How do you think I removed the rootkit I found?
Yep - malwarebytes antimalware and simplysupersoftware's product.
The interesting thing - they DO catch these rogue AV apps - somehow, they recognize them, even newer ones.
I'm not stating other AV doesn't have issues or problems or anyone should take SEP off and move to something else, I'm just really disappointed in the weekly messes we face removing this rogue av software - the phony AV when those two apps do catch it, even with less than new databases. And if you update the database, it catches stuff that's new that hour - it seems they are really on top of the game for rootkits and the phony av stuff, and the phony av is 90% of the threats we face. So I need to use what catches 90% of what we are exposed to and worry less about the 10%. So I've equipped our helpdesk folks with malwarebytes and TR.
My sites - http://theamcpages.com & http://antique-engines.com
Interesting thread to say the
Interesting thread, to say the least. I posted a bit ago on something similar. One thing interesting is that in all of this thread there seem to be no answers, just more questions or hacks that remedy hacks.
- ShadowsPapa, when you say you "manually remove" something, how are you sure you have manually removed that something? Where are you finding out what needs to be removed?
- I'm in agreement 100% with the System Lockdown angle. And the MS fix angle. IMO, until things are resolved at the lowest level, either by the design of the ship or by landlocking the poorly designed ship, we will continue to struggle with these daily issues.
While getting rid of Symantec would not be part of the solution, I'm seeing that MS will never fix things (as ShadowsPapa says, why the freak would you allow an EXE to ever run in the local user's folder?) the way they should be fixed. I mean really, there is no doubt that SOMETHING IS TERRIBLY WRONG WITH THE CORE DESIGN OF THE MS PRODUCT. Look at this thread, with all the intelligent people here that are detailing what is allowed to occur on a daily basis. Doesn't it seem that we should have a product that just doesn't allow the execution of anything? That is, IE just displays information? I'm not that smart. I don't write code, or engineer desktop OSes, and so I'm sure that there are thousands of reasons as to why this could never be. But WHY NOT? Clearly, something is wrong here or we would not be reading and reviewing this thread.
So, I guess what I'm getting at here is: what are you guys doing at the prevention level? What are you doing to prevent stuff from getting in in the 1st place? Here we do the following:
- WSUS
- Secunia scans to root out 3rd party unpatched apps.
- Mail Filtering with Symantec and Premium Anti Spam.
- I've pushed for taking away admin rights on the local workstations, but, it seems that this is not something that will resolve the newer bad stuff as it is running now in local user space where they have the rights anyway to execute.
The only thing we're not doing here is using GPO's to limit what users can do. Suggestions?
Also, I've started to look into using ISPs locally that filter IE content. Would that be the PROXY solution that is being mentioned? That is, having something review and analyze content before it reaches the desktop?
In the end, what I'm sensing in the trenches is that for the next 2-3 years (or more) we will always have threads like this. That there is no answer to this problem from the AV vendor side, only reactionary fixes. That the answer must come from admins stopping the ability of a user to go to the site that prompts them in the 1st place that they are infected. To "CLICK HERE" for the fix. If we can stop that from occurring, then we fix the problem, don't we?
In the end the answer seems simple enough eh?
1) Stop users from going to malicious sites in the 1st place.
2) If they do somehow get there, stop the code from executing on the box.
Until we can do that, all hell will continue to be loosed and threads like this will flourish.
websense - white lists and
websense - white lists and black lists and gray lists. Things go through it before even touching the desktop.
However, we, as a government agency, have 2 problems.
We can't afford it,
and it won't work well with our spread out offices and network design.
But for many, it's a good solution. There are also FREE solutions that run on Linux..............
My sites - http://theamcpages.com & http://antique-engines.com
Limiting end user rights is
Limiting end user rights is paramount, particularly if your admins login to their computers using their domain admin accounts. One piece of malware installed to a domain admin account can compromise or destroy EVERY Windows desktop, laptop and server in your organization. How long would it take you to recover from that?
If it can run in end user space, it cannot run at a reboot if they are a restricted user. If your end users don't shut down or log off at night, well, that's another issue. :-)
Our proxy scanner uses engines from Kaspersky, Bitdefender and Norman. We run SEP on the desktops. The proxy scanner has several "stops" every week (approx. 1,000 employees). If you're not stopping it at the proxy, then the malware gets to the internal LAN where only SEP or restricted user rights can stop it. Maybe.
It is very rare for all three proxy scanners to pick up the same malware. Usually it's just one and sometimes it's two. And occasionally, once or twice a month, it slips through to the desktop. That's the value of using multiple vendors simultaneously. If we didn't have the proxy scanner, everything it stops would otherwise get to the desktop and our internal LAN.
My philosophy is that if something gets to SEP, it's passed through all of my other protection levels, so I need to look at more hurdles.
One hurdle you can add is to drop inbound and outbound traffic on your firewall to IP ranges you don't need. We do it because we're a US-only business. A recent "headliner" business supposedly let their Linux point-of-sale terminals talk to an IP address in China. When you look at it from this point of view, I'm sure they didn't do it on purpose, but it happened nevertheless and they lost millions of card numbers. I'm sure no one said "Hey, let's let our cash registers talk to Chinese IP addresses," but they probably had that all-too-common "let all outbound traffic go unimpeded" firewall rule.
You also should be restricting outbound traffic in general from specified devices on specified ports to specified destinations.
Ray
A layered approach is always
A layered approach is always more secure. Different vendors do help, as the definition set is different for different vendors, so the probability of catching malware is higher.
Websense really has a good name.
Windows will always be a soft target because 1. it is not open source, so not much is documented, on the thinking that nobody will know; but the fact is people do reverse engineer and find what it is made up of, then exploit it. 2. 90% of people use Windows, so the malware writers' intention is met (mass infection). 3. A heavy GUI mode and user-friendliness lead to less security.
That is one of the reasons you will see a very small amount of threats infecting Vista/2k8; well, 2k8 and Win7 are still new. Still, there will be less infection due to major changes made in the kernel.
You can also use Symantec Critical System Protection to prevent these exploits, as it works very well for intrusion prevention. It monitors the behaviour of known processes and applications and blocks any abnormal behaviour, thus protecting you from 0-day vulnerabilities.
Even in SEP, make sure you make use of all the features present in SEP to the limit, mainly Application and Device Control and Firewall (including HIPS).
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
>>If it can run in end user
>>If it can run in end user space, it cannot run at a reboot if they are a restricted user.<<
Not true.
BHOs and other items run in the end users profile area. They are launched in their individual profile areas under their user name. Opening IE launches them. Thus my rule for blocking DLLs and BHOs per the article I wrote here.
Even Google's browser INSTALLS to the profile area. MS runs many things from there, DLLs esp for individual users.
You'd have to lock them down so hard that they couldn't even change menu settings or screen colors to prevent such things. Thus, a rule in SEP to prevent such things - but then you have to have 100 exclusions for HTML files, for example, that Outlook uses for signatures in email, among other things. Even JAVA processes in the user profile.
If the user can change their Outlook signature or wallpaper, etc. - then these things can install to and RUN from their profile.
NONE of our users have admin or even power user rights.
My sites - http://theamcpages.com & http://antique-engines.com
Apparently our definition of
Apparently our definition of "at reboot" is different. :-)
Yes, I was thinking of RUN key malware and not BHO's. That is a good point.
I noticed you said "users". How do your admins login? Our PCI pen test company said the way they typically snarf domain admin credentials (once they have compromised a server) is by stopping a service. It only takes a few minutes before some domain admin RDPs in using domain credentials, and then they own the domain.
Ray
A good system would only
A good system would only perform as what it is told to do...
However costly, or however many features any system has, if it is not set to its maximum potential then it would not give what the vendor has promised. The weakest link would be traced to how the system was designed and administered.
We tend to blame it on something or someone, but not check if it was us...
True that some things might have been resolved if the definitions came earlier...
The question is... did we send the new threat sample fast enough for the vendor to quickly react on it?
Just my thoughts...
thanks...
Nel Ramos
Don't even mention their lame
Don't even mention their lame submission and analysis system to me right now.
I'm STILL, days later, attempting to deal with a file I've tried to submit at least 6 times.
It told me I was submitting too many files - I submitted ONE, it was an EXE.
After a few days and several tries and multiple people, they, SYMANTEC, told me to ZIP that one single EXE file into a ZIP file, give it a password and resubmit.
So I did as you asked, I ZIPped it, and the response with a CLOSED CASE email was "the file was container type ZIP".
My cat could have come up with that conclusion.
What a total waste of time.
My sites - http://theamcpages.com & http://antique-engines.com
Re: Don't even mention ...
Hi Shadowpapa,
I can offer a bit of insight there.
The file you submitted is one EXE file.
However, it is very likely that this is a self-extracting zip file.
It can contain more than 7 files. Could be hundreds, actually.
Just use Winzip and open it up. It will show you the contents.
It might even contain more Zip files....
And yeah, you are right, Symantec needs to update their submission capabilities. That file limit is killing everyone who has self-extracting zip files that contain more than 6 files....
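The check described above can be done offline before submitting anything. Here is an added example (written for this thread, not a Symantec tool or code from any poster) in Python: it reports whether a file that looks like an EXE actually carries a ZIP archive appended to its stub, the way a self-extracting archive does, lists the members, and counts how many files the submission would expand to, nested ZIPs included. The sample SFX it inspects is constructed in the script itself; the 6-file limit is the one stated in the post above.

```python
import io
import zipfile

MAX_SUBMISSION_FILES = 6  # limit reported in the thread above (assumption for this example)


def inspect_container(data: bytes) -> dict:
    """Report whether a blob starts like a PE file and also contains a ZIP archive."""
    report = {
        "looks_like_exe": data[:2] == b"MZ",   # DOS/PE stub magic
        "is_zip_container": False,
        "entries": [],
        "nested_zips": [],
    }
    buf = io.BytesIO(data)
    # zipfile locates the end-of-central-directory record at the end of the file,
    # so an archive with an EXE stub prepended (an SFX layout) is still recognised.
    if not zipfile.is_zipfile(buf):
        return report
    report["is_zip_container"] = True
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            # Members whose own bytes start with a local-file header are nested archives.
            with zf.open(info) as member:
                if member.read(4) == b"PK\x03\x04":
                    report["nested_zips"].append(info.filename)
    return report


def count_files_recursive(data: bytes) -> int:
    """Count every file the blob expands to, descending into nested ZIP members."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 1  # a plain file counts as itself
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                total += count_files_recursive(zf.read(info))
    return total


def exceeds_submission_limit(data: bytes) -> bool:
    """True when the expanded file count is over the limit quoted in the thread."""
    return count_files_recursive(data) > MAX_SUBMISSION_FILES


def build_fake_sfx(n_plain: int, n_nested: int) -> bytes:
    """Constructed sample: a dummy MZ stub with a ZIP appended, mimicking an SFX layout."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        for i in range(n_nested):
            zf.writestr(f"nested_{i}.dat", b"x")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        for i in range(n_plain):
            zf.writestr(f"file_{i}.dat", b"y")
        zf.writestr("inner.zip", inner.getvalue())  # one member is itself an archive
    stub = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-STUB-NOT-A-REAL-PE"
    return stub + outer.getvalue()
```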
It gets worse! Yes, I
It gets worse!
Yes, I submitted the one EXE straight from quarantine.
So the Symantec comes back and says "ZIP it and give it a non-standard password and include the password in your notes"
So I did, I ZIP'd the EXE, put the password in the notes/comments and submitted.
Ya wanna know what I LEARNED?
I learned that I submitted a ZIP FILE!
HERE is the exact email I got back (changed a few things to XXXXX's) - and they CLOSED THE CASE!@!@! NOTE THE LAST LINE! They told me I submitted a ZIP file, and closed the tracking case. It's a container file of type ZIP. Yes, silly boys, you TOLD me to submit the ZIP I wanna know what's IN that zip.
(UPDATE - HUMAN intervention has finally perhaps resolved this! I finally now think I know what's going on with that file, something the automation sure could not and did not handle. I know PEOPLE can't be involved in every submission - totally not possible, but the automation is sorely in need of an upgrade! ;-) MAYBE they need to run LiveUpdate on their software at the receiving end............)
(PS - we don't have WINZIP since it's no longer free - we simply use Windows XP's abilities. Budgets, ya know.......)
------------------------------------------------------------
We have analyzed your submission. The following is a report of our findings for each file you have submitted:
filename: xxxxxxxxxxxx.zip
machine: Machine
result: See the developer notes
Customer notes:
unknown xxxxxxxxx password is - xxxxxxxx
Developer notes:
Antivirus-9ec30_2004-ivrs.zip is a container file of type ZIP
My sites - http://theamcpages.com & http://antique-engines.com