Endpoint Protection


Help, Our network infected by virus that never detected by SEP ???

  • 1.  Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 23, 2009 03:22 PM
    Hello Symantec; please help

    We are a big company that uses SEP MR2 antivirus; we have about 3000 users and we also have a complete datacenter.

    Our problem:
    1- Some users are infected by viruses without any detection or action from Symantec antivirus.
    2- Also there are so many folders with .exe generated by this virus. When I tried to test these folders, I took a sample on my PC and scanned it; Symantec antivirus reported no risk on this folder. I tried to open it and the virus infected my PC. How? --> disabling the Run service, disabling the show hidden folders option. How do I know that? I ran Kaspersky on my PC and found it is infected by a virus that is Trojan-Downloader.VBS.Agent.vz.
    3- The behavior of this malware is generating folders with *.exe.
    4- I opened a case with Symantec to create a rapid definition file, but it will take time.
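    The "folder with .exe" pattern in point 2 is easy to hunt for on a file share without waiting for a definition: the worm drops Name.exe beside (or inside) a real folder Name, relying on hidden extensions and a folder icon to get a double-click, and every copy has the same size. The script below is an added example (not Symantec code and not from the poster); the sample share it scans is constructed inside the script, and the decoy names are made up.

```python
"""Hunt for executables that mimic folders on a share, and cluster them by size.

Added example, not Symantec code. build_demo_tree() creates a constructed sample
share so the script runs offline; point find_folder_mimics() at a real share root
(or a mounted infected drive) in practice.
"""
import os
import tempfile
from pathlib import Path

# Extensions Windows will execute on double-click even when the icon looks like a folder.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def find_folder_mimics(root):
    """Return sorted (exe_path, shadowed_dir) pairs.

    A hit is an executable whose stem matches a sibling directory (Reports.exe next
    to Reports\\) or the directory it sits in (Photos\\Photos.exe).
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_lower = {d.lower(): d for d in dirnames}
        parent_name = os.path.basename(dirpath).lower()
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() not in EXEC_EXTS:
                continue
            if stem.lower() in dirs_lower:
                hits.append((os.path.join(dirpath, fn),
                             os.path.join(dirpath, dirs_lower[stem.lower()])))
            elif stem.lower() == parent_name:
                hits.append((os.path.join(dirpath, fn), dirpath))
    return sorted(hits)


def same_size_clusters(paths, min_count=2):
    """Group files by byte size: a worm that copies itself under many names still
    produces files of identical size, which is a cheap way to confirm the hits are
    copies of one dropper and to find copies with non-folder names."""
    by_size = {}
    for p in paths:
        by_size.setdefault(os.path.getsize(p), []).append(p)
    return {size: sorted(ps) for size, ps in by_size.items() if len(ps) >= min_count}


def build_demo_tree():
    """Constructed sample share: two real folders, two decoys, one unrelated exe."""
    root = Path(tempfile.mkdtemp(prefix="mimic_demo_"))
    (root / "Reports").mkdir()
    (root / "Photos").mkdir()
    dropper = b"MZ" + b"\x90" * 510                      # fake 512-byte PE stub
    (root / "Reports.exe").write_bytes(dropper)           # decoy beside Reports\
    (root / "Photos" / "Photos.exe").write_bytes(dropper)  # decoy inside Photos\
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 100)  # benign, no folder twin
    return str(root)


if __name__ == "__main__":
    share = build_demo_tree()
    hits = find_folder_mimics(share)
    for exe, folder in hits:
        print(f"MIMIC  {exe}  (shadows {folder})")
    for size, copies in same_size_clusters([h[0] for h in hits]).items():
        print(f"{len(copies)} copies of {size} bytes: {copies}")
```

    Run it against a mapped share (with autorun disabled on the scanning machine) and submit one file from each size cluster to Symantec rather than all of them; the rest are byte-identical copies.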



  • 2.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 23, 2009 04:48 PM
    Our office was hit today with the Facebook Trojan, Koobface. We are using SEP version 11.0.4202.75. Definitions are updated nightly. I see W32.Koobface.A and W32.Koobface.B listed in the known threats in SEP; however, it did not catch it. I also found a couple of other Trojan viruses on this laptop that SEP should have caught, since they too were listed in the threat list.

    I ran a full SEP scan and they were not discovered; however, when I ran Malwarebytes, it found these Trojans and the other viruses and dealt with them. I am really interested in knowing why SEP did not catch these Trojans and stop them. Isn't this what we pay a subscription for? To receive updates and current definitions!

    My research on this Trojan reveals this strain has been around since last year!

    What gives with this? I am now concerned SEP will not catch any Trojans.



  • 4.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 23, 2009 05:31 PM
    Also make sure that it has not spread to other computers.

    Try this article!

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

    Also submit the files to the previous links given by cycletech.


  • 5.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 23, 2009 05:49 PM
    Once the malware is wiped out, I recommend that you upgrade your Endpoint Protection to the latest version, which is MR4 MP2... most of the bugs have been rectified in this version and the malware detection is more efficient...

    Check this link on how to accomplish this...
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009051906042048 

    Regards,
    Mac


  • 6.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 23, 2009 08:17 PM
    Also access this link.
    It is an article about how to find suspected threats on your computer:

    https://www-secure.symantec.com/connect/articles/how-find-suspected-threats-your-computer


  • 7.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 24, 2009 12:14 AM

    Must be a new threat. Submit the files to Symantec and wait till they release the definition.

    That's why I always say that Symantec should think about its detection rate/scan engine. But they are only giving excuses that it is impossible to give 100% protection as so many threats are coming regularly.

    But others are giving better detection rates.



  • 8.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 24, 2009 03:04 PM
    @Bijay.Swain

    In the discussion https://www-secure.symantec.com/connect/forums/bad-detection-rate-sep

    Paul Murgatroyd wrote:

    One of the things that makes us different to the others, and particularly some of the smaller vendors out there, is our approach to false positives. We will not put a signature into our definitions if we think it has the potential to cause false positives. If you were to ask the vast majority of our customers what would be worse for them, a virus outbreak on a small number of PCs (or even a large number, particularly with today's types of threats) versus a false positive on a system or executable file, I am fairly sure they would choose the virus option. We are very proud of our false positive ratio; it's currently around 0.1%. When you protect over 130 million endpoints around the world, that's no mean feat! Other vendors can potentially afford a higher FP ratio, since their customer numbers will be lower.
    ...
    That's the problem: by the time you get a signature out, the malware has gone and changed again. To give you an idea of the effect that variants have, in the year 2002 we wrote just over 20,000 signatures for the whole year. In 2005, that number increased to around 110,000. Now comes the jump! In 2007, we wrote 600,000 signatures and in 2008 we added 1.6 million! Put another way, in 2000 we were writing about 5 signatures per day and in 2007 that number was 1431. Now, in 2008 we were averaging around 12,000 signatures PER DAY! That's a 239% increase on 2007 and the numbers are still going up. Our current estimates are that we will peak at 25,000 per day this year. In addition to that, we receive 200,000 file submissions per day - most of these are processed automatically - they are analysed and, where required, definitions are updated or written and automatically put into the next set of rapid release definitions.

    ...


    You can learn more by reading the cited discussion.

    If you don't trust us, you can read this 3rd party's book:
    AVIEN Malware Defense Guide for the Enterprise

    or change AV vendor...



  • 9.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 25, 2009 12:08 AM
    You are right, Giuseppe.Axia.

    But the problem is when a new threat comes (which comes almost daily in our network) and our antivirus doesn't detect the threat, it spreads all over our network, and after this users complain that the antivirus is not working, and I can't go to each and every PC for manual removal of the virus. A false positive can create a problem once in a while, but viruses come daily.

    The primary job of an antivirus is to detect viruses, which it should do.

    Don't think that I am against Symantec. I am saying this because you might not be facing this problem, so I am letting you know that this is the one area which Symantec can improve.

    When a customer shows us that another antivirus is detecting while Symantec is failing, you can imagine the situation at that time; we are speechless in front of our customer, finding an excuse for it.

    If I were against Symantec, then I might have moved to another AV product. I like your support, which is the best in the industry, but for the past few years I have been facing problems with the detection part of Symantec.


  • 10.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 25, 2009 12:39 AM
    When I browse through this Connect forum, I find everywhere you have shown disappointment with the detection rate of Symantec.
    The only reasons I can think of are:

    Either you have never/not worked with another enterprise antivirus for a long time
    or
    you think an antivirus is magical software that cleans all viruses and knows about any virus even before anybody has written it
    or
    your meaning of security is only antivirus. If every day you are facing a virus outbreak, it doesn't mean your antivirus software is not working (I agree it is 50% responsible), but it means the security policy of this steel plant is very weak. Users are allowed to do anything, go to any website and download anything.
    You can't expect a computer in an internet cafe to be safe no matter what antivirus software they are using.

    I am not trying to be rude, but this is only because I find you are the only one in the whole STN community who is having the most problems with the detection rate, so it can't be just the antivirus software...




  • 11.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 25, 2009 01:31 AM
    Hi Vikram,
    It is true that our network is not secure, as there are more than 100 entry points (100 direct broadband connections) for viruses to get in. Also our Windows systems are not fully patched; the latest is only SP2 with no further patches, and some PCs are also running WinXP SP1. No Active Directory domain, so no group policy defined. Admin passwords are blank. All networked PCs are not protected by antivirus.

    I know these are the main problems due to which our network gets infected too easily.

    I can't do much about the above problems, so maybe I am expecting more from Symantec.


  • 12.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 25, 2009 03:22 AM
    @ Bijay

    All I can say in this case is "may GOD only help you".

    You can't expect so much from Symantec!

    Has Symantec provided you the broadband connections > NO

    Has Symantec made the OS that you run > NO

    Is Symantec responsible for patching your systems > NO - Microsoft made the WSUS LOB app free so that everyone can patch their systems centrally.

    Is Symantec responsible for defining a security policy for your organization > NO

    Is Symantec responsible for your IT policy to define that you should have a domain env. for simplified and centralized management > NO

    As you can see, since all 5 options above have a NO answer, I really think you are expecting too much. Symantec makes software that'll HELP YOU to prevent KNOWN variants and traces of malware, protecting your systems. Symantec strives and does provide the best support and the signatures to identify and remove new variants / new threats from systems. To remove them, YOU need to be MORE PROACTIVE.

    You need to educate your users to stop surfing pr0n websites (if they do; apologies if they don't) and tell them that what they are doing is punishable under the Indian IT Act with rigorous imprisonment of UP TO 10 years, and a fine of Rs. 1 crore only. ;) Pretty decent amount I think. ;)

    Also, you'll need to get things in order and define a proper IT policy for your organization, such as getting a firewall, be it hardware or software, and channelling all your broadband connections through it, hence filtering out unwanted stuff and EXE / CPM / BAT / DLL / etc. kinds of files.

    I'm harping on this since this is THE absolute essential requirement for any organization in today's world: to have a properly formulated and working IT and Info Sec policy. Or would you prefer that some employee(s) unwittingly introduce a worm into your env. and wreck all the stuff that's working?!

    Let's be very realistic and practical: Symantec is NOT responsible for any non-compliance issues at your IT end. If you want to tie up loose ends, use Application / Device Control to block all USB drives and USB disks, and restrict user browsing by creating a firewall policy and blocking searches / domains based on specific keywords.

    HTH.



  • 13.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 25, 2009 06:06 AM
    Because, anyway, the number of malware samples is rising too fast, we are working to create new technologies for you:

    Paul Murgatroyd wrote:

    Going further, I'm sure you are all aware of the Krypton IPS engine in SEP; if not, then you should read this: https://www-secure.symantec.com/connect/articles/so-what-krypton-anyway As others have mentioned, we are now at the point where there IS more BAD code than GOOD code, so you have to start wondering if blacklisting is the answer anymore. It's clearly not going to go away anytime soon, but we think it can start to take more of a back seat when you start to look at technologies like reputation based whitelisting. You can see our "first version" of this technology in the Norton 2009 and N360 v3.0 products - it's called Norton Insight and we are using it to control the number of files we scan. If we know based on our whitelist that 80% of the files on your machine are clean, then we don't need to scan them and can concentrate more effort on checking the remaining 20%... the reputation side comes in based on how many people are running those files or have downloaded them, etc. It's a very complicated set of criteria, but it works very well. Again, this is where our size comes in handy: we have been building this whitelist over the last few years, based on information from third parties and huge amounts of consumer data that is submitted via Norton Community Watch.

    Stay tuned.

    Cheers,




  • 14.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jun 25, 2009 07:07 AM

    @Bijay.Swain

    Sorry, but you are not serious?
    But if what you've written is true and you haven't said it ironically, then this discussion runs in the wrong direction!
    That's not the "normal" customer; sorry that I have to say that with such strong words, Bijay ;-)

    The complaint about the bad detection rate is nevertheless justified, and it is a pity, and too easy, to play down this fact now only because of such a bad example.

    I think most companies and admins in this world will do their best to patch their systems and make the network safe; black sheep, unfortunately, are everywhere.

    Again, I think the SEP detection rate urgently has to improve!

    Regards
    Wayne





  • 15.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 01, 2009 02:17 AM
    This doesn't sound like a "SOLUTION" to me!
    A few of our clients (in different locations) got well known viruses (like Vundo, Downloader, etc.) under SEP 11.0.4; I tried everything to get rid of them. It seemed cleaned up OK one day, and the next few days the same virus "woke up" again. SEP catches it every time on booting up the PC, but never stops the pop-ups caused by these viruses. I had to re-install Windows to clean it up.
    My clean-up steps (still not enough to control these viruses):
    1. Disconnect the PC from the network, boot to "Safe Mode", disable "System Restore".
    2. Take out the hard drive (2.5" laptop drives or 3.5" desktop drives) from the infected PC.
    3. Use my tech PC with the latest version of SEP on the master drive to scan the infected drive (on the secondary channel); also manually delete suspicious files under the Windows and System32 folders.
    4. Clean temp files (including "Content.ie5" folders); clean the "System32\Prefetch" folder.
    5. Put the infected hard drive back into the original PC, boot to safe mode, run "Regedit" to clean up startup keys.
    6. Restart to normal Windows with the network, install/update SEP, run a full scan.

    Symantec needs to step up! Provide solutions before we stop the next renewal of SEP and give our clients other solutions. All our clients are using SEP at this point.
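    Step 5 above (cleaning startup keys by hand in Regedit) and the "show hidden folders" setting that post 1 saw reset are the two places where a re-infection is usually visible before any scanner flags it. Rather than eyeballing Regedit on each machine, you can export the relevant keys with reg.exe and audit the .reg text. The script below is an added example (not Symantec's code and not the poster's); the .reg content it audits is constructed for the demo, and the suspicious paths and value names in it are made up. It flags autostart entries that run from user-writable directories or borrow a Windows binary name outside \Windows, extra Winlogon Userinit entries, a replaced Shell, and Explorer's Hidden/ShowSuperHidden values not set to show hidden files.

```python
"""Audit an exported .reg file of autostart and Explorer keys for worm tampering.

Added example, not Symantec code. SAMPLE_REG is constructed for the demo. On a real
machine export the keys first, e.g.
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
and read the file with encoding="utf-16" (reg.exe writes UTF-16 with a BOM).
"""
import re

# "Name"=data  (name may contain escaped quotes)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Directories a legitimate autostart almost never launches from.
SUSPECT_DIRS = ("\\temp\\", "\\recycler\\", "\\application data\\",
                "\\appdata\\", "\\system volume information\\")
# Windows binary names malware borrows; the real ones live under \Windows\.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe"}

# Constructed sample export: one clean Run entry (Symantec's own ccApp), one
# dropper in Temp, an extra Userinit entry, and hidden-file display turned off.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\RECYCLER\\S-1-5-21-1\\x.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''


def parse_reg(text):
    """Return {key_path: {value_name: data}}; REG_SZ strings are unescaped,
    dword values become ints, other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # \\ -> \ and \" -> "
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][re.sub(r"\\(.)", r"\1", m.group("name"))] = data
    return keys


def first_exe(command):
    """Pull the executable path out of a Run command, quoted or not."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i != -1 else cmd.split(" ")[0]


def audit_reg(text):
    """Return (key, value_name, reason) findings for the keys in the export."""
    findings = []
    for key, values in parse_reg(text).items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf in ("run", "runonce"):
            for name, cmd in values.items():
                if not isinstance(cmd, str):
                    continue
                exe = first_exe(cmd)
                low = exe.lower()
                if any(d in low for d in SUSPECT_DIRS):
                    findings.append((key, name, f"autostart from user-writable dir: {exe}"))
                if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in low:
                    findings.append((key, name, f"system binary name outside \\Windows: {exe}"))
        elif leaf == "winlogon":
            parts = [p for p in str(values.get("Userinit", "")).split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
                findings.append((key, "Userinit", f"unexpected Userinit chain: {parts}"))
            if str(values.get("Shell", "explorer.exe")).lower() != "explorer.exe":
                findings.append((key, "Shell", f"Shell replaced: {values['Shell']}"))
        elif leaf == "advanced":
            if values.get("Hidden") != 1:
                findings.append((key, "Hidden", "hidden files not shown (value != 1); worms reset this"))
            if values.get("ShowSuperHidden") != 1:
                findings.append((key, "ShowSuperHidden", "protected OS files not shown (value != 1)"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_reg(SAMPLE_REG):
        print(f"{key}\n    {name}: {reason}")
```

    A Hidden value of 2 is also the Windows default, so on a machine you never changed it is not proof of infection by itself; the tell is the setting flipping back after you set it to 1, which is exactly what post 1 describes.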


  • 16.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 01, 2009 02:28 PM
    I think more people need to learn to deploy NTP, and not just AV/AS. 
    That alone has been the biggest improvement in detection and stoppage of modern infections for my customers.

    That and turn on TruScan from Log to Quarantine as well as up the sensitivity.


    Of course going to MR3 and later is a good thing too.


  • 17.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 02, 2009 09:33 AM
    I am in exactly the same situation.
    I have SEP MR4 MP2 installed and the infections get past the antivirus.
    When I scan the computers with SEP in Safe Mode, it doesn't detect the infections.
    I am in the most outrageous situation that, in order to clean a computer, I have to uninstall the SEP client, install an antivirus from your competitors, clean the computer with that product and then reinstall the SEP client.
    I stay with SEP only because I already paid the subscription.
    I think that the product fails to do its job.


  • 18.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 02, 2009 10:20 AM
    Is Symantec listening to all these comments about the detection rate?


  • 19.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 02, 2009 12:29 PM
    Hi BiJay, yeah, they are. We had the Territorial Manager over this week. Believe me, they listened alright. We are not a very large customer, but we are big enough for them to listen.
    We are coming to the same conclusion: the detection rate of SEP is miserable, at best. Malware that has been detected by other vendors for months is still not being detected by SEP. Example: bunches of SpySheriff variants are not being detected. Some rootkits are not detected at all. I have to rely on other vendors' products to remove infections. That is not a good thing. And yeah, the systems here are up to date on MS patches, Symantec virdefs, you name it. They are up to date.
    Detection has been a problem from day 1 with SEP. It is just not as good at detecting malware as we hoped it would be.
    Unfortunately, you will hear that customers need to submit infected files. Well, done that too. Hundreds. Some infections were being detected after Symantec released updated virdefs. Others were not. I do not know the Symantec criteria for determining what to put in the detection, but 'keep the risk of false detections low' is a wrong excuse. Not to say I want to be dealing with hundreds of false positives.... It is just very frustrating to have to deal with infections that should not have happened if we had another product. That is bugging the hell out of me. And no, I do not want to switch to another product. If you know what shortcomings the product has, you can work with that most of the time. But detection of malware not working, well, that is very difficult to work with. It is kinda sad that we pay a lot of money for the product but have to rely on a freeware removal tool from another vendor to resolve infections...


  • 20.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 02, 2009 01:47 PM
    We hear you, and as JohnSu is suggesting, we are visiting/contacting customers to understand exactly what's transpiring so we can provide an appropriate solution.

    Eric


  • 21.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 02, 2009 10:56 PM
    Good to hear about that, Hear4U...
    Was the detection rate for MR4 MP2 improved?
    We have not yet upgraded since not so many features were very prominent...
    Thanks


  • 22.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 03, 2009 12:56 AM
    Detection rate is not something that can be done via a product upgrade.
    It is something internal and external; believe me, Symantec is working very hard on improving the detection rate.

    Earlier I was not happy with the use of Proactive Threat Protection, but over the last few months I have seen the detection rate of Proactive Threat Protection go up.
    It has started detecting things called Bloodhound.MH or something.

    This is on the part of Proactive Threat Protection.
    As far as AV is concerned, Symantec is looking at all options available, and it's not that it's not detecting anything.


    "Volume XIV Highlights: A significant spike in new malicious code threats occurred during 2008. Symantec created 1,656,227 new malicious code signatures during this time period. This is a 165 percent increase over 2007, when 624,267 new malicious code signatures were added. This means that of all the malicious code signatures created by Symantec, more than 60 percent of that total was created in 2008. The explosive growth can be attributed to the professionalism of malicious code development, supporting the demand for goods and services that facilitate online fraud."

    This was till 2008, so just think about 2009. It's not that Symantec is not working fast, but it is actually the malware coders who are working much faster than even expected.


  • 23.  RE: Help, Our network infected by virus that never detected by SEP ???

    Posted Jul 03, 2009 03:06 AM
    One problem is the detection rate.
    But the other frustrating, and time consuming, problem is that SEP has problems cleaning infections in Safe Mode, even those that it itself detected in full mode.