"HEUR_PDFEXP.B" cannot be detected by Endpoint Protection

Created: 25 Oct 2012 | 9 comments


Found that Endpoint Protection cannot detect "HEUR_PDFEXP.B", but if using TrendMicro or AVG, it can be detected and deleted.

Does anyone know what this is? Is it categorized as a virus? I tried to search for this name on the Symantec website but nothing was returned.




Ashish-Sharma's picture


You can submit the file

How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 
Check this thread

Thanks In Advance

Ashish Sharma

ᗺrian's picture

You can send to security response

Each vendor may have a different name for a virus

You can also try submitting to and to see what they come back with

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture


To catch the file, zip the container Folder and when you open the zipped folder, you may see the Threat file in it.

Submit the .zip folder to Symantec Security Response Team on


Note: ThreatExpert is owned by Symantec.

I would suggest you to work on the Steps provided in the Article:

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

We also offer a self-service site to analyze files, at, which can give you more information on the files you submit to it.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ᗺrian's picture

Where was this file found? Was it downloaded or on a USB drive?


sandra.g's picture

I would generally agree with the above, but wanted to add that the file name you mention is a product-specific heuristic detection:

This is a Trend Micro heuristic detection for suspicious Portable Document files (PDF) with embedded JavaScripts that may exploit vulnerabilities.

Sounds an awful lot like this (or something like it--I am not saying it is the same thing):


Which version of SEP do you use, and are all protection components enabled?


Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Mick2009's picture

"Thumbs up" to the above. Also remember that this is a heuristic detection, judging by the name. Heuristic detections are given when a file has characteristics of a threat, but it is not guaranteed that the file is in fact a threat. This could be a False Positive by that other vendor's heuristic technology. It is best to confirm by submitting, as described above.

With thanks and best regards,
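To illustrate what a heuristic verdict of the kind discussed in this thread rests on, here is an added Python example (not posted by anyone in the thread, and not Trend Micro's or Symantec's actual detection logic). It hashes a PDF for submission and counts the name tokens tied to embedded JavaScript and auto-run actions; the indicator list, function names and sample bytes are assumptions constructed for the example.

```python
import hashlib
import re

# Name tokens linked to script and auto-run actions. Their presence is a
# characteristic worth a closer look, not proof that the file is a threat.
INDICATORS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

_NAME = re.compile(rb"/[^\x00\t\n\f\r ()<>\[\]{}/%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample inputs (harmless, minimal PDF-like byte strings).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SAMPLE_SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (var x = 1;) >>\nendobj\n%%EOF\n"
)


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so '/J#61vaScript' compares equal to '/JavaScript'."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Hash the file and count indicator names in its uncompressed bytes.

    Names inside compressed object streams are not visible to this scan.
    """
    counts = dict.fromkeys(INDICATORS, 0)
    for match in _NAME.finditer(data):
        name = normalize_name(match.group(0))
        if name in counts:
            counts[name] += 1
    has_script = counts["/JavaScript"] + counts["/JS"] > 0
    auto_run = counts["/OpenAction"] + counts["/AA"] > 0
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pdf": b"%PDF-" in data[:1024],
        "counts": counts,
        "suspicious": has_script and auto_run,  # heuristic verdict only
    }


if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("scripted", SAMPLE_SCRIPTED)):
        result = triage_pdf(sample)
        print(label, result["suspicious"], result["counts"], result["sha256"][:16])
```

The scripted sample is harmless yet still gets flagged, which is the false-positive case a heuristic name alone cannot rule out; the SHA-256 gives a stable identifier to quote when the file is submitted for analysis.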


hforman's picture

I agree with the other posters. If this is heuristic, I'd make sure you have everything turned on. In your anti-virus policy, make sure you have Heuristic scanning checked. It should be on Global Scan Options and, I believe, it is referred to as "Bloodhound". We set this on "Aggressive". If you have it turned off, you will probably not catch any Heuristic stuff.

Edmond Chan's picture

Hi all,

Sorry for the late reply.

We are using SEP 11.0 and have all protection turned on, and I have configured a full scan to run every Wednesday for all servers and PCs. However, it doesn't catch the "suspected virus" (since I am not sure whether it is a virus or not). It was only when someone sent out an email with a PDF attachment that the mail gateway, which uses another brand of antivirus, detected a risk in the e-mail attachment.

After that we used AVG to scan all PCs and servers, and found that some PCs were infected by this HEUR_PDFEXP.B.


Mick2009's picture

Many thanks for the update, Edmond! Please do submit the files for examination to Symantec Security Response, as recommended above.

Also: be sure you are using the very latest release of Reader in your environment!  Older versions have vulnerabilities that can be exploited by some common threats, but those threats are harmless when trying their exploits against modern versions.

With thanks and best regards,