Endpoint Protection

  • 1.  "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 25, 2012 11:06 AM

    Hi,


    Found that Endpoint Protection cannot detect "HEUR_PDFEXP.B", but if using TrendMicro or AVG, it can be detected and deleted.

    Anyone know what this is? Is it categorized as a virus? I tried to search for this name on the Symantec website but nothing was returned.


    Thanks,

    Edmond



  • 2.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 25, 2012 11:12 AM

    You can send to security response

    https://submit.symantec.com/websubmit/gold.cgi

    Each vendor may have a different name for a virus

    You can also try submitting to virustotal.com and threatexpert.com to see what they come back with

    https://www.virustotal.com/

    http://www.threatexpert.com/



  • 3.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 25, 2012 11:13 AM

    HI,

    You can submit file

    How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)

    http://www.symantec.com/business/support/index?page=content&id=TECH97449

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Check this thread


  • 4.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Trusted Advisor
    Posted Oct 25, 2012 11:17 AM

    Hello,

    To catch the file, zip the container Folder and when you open the zipped folder, you may see the Threat file in it.

    Submit the .zip folder to Symantec Security Response Team on 

    https://submit.symantec.com/websubmit/essential.cgi

    and 

    http://www.threatexpert.com/submit.aspx

    Note: ThreatExpert is owned by Symantec.

    I would suggest you to work on the Steps provided in the Article:

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/docs/TECH98929

    We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

    Hope that helps!!



  • 5.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 25, 2012 03:45 PM

    Where was this file found? Was it downloaded or on a USB drive?



  • 6.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 25, 2012 04:52 PM

    I would generally agree with the above, but wanted to add that the file name you mention is a product-specific heuristic detection:

    This is a Trend Micro heuristic detection for suspicious Portable Document files (PDF) with embedded JavaScripts that may exploit vulnerabilities.

    Sounds an awful lot like this (or something like it--I am not saying it is the same thing):

    SONAR.PDF!gen1
    http://www.symantec.com/security_response/writeup.jsp?docid=2010-031913-5355-99

    Which version of SEP do you use, and are all protection components enabled?

    sandra



  • 7.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 26, 2012 04:28 AM

    "Thumbs up" to the above - also remember that this is a heuristic detection, judging by the name.  Heuristic detections are given when a file has characteristics of a threat, but it is not guaranteed that the file is in fact a threat.  This could be a False Positive by that other vendor's heuristic technology.  It is best to confirm by submitting, as described above.
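As an added illustration of the two points above (a PDF/JavaScript heuristic like the one described in post 6, and why such a heuristic can produce false positives as post 7 notes), here is a small triage script. It is example code written for this thread, not Trend Micro's or Symantec's detection logic; the indicator list, weights and threshold are assumptions, and the sample PDFs are constructed inline and contain no real malware.

```python
import re
from dataclasses import dataclass, field

# PDF name tokens a JavaScript heuristic typically keys on. The weights are
# an assumption for this example, not any vendor's actual rule set.
INDICATORS = {
    b"/JavaScript": 2,
    b"/JS": 2,
    b"/OpenAction": 1,  # action executed when the document is opened
    b"/AA": 1,          # "additional actions" triggered by events
    b"/Launch": 2,      # launches an external application
}

def normalize_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes (/J#61vaScript -> /JavaScript) so the
    heuristic matches a token however it was spelled in the file."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

@dataclass
class Verdict:
    score: int = 0
    hits: dict = field(default_factory=dict)
    suspicious: bool = False

def triage_pdf(data: bytes, threshold: int = 3) -> Verdict:
    """Count indicator tokens, weight them, and flag the file when the
    score reaches the threshold. A lower threshold is more aggressive:
    it catches more but also flags benign form scripts (false positives)."""
    v = Verdict()
    if not data.startswith(b"%PDF-"):
        return v  # not a PDF at all; nothing to score
    body = normalize_names(data)
    for token, weight in INDICATORS.items():
        # Negative lookahead keeps "/JS" from matching inside longer names.
        n = len(re.findall(re.escape(token) + rb"(?![A-Za-z])", body))
        if n:
            v.hits[token.decode()] = n
            v.score += n * weight
    v.suspicious = v.score >= threshold
    return v

# Constructed samples: a plain PDF, a benign form with calculation script,
# and one that auto-runs obfuscated JavaScript on open.
PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
FORM_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /AcroForm 3 0 R >> endobj\n"
           b"3 0 obj << /Fields [] /JS (this.calculate()) >> endobj\n%%EOF")
AUTO_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
           b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF")
```

A real scanner would also inflate compressed object streams before matching, since the tokens above may sit inside a /FlateDecode stream; this example only looks at the raw bytes.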



  • 8.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 30, 2012 02:26 PM

    I agree with the other posters.  If this is heuristic, I'd make sure you have everything turned on.  In your anti-virus policy, make sure you have Heuristic scanning checked.  It should be on Global Scan Options and, I believe, it is referred to as "Bloodhound".  We set this on "Aggressive".  If you have it turned off, you will probably not catch any Heuristic stuff.



  • 9.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 30, 2012 09:51 PM

    Hi all,


    sorry for late reply.

    We are using SEP 11.0 and have all protection turned on, and I have configured a full scan to run every Wednesday for all servers and PCs; however, it doesn't catch the "suspected virus" (since I am not sure whether it is a virus or not), until someone sent out an email with a PDF attachment and the mail gateway, which uses another brand of antivirus, detected a risk in the e-mail attachment.


    After that we used AVG to scan all PCs and servers, and found that some PCs were infected by this HEUR_PDFEXP.B.


    Edmond



  • 10.  RE: "HEUR_PDFEXP.B" cannot detect by Endpoint Protection

    Posted Oct 31, 2012 03:01 AM

    Many thanks for the update, Edmond!  Please do submit the files for examination to Symantec Security Response, as recommended above.

    Also: be sure you are using the very latest release of Reader in your environment!  Older versions have vulnerabilities that can be exploited by some common threats, but those threats are harmless when trying their exploits against modern versions.