
"HEUR_PDFEXP.B" cannot be detected by Endpoint Protection

Created: 25 Oct 2012 | 9 comments

Hi,


I found that Endpoint Protection cannot detect "HEUR_PDFEXP.B", but if TrendMicro or AVG is used, it can be detected and deleted.

Does anyone know what this is? Is it categorized as a virus? I tried to search for this name on the Symantec website, but nothing was returned.


Thanks,

Edmond


Ashish-Sharma

Hi,

You can submit the file:

How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV)

http://www.symantec.com/business/support/index?page=content&id=TECH97449

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Check this thread.

Thanks In Advance

Ashish Sharma


.Brian

You can send it to Security Response:

https://submit.symantec.com/websubmit/gold.cgi

Each vendor may have a different name for a virus.

You can also try submitting to virustotal.com and threatexpert.com to see what they come back with:

https://www.virustotal.com/

http://www.threatexpert.com/

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi

Hello,

To catch the file, zip the containing folder; when you open the zipped folder, you may see the threat file in it.

Submit the .zip folder to the Symantec Security Response Team on

https://submit.symantec.com/websubmit/essential.cgi

and 

http://www.threatexpert.com/submit.aspx

Note: ThreatExpert is owned by Symantec.

I would suggest you work through the steps provided in these articles:

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

http://www.symantec.com/docs/TECH99222

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

http://www.symantec.com/docs/TECH98929

We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian

Where was this file found? Was it downloaded or on a USB drive?

sandra.g

I would generally agree with the above, but wanted to add that the file name you mention is a product-specific heuristic detection:

This is a Trend Micro heuristic detection for suspicious Portable Document files (PDF) with embedded JavaScripts that may exploit vulnerabilities.

Sounds an awful lot like this (or something like it--I am not saying it is the same thing):

SONAR.PDF!gen1
http://www.symantec.com/security_response/writeup....

Which version of SEP do you use, and are all protection components enabled?

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help
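The detection quoted above fires on PDFs that carry embedded JavaScript and may exploit reader vulnerabilities. The script below is an added example, not part of the thread or of any vendor's engine, showing the kind of first-pass triage an administrator can run locally before submitting a sample: it counts the PDF name tokens that script-bearing documents need (`/JavaScript`, `/JS`) together with the automatic-action triggers (`/OpenAction`, `/AA`) that make such a script run without user interaction, and it resolves the `#xx` hex escapes that PDF allows inside name tokens so that a token such as `/J#61vaScript` is still recognised. The three sample documents, the verdict labels and the scoring rule are constructed for this example and are assumptions, not a reproduction of the Trend Micro or Symantec heuristic.

```python
import re

# Name tokens a PDF-script heuristic typically keys on: the script carriers
# (/JavaScript, /JS) and the triggers that fire them automatically.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

# PDF allows any byte in a name token to be written as #xx (hex), which is a
# common way of hiding /JavaScript from naive keyword scanners.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes, e.g. /J#61vaScript -> /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_suspicious_names(data: bytes) -> dict:
    """Count whole-token occurrences of each suspicious name in the file."""
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead keeps /JS from also matching /JSomething.
        pattern = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9])")
        counts[name] = len(pattern.findall(text))
    return counts


def triage_pdf(data: bytes) -> dict:
    """Return a verdict ("clean", "review" or "suspicious") with the reasons.

    Scoring rule (an assumption for this example): a script that is wired to an
    automatic trigger, or that hides behind hex-escaped names, is "suspicious";
    any single indicator on its own is only worth a manual "review".
    """
    counts = count_suspicious_names(data)
    has_script = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    has_auto_trigger = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    obfuscated = _HEX_ESCAPE.search(data) is not None

    reasons = []
    if has_script:
        reasons.append("embedded JavaScript")
    if has_auto_trigger:
        reasons.append("automatic action on open/event")
    if counts["/Launch"] > 0:
        reasons.append("launch action")
    if counts["/EmbeddedFile"] > 0:
        reasons.append("embedded file")
    if obfuscated:
        reasons.append("hex-escaped name tokens")

    if has_script and (has_auto_trigger or obfuscated):
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons, "counts": counts}


# Constructed sample documents (minimal, not real malware): a plain PDF, one
# with a JavaScript action that runs on open, and the same with hex-escaped
# names. The script body is a harmless alert in both cases.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SCRIPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
OBFUSCATED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /J#53 (app.alert('sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PDF), ("scripted", SCRIPTED_PDF), ("obfuscated", OBFUSCATED_PDF)):
        result = triage_pdf(doc)
        print(f"{label}: {result['verdict']} {result['reasons']}")
```

The scan works on the raw bytes only, so objects inside compressed (`/FlateDecode`) or object streams are invisible to it; that is also one of the reasons different vendors' engines disagree on the same file. Treat a "suspicious" result as a reason to submit the sample, as the posts above recommend, not as a conviction, and treat "clean" as "nothing visible in the uncompressed part".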

Mick2009

"Thumbs up" to the above. Also remember that this is a heuristic detection, judging by the name. Heuristic detections are given when a file has characteristics of a threat, but it is not guaranteed that the file is in fact a threat. This could be a false positive by that other vendor's heuristic technology. It is best to confirm by submitting, as described above.

With thanks and best regards,

Mick

hforman

I agree with the other posters. If this is heuristic, I'd make sure you have everything turned on. In your antivirus policy, make sure you have Heuristic scanning checked. It should be under Global Scan Options and, I believe, it is referred to as "Bloodhound". We set this to "Aggressive". If you have it turned off, you will probably not catch any heuristic stuff.

Edmond Chan

Hi all,

Sorry for the late reply.

We are using SEP 11.0 and have all protection turned on, and I have configured a full scan to run every Wednesday on all servers and PCs; however, it didn't catch the "suspected virus" (since I am not sure whether it is a virus or not) until someone sent out an email with a PDF attachment and the mail gateway, which uses another brand of antivirus, detected a risk in the email attachment.

After that we used AVG to scan all PCs and servers, and found that some PCs were infected by this HEUR_PDFEXP.B.

Edmond

Mick2009

Many thanks for the update, Edmond! Please do submit the files for examination to Symantec Security Response, as recommended above.

Also: be sure you are using the very latest release of Reader in your environment!  Older versions have vulnerabilities that can be exploited by some common threats, but those threats are harmless when trying their exploits against modern versions.

With thanks and best regards,

Mick