Endpoint Protection


how many people says SEP needs to improve detection rate


  • 1.  how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 04:05 AM
    I think the detection rate of SEP should improve, because I have seen that most of the new threats can easily pass through SEP and we have to submit the threats again and again. But whenever I complain to Symantec about this, they give me an excuse, saying that they try to keep false positives low for enterprise networks.

    So I request all of you to vote here for

    (a) Need to improve detection rate at the cost of higher false positives

    (b) Keep false positives low at the cost of poor detection rate


    If you want option (a), then please vote for the forum
    and
    if you choose option (b), then vote against the forum.


    Let's see how many people say that Symantec should improve the poor detection rate.


  • 2.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 10:26 AM
    @ Bijay -

    How many times will you open this topic? Enough now.

    I think you have already said this 2-3 times before! We agree that the detection rate should certainly be good, but there is no benefit in saying this again and again; rather, people will get angry at you.....
    




  • 3.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 10:35 AM
    Hi,

    in this post I don't want to influence the votes.

    For a constructive discussion, let me post these FAQs from a third-party organization.

    AVIEN Malware Defense Guide for the Enterprise, 2007 by Elsevier, chapter 10:

    Frequently Asked Questions
    Q: Surely all antimalware products detect much the same range of malicious programs?
    A: This is less true than it was a few years ago, for two main reasons.
    ■ The range of malicious programs commonly encountered now is much wider than
    it used to be, and non-replicative programs in particular pose more problems in
    terms of heuristic detection. Also, while what we used to call AV programs detect a
    good many non-viral malicious programs, they aren’t all equally focused on the
    whole range of malware. So while the major players all tend to perform comparably
    on replicative malware, they may vary dramatically on other malware types.
    ■ Modern malware (replicative or not) presents quite different problems in detection.
    Despite all the advances made in scanning technology (such as advanced
    heuristics), it’s easier for the bad guys to evade detection with short spamming
    runs, multiple packing, and so on.
    Q: Who has the resources to do in-house testing?
    A: Good, safe detection testing takes appreciable time as well as expertise, and an isolated
    network. However, testing for compatibility, configuration, deployment, network impact,
    update and upgrade, and so on can be carried out on spare machines on a production
    network, and is fairly painless.
    Q: I understand the need to get the best possible performance, but my budget is very
    restricted.
    A: Been there, done that, set fire to the tee shirt out of sheer frustration. In fact, once, after
    negotiating a particularly good deal one year, I discovered the next year that my budget
    had disappeared altogether, in the expectation that I’d be able to repeat the coup in
    perpetuity. It’s true that most of us have to fight the bean counters tooth and nail every
    time, and mostly they are infinitely more impressed by low unit cost than by
    performance metrics.
    Q: Can you recommend a resource for malware-related metrics?
    A: There’ve been many attempts to provide easy plug-in spreadsheets and other forms of
    modeling over the years. Unfortunately, the malware management field has proved
    particularly resistant to standards of measurement. Andrew Jaquith’s book “Security
    Metrics: Replacing Fear, Uncertainty and Doubt” (Addison-Wesley, 2007) won’t give
    you all the answers, but it’s well worth reading as an introduction to metric techniques
    in general.
    Q: Why do you say that detection isn’t important?
    A: That’s not quite what I said. What I’m trying to say is that it doesn’t matter how good
    detection is if the product is unusable, or beats your business processes to a pulp.
    Detection is very important, of course; however, the days of near-100 percent detection
    of all the threats you need to worry about are long gone.
    Q: What’s the difference between the latent malware problem and heterogeneous malware
    transmission.
    A: HMT is concerned with the spread of malware, especially replicative malware, from an
    infective or infected system to a vulnerable system via systems that aren’t themselves
    vulnerable. (The expression was probably coined by Peter Radatti: at any rate, I first
    encountered it in the 1992 paper “Heterogeneous computer viruses in a networked
    UNIX environment” in the Proceedings of the First International Virus Prevention
    Conference and Exhibition (NCSA), Washington, DC.) A latent virus is one that hasn’t
    been executed in its present environment, but that doesn’t necessarily mean it can’t be.
    Q: How do latent viruses relate to latency in other virus issues.
    A: In “Viruses Revealed” I suggested that “dormancy” might be a better term in this
    respect, since the term latency is used to denote impact on performance (e.g., the impact
    of firewall processing on network throughput).
    Q: Isn’t it rather convenient for the AV industry to protest that virus testing methodology
    and creation of viruses for test purposes is unethical?
    A: You could look at it like that, but there are sound reasons for this viewpoint.
    ■ Many in the industry are adamant that it’s inappropriate for those within the
    industry to create new malware, even for research purposes (that probably has a lot
    to do with the persistent allegations that the AV industry creates viruses in order to
    keep itself going).
    ■ There is a safety issue. You may not think it’s that hard to keep a test network
    isolated, but there’s a feeling that those who don’t understand the other points may
    not understand the importance of safe practice, either.
    ■ The use of invalidated samples, poorly conceived modifications to malware, and
    newly created malware can seriously bias the results in obvious and less obvious
    ways. The most obvious problem is that where there is an invalid sample which
    is incorrectly identified as viral or malicious by product A and not by product B,
    product B is unfairly and inappropriately disadvantaged. Even if there is no
    intention to skew the results, there is a question of ethical responsibility.
    Q: Aren’t macro viruses specific to multiple operating systems?
    A: In a sense. Macro viruses and some forms of script virus are actually specific to an
    application, not to an operating system. However, their ability to replicate and the effectiveness
    of any payload may vary according to the operating system, or between versions
    of a given operating system.
    Q: Isn’t the fact that the WildList is published monthly at most a drawback in terms of
    WildList testing?
    A: It does lessen its usefulness as the main component of a detection test. But it still offers a
    useful way of assessing a scanner’s ability to detect a baseline set of properly validated
    samples that a front-running product shouldn’t normally miss.
    Q: Why is there no WildList for Trojans?
    A: The idea has been discussed. The difficulties include:
    ■ Sheer volume of samples, arising from present-day patterns of distribution, raising
    resource difficulties in terms of validating a core test set.
    ■ The additional technical difficulties of defining and automating the detection of
    Trojans

    Regards,





  • 4.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 11:20 AM
    With all respect to Symantec, Giuseppe.Axia and Abhishek Pradhan:

    Please guys, don't think that I am against Symantec. I still love SEP more than others because of their support and the ease of using the product. And the SEP firewall is the best among its category competitors.

    I know that in this forum I am the person who has said the most about the poor detection rate, more than others, but there is a reason behind it. When a new threat attacks our network, I am the person who is attacked by our management for this. See the numbers below for how many times I have faced this kind of situation this year, and think about my situation: it is at least once a week.

    Tracking #10134101
    Date: December 19, 2008
    result: This file is detected as W32.SillyFDC.

    Tracking #10187268
    Date: January 2, 2009
    result: This file is detected as W32.SillyDC

    Tracking #10203391
    Date: January 8, 2009
    result: This file is detected as Downloader

    Tracking #10230181
    Date: January 15, 2009
    result: This file is detected as Trojan Horse

    Tracking #9402712
    Date: January 16, 2008
    result: This file is detected as W32.Gammima.AG

    Tracking #10233661
    Date: January 16, 2009
    result: This file is detected as W32.Harakit

    Tracking #10233973
    Date: January 17, 2009
    result: This file is detected as Trojan Horse

    Tracking #10268221
    Date: January 27, 2009
    result: This file is detected as Trojan Horse

    Tracking #10272184
    Date: January 28, 2009
    result: This file is detected as W32.Harakit

    Tracking #10272174
    Date: January 28, 2009
    result: This file is detected as Trojan Horse


    Tracking #10293503
    Date: February 9, 2009
    result: This file is detected as Downloader
    result: This file is detected as Trojan Horse


    Tracking #10302698
    Date: February 11, 2009
    result: This file is detected as W32.Imaut.E

    Tracking #10349095
    Date: February 18, 2009
    result: This file is detected as W32.Sality.AE.

    Tracking #10356498
    Date: February 23, 2009
    result: This file is detected as W32.Harakit

    Tracking #10392373
    Date: March 2, 2009
    result: This file is detected as Trojan.Mitglieder.C.

    Tracking #10423035
    Date: March 9, 2009
    result: This file is detected as Trojan Horse

    Tracking #10426248
    Date: March 10, 2009
    result: This file is detected as Trojan Horse.

    Tracking #10442868
    Date: March 14, 2009
    result: This file is detected as Trojan Horse

    Tracking #10442836
    Date: March 16, 2009
    result: This file is detected as Backdoor.Trojan

    Tracking #10533413
    Date: April 6, 2009
    result: This file is detected as Trojan Horse

    Tracking #10549425
    Date: April 11, 2009
    result: This file is detected as Downloader


    Tracking #10560117
    Date: April 13, 2009
    result: This file is detected as Trojan.Dropper


    Tracking #10775645
    Date: May 5, 2009
    result: This file is detected as W32.Harakit

    Tracking #10901609
    Date: May 12, 2009
    result: This file is detected as W32.Netsky@mm
    result: This file is detected as Backdoor.Trojan
    result: This file is detected as Trojan.Dropper.

    Tracking #11353641
    Date: June 11, 2009
    result: This file is detected as Trojan Horse

    Tracking #11263173
    Date: June 2, 2009
    result: This file is detected as Infostealer.Gampass


  • 5.  RE: how many people says SEP needs to improve detection rate
    Best Answer

    Posted Jul 05, 2009 11:23 AM
    I think people are getting angry in this forum when I talk about detection rate, so I will not post again on this topic (detection rate). This one is my last post on detection rate.


  • 6.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 11:34 AM
    @ Bijay: People don't get angry at you for posting. The reason you are seeing replies is that when you put up a number of repetitive posts, it's termed as SHOUTING, and not everyone will like to see 10 posts with the same content on the main forum page when they come on the forums, or see the same topic trending in diff. posts over and over.

    I'm still of the opinion that if you are getting threats on the systems and if the result is as shown in your post above, then SEP is detecting the threat. The issue lies in identifying from which computer / user these threats are coming on the network! I'll still say that you implement USB Blocking for all USB Drives, except USB HIDs; you'll see a drastic drop altogether in the number of infection counts and more. It'll result in you getting a clean IT environment, and you'll be able to work more efficiently instead of ending up doing the same thing over and over again.

    HTH and cheers.....hic :D


  • 7.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 11:39 AM
    Ohh, BTW, if your management attacks you, attack them back / fight them with SEP :D . The APP Device control will be enuff to stop them from bringing over threats from their home computers, and you can also use the Firewall of SEP to block unwanted sites and stop people from doing nasty things while at work.....

    HTH too..... :D


  • 8.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 11:40 AM
    Hi there

    We can't read this stuff. Please post in English, so that everyone can enjoy it.
    Thanks

    Cheers


  • 9.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 11:48 AM
    Were these systems patched up with the Windows security patches?
    Or did these threats take easy entry on these systems using one of the known vulnerabilities?
    If your management catches you for these viruses, then you need to educate them that patch management is as important as updating virus definitions on an antivirus.
    If something still sneaks in, Symantec Support is there 24/7 to help you resolve your virus issue or to control your outbreak, which you are already using.
    One more thing: for Support, you have to call them for quick resolution. Web cases are only for non-critical cases; you cannot expect someone to call you within 1-2 days. If you get a call then you are lucky.

    And whatever Abhishek wrote is actually true. Most of the time you sound like you are doing an advertisement for Kaspersky; e.g. in one post you stated "Kaspersky has 99.9% more detection rate than symantec." WTH
    So first make sure you are using the product in the right manner and your company is following some COBIT, HIPAA or ISO standard for security.
    And whatever you are posting should have some facts.



  • 10.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 11:49 AM
    We can't block USB as ALL of our employees use pen drives and most of the PCs are connected to USB Deskjet and Laserjet printers.


  • 11.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 12:01 PM
    So EDUCATE your management about the sheer idiocy of allowing any tom / dick / harry to use USB drives. Haven't you heard of Information Theft / Intellectual property theft / industrial espionage caused by USB drives, resulting in losses of crores of Rupees and Millions of Dollars ????? sheesh.....

    You can exclude the USB Deskjet and Laserjet printers in the App/Dev control policy, where you can block everything else.

    If you can bother to post so much about the detection rate, I believe you can definitely bother reading the Solution Guide and Admin Manual of SEP. You'll get a fair enuff idea of how to use application device control to block specific devices and allow others, hence resulting in a secure environment!




  • 12.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 12:02 PM
    We have implemented a WSUS server in our network which is under testing now, but I don't think patching Windows should be an excuse for Symantec.

    I am not advertising for any antivirus, and I have faced problems with Kaspersky, so I don't like it when it comes to troubleshooting.

    And Abhishek, can you tell me the process to block porn sites in our network through SEP?

    Any single rule which will block all porn sites?


  • 13.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 12:05 PM
    @ MichaelZ:

    It means the following:

    "How many times are you going to rake up this already discussed issue? Making multiple posts for the same is not going to help, and neither is constant complaining. Let's try to desist on this and move towards helping make SEP a better and more mature product."


  • 14.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 12:10 PM
    Boss, you're going to have to create a lot of rules to block every darn pr0n site out there. :D

    You can use keywords to filter the content and block certain websites. There is a Symantec KB and a forum thread already answered for the same. I don't have their links offhand, but I do believe you can follow the instructions there to resolve your query.

    Am signing off now, have to catch a flight at the darndest of times early tomorrow: 5 AM. See you folks later.

    Cheers.


  • 15.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 12:14 PM
    BTW, "patching Windows will help" is not an excuse that Symantec would give. Symantec software is there to protect your systems from known / newly detected threats. It's not going to help a lot if the threat spreads over Windows-based systems due to an inherent security flaw that exists, but that you as an administrator haven't gone ahead to fix.

    If the OS is vulnerable, even implementing 100 security products in the environment is not going to help. For example, tell me if you'd take an antibiotic for jaundice???? It'll most certainly help in killing you, not curing the infection / outbreak.

    Like they say, a healthy mind leads to a healthy body, so does a healthy and patched OS lead to a healthy and secure IT environment.

    It's a bit like Baskin Robbins: Something for everyone..... :D


  • 16.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 12:23 PM
     "but I don't think patching windows should be an excuse for symantec."


  • 17.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 01:06 PM
    Hi,

    I am not angry and I think Symantec needs customers' feedback, especially regarding such a delicate discussion.
    Because it is a delicate discussion, I think that whoever wants to contribute to this discussion has to know more about antimalware software comparison, and for this reason I wrote my previous post.

    I know you like SEP for its strong points. Thanks.

    From a technical point of view, I will not repeat what you already know from other posts. I know you are managing a very weak IT infrastructure. I hope you will receive further answers to your main concern to improve your satisfaction.

    Regards,


  • 18.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 05, 2009 01:08 PM
    I posted in the wrong position, sorry...


  • 19.  RE: how many people says SEP needs to improve detection rate

    Posted Jul 06, 2009 01:34 AM
    @Bijay.Swain: we need this kind of thinking also.
    This forum need not be one-sided.
    I am also a 100% Symantec fan, but it is also nice to see other discussions that would help us more...
    The good thing about Symantec: if we submit this, they will help ASAP.
    thanks




  • 20.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 08, 2009 04:40 AM
    @Bijaiy.swain

    I must say that your biggest problem is not viruses spreading, because you can delete/remove them with different methods.

    No, your main concern is that you have too many people in your organisation who are spreading the viruses.

    I could just go on like the rest of the guys in here and tell you that you need to have a safe environment concerning filtered web traffic (proxied), filtered e-mail server, disabled autorun for USB and a prompt to prescan any USB devices that you want to use. Do not let any guests connect to your internal network and so on.

    But your main concern is still the same. Your users! I know companies that have very poor network security and still manage to not have that many viruses spreading around. It comes down to corporate policies and education. You need to get the managers (at least the manager of IT) involved to help you create and follow strict IT policies. Education is also important. If someone spreads viruses in your environment, you need to educate this user to make sure he/she does not make the same mistake again.

    It sounds to me that with the amount of virus spreads you have in your organisation, your users do not give a damn about the damage they cause, right?


  • 21.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 08, 2009 04:40 PM
    I agree with Bijay: SEP's detection rate is unacceptable for a product of such magnitude and impact. I am not going to bore you with technicalities or statistics, but we are currently looking for a low-footprint, cloud-based, on-demand product to offset SEP's inability to detect and remove threats.
    Regardless of the rationale behind the low detection rate (reduction of false positives, etc.), Symantec needs to rethink its technique when it comes to proactively combating malware in the modern enterprise. I have more than a dozen tickets where machines had SEP with the latest definitions and are infected with something; the current solution for those systems is to scan them with A-squared, Hitman Pro and MalwareBytes. Again, the mitigating factors are irrelevant here to a degree (i.e. user control, education, prevention, etc.): the protection mechanism that we've put in place fails to do its only job -- detect viruses, and this is the end of story.
    I too like SEP's system management mechanisms (when they are working), along with other items, but it seems that Symantec forgot along the way that the product is ANTI-VIRUS first, and everything else second. I'd love to be proven otherwise with MR5 and future developments of SEP.

    Dimitri


  • 22.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 09, 2009 03:08 AM
     @Dimitri

    Symantec already has a lot of new technologies to spot and detect malware.

    Did you read this article?
    https://www-secure.symantec.com/connect/articles/so-what-krypton-anyway

    Do you have SEP installed with all features or only the Antivirus part? How you set up SEP (and configure it, of course) has the most impact on how you will handle and get affected by viruses (malware).

    The more loose and open you let your environment be, the easier you will get the malware "on board". You can blame SEP as much as you like, but did you do your job properly as an admin? (Dimitri, this is not an attack on you; I rather put it out in the air for all to reflect on.)

    I agree with the fact that SEP is unable to remove some of the malware that gets stuck on a computer, and for this you can use either a removal tool (like MalwareBytes) or manual removal. As for inability to detect malware, I have never seen this, so there you have to prove me wrong. I have never found a malware that Symantec did not detect; however, it may have infected the computer and SEP was unable to remove it, but that is not the same.

    But you know just as well as anybody that there is no software that will stop these malwares 100%, especially not the removal tools you describe.



  • 23.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 09, 2009 12:07 PM
    Maximilian,
    I did read the article and am excited about these things coming up; in my opinion these features can't come soon enough.
    Our SEP is configured for maximum security, as far as the anti-virus goes. We update DATs constantly and scan files on access and execution. We also have many other layers that protect users, SEP being the final frontier.
    I disagree with you about the detection rate of the tools I listed: both A-squared and G-Data have significantly higher detection rates than SEP and are able to detect/clean infections SEP leaves behind or allows in the first place. Hitman PRO is a simple multi-engined cloud scanner; I use it to confirm that infected files are indeed infected and not false positives. MalwareBytes has much better rootkit detection than SEP, too. I have screenshots and statistics to back it all up, too, but honestly, I wish I was making it up.
    The bottom line: SEP needs to have better detection, better heuristics and a behavior-based engine to combat modern malware. In its current state, I don't see it being effective as a virus scanner for a modern enterprise.

    Dimitri 


  • 24.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 09, 2009 12:13 PM
    I know this is a sore subject, but even with SEP, latest MS updates, and a web filter, I STILL get an occasional user who gets the Antivirus 2009 rogue AV.

    I'm beginning to think malware has beaten the AV industry.


  • 25.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 09, 2009 12:33 PM
    MaxStr - same here!
    The solution - flood your government officials with complaints, phone calls, letters, emails - increasing fines for anyone caught putting that stuff on their servers and fines for administrators allowing it to be put onto their servers.
    Jail time for the writers of such things.
    Isn't this an intrusion into your PRIVACY and PRIVATELY OWNED PROPERTY?
    Don't we have the rights to own, hold and enjoy property without fear of someone damaging or taking it away?
    Would you allow someone to come into your home, stain your carpet, mar your wood floors, kick the dog and then thumb their nose at you while you simply sat and watched?
    Isn't this an intrusion into private property and in some cases, the destruction of said property?

    AV companies, ALL of them, need to focus more on heuristics, and if there's any sort of install or files being placed on a computer outside of the normal web cache area when IE is being used, block it. Period. Unless the user checks a box from SEP stating that it's ok, I'm updating windows, etc.

    I'm serious, though - contact your government rep............. hound them.


  • 26.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 09, 2009 01:38 PM
    It's out of control, worldwide. 

    Part of the problem is that much of today's malware is written in countries that lack a well-funded computer crime police division. We can't expect the Nigerian government to spend serious resources on cracking down on cyber criminals, because they have more important things to worry about. Also, Russia and China have a large population of cyber criminals, but their governments are either apathetic, turn a blind eye, or secretly support it.

    As for wealthy countries, you have the problem of the government invading privacy, because they have the money and the power to extensively monitor civilians. But, do you really want the government monitoring EVERYTHING you do online, at home and at work? Obviously there is a fuzzy line between security and privacy. What's worse: A few machines at work getting infected, or a government agent demanding your admin passwords for remote access?

    And secondly, most people that use the internet are either untrained, or just ignorant of threats, or both. We, as IT professionals, have the responsibility to train our users. After all, we have to fix their messes :P




     


  • 27.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 09, 2009 02:38 PM
    Did you know that according to a European research group, most of the world's SPAM comes from the United States?
    True.

    Do you keep erecting fences until it's impossible to walk anyplace, or do you work to find a solution to the root of the problem to begin with? Crime.
    The solution isn't drugs after you get sick - the solution is removing the disease, like was done with several human illnesses.

    Regardless of what the rags (so-called newspapers and so-called "media") may say, no, our government is not looking on our computers and spying on us. That's an old wives' tale perpetuated out of fear, media that is clueless and can barely boot a computer let alone understand it, and people looking for juicy stories. Oh, there's stuff that does go on, but we're not as bad off as you make it appear, or at least we were not until the last few months - when the cash for clunkers program web site originally had a warning that stated that by connecting to that network you were giving the government full rights to your computer! LOL. That lasted a few hours until a certain media person got his hands on it and broadcast it!



  • 28.  RE: how many people says SEP needs to improve detection rate



  • 29.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 11, 2009 12:25 PM
    Thanks Max for the links...
    They really are very good materials...


  • 30.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 11, 2009 01:23 PM
    The outbreaks are due to insufficient security configs in your organization.  It's not SEP's fault, and if it's ONLY SEP that you use for enterprise security, you're doomed.

    Layers of defense.  Heard of it?  The WebGate device looks promising, as are services from WebSense and/or SonicWall.

    SEP alone isn't enough.


  • 31.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 14, 2009 09:00 AM

    It is the same as saying that you only need MalwareBytes or A-squared/G-Data as your only defense. Removal tools are for removal of viruses, not a security suite. SEP can do much more than this but is not the best tool for removal, and that is why those other tools even exist. I am sure SEP will also be better at removing the malware in the future, and by then the other removal tools will not be that important any more.



  • 32.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 14, 2009 02:19 PM
    may be able to have someone look at it there - post the idea URL back here and we can continue to discuss.


  • 33.  RE: how many people says SEP needs to improve detection rate

    Posted Sep 14, 2009 02:35 PM
    It's not Symantec AV, or Symantec Firewall... it's Symantec Endpoint Protection. It should have multiple layers itself, that's the whole point of this product. If this isn't multilayer protection, then Symantec needs to rename this to Symantec Protection Bundle or something, but it's not Endpoint Protection.

    Other vendors that create UTM (Unified Threat Management) solutions use multiple scanners, like two different AV scanners and two different malware scanners, sometimes three (like Astaro).

    Symantec needs to create/buy other scanning engines that can run side by side in the clients. If that creates a performance issue, then create/buy a UTM server instead and call THAT Endpoint Protection.

     


  • 34.  RE: how many people says SEP needs to improve detection rate

    Posted Oct 15, 2009 10:11 AM

    I don't think SEP can protect your infrastructure against stupidity...

    I assume you're managing a corporate network?
    Why do your users even have the idea that they can download and install anything on their work machines?
    Why do your users think they can make better decisions with regard to the deployed anti-virus solution?

    I looked after client infrastructure, and the infrastructure of the IT company that I worked for, before coming to Symantec.
    My clients, and our part of the corporate network, NEVER had outbreaks, and only ever saw a handful of infections, and always when the users did not follow corporate policy.

    Patch Everything.
    Enforce Security Best Practices.
    Configure your AV correctly.
    Monitor your Environment and Applications.

    Beat the living daylights out of anyone that steps out of line.
    My boss thought I was unreasonable... till Melissa took the rest of the corporate network down, as did Slammer, and I love you...
    and it was only when he was singled out at management exco meetings as having the ONLY part of the network functioning through each outbreak that he appreciated my efforts.
    After that he had my policies added to new employees contracts.

    You either manage IT or IT manages you.



  • 35.  RE: how many people says SEP needs to improve detection rate

    Posted Oct 15, 2009 03:23 PM
    Bringing back from the dead...

    Symantec does have layers of defense; it's called Multi-Tier Protection, or now Symantec Protection Suite Enterprise Edition.

    A webgate filtering device, brightmail for email filtering, email AV software, and then SEP with NAC capabilities.  About the only thing Symc hasn't gotten into, is the hardware firewall business...  
    Oh wait there was that old raptor that was cool but overpriced and lacked what SonicWall and Watchguard were doing at the time. ;-)

    Again, SEP alone is insufficient, and if you think it's all you need, again, you're doomed.  


  • 36.  RE: how many people says SEP needs to improve detection rate

    Posted Oct 15, 2009 03:35 PM
    Symantec has a hardware firewall with IPS/IDS, Antivirus, VPN, Content Filtering, etc., called Symantec Gateway Security or Symantec SGS 5100 etc.
    and it's doing good..
    http://www.symantec.com/press/2004/n040413.html


  • 37.  RE: how many people says SEP needs to improve detection rate

    Posted Oct 15, 2009 05:06 PM


  • 38.  RE: how many people says SEP needs to improve detection rate

    Posted Oct 15, 2009 05:27 PM
    Maybe by then they launch the 7000 series, as the 6000 series would be for enforcers.....who knows