Need Old JDB file to clean Trojan.Win32.VB.gtw
Updated: 21 May 2010 | 22 comments
This issue has been solved. See solution.
Good Day all.
I need an old jdb file to put in the SEP Manager because I've been hit by this (Trojan.Win32.VB.gtw) and current AV definitions cannot clean it. SEP says nothing is wrong with the PCs even though I have a bunch of them infected by it. Kaspersky could clean it and information I've found dates from early 2009 and December 2008.
Is there an archive ftp I can log on to and get this jdb file?
Thanks.
Comments
Yes
Here is the link; download whatever you want:
ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/jdb/
How to update definitions for Symantec Endpoint Protection Manager using a JDB file
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100820002048
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Thanks but those are current
Thanks, but those are current. I need a file from January 2009 or December 2008.
Nigel what ever you are
Nigel, whatever you are trying to do will not resolve your issue. The dates you are talking about you must have seen in Symantec's write-up about Trojan.Win32.VB.gtw.
Whatever infection you have right now would be a new variant (type) of the same virus.
So to resolve this issue you need to test it with either the latest Rapid Release definitions or, if it is not detected by those, submit the suspected virus files to https://submit.symantec.com
New definitions contain old definitions as well.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Dates on writeups can be misleading as well
Just as an FYI, the dates we display on the write-ups can be a little misleading.
For example, Trojan.Win32.VB.gtw actually seems to be W32.Spybot (the other name is from a competitor). If we look at the writeup for this threat:
http://www.symantec.com/security_response/writeup....
it would appear that we found this in 2003 and haven't updated since 2007. I can tell you with 100% certainty that we *have* updated the definitions for Spybot since 2007. I'd be surprised, actually, if there was a single day that we *haven't* updated the Spybot definition.
As Vikram indicated, current defs contain old defs. The only time we remove definitions is if they generate false positive alerts, and even then it's only long enough to refine the signature so that the false positives stop, then the signature is back in the defs.
If you have current definitions and a file suspected of being infected isn't being detected, submit the file(s) via the online scanner (as it appears you have).
So I've sent the file to
So I've sent the file to Symantec for review...
Now am I going to get a new signature by email or a new JDB to put in my SEP Server? How does this process work?
Thanks a lot.
Once you submit the file you
Once you submit the file you receive a Tracking Number.
Title: 'The Symantec Security Response sample submission process'
Document ID: 199822105339
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/199822105339?Open&seg=ent
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
You'll get an email from
You'll get an email from Symantec about the RapidRelease definitions. On the same link you will see the JDB as well.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
OK I sent a sample last
OK I sent a sample last Friday (password protected zip file and of course I sent them the password) and today received the following note: Developer Notes: FILENAME.zip is a non extractable container file of type ZIP... So this means they could not open the zip file? :(
I sent them another sample, this time unzipped. Man 3 days gone by already and still no signature for the SEP Server.
Thanks a lot.
Could you please paste the
Could you please paste the Tracking ID ?
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Sure, Thanks. Tracking
Sure, Thanks.
Tracking #13623735 This is the one with the Developer notes: USBvirus.zip is a non extractable container file of type ZIP
Tracking #13671360 This is the one I sent Yesterday with only the system.exe file
Good Day Prachand. Do you
Good Day Prachand.
Do you have an update on these Tracking IDs?
Thanks a lot.
Both were submitted to the wrong queue
Nigelg, both of these submissions went to our retail queue. You need to submit them (with your contact ID number) to the proper processing queue based on your support contract (basic, extended, etc) so we can process them. As of right now, they are fairly close to the bottom of the list for processing.
If you have any questions, please contact support so we can help you get the files submitted to the correct queue.
[CLOSING]: Symantec Security
[CLOSING]: Symantec Security Response Automation: Tracking #13671360
Hi, I got this yesterday from Symantec. So what does this "stored" mean? Will it be left there for days and then rescanned again? I just want to remind you guys that this virus IS STILL ON MY NETWORK INFECTING MACHINES and the machine-by-machine cleaning process with the Kaspersky tool is slow since I have to load the tool on every infected machine. HOW CAN I SPEED UP THIS SUBMITTING PROCESS IN ORDER TO GET THE SIGNATURE?
Thanks a lot.
Notes: Customer notes: Good Day. I have SEP MR3 installed and it cannot clean it The file contains Trojan.Win32.VB.gtw identified by Kaspersky Virus Removal Tool 7.0.0.290 Can you help me out Send it 3 days ago and still no signature to clean it. Thanks.
Developer notes: system.exe Our automation was unable to identify any malicious content in this submission. The file will be stored for further human analysis.
Latest version of SEP is
Latest version of SEP is available
You can download it from https://fileconnect.symantec.com/; give the SL NUM and download the RU version. It has a lot of enhancements...
and
open a case with Symantec and give the tracking ID to them. Then the process may speed up...
Regards,
Srinivas H.P.
HCL Infosystems Ltd
About the MR5, some PCs have
About the MR5, some PCs have MR5 already (BloodHound set to MAX and TruScan Sensitivity at 50). That is one of the first things I tried to "kill it", but nothing happened; the SEP Client says everything is OK :(
... but Kaspersky and Threat Expert say the opposite!!!
Threat Expert: http://www.threatexpert.com/report.aspx?md5=e9c3e8...
Thanks for the reply
Please contact support
Nigelg, because you submitted the files from the retail "queue" (that is, you didn't include a contact ID), your submissions are very, very low on the priority list.
As it is, we are currently being bombarded by numerous submissions. We're working on getting them all handled as quickly as possible, but as your submission is a retail submission, it may be quite a while before we're able to reverse engineer it.
Please contact support. Once your support contract has been verified you can work with one of our engineers who can, in turn, work to get your submissions switched up in priority to match your entitlement level and thus get processed faster.
We try to be as proactive as we can about detecting new threats that we don't have definitions for, but there's only so much that can be done. We really need you to contact support so we can get the samples investigated and definitions written for them if they turn out to be viral.
As for our competitors detecting it while we don't, it could be, as I indicated earlier, simply that they had samples and definitions written before we did. It is also possible, however, that we do not detect the file as infected because it isn't. Let me give you an example.
Let's say that VirusX infects your computer. This virus changes your desktop to a picture of an airplane, then scans your network and spreads to any open share.
In this case, unless the picture itself contains virus code, Symantec will not detect it as viral. Why? Because it is not infected, and doesn't contain code that can be used to propagate the virus. We will scan it, of course, but since it is not infected, we don't remove it. Some of our competitors do... they'd indicate that the file is infected (since it may have come as part of the virus) and remove it. However, we don't.
While I don't believe that's the case with your submissions, that's something to be aware of.
Additionally, while sites like virustotal may be useful to help identify suspicious files, again, the other scanners may be detecting a file that we decided isn't actually infected. Finally, we have no control over what sites like virustotal use to scan with... looking at their information, they're using our consumer scanner, but there is no way for us (Symantec) to ensure that they're using a current definition set, the current version of the program, current scanning engines, etc... and the same can be said of the other scanners.
Please contact support so we can get these files submitted to the proper queue and ensure that an engineer looks at these files.
OK I just got an email from
OK, I just got an email from Symantec; they finally caught the bug and sent me a link to download the rapid release definitions.
Do I have to download these on the SEP Server so it will distribute them to All the clients?
Thanks.
Before updating the server
Before updating the server, download the exe file and update one infected client...
If the virus is cleared without any problem, then you can update the server with the jdb file...
Regards,
Srinivas H.P.
HCL Infosystems Ltd
I already used the file
I already used the file marked in purple on a PC and it cleaned the System.exe virus, great!
So now I have to use the JDB file in the SEP Server? Thanks a lot.
It's good to hear that problem
It's good to hear that the problem is solved. Use the jdb file and copy it into program Files\symantec\symantec Endpoint Protection Manager\data\inbox\content\incoming
Have a great day...
Regards,
Srinivas H.P.
HCL Infosystems Ltd