Endpoint Protection


A New Virus SEP not Detecting

  • 1.  A New Virus SEP not Detecting

    Posted Apr 10, 2009 03:09 PM
    Today I found a new threat which SEP with the latest update is not detecting. The virus is creating an Administrator.exe file in Documents and Settings. The exact virus I had submitted a few days before, and Symantec released a new definition for it, but now I think an upgrade to the virus has been launched and SEP is unable to detect it.

    I have submitted the file to Symantec today; let's see when they release the definition.



  • 2.  RE: A New Virus SEP not Detecting

    Posted Apr 10, 2009 03:33 PM
    Hi Bijay,

    Thank you for submitting the information.  If/when you receive an update directly, please post back for the community.  If you see things with the threat getting more "interesting," and you'd like me to check in with the folks, let me know. 

    Best,

    Eric


  • 3.  RE: A New Virus SEP not Detecting

    Posted Apr 11, 2009 12:10 AM
    Hi All
             Quick response from Symantec, as they have now released the definition for the virus I submitted, and that too very fast.
    Below is the detail.
    This file is detected as Downloader. http://www.symantec.com/avcenter/venc/data/downloader.html

    Virus definition detail:

    Sequence Number Greater Than:    94089
    Defs Version:        110410al
    Extended Version:    04/10/2009 rev.38


    But unfortunately this definition version is not coming through LiveUpdate yet, so you have to manually download the Rapid Release and update the clients, which is not possible in a wider network like ours with more than 1500 clients.


  • 4.  RE: A New Virus SEP not Detecting

    Broadcom Employee
    Posted Apr 11, 2009 02:07 AM
    Hi, in that case why not update the system which is reported with the threat? Else update the SEPM with RR; in turn the clients will be updated with the latest RR definition.
    SEP has three definition releases a day, hence it may take, say, 8 hours (24 hrs / 3 definitions) to have the latest definition. Let the SEPM check for the updates every 6 hours.

    Pete!
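
    The posts above give a Rapid Release threshold ("Sequence Number Greater Than: 94089") and a fleet too large to patch by hand. The following is an added example, not code from the thread or from Symantec: it parses the "Virus definition detail" block as quoted above, compares it against a constructed client inventory (hypothetical computer names, groups and sequence numbers modelled on a SEPM computer-status export), and lists which clients, by group, still need the RR push. It reads "Greater Than" strictly, so a client sitting exactly at the threshold is treated as not yet carrying the signature; that reading is an assumption.

```python
"""Find SEP clients whose definitions predate a Rapid Release threshold.

Added example; the inventory below is constructed, not real SEPM data.
"""
import re
from typing import Dict, List

# The "Virus definition detail" block as quoted in the thread.
WRITEUP_DEF_DETAIL = """Virus definition detail:

Sequence Number Greater Than:    94089
Defs Version:        110410al
Extended Version:    04/10/2009 rev.38
"""

# Constructed inventory (hypothetical hosts); sequence numbers are chosen
# around the threshold to exercise the strict comparison.
CLIENT_INVENTORY: List[Dict[str, object]] = [
    {"computer": "WS-0101", "group": "Workstations", "def_sequence": 94102},
    {"computer": "WS-0102", "group": "Workstations", "def_sequence": 94089},
    {"computer": "WS-0103", "group": "Workstations", "def_sequence": 93950},
    {"computer": "SRV-FILE1", "group": "Servers", "def_sequence": 94150},
]

_SEQ_RE = re.compile(r"Sequence Number Greater Than:\s*(\d+)")


def required_sequence(def_detail: str) -> int:
    """Extract the sequence number a client must exceed to carry the signature."""
    m = _SEQ_RE.search(def_detail)
    if not m:
        raise ValueError("no 'Sequence Number Greater Than' line in definition detail")
    return int(m.group(1))


def stale_clients(inventory: List[Dict[str, object]], threshold: int) -> List[str]:
    """Clients at or below the threshold: 'Greater Than' is strict (assumption)."""
    return [str(c["computer"]) for c in inventory if int(c["def_sequence"]) <= threshold]


def stale_by_group(inventory: List[Dict[str, object]], threshold: int) -> Dict[str, List[str]]:
    """Group the stale clients so the RR push can be targeted per SEPM group."""
    stale = set(stale_clients(inventory, threshold))
    out: Dict[str, List[str]] = {}
    for c in inventory:
        if c["computer"] in stale:
            out.setdefault(str(c["group"]), []).append(str(c["computer"]))
    return out


if __name__ == "__main__":
    need = required_sequence(WRITEUP_DEF_DETAIL)
    for group, hosts in stale_by_group(CLIENT_INVENTORY, need).items():
        print(f"{group}: {len(hosts)} client(s) below sequence {need}: {', '.join(hosts)}")
```

    Feed the same function a real computer-status export and the output is the list of groups to push the Rapid Release to first; everything above the threshold can wait for the normal LiveUpdate cycle.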


  • 5.  RE: A New Virus SEP not Detecting

    Posted Apr 11, 2009 05:47 AM
    Hi Pete,

    Why every time do we have to submit samples, and why do the other small products detect a virus and our product doesn't?

    I know every time a new variant will come, but third-party AV will detect it rather than Symantec.




  • 6.  RE: A New Virus SEP not Detecting

    Posted Apr 12, 2009 11:54 PM
    You are right Mansoor.

                                      I have seen so many times this happens, when other AV products detect the virus but not Symantec. From January 2009 to now I have submitted at least 15 viruses which Symantec didn't detect but others did (I don't want to mention the AV name, but that one is too good in detection in comparison to Symantec).

    Symantec should focus on detecting the new threats rather than adding new features for system management, as we are buying antivirus for detecting viruses, not system management.


  • 7.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 12:38 AM
    SAV/SEP is bread and butter for Symantec.

    Hence if Symantec is not able to add signatures to their definitions before other vendors, then there is no use in buying Symantec.

    I used to send samples to other vendors too, and the good thing is they already have signatures for such threats/variants.

    Rgrds,
    SAM



  • 8.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 09:19 AM
    Hey
           Today I found a new virus again and have submitted the threat. Let's see when they release the definition.

    Within two days this is the second one I got.


  • 9.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 09:31 AM
    With the threat landscape reaching new peaks, it's not just Symantec who are battling against the writers. We know that well, as we have always had a mixed environment. There is nothing much that can be done other than submitting the file to the vendor. It is possible that one vendor may have the samples before the other, thus the difference in the detection time. Also, one thing that we have noted, which I am sure everyone has, is that Symantec has very few false positives, which is very positive and saves us a lot of work.



  • 10.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 09:33 AM

    Friday a manager here got a virus alert from SEP - unfortunately, the horse was already out when SEP closed the door - the beast was active, red circle with X in the middle, pop-ups all over the place, a VERY active desktop. SEP said it was infected, yes, but why did it not PREVENT it?
    I'm still, right now, running scans and doing a lot of manual work - as fast as it was infected, the infection seems to have "disappeared" - with NO changes made by me.
    SEP was alerting every 60 minutes exactly on this infection, all weekend, then suddenly Sunday it stopped sending hourly alerts. It saw this HTML file as the bug, but the HTML file could not have caused a tray icon and all those popups; there have to be other files involved that SEP didn't see.
    All I could find was the HTML file to send in as a sample (I hate this constantly having to manually send in samples because the automation won't work), and it reported back as a known bug - if it was known, why was it allowed to be created on the computer, then allowed to run?
    The computer today is showing up clean, but I can't believe it since nothing was cleaned off!
    Even Trojan Remover said the computer was clean - but how can that be???? There were popups everywhere. There were hourly alerts, then it just stopped.......... and nothing was deleted. The computer was not rebooted.

    MY point is - I run into this every week now, sometimes more than once a week. In each case I get a "yeah, we know about it" and I just want to respond - "if you know about it, then why did you let it in?"

    I'm SO stressed and overworked here now, I don't need weekly infection cleaning added to my plate. That's what SEP is supposed to do, or prevent.  I've never in my life seen so many bugs get in, all since moving FROM SAV TO SEP. 
    Coincidence? Is it just that at the time we switched all these new threats emerged? Or was SAV really better at PREVENTION?

    I'd love nothing more than an engineer coming to visit us and looking at the install, and seeing just what I'm seeing - the slow console, the virus misses each week, other strange things.



  • 11.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 09:41 AM
    Sandeep and Bijay - can someone explain why a month-old copy of Trojan Remover finds these bugs when SEP does not, and SEP lets the infection in?
    I can take and run TR from my flash drive, do an install, and it finds the bug.
    And these are not new-technology bugs - the DETAILS may change, but the means of infection, the installing as browser helpers, other means of infection, same old story. Why does SEP not block new browser helper installs? Or at least prompt an alert - a "do you REALLY want this installed??" sort of alert?
    Instead, SEP sits back and lets every single variant of the phony AV apps install. Again, perhaps the file DETAILS change, but the MEANS do not. Where's the HEURISTICS?? Get off the bloody fingerprints or profiles, use HEURISTICS!
    I'll deal with a false alert or two; that's nothing compared to the mess I face every week, and management breathing down my neck asking "how can this happen - we pay tens of thousands to prevent this".
    With false alerts, it's a piece of cake to EXCLUDE the file it's alerting on. It's not a piece of cake to perform cleanup or REIMAGE a computer that's been messed up!
    Give me a false alert even once a month - I'll deal with it, exclusions are SIMPLE, but a weekly infection I can't deal with, I just simply cannot.


  • 12.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 11:55 AM


  • 13.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 12:23 PM
    Definitely not a coincidence. There is no difference between the scan engine of SEP and SAV other than the extra features, which cannot make it work like what's happening in your environment.


    We have a mixed environment of SAV, SEP and Trend ServerProtect depending on the architecture and configuration. Not every vendor is able to completely clean every threat the first time.

    More important is to know where the threat came in from. If the users keep visiting the websites they are not supposed to, it makes the AV's job tougher. It's more of a corporate AV and tuned that way. If you think that the employees are more like end users, then go for the consumer Norton, which keeps track of every user activity and is thus more resource hogging.

    By the way, Symantec has a tool by the name Norton Security Scanner (NSS) which is a couple of MB to download and works the consumer way. It uses the same definitions as used by SEP. It's kept up there at their FTP. It goes deep in and finds out the suspicious files and entries that might be missed by SEP.

    Anyway, I think it's time for Eric, Paul or someone else from Symantec to get in this thread again.


  • 14.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 02:39 PM

    It's no longer a matter of web sites that they are not supposed to visit.
    How about:
    www.expertvocational.com for example - witness.shtml

    That is a valid voc rehab site, legit, normally clean.
    Something happened......... users were getting there and getting infections placed on their computers.
    www.kcci.com - a television news site had a phony AV app on it (until I contacted the general manager and raised heck).

    This isn't a matter of tough - this is a matter of looking at sites that explain how these threats work, and finding that Symantec is a vendor not listed as able to catch them, while other vendors ARE listed.

    IMO, there should be NO difference between protection for home as opposed to business as far as viruses are concerned. The same threats home users see, business users see. A business, state or federal agency, military branch, or home user is typically exposed to the exact same risks.
    Businesses, especially those like this agency, rely HEAVILY on the Internet for research! In fact, I suspect in their JOBS our users hit more web sites than an average home user in a day, and that's just their JOB-related searches and hits.
    Granted, they aren't searching porn sites like the typical American is late at night at home, but it doesn't take adult sites to infect with some NASTY stuff -
    One counselor was looking up information on the state of Kentucky for a client - using GOOGLE - and got his machine infected royally. Was that a different use of the computer than a home user? It WAS job related....... SEP alerted AFTER the infection.

    When I say we migrated from SAV, I mean SAV the CORPORATE edition, 10.x.xxxx.  It's not a consumer or home use program - SAV was touted as the corporate and enterprise solution since about 1999 or so. And these threats are not new - and these infections are not the first time. Some are the 2nd and third time we've seen them. And it's not a matter that SEP always ignores them - it does trigger - but at times, after the infection.  So there's a disconnect between "detection" and "prevention". I prefer prevention.............. I don't have time for all this manual cleanup.
    Them's my opinions and thoughts on the issue! ;-)

     



  • 15.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 03:02 PM

    I agree with you - I am so very disappointed with Symantec as of late.  Time and time again Symantec has allowed infections into computers, only to let me know after the fact that it's been infected.  Usually results in a manual cleaning or a complete system reimage.  Not how I like to spend my days or my customers money.  I have 14 clients and all of them are using Symantec AV, so I guess it's time to look for something different!






  • 16.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 04:48 PM
    Shadwospapa
    I feel for you; unfortunately I am experiencing similar activity as yourself, although not on the scale you appear to be.

    One of my greater frustrations is receiving a report from the SEP server that indicates a risk was found and SEP has decided to do nothing about it!

    For example:

    Message from:
    Server name: ************
    Server IP: 192.***.***.***
    At least one security risk found:
    Risk name: Trojan.KillAV
    Event time: 2009-04-07 07:59:28 GMT
    Database insert time: 2009-04-07 08:04:29 GMT
    User: SYSTEM
    Computer: ************
    IP Address: 192.***.***.***
    Domain: ************
    Server: ************
    Client Group: ************ Action taken on risk: Left alone

    Nowhere in my configuration have I instructed SEP to leave anything alone; on the contrary, my first option is to delete, and if that is not possible, to quarantine.

    ALSO: If anyone can tell me how I configure SEP to report the filename that caused the alert, please let me know. With SAV v10 it was (fairly) easy to customize alerts; if that is the case with this, it escapes me. But things often do!



  • 17.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 05:11 PM
    Tech2Tech,

    The "New Risk Found" notification will email a *.MHT attachment that specifies the filename and path of the infected file.  I've had this action of "left alone" happen to me as well (my policies are like yours: first delete and then quarantine).  I cannot explain why it leaves it alone.  Rebooting the client and kicking off a manual scan eradicated the virus for me.  Not the best solution, but a working one.

    The last time the "left alone" action happened for me was 9/18/08, so I'm guessing MR3 or MR4 fixed this.  What version is your client on?


  • 18.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 05:41 PM
    Left Alone is quite simple to explain, and I've always considered it a bad description of what we actually do...

    For some reason, we have been unable to take your requested action (Primary or Secondary) on this file: perhaps it's in use, perhaps something else is protecting it, perhaps you haven't allowed us to kill processes and services; there are many reasons.

    The key, though, is that Left Alone means "prevent the application or process from executing on the machine, BUT leave it on the machine as we can't (for some reason) remove it."  SEP has not let the threat through; we HAVE prevented it from infecting your machine, but we need a little help to clean it up.  As others have pointed out, a scan after a reboot (to release the hold) will normally work fine - sometimes even AP will pick it up and get rid of it properly after a reboot.  The key point here, though, is we do not simply leave the file alone to wreak havoc on your machine - every time the file is executed we will prevent it from doing what it wants to do.

    You should always bear in mind, if SEP tells you something, it's protected you.  No matter what the notification is, you are protected.

    On the fake AV apps, is everyone here running IPS on their machines?   We do have heuristics and behavioural analysis in SEP, in multiple formats, and it's pretty good.. it does have its downsides, though, and we are working on those at the moment.  I'd be interested to see the VirusTotal report for some of these new threats - that's always interesting to see from an independent third party, who does and doesn't pick things up :-)
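
    Tech2Tech's notification above and the explanation of "Left alone" together describe a concrete triage rule: an event whose action is "Left alone" is blocked but not removed, so that host needs a reboot and a manual scan. The following is an added example, not code from the thread or from Symantec: it parses SEP e-mail notifications in the format quoted above (hostnames, IPs and the second event are constructed), and returns the follow-up queue. It also handles the quirk visible in the quoted message, where "Client Group" and "Action taken on risk" land on the same line, which a naive line-by-line key:value split would silently lose.

```python
"""Parse SEP 'security risk found' notifications and queue 'Left alone' hosts.

Added example; the notifications below are constructed, modelled on the
format quoted in this thread.
"""
import re
from typing import Dict, List

SAMPLE_NOTIFICATIONS = [
    # Modelled on the quoted notification; note the last line carries two fields.
    """Message from:
Server name: SEPM01
Server IP: 192.0.2.10
At least one security risk found:
Risk name: Trojan.KillAV
Event time: 2009-04-07 07:59:28 GMT
Database insert time: 2009-04-07 08:04:29 GMT
User: SYSTEM
Computer: WS-0417
IP Address: 192.0.2.117
Domain: CORP
Server: SEPM01
Client Group: Workstations Action taken on risk: Left alone""",
    # Constructed second event where the primary action succeeded.
    """Message from:
Server name: SEPM01
Server IP: 192.0.2.10
At least one security risk found:
Risk name: Downloader
Event time: 2009-04-10 15:02:11 GMT
Database insert time: 2009-04-10 15:05:40 GMT
User: jdoe
Computer: WS-0221
IP Address: 192.0.2.21
Domain: CORP
Server: SEPM01
Client Group: Workstations Action taken on risk: Quarantined""",
]

# Field names as they appear in the notification. Longer names are listed
# before their prefixes ("Server name" before "Server") so the ordered
# alternation below never matches the short key inside the long one.
KNOWN_KEYS = [
    "Server name", "Server IP", "Risk name", "Event time",
    "Database insert time", "User", "Computer", "IP Address", "Domain",
    "Server", "Client Group", "Action taken on risk",
]
_KEY_RE = re.compile("(" + "|".join(re.escape(k) for k in KNOWN_KEYS) + "):")


def parse_notification(text: str) -> Dict[str, str]:
    """Split on known keys anywhere in the text, not on line boundaries.

    A value runs from its key to the next known key, so two fields on one
    line are separated correctly. Values are single-line, so only the first
    line of each span is kept; this drops the "At least one security risk
    found:" banner that sits between "Server IP" and "Risk name".
    """
    fields: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(text))
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        lines = text[start:end].strip().splitlines()
        fields[m.group(1)] = lines[0].strip() if lines else ""
    return fields


def needs_followup(fields: Dict[str, str]) -> bool:
    """'Left alone' = execution blocked but file still present: reboot + scan."""
    return fields.get("Action taken on risk", "").strip().lower() == "left alone"


def followup_queue(notifications: List[str]) -> List[Dict[str, str]]:
    """Hosts that need a manual cleanup pass, with the detail to put in the ticket."""
    queue = []
    for n in notifications:
        f = parse_notification(n)
        if needs_followup(f):
            queue.append({"computer": f["Computer"], "risk": f["Risk name"],
                          "event_time": f["Event time"], "group": f["Client Group"]})
    return queue


if __name__ == "__main__":
    for item in followup_queue(SAMPLE_NOTIFICATIONS):
        print(f"{item['computer']} ({item['group']}): {item['risk']} left alone at "
              f"{item['event_time']} - schedule reboot and full scan")
```

    Point the parser at the body of each "New Risk Found" mail and the queue is the list of machines where SEP blocked execution but could not remove the file; the .MHT attachment mentioned above still carries the path of the offending file.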



  • 19.  RE: A New Virus SEP not Detecting

    Posted Apr 13, 2009 07:39 PM
    Paul, in our case we run every single piece:  IPS, firewall, AV, every module. I even have "Bloodhound" set to the max and not the default medium.
    Also, in our most recent cases, SEP let it actually install and run.
    It was running, not just found; it was running, pop-ups and the red circle in the task bar. SEP did give an alert, but the thing was already running on the computer. So no, it was not technically protected.
    It mysteriously stopped running and all traces of it disappeared about 6pm Sunday evening.
    I have at least 3 cases I can document: two where SEP triggered an alert but it was installed, 1 where SEP didn't even alert and the beast installed. All the phony AV app.

    Sure, I understand about "left alone"; that has not changed since what, NAV 2.0?
    Sometimes it can't remove or move or quarantine if the file is in use or locked or protected by one of those multi-part buggers. They run several "modules" and protect themselves - one part watches and protects the other part and keeps it installed.


  • 20.  RE: A New Virus SEP not Detecting

    Posted Apr 14, 2009 03:05 AM

    The file I have submitted has come up as Trojan.Dropper.
    See the documentation:

    http://www.symantec.com/avcenter/venc/data/trojan.dropper.html

    To clean it, the below is needed.

    Virus definition detail:

    Sequence Number Greater Than:    94199
    Defs Version:        110413al
    Extended Version:    04/13/2009 rev.38


    Why so many times is Symantec not detecting viruses?

     



  • 21.  RE: A New Virus SEP not Detecting

    Posted Apr 14, 2009 09:18 AM

    Paul
    Thanks so much for the explanation. I had thought (and hoped) that the action was as you explained, but was concerned in case it was not.

    Keith


    Left Alone is quite simple to explain, and I've always considered it a bad description of what we actually do...

    For some reason, we have been unable to take your requested action (Primary or Secondary) on this file: perhaps it's in use, perhaps something else is protecting it, perhaps you haven't allowed us to kill processes and services; there are many reasons.

    The key, though, is that Left Alone means "prevent the application or process from executing on the machine, BUT leave it on the machine as we can't (for some reason) remove it."  SEP has not let the threat through; we HAVE prevented it from infecting your machine, but we need a little help to clean it up.  As others have pointed out, a scan after a reboot (to release the hold) will normally work fine - sometimes even AP will pick it up and get rid of it properly after a reboot.  The key point here, though, is we do not simply leave the file alone to wreak havoc on your machine - every time the file is executed we will prevent it from doing what it wants to do.

    You should always bear in mind, if SEP tells you something, it's protected you.  No matter what the notification is, you are protected.

    On the fake AV apps, is everyone here running IPS on their machines?   We do have heuristics and behavioural analysis in SEP, in multiple formats, and it's pretty good.. it does have its downsides, though, and we are working on those at the moment.  I'd be interested to see the VirusTotal report for some of these new threats - that's always interesting to see from an independent third party, who does and doesn't pick things up :-)

    Paul Murgatroyd
    Principal Regional Product Manager, Enterprise Security Group, Symantec