
New York Times malware detection failure

Created: 01 Feb 2013 | 7 comments

Is anyone concerned about the report from NY Times regarding Symantec product? According to Antone Gonsalves, at, "Over the course of the attacks on The Times, the intruders installed 45 pieces of custom malware. With the exception of one instance, Symantec antivirus software being used detected none of the malware."

Now, we all know the limitations of signature-based protection on the Endpoint. Still, this is disturbing.

I wonder what Symantec's data indicates. SEP is supposed not only to rely on signature-based protection technology, but, through Insight and SONAR, there is also supposed to be some capability of sniffing out certain behaviors and reputation-based results. Does Symantec have confirmation of whether NYT had these features enabled or not?

According to Silicon Valley Business Journal, Symantec's response is a kind of "duh, you have to have more than basic antivirus protection turned on" (my paraphrase).

Seems a bit strange that, at the time the hackers were detected, someone at NYT made a decision to "follow" the hackers rather than shut them down, and that during this time they discovered that Symantec Endpoint Protection wasn't detecting the malware. The NYT techs didn't install additional antivirus or anti-malware to see if it could do a better job. I mean, if I'm the technician whose job is to come in every day and see what the hackers have been up to in the last 12 hours, I'm going to be curious whether one antivirus program works where another fails. This would be useful, rather than simply stating that Symantec software failed to detect.

The failure to do adequate testing in this real-world environment doesn't address the question of whether the failure was due to the inadequacy of Symantec's specific product, or a failure of signature-based protection software in general.

Presumably the purpose of letting the hackers roam their network for a time must have been to (1) see what the hackers wanted and how they operated and (2) learn how to block them with a good security posture going forward. Simply stating Symantec's failure to detect does not reveal anything useful on the second aspect.

7 Comments

ᗺrian

The article fails to say which components were in use (they will never say). If only AV, yeah, well, dead in the water just like they were. But you can't draw any conclusions until you know the full details of the configuration, which we will never get. I doubt Insight would've gotten it though. Nothing was actually downloaded. This goes beyond IPS signatures and Insight and firewall configs. They're that good. Everything is low and slow.

I think the thing you have to understand when it comes to APTs, and specifically China, is that they run circles around everyone when it comes to hacking. Let's assume that they didn't disable SAV/SEP (the article doesn't specify which one was in use); they built custom scripts, which of course are going to go undetected. Sites like VirusTotal, for instance, make it very easy for hackers to quickly check a signature against 43 AV vendors. If one is found to be malicious, they simply change the code and re-submit. I can show you how to easily evade AV detection using Metasploit. It's quite comical actually.

AV still relies heavily on the traditional signatures. Those days are gone; hackers dance around this quite easily (the good ones, anyway). Not to mention this type of activity is all funded by their government (or a similar organisation) with unlimited resources.

APTs are the new breed and there is hardly one line of defense for them. They are very difficult to detect as it is, but even more so when no one is checking logs.

Some good articles here:

Nothing about this attack surprises me and neither will any others moving forward.

Vikram Kumar-SAV to SEP

Symantec keeps tabs on the changing threat landscape and incorporates relevant security into its products. Same is the story with SAV to SEP to now SEP 12.

When we had SAV in the market, what our customers needed was just an antivirus to protect their systems; antivirus was looked at more as an availability facilitator than a core security product, till the early 2000s.

Even though we had SCS (firewall and IPS), only select people used the other features.

Starting from 2006-2007 there was a sharp rise in malware being created and vulnerabilities being exploited. Slowly the trend changed and it all came down to money-making malware.

FakeAntivirus, Downadup, various blackmailing Trojans: the audience was not high profile, and SEP 11 detects and blocks them very well and does whatever it can. Slowly people started using IPS, ADC, and found much more can be done with SEP, and they are doing it.

However, in the last few years there have been targeted attacks on specific types of institutions, a specific country or region, or sometimes a specific company. These are more Advanced Persistent Threats (APTs), which SEP with all features enabled and configured properly is capable of dealing with, but SEP 12 is the correct product to deal with the threats of today.

Signature-based antivirus will be here for long, and it might even detect APT threats, but it is not what you can rely on today with the way so many malware samples are created each day (not even written now; they are all tool-based).

Heuristics and Insight are the present and future of endpoint security, not to forget how handy Application and Device Control is.

When we recommend an upgrade it's not for our good but for the customer's.

The Gartner report validates how good SEP 12.1 is; it has been on top since its release. So I strongly recommend you upgrade to SEP 12.1, follow the security best practices and, most importantly, use as many features of SEP as you can.

It is very important to balance between security and performance, but when you are leaning towards performance make sure the risk is transferred. Simply accepting the risk can lead to disasters.

Or else it's really not safe out there in the wild :-)

To add to it, SEP will only add security to your network. Your company's security is not SEP; you need other layers of security as well. It doesn't have to be Symantec, but here are a few options:

Altiris - OS and application (Java, Adobe, etc.) patches

CCS - Open shares, compliance checks, VA scans

SCSP - Server hardening and security (security from any kind of exploit, even without patches)

PGP WDE - Hard disk encryption

SBG and SMS - Email security

Symantec Web Gateway - For detecting malware and suspicious content entering your network

Network IPS/IDS - Very critical for any type of company

DLP - We all know what DLP does: it prevents data leakage, as we know how important it is to keep tabs on the company's confidential data. But more than that, it brings a behavioral change in employees. The sense that someone is looking at them means employees know, understand and adhere to the company's policy.

SSIM - To handle your SOC, manage and alert on critical security incidents and help in remediating them. It's difficult to review security logs from all devices and correlate them, but SSIM can do just that.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search; use it.

cus000

Hard to say, unless we know the whole story...

Always funny that the first to be blamed is AV ;D

Mick2009

Followers of this thread will be very interested in this new blog post from Security Response.

With thanks and best regards,