Poor Detection with SEP, Revisited
Today I had a chance to get my hands on an actual rootkit that infected one of our honeypots. I was excited to test SEP against it on a controlled VM and to compare results to SAV that we're currently running.
First, I ran LiveUpdate and made sure SEP was up to date. I then manually scanned the infected exe; SEP reported the file to be clean. I then EXECUTED it; again, SEP scanned it and reported NOTHING as the trojan installed itself. This is with SEP's TruScan set to maximum and scanning ALL processes as they load. Get the popcorn, it only gets better.
I went on to virustotal.com and uploaded the EXE for analysis against multiple engines. Almost everyone picked it up, including their "Symantec" engine that identified the file as "Downloader.Trojan". Hmm, really weird.. So I figured, maybe the SEP and SAV engines are different, and scanned the file on a SAV machine, also making sure LiveUpdate had just run. Again, NOTHING.
At this point, I submitted the file to Symantec Response, and in a few hours got an email back saying that the file was already being identified as "Downloader.Trojan" and that new DATs would be available in 24 hours. If you go to:
http://www.symantec.com/security_response/writeup....
and check for Rapid and Certified Response releases, you will see that the latest ones are from today; these were created from my submission.
Now, the million dollar question: why would virustotal.com's Symantec engine pick this up just fine, even a new variant of a trojan that's been out since 2002, but the SEP (and SAV) engines required manual submission and a consecutive DAT download? I have yet to verify that the new DATs will catch it, but I'm hopeful they will.
Secondly, this is a really simple trojan and rootkit: it modifies Windows in the simplest ways and downloads all kinds of bad things from the Internet. Its behavior is as vanilla and descriptive of a rootkit as it can be; yet SEP's advanced malware/trojan/rootkit protection never picked up ANYTHING, let alone caught the initial file. I thought the entire idea of Proactive Threat Protection and the Bloodhound engine is to catch things like this.
Thirdly, I re-read Paul's explanation about SEP's poor detection in a thread a few weeks ago, where he explained that Symantec's focus is not on detection per se, but on preventing false positives. For the record, I will take a false positive ANY DAY over a full-blown infection on a corporate network with tens of thousands of machines. Everyone I talked to in the field is saying the same: if false positive prevention stopped SEP from detecting this or a similar threat, then SEP's ability to detect viruses and malware is close to non-existent and it is completely useless as an anti-virus product.
I'm not sure why a company would pick a stance like Paul described; but I would prefer to have a product that does what it's supposed to: catch viruses, malware and other bad things. So far I can't see SEP being able to do this adequately.
Please, feel free to respond with your experiences and points of view. I am curious to see if we are somewhat alone in this struggle.
Dimitri
P.S. I have an example of the kernel, Wireshark captures and other necessary information to back up my findings. If Symantec support requires a copy of any of the above for further analysis, please contact me off the list. We are running the latest, greatest MP2 with all the latest DATs.
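The cross-check the post describes (local product says clean, a multi-engine scan says otherwise) is worth making repeatable. The script below is an added example, not code from the post or from Symantec: it hashes a sample so it can be referenced without redistributing the binary, tallies a VirusTotal-style per-engine result map, and flags the specific case where a vendor's cloud engine detects a file that the same vendor's installed product missed. The sample bytes, engine names and verdicts are constructed for illustration; the result-map shape follows VirusTotal's `last_analysis_results` (engine name to `category`/`result`), and the category strings used are the ones that API returns.

```python
"""Cross-check a local AV verdict against a multi-engine report.

Added example (not from the original post). The report and sample bytes
below are CONSTRUCTED for illustration and are not a real scan result.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the suspect file; NOT real malware.
SAMPLE_BYTES = b"MZ" + b"\x90" * 64 + b"constructed-sample-not-real-malware"

# Constructed report in the shape of VirusTotal v3 `last_analysis_results`.
# Engine names and verdict strings are illustrative only.
CONSTRUCTED_REPORT: Dict[str, Dict[str, Optional[str]]] = {
    "EngineA": {"category": "malicious", "result": "Downloader.Trojan"},
    "EngineB": {"category": "malicious", "result": "Trojan.Downloader.Gen"},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "type-unsupported", "result": None},
    "EngineE": {"category": "suspicious", "result": "Heur.Generic"},
}

# Categories that count as a detection, and categories meaning the engine
# never actually rendered a verdict (so they are excluded from the ratio).
DETECTED = {"malicious", "suspicious"}
NOT_SCANNED = {"type-unsupported", "timeout", "confirmed-timeout", "failure"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the sample: share this, not the binary, when reporting."""
    return hashlib.sha256(data).hexdigest()


def tally(report: Dict[str, Dict[str, Optional[str]]]) -> Tuple[int, int, List[str]]:
    """Return (detected_count, scanned_count, engines_that_missed).

    Engines whose category is in NOT_SCANNED are excluded from scanned_count
    so that a 3/4 detection is not reported as 3/5.
    """
    detected = 0
    scanned = 0
    missed: List[str] = []
    for engine, entry in sorted(report.items()):
        category = entry.get("category")
        if category in NOT_SCANNED:
            continue
        scanned += 1
        if category in DETECTED:
            detected += 1
        else:
            missed.append(engine)
    return detected, scanned, missed


def vendor_discrepancy(vendor: str, local_flagged: bool,
                       report: Dict[str, Dict[str, Optional[str]]]) -> bool:
    """True when the vendor's engine in the multi-engine report flagged the
    sample but the locally installed product from that vendor did not.

    This is the situation the post describes: worth escalating to the vendor
    with the hash and the remote verdict string rather than waiting on the
    next definition cycle.
    """
    entry = report.get(vendor)
    remote_flagged = entry is not None and entry.get("category") in DETECTED
    return remote_flagged and not local_flagged


if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_BYTES)
    hits, total, missed = tally(CONSTRUCTED_REPORT)
    print(f"sha256: {digest}")
    print(f"detections: {hits}/{total}; missed by: {', '.join(missed) or 'none'}")
    # Local product (constructed: "EngineA") reported clean, remote EngineA did not.
    if vendor_discrepancy("EngineA", local_flagged=False, report=CONSTRUCTED_REPORT):
        print("EngineA cloud verdict disagrees with the installed EngineA product: escalate")
```

In practice the report map would be the `last_analysis_results` object fetched for the hash; keeping the tally separate from the fetch means the same logic can be run over a saved report offline and the hash alone can go into the ticket to the vendor.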
Comments
Chances are that though the detection is confirmed in the updates, it may not necessarily be so.
Did you get the Rapid Release defs and then scan? Cos I've seen sometimes that the signatures that the SEPM downloads and those that are available on the Rapid Release site do differ. Still, I'm giving this issue the benefit of the doubt.
Can someone from Security Response chip in on this if you're leafing thru this topic ?
Abhishek Pradhan, PMP, MCT
Consultant | Microsoft Corp.
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org
I have told so many times that Symantec is giving more features in their product but not thinking about the detection rate.
And Abhishek, in a corporate environment we can't download a 50 MB rapid release file every hour or so, and can't go to each client to update those; that's why we have LiveUpdate servers here.
They should provide it in LiveUpdate as soon as they find a new threat.
And I have seen so many times other antivirus detecting a virus and Symantec failing.
Rapid Release definitions are untested and provided as a courtesy for customers who need an immediate way to detect and remove a newly submitted virus or variant. Since they are not beta tested, they are not included in the definitions via LiveUpdate. Because of this, they are not designed or recommended for regular usage, rather only for emergency situations. We would not expect anyone to download them every hour. Only after the Rapid Release Definitions are beta tested and determined not to cause issues will they be released via LiveUpdate.
Ted,
Can you please explain why virustotal's Symantec engine detected the virus and SEP/SAV with the latest definitions did not? It's quite disconcerting that we need to potentially take a hit on a possible infection and submit the virus manually to get new definitions, when another Symantec engine is detecting it just fine.
Is it possible that Symantec releases definitions to home users/Norton 360 at a much faster rate than to corporate clients? If so, what is the reason for this?
Dimitri
From my experience I can agree that Symantec's response to new threats is too long. https://www-secure.symantec.com/connect/forums/sym...
I agree with what you say. More like a been there gone thru that thing.....Guess we can just wish that Symantec changes their bureaucratic detection and threat dealing ways. We really need this issue sorted, else the tag line Confidence In A Connected World is just.....
Abhishek Pradhan, PMP, MCT
Consultant | Microsoft Corp.
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org
Quick update: the new definitions indeed find the file. I scanned the file on my machine, just extracted from a ZIP, not installed, and it took close to half an hour to detect the rootkit in it. Again, the file was never executed, it was never run and SEP didn't have to terminate any processes; it was a static file in a temp directory and yet it took close to half an hour to scan a 79k file. Can someone explain this one to me?

Did you scan the whole hard drive, or just the temp folder the file was in?
I right-clicked on the file itself and selected "Scan for Viruses", so I assume it scanned just the one file and not the entire directory or drive.
I think, aside from scanning the file, it also scans the memory, running processes and system files.
But, it only took my PC a few seconds to scan so I guess that's not the case.
“Your most unhappy customers are your greatest source of learning.”
I agree that aside from having a heuristic scanner that has a low rate of false positives, it should have the capability, or at least give the end user the option, to increase the level. The current available options are Minimum, Default and Maximum. Why not add Meh (Unsecure) and Paranoid levels of protection. :D
“Your most unhappy customers are your greatest source of learning.”
Symantec should do something about their detection rate. Everyone these days is complaining about this.
I think they are more focused on features than on the detection rate, which is what we are actually buying the product for.
I agree, it would be good to hear an official Symantec response on this. It appears we are not the only ones dissatisfied with the current detection techniques, or lack thereof.
Dimitri
Another one got under SEP's radar. A full scan with SEP shows nothing; MalwareBytes finds it as Gamevance.

SEP scan result:
Malware Bytes scan:
I submitted the files to Symantec for analysis, but this is getting ridiculous. We can't afford to manually submit every single infection by hand!
Late night update: for every file I submitted, Symantec created Rapid Response definitions, which is great. What's NOT so great is the fact that I have to act as a guinea pig and a honeypot for SEP's detection shortcomings and, in a sense, do the work that Symantec engineers are supposed to be doing.
It's highly disconcerting this early in the pilot to find out that the anti-virus application we're testing doesn't actually catch the majority of the "bread and butter" viruses it should be able to recognize, and is becoming more of a host management tool with a list of fancy options that are useless, at least to us, if the core functionality of the product -- catching viruses -- is this poor.
I would really like to hear an official stance from Symantec on this. I have a feeling, based on the responses above, that we are not the only ones dissatisfied with SEP's detection rate, or lack thereof.
Dimitri
From 2009 till now I have submitted 25 new threats. So I think I bought Symantec to help them, not my company.
Submitting files
I agree that Symantec's detection rate has gone down a bit due to the large number of threats being created daily.
However, I would encourage everybody to submit the threat to Symantec Response. This is not only helping Symantec but it is helping you and many others like us who might get hit by the same virus, or even home users who are not so capable of removing viruses, so they might just have to format their machine for the same virus that you just deleted and didn't submit to Symantec.
As Security Administrators/Consultants we should also think about the overall security of the Web and not just our company..
At least this much we can do for the community, I think.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Figured I'd bring this one from the dead with the last update.
Since SEP's Proactive Threat Protection and trojan detection are close to useless, as I found out, we've disabled both services as well as told it not to scan new applications for malware on startup. What a change in performance this provided to the end user! We had people complaining of COH32.EXE spiking the CPU continuously, especially on new app load, and now SEP is content and no longer the CPU hog it used to be, with the exception of LiveUpdate intervals: despite promises to fix this in MP2, on all of our machines LUUPdate.EXE and LUProxy.EXE will peg the CPU throughout the update period.
But I digress.. We've had a few meetings within the IS team and decided not to rely on SEP as our antivirus protection, as comical as that may sound for an antivirus product project. Unfortunately, times are tough for everyone and we're not in a position to just switch to another vendor since we're already licensed for SAV.
We know SEP's ability to catch things is not any better than SAV's, and we figured we'd treat it as such - nothing. We will concentrate on protecting endpoints against viruses and spyware on other levels altogether and treat SEP as the last, weakest line of defense. We will probably use integrity checking, compliance and application control to offset its shortcomings in virus detection, and will try to discuss our disappointment with the product with our account execs, but for now the case is lost and closed.
Good night everyone.
Since you're inclined to disable the service, have you tried adjusting the protection settings to a minimum level?
“Your most unhappy customers are your greatest source of learning.”
The good part is that Symantec would take fast action in giving a rapid release...
but the bad part is that if we are the first to encounter this, we need to submit each new infection manually...
not to mention the low chance that a virus could even get detected...
like the OgarD virus that plagued us for weeks since no one was submitting the virus sample because the virus was hard to get to...
just my thoughts..
thanks...
Nel Ramos