
SEP 12.1 Insight not working?

Created: 13 Oct 2011 | 11 comments

Yesterday we found a variant of the Zeus malware that was not being detected by SAV10 or SEP11 clients. The file was an .exe and we copied it over to a SEP 12.1 system which has Insight turned up to the highest levels/settings. The file scan came back clean according to the SEP 12.1 client. After submitting this file to Symantec it was determined to be malicious and was added to a future definition release.

My question is why didn't Insight pick up on this file as suspicious? Is there a way to see what the reputation scan determined? What about a Symantec Insight website where you can upload suspicious files to be scanned by the Insight technology and provide output? I would have liked to have seen the reputation for this file.


pete_4u2002:

My question is why didn't Insight pick up on this file as suspicious?

Could be the reputation database did not have this file's information.

Is there a way to see what the reputation scan determined?

I assume it's not possible.

What about a Symantec Insight website where you can upload suspicious files to be scanned by the Insight technology and provide output?

The submission would still be the same:

https://submit.symantec.com/websubmit/essential.cgi

I would have liked to have seen the reputation for this file.

Once added it should be detected; however, you will not get to know about the file being submitted.

la_ripper:

Insight is nothing but what Symantec has to say about the file, or you could say how Symantec rates the file.

This information is stored in the reputation database, which is Insight.

When there is no information in the reputation database, the file is submitted to the SRL, but mind you, these submitted files cannot be tracked.

In case the file turns out to be malicious it would be released in the next definition release.

This is so far what I know about Insight and the reputation database. Correct me if I am wrong.

Don't forget to mark your thread as 'solved'  or vote with the answer that best helped you!

thatdude:

At the very least it should have been classified as unproven if it can't be determined to be malicious or good.

I scanned it with a file sensitivity level of 9, files with 5 or fewer users, and files known for 2 or fewer days.

.Brian:

Good question. I'm curious as to why it wasn't flagged. Was the file packed?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian:

What happens if you set it to 1 or fewer days?

Lower the 5 or fewer users too, although I think the next option is 0, but I can't remember off the top of my head.

Just curious to see if it's caught at all.

Paul Murgatroyd:

Right-click scanning a file will only convict if the file is KNOWN BAD; that means we either have data in Insight telling us the file is bad OR we have definitions in rapid release which we have made available in the cloud.

We are looking to implement an "Insight Lookup" for individual files in an upcoming version of SEP12 which would allow you to get the information you are trying to get.

If you roll back the client definitions and try the scan again, it should now be picked up as a threat, because we have the definitions available. You could also try downloading the file from a website (internal or external) and then Download Insight will do the full lookup for you.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

.Brian:

Just an update, I've been getting a ton of these "traffic tickets" in my personal inbox.

http://www.virustotal.com/file-scan/report.html?id...

I scanned with SEP 12.1 but nothing was found. I executed and it was flagged as Bloodhound.SONAR.9


pete_4u2002:

It's heuristic; any false positive by any chance? If yes, remove the aggressive scanning.

.Brian:

It's not an FP. The end result was what I was hoping for.
