
Suspicious file submission closed - SEP still doesn't detect trojans

Created: 28 Dec 2012 • Updated: 03 Jan 2013 | 12 comments
This issue has been solved. See solution.

I have submitted a malware file today. Tracking number #27534670. I've got an email that my submission was closed and no malicious files were found. So, what else can I do to convince Symantec to do their job?! Maybe this

https://www.virustotal.com/file/9efdfb3c58c9a4087c...

A startup entry was created in the user's registry pointing to this file, so this is not just leftovers after virus elimination. I demand updating your definitions to detect and delete such files. Also waiting on other submissions:

Tracking #27525536

Tracking #27525537

Tracking #27525538

I had to divide this submission into 3 parts (fighting with an unreadable captcha, when you can't tell apart I and l ...), because, surprise surprise, you can't submit more than 10 files. Maybe Symantec is living only on donations from generous people and I'm not paying thousands of dollars for my licenses? These 3 submissions are waiting for human analysis. Some of them are already marked as not malicious (it seems Symantec is only considering ones with exe extensions as possibly malicious). Yet one of those files was also sitting in the registry and hijacking the user's connection to an e-bank site, maybe even stealing his credentials. Again, the majority of other engines on VirusTotal detect those files as trojans.

Should I mention that I must make exceptions for some legitimate software so it won't be deleted by SEP, or new versions of SEP occasionally breaking my network connectivity or SMB protocol support, etc.?


Mithun Sanghavi:

Hello,

Have you created a Support Case for this issue?

If not, Create a Case with Symantec Technical Support.

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000
 
Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

_Brian:

You need to call Symantec so they can look at this. Have your ticket handy that they sent back to you regarding the submission.

Mick2009:

Hi Wroot,

(Thumbs up to the advice about opening a case with Tech Support; these forums are peer-to-peer, not an official way to contact Symantec. There's no guarantee that any request entered into a forum thread will be seen or acted upon. Contact Tech Support to open a case, which will ensure that the request is followed through.)

Another best practice: please do submit files to Security Response using your contract details and the corresponding web portals... submissions that come in without these are treated with a much lower priority.

Please feel free to PM me the case number when you have created one! 

With thanks and best regards,

Mick


wroot:

Weird. On Friday, while trying to post this, the forums were timing out on me, so I thought I didn't post anything.

I have just filed a tech support case, though the form was complaining that they don't have my account info, etc. I suspect I must have some sort of support agreement? I don't have such, so maybe the forums are the only way for me. Will wait for a response. That's also the case with submitting. I'm using the simpler submit form, because in the past I wasn't able to find out what I should put into the Support ID number field. There is another thread on this in the forums. Some were suggesting to put the license number, maybe. Nothing worked, so I ended up using the simpler form. We are buying Basic licenses without any gold or whatever support, which we probably won't need most of the time and we can't afford. So I don't waste my time finding out about all these numbers and IDs and go straight to the forums, because it is FASTER.

Mithun Sanghavi:

Hello,

I admit there were a few technical issues with the Symantec Forums last Friday. However, they have been sorted out.

As Mick and others highlighted, it is best to create a case in such instances.

In your case, since you do not have any Account info, you can contact Symantec Customer Support on the phone numbers provided in the Link below-

http://www.symantec.com/business/support/assistance_care.jsp

OR Call

Regional Technical Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: 

http://www.symantec.com/business/support/contact_techsupp_static.jsp

and our Symantec Customer Support Team would be glad to assist you with all the required information.

Hope that helps!!

Mithun Sanghavi

wroot:

I'm already trying to communicate with support via email. My English may not be perfect, but it is not the first time that it seems they can't understand what I want. I said that I don't have infected computers and just need this virus to be added to the definitions, yet he asks me how many computers are infected and sends me a tool to run on them. I suppose support must have access to submission tickets? Because I can't send this file via email. Our Fortigate firewall software is blocking this attachment, because it detects a virus in it.

Mick2009:

Please don't send suspected virus files to Symantec by mail; the web submission process is the only valid method. &: )

Feel free to PM me the case number if you like- I will see if there is anything that can be done to facilitate.

The tool they are asking to be run is probably the SEP Support Tool with Load Point Analysis; that can help to identify any additional files that may be involved in the threats. It's important to make sure there are no infected files left on the machine.

Here's an illustrated article on running the SEP Support Tool; just make sure that Load Point Analysis is selected. https://www-secure.symantec.com/connect/articles/sep-support-tool

With thanks and best regards,

Mick
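The file wroot describes was anchored by a startup entry in the user's registry, and the Load Point Analysis that Mick mentions above is what enumerates such entries. The script below is an added example, neither code from this thread nor what the SEP Support Tool itself runs: a PowerShell load-point check of the same kind. It walks the usual Run/RunOnce keys, works out which file each entry really launches (including the DLL behind a rundll32 line), hashes that file with MD5, and flags known-bad hashes, missing targets, unsigned binaries and binaries living in user-writable directories. The only hash in its known-bad list is the unicode2.nls MD5 that Mick quotes further down the thread; the key list and the set of "user-writable" roots are assumptions about a typical Windows install.

```powershell
# Added example, not from this thread or from Symantec's tools.
# Known-bad MD5s to match against. The single entry is the unicode2.nls hash
# reported by Security Response in this thread; add your own IOCs here.
$KnownBadMd5 = @{
    '96b034bdf6c6f6c8cc64b70552f7656c' = 'unicode2.nls (Backdoor.Trojan per Security Response)'
}

# Autostart keys to inspect (assumed typical set). HKCU only covers the user
# running the script; run it in each user's session to see their Run key.
$LoadPointKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories an ordinary user can write to (assumption); malware dropped by a
# browser or mail client usually ends up under one of these.
$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ }

function Get-LoadPointTarget {
    # Extract the file a Run-key command line actually loads: quoted or unquoted
    # path plus arguments, or the DLL named on a rundll32 line.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"\s*(.*)$') {
        $exe = $Matches[1]; $rest = $Matches[2]
    } elseif ($cl -match '^(\S+)\s*(.*)$') {
        $exe = $Matches[1]; $rest = $Matches[2]
    } else {
        return $cl
    }
    if ((Split-Path $exe -Leaf) -ieq 'rundll32.exe' -and $rest) {
        # rundll32 "C:\x\y.dll",Entry  or  rundll32 C:\x\y.dll,Entry
        $dll = ($rest -replace '^"([^"]+)".*$', '$1') -replace ',.*$', ''
        return [Environment]::ExpandEnvironmentVariables($dll.Trim())
    }
    if (-not (Test-Path -LiteralPath $exe)) {
        # Bare names such as "ctfmon.exe" resolve through PATH.
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Path) { return $cmd.Path }
    }
    return $exe
}

function Get-Md5Hex {
    # Lower-case hex MD5 via .NET, so this also works on PowerShell 2.0 hosts
    # that predate Get-FileHash.
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ([BitConverter]::ToString($md5.ComputeHash($stream)) -replace '-', '').ToLower()
    } finally {
        $stream.Close()
    }
}

function Get-LoadPointReport {
    $skip = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $LoadPointKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        if (-not $entries) { continue }
        foreach ($prop in $entries.PSObject.Properties) {
            if ($skip -contains $prop.Name) { continue }
            $target = Get-LoadPointTarget ([string]$prop.Value)
            $exists = Test-Path -LiteralPath $target
            $hash = if ($exists) { Get-Md5Hex $target } else { '' }
            $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'n/a' }
            $inUserDir = $false
            foreach ($root in $UserWritableRoots) {
                if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
            }
            # Verdicts in ascending severity; the last matching rule wins.
            $verdict = 'ok'
            if ($sig -ne 'Valid') { $verdict = 'REVIEW: unsigned' }
            if ($sig -ne 'Valid' -and $inUserDir) { $verdict = 'REVIEW: unsigned, user-writable path' }
            if (-not $exists) { $verdict = 'MISSING TARGET' }
            if ($hash -and $KnownBadMd5.ContainsKey($hash)) { $verdict = 'KNOWN BAD: ' + $KnownBadMd5[$hash] }
            New-Object PSObject -Property @{
                Key = $key; Name = $prop.Name; Target = $target; MD5 = $hash; Verdict = $verdict
            }
        }
    }
}

Get-LoadPointReport | Sort-Object Verdict | Format-Table Verdict, Name, Target, MD5 -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys and Program Files binaries are readable. A "KNOWN BAD" line is the case from this thread; "MISSING TARGET" usually means a cleanup removed the file but left the load point behind, which is still worth deleting so nothing re-creates the file there later. Unsigned binaries under %APPDATA% or %TEMP% are the ones to hash and submit, even when the AV client is silent about them.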

Mithun Sanghavi:

Hello,

In addition to the above, I would also suggest you submit the file to ThreatExpert (owned by Symantec).

Automated analysis can be performed for some types of threats through http://www.threatexpert.com. This step can quickly identify the sites the threat is coded to contact so they can be blocked at the firewall. Symantec Support does not provide troubleshooting for http://www.threatexpert.com, and this step does not replace the need to submit files to Symantec Security Response.
Hope that helps!!

Mithun Sanghavi

wroot:

I have run the Support Tool on both previously infected computers. The only issues reported were that UAC is turned on and that we are using the 11 RU7 MP1 version. 11.0.7200 was breaking our internet connection and I haven't yet tested 11.0.7300 or the newest 12.0 version (version 12 had other issues).

Support replied that I should update my client and check whether it detects that file. I will probably wait till tomorrow to check whether it detects that file after the morning defs update.

Mick2009:

Hi wroot,

Many thanks for raising awareness about this and for running that support tool / sending the .sdbz file to Support. I have been working with Security Response to have a second look at these.

Security Response has confirmed that several of those .exe's are malicious: we classify them as Trojan.Gen and Trojan.Gen.2.  Protection against these was added on 27 December 2012. 

There were also some data files among the submissions: Symantec has not added any signatures against those as they are not capable of causing any harm in themselves. Feel free to delete them or they can be safely ignored.

The unicode2.nls (MD5 96b034bdf6c6f6c8cc64b70552f7656c) file from Tracking number #27534670 has been determined on second look to meet the criteria for detection: it is detected as Backdoor.Trojan from Sequence 140528 onward; those Rapid Release definitions are available now. This sequence appears in the SEP GUI as 1/2/2013 rev. 34, defs version 150102ah.

Here are details on how to download and apply those Rapid Release definitions now!

How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
http://www.symantec.com/docs/TECH104979 
Cheers once again, wroot!

With thanks and best regards,

Mick  


SOLUTION
wroot:

Today after the definitions update this file was detected and removed. So my case is closed now. Thanks for your help Mick2009 ;)

Mick2009:

Glad to assist!  &: )

With thanks and best regards,

Mick