Symantec is not detecting a malware
Updated: 21 May 2010 | 13 comments
This issue has been solved. See solution.
This is not exactly an appropriate place to post this, but what else can I do if Suspicious file upload is not working for this? More than a week ago I uploaded a zip file with a spambot to Symantec. So far I've got an automatic response with status CLOSED, which says automatic analysis didn't find anything and it will be stored for further human review. I'm sorry, but this is just very disappointing: 10 days and no approval and no updated definitions. We already had a lot of problems because of that virus (IP added to spamlists), so we want to eliminate this vulnerability, because a user can go to the same infected page again, etc.
Virustotal results (24/40) including AVG, Avira, McAfee, NOD32, Kaspersky:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.03.30 | Trojan.Waledac!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.03.30 | - |
| AntiVir | 7.9.0.129 | 2009.03.30 | TR/Waledac.29696.1 |
| Antiy-AVL | 2.0.3.1 | 2009.03.30 | - |
| Authentium | 5.1.2.4 | 2009.03.29 | - |
| Avast | 4.8.1335.0 | 2009.03.29 | Win32:Walpak |
| AVG | 8.5.0.285 | 2009.03.30 | Injector.CD |
| BitDefender | 7.2 | 2009.03.30 | Trojan.Waledac.Gen.1 |
| CAT-QuickHeal | 10.00 | 2009.03.30 | - |
| ClamAV | 0.94.1 | 2009.03.29 | - |
| Comodo | 1089 | 2009.03.29 | - |
| DrWeb | 4.44.0.09170 | 2009.03.30 | Trojan.DownLoad.32942 |
| eSafe | 7.0.17.0 | 2009.03.27 | - |
| eTrust-Vet | 31.6.6424 | 2009.03.30 | - |
| F-Prot | 4.4.4.56 | 2009.03.29 | - |
| F-Secure | 8.0.14470.0 | 2009.03.30 | Packed.Win32.Krap.m |
| Fortinet | 3.117.0.0 | 2009.03.30 | PossibleThreat |
| GData | 19 | 2009.03.30 | Trojan.Waledac.Gen.1 |
| Ikarus | T3.1.1.49.0 | 2009.03.30 | Trojan.Waledac |
| K7AntiVirus | 7.10.684 | 2009.03.28 | Trojan.Win32.Malware.1 |
| Kaspersky | 7.0.0.125 | 2009.03.30 | Packed.Win32.Krap.m |
| McAfee | 5568 | 2009.03.29 | W32/Waledac.gen.e |
| McAfee+Artemis | 5568 | 2009.03.29 | W32/Waledac.gen.e |
| McAfee-GW-Edition | 6.7.6 | 2009.03.30 | Trojan.Waledac.29696.1 |
| Microsoft | 1.4502 | 2009.03.30 | TrojanDownloader:Win32/Cutwail.AJ |
| NOD32 | 3974 | 2009.03.30 | a variant of Win32/Kryptik.KV |
| Norman | 6.00.06 | 2009.03.27 | - |
| nProtect | 2009.1.8.0 | 2009.03.30 | - |
| Panda | 10.0.0.14 | 2009.03.30 | - |
| PCTools | 4.4.2.0 | 2009.03.30 | - |
| Prevx1 | V2 | 2009.03.30 | High Risk Cloaked Malware |
| Rising | 21.23.03.00 | 2009.03.30 | Trojan.Win32.Nodef.ghy |
| Sophos | 4.40.0 | 2009.03.30 | Mal/TibsPk-A |
| Sunbelt | 3.2.1858.2 | 2009.03.29 | Trojan.Waledac.Gen.1 |
| Symantec | 1.4.4.12 | 2009.03.30 | - |
| TheHacker | 6.3.3.9.296 | 2009.03.30 | - |
| TrendMicro | 8.700.0.1004 | 2009.03.30 | - |
| VBA32 | 3.12.10.1 | 2009.03.29 | Malware-Cryptor.Win32.Qas.c |
| ViRobot | 2009.3.30.1668 | 2009.03.30 | - |
| VirusBuster | 4.6.5.0 | 2009.03.30 | Trojan.Waledac.Gen!Pac.8 |
Symantec Tracking #10462755
Comments
Your best bet, if you haven't
Your best bet, if you haven't already, would be to log a Tech support call with the tracking number and the info from the Virus Total results and advise your account manager (if you have one) of the details and get them to chase.
m00
Unfortunately, I got a
Unfortunately, I got a similar response. Trojan Remover found and removed a bit of nasty, showed me the registry load points and the files. I grabbed one of the files and forwarded via the web submit process. Came back just like yours - didn't find viral code. No, it's not a virus or a worm, it's worse.
So I agree - get a human involved.
They are missing those adware things, like the antivirus 2009 variants and other web browser "helpers" that come in and plug into IE and cause all sorts of problems.
At least with a human, you can argue the point and prove something with facts - can't argue with the automation, and I've never seen human review actually find it either. In my case, it took 3 days to get a response from automation, so I must wonder if it's a bit overwhelmed?
But make a phone call and you'll get somewhere, I'm sure.
My sites - http://theamcpages.com & http://antique-engines.com
BTW - if you get a
BTW - if you get a cooperative user and get the site's IP address, block it in SEP's firewall................
My sites - http://theamcpages.com & http://antique-engines.com
Retail submission
Looks like it got submitted to the retail queue?
Do you have a support contract with us? If so, did you submit the file using the appropriate URL?
https://submit.symantec.com/basic
https://submit.symantec.com/gold
https://submit.symantec.com/essential
https://submit.symantec.com/platinum
https://submit.symantec.com/bcs
These help the submission to be queued and dealt with appropriately.
Alternatively, please just call in and we can escalate this with Security Response and get the file appropriately classified.
Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
In my case, it won't let me
In my case, it won't let me submit in any way other than retail or "home user" because we don't have anything but basic support- I try to plug in numbers, etc. and it just says sorry, not good info.
So I resort to the retail page.
Odd that the retail would be SO SIMPLE, easy to use, and let me submit, but our government contract numbers won't.
I've tried many times, for many months, and same thing. My only recourse is to use the home submission form/page.
My sites - http://theamcpages.com & http://antique-engines.com
Is this the ID you are using?
Is this the ID you are using? (with some numbers removed, for obvious reasons)
**81-495*-433*
Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
Wow, you guys sure are into
Wow, you guys sure are into info sharing! LOL
That's one - I tried that, tried our "serial number", etc. and got nowhere. When I tried to "register" or whatever that number you just posted, it erred out on me, said not valid. But that was so long ago, I've given up and not tried the last few months.
OK, so what am I doing wrong! ;-)
My sites - http://theamcpages.com & http://antique-engines.com
I don't know
Not sure.. but that's the Contact ID you had on your last call with us, with basic entitlement, so it should work.
I've tried your ERP too.. and that doesn't work either..
might be worth contacting support to find out why... mine works without issue...
Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
Technical ID
If I understood correctly the latest posts...
When you want to submit a malware sample via a URL like https://submit.symantec.com/... your technical ID is required to complete the submission, but it is rejected. Did you try to type your technical ID without the "-"? Usually it works this way.
Regards,
Giuseppe
I'm not sure what number
I'm not sure what number I should call and how much it will cost us. I prefer just to submit a file and have a response by email. I won't be able to submit a file by phone :) In the last SEP order we have this product description:
SYMC ENDPOINT PROTECTION 11.0 BASIC- 12 MONTHS GOV BAND A
and similar 2 lines
So I assume we have Basic support. I have tried the basic submit URL, and both of our Support IDs. We have 2, as we have upgraded old licenses and have bought new. First ID is 0000-****-****-****. I have tried with leading zeros and without, with "-" and without. And I tried the second one, 2***-****-****, also in various variations. No luck.
any insights about how should
Any insights about how I should get my support?
This will happened many times
This happens many times in our environment, but when we submit to the Symantec Security Response Team we get the Rapid Release within 3 hours and this will resolve our issue.
I agree that all antivirus works on signatures, so those who have the signature will detect the virus, but those who don't won't detect it.
Regards, M.R
update: finally, yesterday
Update: finally, yesterday Symantec detected this malware.