Endpoint Protection

  • 1.  Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 28, 2016 04:24 AM

    I submitted a few macro virus files two days ago. I have received automatic replies that those files are already in the definitions (tracking 39879891). But after a few days and a few definition updates on my client (already of July 27th) it still doesn't detect those files. What is this crap? Two days to include viruses in the database and propagate them to clients is not enough? Is this 1990?

    Have filed this again, but probably will just receive the same automatic response..

    P.S. Yep, 39885281 closed also



  • 2.  RE: Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 28, 2016 05:07 AM

    You have to look for the sequence no. in the automated email from Security Response and verify it against the sequence no. at the following URL. Your endpoint will be able to detect the infection only if it has definitions with a sequence no. that matches or is greater than the one in the auto response.

     

    https://www.symantec.com/security_response/definitions.jsp?inid=globalnav_scflyout_virusdef

     



  • 3.  RE: Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 28, 2016 05:10 AM

    Hi wroot,

    Thanks for the post.  I can confirm that those files are absolutely detected as W97M.Downloader with any definitions from Rapid Release Sequence 179557 or higher.

    https://www.virustotal.com/en/file/a3563f0984cd2a9abd9d30de72445765abd2b7acf46b5e41abaf3e656793d78e/analysis/

    https://www.virustotal.com/en/file/40e087cf67ccc4cb2fae38113965dddd3f3ba5e6fe8b6ac8cf4782d5fb933c6d/analysis/

    This article can help you check if the certified definitions include that protection:

    Sequence Makes Sense
    https://www.symantec.com/connect/articles/sequence-makes-sense
     

    There are hundreds of millions of distinct malicious macro spam messages in circulation.  Every day there are countless new variants in terms of file name, hash, message body, URL links from which different malware is downloaded when an end user is tricked into enabling macros and clicking.... Take precautions to harden your defenses and educate end users to reduce the risk that your organization will be damaged!

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

     

    Please do keep this thread up-to-date with your progress, or mark it solved if you have received your answer! &: )

    With thanks and best regards,

    Mick



  • 4.  RE: Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 28, 2016 05:37 AM

    root,

    Show just a little bit of class and professionalism in your post.



  • 5.  RE: Symantec responds that files are included in the definitions but still doesn't detect them
    Best Answer

    Posted Jul 29, 2016 04:43 AM

    Hi wroot,

    Just a ping to see if you have received your answer or if you have any additional questions?  The thread is still marked "needs solution."

    With thanks and best regards,

    Mick



  • 6.  RE: Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 29, 2016 06:53 AM

    For some reason I'm not getting email notifications from this forum (I have only received one, that my thread was posted successfully).

     

    Today I opened the folder with both files sitting in there. Nothing happened and I left it like that for half a day. A few moments ago I went to that folder again. The files were still in there. So I tried to copy one of them to another folder, and then SEP detected them and deleted all the files from both locations. Strange behavior of a resident.



  • 7.  RE: Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 29, 2016 06:55 AM

    Working perfectly then. Please mark Mick as the solution so he stops begging, thanks.



  • 8.  RE: Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 29, 2016 07:31 AM

    Cheers wroot!

    I recommend ensuring that scheduled scans are running in your environment, if they are not already.  This may sound like old-fashioned advice, but malicious macros are an old-fashioned threat (and still oddly viable).  Though SEP's autoprotect works well, scheduled scans are brilliant for catching threats like this that got onto computers before there were defs against them.

    All the best,

    Mick



  • 9.  RE: Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 29, 2016 08:04 AM

    Wouldn't call it perfect when you have to mess with the files to make SEP do something. Resident should detect files during the access (opening of a folder). I was under the impression that the client's definitions do not include this virus for some reason because of this nuance. Btw, it worked fine with the older version of SEP (it was detecting files right away). Using 12.1.7004.6500.

    As for class and professionalism, I have a long story of various issues with Symantec, so sometimes it goes through.



  • 10.  RE: Symantec responds that files are included in the definitions but still doesn't detect them

    Posted Jul 29, 2016 08:06 AM

    We have a weekly full scan scheduled, but it was two days ago, so it couldn't find those files this way.