Endpoint Protection

  • 1.  Symantec Security Response Automation finds sample "Not a Threat"

    Posted Jan 31, 2014 05:26 AM
    We submitted a sample to Symantec Security Response (Tracking #38316728) on January 28, 2014 for analysis and the automated response was that the sample was "not a threat."  We disagreed with this determination without any path to ask Symantec for a closer look.
     
    Based on information we know about this sample:
    1. VirusTotal shows 9 AV engines that determined that this file was malicious (although most were heuristic engines)
    2. The file was compiled only 3 days ago
    3. It was executing from the user's AppData\Roaming directory
    4. It communicates to a dynamic DNS address, which points to an IP address in Brazil
     
    I don't have to see the file myself to say that this is 99% certainly bad.
     
    Sample MD5: 1c481505230953f110d89c4b6d2579a6
     
    Today, however, I checked VirusTotal and it shows the sample is a threat and Symantec does detect it as "WS.Reputation.1" with an update of 20140128.  Wait... what?!
     
    https://www.virustotal.com/en/file/e222c61162fc4d8a677f84576ed9bc55568b7f6165d04b837df7e7559e485bba/analysis/
     
    Do we have any alternative paths to get a file flagged as malicious for the purposes of getting it detected in our AV?  Sometimes this is the quickest way for us to remediate a virus infection and this severely increases the time to respond; this is not good for us.
     
    What is your recommended path of escalation for samples which we feel are a threat, but the automated analysis determines otherwise?
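
As an added example (not part of the original thread, and not Symantec's or VirusTotal's code), the four indicators the poster lists can be scored mechanically before a sample is sent to the vendor, so the escalation request carries concrete reasons. The PE header is a constructed stub (only the COFF TimeDateStamp is populated), the file path, the beacon host, the engine counts, the dynamic-DNS suffix list and the thresholds are all assumptions; only the MD5 comes from the post. Compile timestamps can be forged, so the script treats a future-dated stamp as its own indicator rather than trusting it.

```python
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Assumed/illustrative suffixes of free dynamic-DNS providers (not a vetted list).
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.net", "dyndns.org", "zapto.org", "hopto.org")
# Profile directories a normal installer rarely executes from (assumption for this example).
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def build_pe_stub(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header (not a real sample) carrying a given TimeDateStamp."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff


def pe_compile_time(data: bytes) -> Optional[int]:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch), or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)   # TimeDateStamp sits 8 bytes past "PE\0\0"
    return ts


def is_dyndns(host: str) -> bool:
    """Exact or subdomain match against the suffix list; 'fakeno-ip.org' must not match."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


@dataclass
class Sample:
    md5: str
    path: str
    pe_bytes: bytes
    vt_positives: int
    vt_total: int
    c2_host: Optional[str]


def triage(sample: Sample, now: Optional[float] = None, recent_days: int = 7) -> dict:
    """Collect the indicators the thread relies on and turn them into an escalation verdict."""
    now = time.time() if now is None else now
    reasons = []
    ts = pe_compile_time(sample.pe_bytes)
    if ts is not None:
        age_days = (now - ts) / 86400
        if 0 <= age_days <= recent_days:
            reasons.append(f"compiled {age_days:.1f} days ago")
        elif age_days < 0:
            reasons.append("compile timestamp is in the future (likely forged)")
    if any(d in sample.path.lower() for d in USER_WRITABLE_DIRS):
        reasons.append(f"executing from a user-writable profile directory: {sample.path}")
    if sample.vt_positives >= 5:                      # arbitrary threshold for this example
        reasons.append(f"{sample.vt_positives}/{sample.vt_total} AV engines flag it")
    if sample.c2_host and is_dyndns(sample.c2_host):
        reasons.append(f"beacons to dynamic-DNS host {sample.c2_host}")
    verdict = "escalate" if len(reasons) >= 3 else ("review" if reasons else "low")
    return {"md5": sample.md5, "verdict": verdict, "reasons": reasons}


# Constructed reference time: 2014-01-31 00:00:00 UTC, the date of the thread.
NOW = 1391126400
# MD5 is the one quoted in the post; path, host and counts are invented for the example.
SUSPECT = Sample(md5="1c481505230953f110d89c4b6d2579a6",
                 path=r"C:\Users\alice\AppData\Roaming\updater.exe",
                 pe_bytes=build_pe_stub(NOW - 3 * 86400),
                 vt_positives=9, vt_total=47, c2_host="update-srv.no-ip.org")
# Constructed benign control: old build, vendor directory, clean on VT, ordinary hostname.
BENIGN = Sample(md5="d41d8cd98f00b204e9800998ecf8427e",
                path=r"C:\Program Files\Vendor\app.exe",
                pe_bytes=build_pe_stub(NOW - 400 * 86400),
                vt_positives=0, vt_total=47, c2_host="cdn.vendor.example")

if __name__ == "__main__":
    for s in (SUSPECT, BENIGN):
        r = triage(s, now=NOW)
        print(r["md5"], r["verdict"])
        for reason in r["reasons"]:
            print("  -", reason)
```

The output of `triage(SUSPECT)` is the text worth pasting into the support case alongside the tracking number: four concrete indicators rather than "we disagree". The timestamp reader deliberately parses the header by hand so the script runs without third-party modules on an analyst workstation.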


  • 2.  RE: Symantec Security Response Automation finds sample "Not a Threat"

    Posted Jan 31, 2014 06:17 AM

    You need to open a case with support to get this escalated.



  • 3.  RE: Symantec Security Response Automation finds sample "Not a Threat"

    Posted Jan 31, 2014 06:50 AM

    I see you have already escalated your submission - please get in contact with the support agent handling your escalation case to get more details upon latest status of it.



  • 4.  RE: Symantec Security Response Automation finds sample "Not a Threat"

    Trusted Advisor
    Posted Jan 31, 2014 07:10 AM

    Your submission says the 27th; this may have been a zero-day virus that Symantec's automated database did not pick up yet. And, as you said, it was updated on the 28th. 

    This might be the delivery system for the virus and not the actual virus itself. 



  • 5.  RE: Symantec Security Response Automation finds sample "Not a Threat"

    Posted Jan 31, 2014 07:27 AM

    Thank you for the quick response and suggestions.  We have teams that span the Atlantic, so the time may have been a few hours off.  Sorry 'bout that.

    We were able to escalate in a roundabout way and learn that it is now being detected.  However, I want to know how to do it properly.  I have received multiple paths for escalation.

    1. Re-submit the sample and add comments. (via email)

    2. Create a case through MySymantec. (via this forum post)

    Which is preferred, or does it matter?



  • 6.  RE: Symantec Security Response Automation finds sample "Not a Threat"
    Best Answer

    Posted Jan 31, 2014 07:31 AM

    You can resubmit if you wish, but I would call and reference the tracking number and explain what is going on.



  • 7.  RE: Symantec Security Response Automation finds sample "Not a Threat"

    Trusted Advisor
    Posted Jan 31, 2014 07:50 AM

    I've found that submitting via the submissions form and then raising a case stating the submission number has always validated any discoveries.