What do I need to do to get SEP to get the Spy-ware protection to work at peak performance?

On the clients make sure you have all the 3 components installed. ( AV /AVS . NTP and PTP) Also the suspected files that you have submitt to symantec security response.

Title: 'What to do when a competitor's antivirus, adware scanner, or spyware scanner detects a threat that Symantec AntiVirus does not detect'
Document ID: 2001101708255048
> Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2001101708255048?Open&seg=ent
 

S & D nails it everytime and Malwarebytes put the final nail in the coffin on this one, but I really would like to see improvement made to the Spyware scan.

Please also understand that Symantec may not identify something as viral as, according to our definitions of what is considered viral, the file truly isn't.

Let's say, for an example, that when VirusX infects a computer, it drops a jpg of an adorable kitten, changes the desktop to that picture, then queries the network for open shares to spread to.

In that example, unless the kitten jpg contained viral code, Symantec would leave it alone.  Why?  Because it's a jpg...it does not contain malicious code that can be used, either to spread or as a "repository" of data for the virus to re-constitute itself.  If it DOES contain viral code we'll try to clean it if possible (thus leaving behind a cute kitten picture), or, if not, we'll quarantine the whole file.

Cookies are a perfect example of files that our competitors claim are viral that we do not.  These files are not infectious, and, in fact, numerous legitimate websites use them to help the overall experience on the website...be it maintaining a list of things you typically look at (so that, for example, when you go there, they'll show you ads based on the fact that you're constantly browsing, say, fishing tackle), setting screen resolution, or automatically supplying login credentials.  Cookies themselves are not malicious...they're just text files.

Now, again, using the VirusX example, if a cookie is found to contain malicious code, we'd deal with it accordingly.  To my knowledge, this hasn't happened (although we detect over 5 million viruses, so I could very easily have missed one or two here or there)...so we won't alert on these files.  Our compeditors, however, would have a field day..."*gasp* look at all these infected files Symantec missed!"

I've run S&D myself quite often at home.  The registry settings and cookies themselves cannot spread threats, and, as such, we don't detect them.

(Note: we do include registry "correction" instructions in the virus definitions...so if VirusX adds an entry to HKLM\Software\Microsoft\CurrentVersion\Run to ensure it loads at boot, the definitions and scan engine will remove that entry...but we don't scan the whole registry looking for entries like that)

If S&D (or really anything else) finds executable file types (such as .exe or .dll, for example), we really need to get those submitted to Security Response for detections.

Also, to speak to other programs finding things that we don't, there's usually about three reasons for it:

1.) One program is broken/disabled and the other isn't
2.) One program has definitions to detect and the other doesn't (old defs, broken defs or just simply don't have the detection in the defs yet)
3.) One program is "stricter" in what it detects (less potential for false positives) , the other isn't as "picky"

The first one is fairly self-explanitory.  The second one is really where the AV industry as a whole struggles...Company A will have a sample of VirusX first and release definitions for it before other vendors, and Company B will beat Company A to the punch with VirusY.  For every virus that gets "missed" by Symantec but picked up by a different vendor, there's one that we catch that the same other vendor has missed.  It's a back and forth that has been happening since this software really began.

The last one can be a big sticking point.  Symantec has standards that we adhere to when writing definitions...I can't give specifics because, frankly, I don't know what they are...I do, however, know that false positives are a huge concern for us as a company, and we work hard to try to limit them.  Other companies, however, while concerned about it, don't seem to be AS concerned, and their detections can be a little less strict, which can often result in false positive alerts.