
Why Endpoint security is not catching most of the Malware?

Created: 07 Apr 2011 | 7 comments

We have Endpoint Security installed with the most current updates (11.0.6100.645). Most of the time SEP misses the malware and I have to use Malwarebytes to clean it up. Am I missing something, or have I not set up my SEP right? I think Malwarebytes does a way better job than SEP.


Thomas K

Bump up the AV Security Settings - See the Security Response Recommended Settings

Make sure all your systems are patched and running the latest updates.

Follow the Security Best practices -

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not -

If you have a file that SEP is still missing, then please submit it for analysis ASAP.

w-d

I think this document can help:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

I would strongly suggest checking this document as well to ensure that the SEP configuration is correct:

Security Best Practice Recommendations

sandra.g

...but I think we all agree that prevention is far better than remediation.

It is essential that you use not just AV, but PTP and especially NTP for Intrusion Prevention (IPS). Code on fake AV programs and malware changes multiple times a day. AV detections are, for the most part, code-based, i.e. reactive (and I mean all traditional AV protection). IPS is proactive--looking for traffic patterns regardless of code.

Ensure all plugins that tie into Internet Explorer are updated (Quicktime, Adobe Flash / Reader, Java, etc). Make sure all critical system patches are applied.

Look too into using Application and Device control. There are links and details for all of this on this similar thread:

Most current build of SEP is 11.0.6300, by the way, though I don't believe that will have a significant impact on protection.


Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Mithun Sanghavi


Same old story. Who comes first.... Thief or Cop?

Don't take me otherwise; what I mean to say is that there may be cases where Symantec is not detecting the threat. In that case, Symantec would need your assistance.

Let us know about it. We would like to hear from you.

If you feel there is a new variant of an old threat, or a new threat, that Symantec is not catching, you would have to submit the suspicious files to verify whether those files are clean or malicious.

There are 2 ways to catch the suspicious files.

1) Manual - You may find some files which shouldn't be there on the computer. You could submit those files. Yes, sometimes you feel those files are hidden; in that case, go for option 2.

2) Automated - Run the Symantec Support Tool with Loadpoint Analysis and it would collect the suspicious files for you. Check the below:

Using Symantec Support Tool, how do we collect the suspicious files and submit the same to the Symantec Security Response Team.

As told above, prevention is far better than remediation (thanks Sandra!). So what will you do to prevent this from happening?

You may also find your answers in the Symantec Knowledgebase article as given above:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

A few documents which may be helpful in answering all your how, why, what and where questions:

1) About viruses and security risks
2) What to do when you suspect that a Symantec AntiVirus product is not detecting viruses
3) Security Best Practice Recommendations
4) Best practices for troubleshooting viruses on a network
5) Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003
6) About creating a plan to respond to viruses and security risks
7) How to prevent a virus from spreading using the "AutoRun" feature

Hope I have tried my level best to answer you.

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ntripp

We're seeing the same thing. Our customers are constantly getting infected by the same malware every day.

I submit the infections to Symantec and they are never picked up. When I analyze with VirusTotal, competitors pick up the malware (most often ransomware).

At this point I wouldn't be able to recommend Symantec, since it is not detecting even the most common malware that exists in the wild, well after it is first introduced.

Antivirus             Version          Last Update  Result
AhnLab-V3             2011.08.31.01    2011.08.31   -
AntiVir                                2011.09.01   TR/Fake.Rean.AC
Antiy-AVL                              2011.09.01   -
Avast                 4.8.1351.0       2011.08.31   -
Avast5                5.0.677.0        2011.08.31   -
AVG                                    2011.09.01   -
BitDefender           7.2              2011.09.01   -
ByteHero                               2011.08.22   -
CAT-QuickHeal         11.00            2011.08.31   (Suspicious) - DNAScan
ClamAV                                 2011.09.01   -
Commtouch                              2011.09.01   -
Comodo                9947             2011.09.01   -
DrWeb                                  2011.09.01   -
Emsisoft                               2011.09.01   -
eSafe                                  2011.08.31   -
eTrust-Vet            36.1.8534        2011.09.01   Win32/FraudSecurity.A!generic
F-Prot                                 2011.09.01   -
F-Secure              9.0.16440.0      2011.09.01   -
Fortinet              4.3.370.0        2011.08.31   -
GData                 22               2011.09.01   -
Ikarus                T3.              2011.09.01   -
Jiangmin              13.0.900         2011.08.31   -
K7AntiVirus           9.111.5077       2011.08.31   -
Kaspersky                              2011.09.01   -
McAfee                5.400.0.1158     2011.09.01
McAfee-GW-Edition     2010.1D          2011.08.31   -
Microsoft             1.7604           2011.09.01   -
NOD32                 6427             2011.09.01   a variant of Win32/Kryptik.RYF
Norman                6.07.11          2011.09.01   -
nProtect              2011-09-01.01    2011.09.01   -
Panda                                  2011.08.31   -
PCTools                                2011.09.01   -
Prevx                 3.0              2011.09.01   -
Rising                                 2011.08.30   -
Sophos                4.68.0           2011.09.01   Mal/FakeAV-NW
SUPERAntiSpyware                       2011.09.01   -
Symantec              20111.2.0.82     2011.09.01   -
TheHacker                              2011.09.01   -
TrendMicro            9.500.0.1008     2011.09.01   -
TrendMicro-HouseCall  9.500.0.1008     2011.09.01   -
VBA32                                  2011.08.31   -
VIPRE                 10335            2011.09.01   -
ViRobot               2011.9.1.4651    2011.09.01   -
VirusBuster                            2011.08.31   -

Thomas K

@ ntripp,

If you submit a file that is proven malicious, we will create definitions to protect. What you may be seeing are new variants of an existing threat that are getting through.

As you can see by the VirusTotal list that you posted, not every AV product will catch every threat 100% of the time.

Please submit the new file(s) to us for analysis ASAP, so that we can create the signatures to protect you.

It is not just about Antivirus these days. You need to educate your users on safe Web surfing and email practices.

Tighten your security settings on your AV policy -

Use plug-ins like Norton Safe Web Lite to help warn users of malicious websites -

Use features such as our Facebook link scanner -

Add an email filtering product to your environment such as Symantec Mail Security for Microsoft Exchange or one of our Email Security products.

And most importantly, follow all the Security Best Practices -



Austin2011

We are a company. We have approximately 100 PCs that have internet access. We use SEP 11.0.5002.333. They are managed by a SEP server. We also use Proactive Threat Protection. We have approximately 3 PCs a week that are incapacitated by malware. We are extremely frustrated with SEP. We have increasingly relied on Malwarebytes to help us deal with the problem.

Today I spent 4 hours on a Laptop infected with Malware. SEP never recognized any file as a threat.

I was able to identify the time of the attack and identify the files created at that time and was able to delete them. I also installed Malwarebytes. It found 4 threats. SEP found 0.

What can I do to help Symantec help us?
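The manual triage described in this thread (Mithun's option 1 of collecting suspicious, possibly hidden, files for submission, the "common loading points" document, and Austin2011's approach of working back from the attack time to the files created then) can be scripted. The following is an added example, not code from the thread, from Symantec, or from the SEP product. It assumes Windows with PowerShell 2.0 or later and an account that can read the directories and registry keys listed; the attack time, window and root directories are placeholder assumptions to replace with what you observed.

```powershell
# Added example; not code from this thread, from Symantec, or from SEP.
# Assumes Windows, PowerShell 2.0+, and read access to the paths and keys below.

function Get-Sha256 {
    param([string]$Path)
    # Hash via .NET so this works before Get-FileHash existed (PowerShell 4.0).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Get-FilesCreatedNear {
    param(
        [datetime]$AttackTime,
        [int]$WindowMinutes = 30,
        # Assumed roots: user-writable locations malware commonly drops into.
        [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData)
    )
    $start = $AttackTime.AddMinutes(-$WindowMinutes)
    $end   = $AttackTime.AddMinutes($WindowMinutes)

    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # -Force includes hidden and system files, which is the case option 2 above exists for.
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { (-not $_.PSIsContainer) -and ($_.CreationTime -ge $start) -and ($_.CreationTime -le $end) } |
            ForEach-Object {
                $hash = $null
                try { $hash = Get-Sha256 -Path $_.FullName } catch { }   # locked files hash as $null
                New-Object PSObject -Property @{
                    Created = $_.CreationTime
                    Size    = $_.Length
                    SHA256  = $hash
                    Path    = $_.FullName
                }
            }
    }
}

function Get-RunKeyEntries {
    # Classic loading points: Run / RunOnce for the machine and the current user.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to every registry item.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# Usage. The attack time is a placeholder; use the time you identified from the machine.
$attackTime = Get-Date '2011-04-07 09:15'
$recent = @(Get-FilesCreatedNear -AttackTime $attackTime -WindowMinutes 30 | Sort-Object Path -Unique)
$recent | Sort-Object Created | Format-Table Created, Size, SHA256, Path -AutoSize

# Any autostart entry whose command references a newly created file is the first
# candidate to submit for analysis, since it will run again at the next logon.
foreach ($entry in Get-RunKeyEntries) {
    foreach ($file in $recent) {
        if ($entry.Command.ToLower().Contains($file.Path.ToLower())) {
            Write-Output ("Autostart entry '{0}' in {1} points at {2}" -f $entry.Name, $entry.Key, $file.Path)
        }
    }
}
```

The SHA-256 column lets you check a file against VirusTotal or a submission portal before uploading it, and a hash that differs from yesterday's sample for the same autostart entry is exactly the "new variant of an existing threat" situation Thomas K describes. Creation time can be forged, so treat the list as a starting point for submission, not as proof that a file is clean.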