About the Threat Analysis Scan in SymDiag

Article ID: 159020

Products

Symantec Products

Issue/Introduction

This article describes the features of the Threat Analysis Scan found in the Symantec Diagnostic Tool (SymDiag)

Resolution

The Symantec Diagnostic Tool (SymDiag) is a diagnostic utility used to help automate support for multiple Symantec products. SymDiag includes a utility, the Threat Analysis Scan, that can help to identify suspicious files on a system. For more information about SymDiag, see:

Download SymDiag to detect product issues

Use the Threat Analysis Scan when you believe there might be malware on a system but security software is unable either to detect it or to remediate it. The Threat Analysis Scan can help to identify the following types of malware:

  • New variants of existing threats that are not detected by the current definition sets
  • Fake antivirus applications and other rogueware
  • Rootkits
  • System settings that have been tampered with maliciously

Because the Threat Analysis Scan uses aggressive heuristics to detect these threats, there is a risk that it can select some legitimate programs for removal. You must always review the files identified as suspicious and clear those that are known to be safe applications before taking steps to further investigate or remove those files from a system.

By default the Threat Analysis Scan is configured to collect the required data when working with Symantec Support, but it can also be used to find and remove suspicious files without Support assistance.

Supported Operating Systems

The Threat Analysis Scan will run on Windows operating systems with .NET 3.0 or later.  The Threat Analysis Scan does not run on the following Windows operating systems:

  • Windows 2000
  • Windows XP RTM
  • Windows XP SP1
  • Windows 2003/R2 - an internal component of Threat Analysis Scan does not support this operating system.

The Threat Analysis Scan may not work as effectively in the following environments:

  • Safe mode - Ensure that networking is available for the Symantec Power Eraser component
  • System account - The default configuration of the Threat Analysis Scan examines only the current user account.  The system account will not provide this user context for identifying suspicious files.

What does the Threat Analysis Scan do?

Within each version of Windows, there are specific locations within the file system and registry that are used to load applications and related files automatically without a user’s explicit consent.  While these ‘load points’ are used by legitimate programs, they are also commonly used as attack vectors for malware such as viruses, trojans, worms, and spyware. The Threat Analysis scan examines files that launch from these locations in order to narrow down which files are less likely to be legitimate.

After determining which files are referenced by a load point, the Threat Analysis Scan uses the following methods and technologies to analyze and score those files:

File signature checking

The Threat Analysis Scan checks whether a file is signed with a valid Authenticode signature or is listed in a valid Windows Security Catalog. If it is, the file is not likely to be a risk.

Symantec Insight

The Threat Analysis Scan uses Symantec Insight to help determine whether a file can be trusted. Symantec Insight is a reputation-based rating system that is available to Symantec products as an online (cloud) service. For this reason a Threat Analysis Scan must be run (or completed) on a system that is connected to the internet. For more information see How Symantec Endpoint Protection uses Symantec Insight to make decisions about files.

Symantec Power Eraser

Symantec Power Eraser uses heuristics to help identify potential malware before it is detected by anti-malware software definitions.  These heuristics require immediate access to Symantec Insight. For this reason Symantec Power Eraser heuristics will only be applied when the Threat Analysis Scan is run on a system while it is online. If the Threat Analysis Scan is not run online then the Symantec Power Eraser heuristics are not applied to the system.

Symantec Power Eraser heuristics are defined in a set of updatable definitions.  Symantec Power Eraser downloads the latest definitions automatically when you run it. You can determine which definitions were applied to a scan by clicking on the Definitions link in the upper right corner of the Threat Analysis scan report window.

Symantec Power Eraser also supplies, as a separate option, special rootkit detection heuristics. Selecting this option requires that the system be rebooted. After the reboot the Threat Analysis Scan will use Symantec Power Eraser to examine additional files based on the data collected during the reboot.

Symantec Power Eraser also provides the means to remove a suspicious file from the system as well as restore it should its removal be later determined to be unnecessary.

Security Response manual heuristics (formerly known as Load Point Analysis)

The Security Response team at Symantec examines files that have been submitted as potential malware. Through their years of experience with such files, a number of simple file-information checks were developed to help isolate files worth submitting to the online submission web site. Many of these manual heuristics have been automated in the Threat Analysis Scan. When the Threat Analysis Scan finds an unsigned file that is not known to be safe by Symantec Insight, these heuristic checks are applied to the file to refine its overall score.
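To make the three steps above concrete (enumerate load points, check the signature, and apply simple file-information checks to unsigned files), here is an added PowerShell example. It is not SymDiag, Power Eraser or Security Response code: it reads only a small subset of the load points those tools cover (the Run/RunOnce keys and the Startup folders), uses the built-in Get-AuthenticodeSignature cmdlet for the signature check, and the scoring weights and the two "unsigned file" checks are assumptions chosen for illustration, not Symantec's actual heuristics.

```powershell
# Added example, not part of SymDiag. Lists executables referenced by common
# Windows load points, checks their Authenticode/catalog signature, and applies
# a few illustrative triage checks to unsigned files. Scores are arbitrary.

# A small subset of the load points tools such as Autoruns and Power Eraser cover
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value such as  "C:\x\a.exe" /silent
function Get-ExecutablePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return ($Command -split '\s+')[0]
}

# Collect every (load point, name, command, resolved path) tuple
function Get-LoadPointEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $entries += [pscustomobject]@{
                LoadPoint = $key
                Name      = $prop.Name
                Command   = [string]$prop.Value
                Path      = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $prop.Value))
            }
        }
    }
    # Per-user and all-users Startup folders (entries here are often .lnk shortcuts)
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $entries += [pscustomobject]@{ LoadPoint = $dir; Name = $_.Name; Command = $_.FullName; Path = $_.FullName }
        }
    }
    return $entries
}

# Score each entry: signed files are left alone, unsigned files get extra checks
function Get-LoadPointReport {
    foreach ($e in Get-LoadPointEntries) {
        $score = 0; $reasons = @(); $sigStatus = 'n/a'
        if (-not (Test-Path -LiteralPath $e.Path -PathType Leaf)) {
            $score += 2; $reasons += 'referenced file is missing'
        } else {
            # Get-AuthenticodeSignature also recognises catalog-signed Windows files
            $sig = Get-AuthenticodeSignature -LiteralPath $e.Path
            $sigStatus = $sig.Status
            if ($sig.Status -ne 'Valid') {
                $score += 3; $reasons += "signature $($sig.Status)"
                # Illustrative file-information checks (assumed weights, not Symantec's)
                if ($e.Path -match '\\(Temp|Public|Downloads)\\') { $score += 2; $reasons += 'runs from a temp/writable folder' }
                $vi = (Get-Item -LiteralPath $e.Path).VersionInfo
                if ([string]::IsNullOrWhiteSpace($vi.CompanyName)) { $score += 1; $reasons += 'no CompanyName in version info' }
            }
        }
        [pscustomobject]@{
            LoadPoint = $e.LoadPoint; Name = $e.Name; Path = $e.Path
            Signature = $sigStatus; Score = $score; Reasons = ($reasons -join '; ')
        }
    }
}

Get-LoadPointReport | Sort-Object Score -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell prompt so the HKLM keys are readable. Entries with a Valid signature score 0, which mirrors the article's point that a validly signed file is not likely to be a risk; everything else is ordered by score so you review the least-trusted files first. The script does not resolve .lnk targets in the Startup folders and does not consult any reputation service, so a high score here means "look at this file", never "remove this file".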

Running the Threat Analysis Scan

Identify suspicious files with the Threat Analysis Scan in SymDiag

What if the Threat Analysis Scan identifies a potential risk?

If the Threat Analysis Scan identifies files that require further investigation, the first thing to do is a common-sense check of the files in question:

  • Do the files belong to a program that you recently installed?
  • Do the files belong to a program that you know to be valid?

If you are unable to determine the validity of the file, submit the files to Security Response for analysis. In addition you can contact Technical Support for further assistance.

Scanning Other User Profiles

Sometimes a user cannot log into a system because undetected malware is causing the startup process to fail. If the potential malware is only using load points associated with that user then it may be necessary to scan that user’s load points to find the malware. The Threat Analysis Scan has the capability to scan user profiles other than the user profile that is currently logged into the system. To access this feature, prior to starting the scan, click on ‘Advanced Options’. In the Advanced options dialog check the box for 'Scan other user profiles'.  Checking this option reveals a further choice between scanning all profiles or adding one or more specific profiles to be scanned.  Either option will add the scanning of load points in other user profiles on that system to the scan. As part of the Symantec Power Eraser functionality, this feature requires immediate access to the internet from the system that the scan is run on.

Running the Threat Analysis Scan Offline

A system does not have to be online in order for a Threat Analysis Scan to be run. However, the Threat Analysis Scan will have to be completed on another system with access to the internet before the report results can be viewed (see Identify suspicious files with the Threat Analysis Scan in SymDiag …). This is because Symantec Insight is a critical technology that can accurately reduce the number of files requiring manual investigation significantly. The Threat Analysis Scan report will not appear unless Symantec reputation information is supplied.

The Symantec Power Eraser technology in the Threat Analysis Scan requires that the system being scanned has an internet connection. The following features of the Threat Analysis Scan that are supplied by Symantec Power Eraser technology are therefore also only available when the scanned system has an internet connection:

  • File removal and restoration
  • Scanning other user profiles
  • Symantec Power Eraser zero-day heuristics

With or without the availability of Symantec Power Eraser technology, the Security Response manual heuristics are applied, allowing the user to make a good determination of which files should be examined further as potential malware. In all cases, file signature checking, Symantec Insight data and the Security Response manual heuristics are applied to the scan results before the Threat Analysis Scan report is displayed.

Power Eraser and Autoruns

Autoruns is a SysInternals utility that scans load points and displays detailed information about how those load points are configured to start applications automatically. Power Eraser checks all the same load point/"auto-starting" locations as Autoruns.