HOWTO: Submitting suspect file/virus to Symantec to receive Rapid Release definition (v12.1.6) 

Sep 14, 2015 09:37 AM

Note: This is based on SEPM v12.1.6 console.

Your SEPM installation is running smoothly. No alerts are showing on the Home page of the SEPM console. You sit back, feeling very pleased with how things are running.

Then all of a sudden you notice a spike in network traffic. Stop reading the Dilbert comic strip! Roll up your sleeves and start investigating.

You narrow it down to an external e-mail going around with an attachment marked as ‘Invoice’ from an unknown source.

As many of us IT people know, standard users will double-click the attachment to read it without checking where it came from or whether it is from a known sender. You, on the other hand, knew straight away that this is a dodgy e-mail whose aim is to infect your network. That’s not going to happen on your watch!

BUT! To your horror, the virus scanner did not catch it! This is a NEW threat and Symantec is not yet aware of it. Oh noes! Panic stations!

Relax…

Your mission, should you choose to accept it (well you’ve got no choice anyway), is to stop this spread before it’s too late.

Your first task is to STOP the e-mail getting into your network. Depending on your e-mail setup, where possible, block the sender address so the messages stop reaching mailboxes. If needed, send out a global e-mail alerting users not to open the e-mail/attachment (and educate them about e-mail safety at the same time).

Then you will need to submit the file(s) to Symantec for investigation. Depending on your subscription package/contract with Symantec, there are two ways to do this; you will need to pick one.

If you have…

If you’re just a member of the public with no subscription package and happen to be reading this page to find out how to submit files to Symantec, you can submit your files at https://submit.symantec.com/retail

The Gold subscription will process your files quicker, while Essential may take a bit longer. Ultimately they all end up in the same place for processing, testing and releasing a Rapid Release definition file with the updated signature to catch the new virus/threat.

When you have submitted the file(s) to Symantec, they will send you an e-mail to let you know they have received the file(s) and are processing them.

Once they have processed it, they will send another e-mail update explaining what they found in the file(s) you submitted, giving the Signature Protection Name (W97M.Downloader in my case) associated with the file(s) and the Rapid Release Sequence Number, so you will know which definition has the update to protect your network. The Scribe Report PDF from Symantec has additional details of how the threat could have spread, what files it drops on the computer, what registry entries it changes, what URLs it tries to access, etc., which will be very useful for your investigation of infected machines.

Now that you have the Rapid Release Sequence Number, what’s next?! Of course, you will need to grab the latest definition file. You can download it from their FTP site, which is quick and straightforward:

ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/

You may need to refresh the page a few times before the correct Rapid Release Sequence Number appears. Once found, click on the sequence number to list its files. Again, you may need to refresh the page a few times while Symantec is still uploading the files. Look for the vdXXXXXX.jdb file (where XXXXXX are numbers) at the bottom of the page; it is around 570MB. When the file is available, download it to the desktop of the SEPM server.

Now that you have it… what’s next? You will need to put the *.jdb file in the ‘incoming’ folder on the SEPM server. This is located at:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming

As soon as you put the file in there, SEPM will pick it up immediately, extract the files and import them into the database, ready to distribute to all online SEP clients. Once this has been processed, you will see the new details under “Windows Definitions” at the bottom of the Home page of the SEPM console.
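As an added example (not part of the original article or of Symantec's own tooling), here is a PowerShell script that checks a downloaded Rapid Release .jdb file, stages it into the SEPM incoming folder and waits for SEPM to consume it. It assumes an elevated PowerShell 4+ session on the SEPM server, the default install path quoted above, and that SEPM removes the file from incoming once it has imported it (the usual behaviour, but verify on your own server).

```powershell
# Stage a Rapid Release vdXXXXXX.jdb into the SEPM 'incoming' folder and wait for SEPM
# to consume it. Added example, not from the original article. Assumes an elevated
# PowerShell session on the SEPM server and the default SEPM install path.
param(
    [Parameter(Mandatory = $true)][string]$JdbPath,
    [string]$IncomingDir = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming',
    [int]$TimeoutMinutes = 15
)

$file = Get-Item -LiteralPath $JdbPath -ErrorAction Stop

# Rapid Release definition bundles are named vd<digits>.jdb; refuse anything else.
if ($file.Name -notmatch '^vd\d+\.jdb$') {
    throw "Not a Rapid Release definition file: $($file.Name)"
}

# A truncated download is a common cause of a 'stuck' import; the bundle is ~570 MB.
$sizeMB = [math]::Round($file.Length / 1MB, 1)
if ($file.Length -lt 100MB) {
    throw "$($file.Name) is only $sizeMB MB; the download probably did not finish"
}

# Record the SHA256 so the change record states exactly which bundle was imported.
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
Write-Host "Importing $($file.Name) ($sizeMB MB, SHA256 $hash)"

if (-not (Test-Path -LiteralPath $IncomingDir -PathType Container)) {
    throw "SEPM incoming folder not found: $IncomingDir (is this the SEPM server?)"
}

# Copy rather than move, so the original download survives if the import fails.
$dest = Join-Path $IncomingDir $file.Name
Copy-Item -LiteralPath $file.FullName -Destination $dest -ErrorAction Stop

# Assumption: SEPM deletes the file from 'incoming' once it has extracted and
# imported it, so poll until it disappears or the timeout expires.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while (Test-Path -LiteralPath $dest) {
    if ((Get-Date) -gt $deadline) {
        Write-Warning "$($file.Name) is still in 'incoming' after $TimeoutMinutes min; check the SEPM console"
        exit 1
    }
    Start-Sleep -Seconds 30
}
Write-Host "SEPM has consumed $($file.Name); check 'Windows Definitions' on the SEPM Home page"
```

Run it as `.\Import-RapidRelease.ps1 -JdbPath C:\Users\<you>\Desktop\vdXXXXXX.jdb` (script name is a placeholder) and keep the printed hash with your incident notes.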

Then sit back and watch the SEPM console show you how many viruses have been caught/blocked/cleaned, and feel proud that you’ve stopped an epic outbreak. You can now go back and carry on reading the Dilbert comic strips. ;-)

Note: The e-mail attachment virus is just one of many possible scenarios; they all end up with the same main aim – submitting an unknown file to Symantec to receive the Rapid Release definition file that protects your network.

If it's not possible to upload the suspect file(s) to Symantec (e.g. outgoing Internet access is blocked for whatever reason), then read and follow this article:

What to do when you suspect that a Symantec AntiVirus product is not detecting viruses - http://www.symantec.com/business/support/index?page=content&id=TECH99222


False Positives

But what if you have a legitimate file that is being flagged as a virus/suspect file? If you have a file that is a false positive, where possible, you can upload it to https://submit.symantec.com/false_positive/ and they will investigate the file to mark it as a false positive.

A useful website for checking whether the file you have is a known threat is VirusTotal, where you can upload the file: https://www.virustotal.com

Note: VirusTotal is not run by Symantec but by a subsidiary of Google. Please be aware that VirusTotal is a second-opinion website and not a substitute for a security product.

I hope this article helps you – if there is anything else you want to add to this, please feel free to leave a comment below.
