Endpoint Protection


Need Old JDB file to clean Trojan.Win32.VB.gtw

Migration User, Nov 17, 2009 02:41 AM

  • 1.  Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 13, 2009 11:50 AM
    Good Day all.
    I need an old JDB file to put in the SEP Manager because I've been hit by this (Trojan.Win32.VB.gtw) and current AV definitions cannot clean it. SEP says nothing is wrong with the PCs even though I have a bunch of them infected by it. Kaspersky could clean it, and the information I've found dates from early 2009 and December 2008.

    Is there an archive ftp I can log on to and get this jdb file?

    Thanks.



  • 2.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 13, 2009 11:54 AM

    Here is the link; download whatever you want:

    ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/jdb/

    How to update definitions for Symantec Endpoint Protection Manager using a JDB file
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007100820002048



  • 3.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 13, 2009 12:17 PM
    Thanks, but those are current. I need a file from January 2009 or December 2008.


  • 5.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 13, 2009 01:10 PM
    Nigel, whatever you are trying to do will not resolve your issue. The dates you are talking about you must have seen in Symantec's write-up about Trojan.Win32.VB.gtw.

    Whatever infection you have right now would be a new variant (type) of the same virus.

    So to resolve this issue you need to test it with the latest Rapid Release definitions, or, if it is not detected by those, submit the suspected virus files to https://submit.symantec.com

    New definitions contain old definitions as well.


  • 7.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 16, 2009 01:31 PM
    So I've sent the file to Symantec for review...
    Now, am I going to get a new signature by email or a new JDB to put in my SEP Server? How does this process work?

    Thanks a lot.


  • 8.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 16, 2009 01:42 PM
    Once you submit the file you receive a Tracking Number.


    Title: 'The Symantec Security Response sample submission process'
    Document ID: 199822105339
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/199822105339?Open&seg=ent


  • 9.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 16, 2009 01:55 PM
    Just as an FYI, the dates we display on the write-ups can be a little misleading.

    For example, Trojan.Win32.VB.gtw actually seems to be W32.Spybot (the other name is from a competitor). If we look at the writeup for this threat:

    http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99

    it would appear that we found this in 2003 and haven't updated since 2007.  I can tell you with 100% certainty that we *have* updated the definitions for Spybot since 2007.  I'd be surprised, actually, if there was a single day that we *haven't* updated the Spybot definition.

    As Vikram indicated, current defs contain old defs.  The only time we remove definitions is if they generate false positive alerts, and even then it's only long enough to refine the signature so that the false positives stop, then the signature is back in the defs.

    If you have current definitions and a file suspected of being infected isn't being detected, submit the file(s) via the online scanner (as it appears you have).


  • 10.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 16, 2009 02:13 PM
    You'll get an email from Symantec about the Rapid Release definitions. On the same link you will see the JDB as well.


  • 11.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 16, 2009 09:26 PM
    OK, I sent a sample last Friday (password-protected zip file, and of course I sent them the password) and today received the following note: "Developer Notes: FILENAME.zip is a non extractable container file of type ZIP..." So this means they could not open the zip file? :(

    I sent them another sample, this time unzipped. Man, 3 days have gone by already and still no signature for the SEP Server.
    Thanks a lot.


  • 12.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 17, 2009 02:41 AM
    Could you please paste the Tracking ID?


  • 13.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 17, 2009 06:40 PM
    Sure, Thanks.

    Tracking #13623735: this is the one with the developer notes "USBvirus.zip is a non extractable container file of type ZIP".

    Tracking #13671360: this is the one I sent yesterday with only the system.exe file.


  • 14.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 18, 2009 11:13 AM
    Good Day Prachand.
    Do you have an update on these Tracking IDs?
    Thanks a lot.


  • 15.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 18, 2009 01:16 PM
    Nigelg, both of these submissions went to our retail queue. You need to submit them (with your contact ID number) to the proper processing queue based on your support contract (basic, extended, etc.) so we can process them. As of right now, they are fairly close to the bottom of the list for processing.

    If you have any questions, please contact support so we can help you get the files submitted to the correct queue.


  • 16.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 19, 2009 01:23 PM

    [CLOSING]: Symantec Security Response Automation: Tracking #13671360

    Hi, I got this yesterday from Symantec. So what does this "stored" mean? Will it be left there for days and then rescanned again? I just want to remind you guys that this virus IS STILL ON MY NETWORK INFECTING MACHINES, and the machine-by-machine cleaning process with the Kaspersky tool is slow since I have to load the tool on every infected machine. HOW CAN I SPEED UP THIS SUBMITTING PROCESS IN ORDER TO GET THE SIGNATURE?
    Thanks a lot.

    Notes: Customer notes: Good Day. I have SEP MR3 installed and it cannot clean it. The file contains Trojan.Win32.VB.gtw, identified by Kaspersky Virus Removal Tool 7.0.0.290. Can you help me out? Sent it 3 days ago and still no signature to clean it. Thanks.

    Developer notes: system.exe Our automation was unable to identify any malicious content in this submission. The file will be stored for further human analysis.



  • 17.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 19, 2009 01:33 PM
    The latest version of SEP is available.
    You can download it from https://fileconnect.symantec.com/: give the SL NUM and download the RU version. It has a lot of enhancements...
    and
    open a case with Symantec and give the tracking ID to them; then the process may speed up....



  • 18.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 19, 2009 02:25 PM

    About MR5: some PCs have MR5 already (Bloodhound set to MAX and TruScan sensitivity at 50). That is one of the first things I tried to "kill it", but nothing happened; the SEP client says everything is OK :(

    ... but Kaspersky and ThreatExpert say the opposite!!!

    Threat Expert: http://www.threatexpert.com/report.aspx?md5=e9c3e8fed718d38f3a58dc2c39f9b355

    Thanks for the reply


  • 19.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 19, 2009 02:39 PM
    Nigelg, because you submitted the files from the retail "queue" (that is, you didn't include a contact ID), your submissions are very, very low on the priority list.

    As it is, we're currently being bombarded by numerous submissions. We're working on getting them all handled as quickly as possible, but as your submission is a retail submission, it may be quite a while before we're able to reverse engineer it.

    Please contact support.  Once your support contract has been verified you can work with one of our engineers who can, in turn, work to get your submissions switched up in priority to match your entitlement level and thus get processed faster.

    We try to be as proactive as we can about detecting new threats that we don't have definitions for, but there's only so much that can be done.  We really need you to contact support so we can get the samples investigated and definitions written for them if they turn out to be viral.

    As for our competitors detecting it while we don't, it could be, as I indicated earlier, simply that they had samples and definitions written before we did.  It is also possible, however, that we do not detect the file as infected because it isn't.  Let me give you an example.

    Let's say that VirusX infects your computer.  This virus changes your desktop to a picture of an airplane, then scans your network and spreads to any open share.

    In this case, unless the picture itself contains virus code, Symantec will not detect it as viral. Why? Because it is not infected, and doesn't contain code that can be used to propagate the virus. We will scan it, of course, but since it is not infected, we don't remove it. Some of our competitors do... they'd indicate that the file is infected (since it may have come as part of the virus) and remove it. However, we don't.

    While I don't believe that's the case with your submissions, that's something to be aware of.

    Additionally, while sites like VirusTotal may be useful to help identify suspicious files, again, the other scanners may be detecting a file that we decided isn't actually infected. Finally, we have no control over what sites like VirusTotal use to scan with... looking at their information, they're using our consumer scanner, but there is no way for us (Symantec) to ensure that they're using a current definition set, the current version of the program, current scanning engines, etc., and the same can be said of the other scanners.

    Please contact support so we can get these files submitted to the proper queue and ensure that an engineer looks at these files.



  • 20.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 19, 2009 05:32 PM
    OK, I just got an email from Symantec: they finally caught the bug and sent me a link to download the Rapid Release definitions.
    Do I have to download these on the SEP Server so it will distribute them to all the clients?

    Thanks.


  • 21.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 19, 2009 11:23 PM
    Before updating the server, download the exe file and update one infected client...
    If the virus is cleared without any problem, then you can update the server with the jdb file....


  • 22.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw
    Best Answer

    Posted Nov 20, 2009 01:26 AM
    I already used the file marked in purple on a PC and it cleaned the system.exe virus, great!
    So now I have to use the JDB file on the SEP Server? Thanks a lot.

    (Attachment: Defs on Sym FTP site.JPG)


  • 23.  RE: Need Old JDB file to clean Trojan.Win32.VB.gtw

    Posted Nov 20, 2009 01:47 AM
    It's good to hear that the problem is solved... Use the jdb file and copy it into program Files\symantec\symantec Endpoint Protection Manager\data\inbox\content\incoming

    Have a great day...
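The two-step procedure the thread converges on (validate the Rapid Release package on one infected client first, then stage the .jdb into the SEPM inbox folder) can be scripted so the staging step is checked rather than a blind copy. The script below is an added example, not code from the thread or from Symantec; it assumes the default SEPM install path on C:, the SEPM service name `semsrv`, and that SEPM deletes the file from `incoming` once it has processed it (all labelled assumptions; `Get-FileHash` needs PowerShell 4 or later).

```powershell
# Added example: stage a validated Rapid Release .jdb into the SEPM inbox and wait
# for SEPM to consume it. Run only after the matching .exe cleaned one test client.
param(
    [Parameter(Mandatory)] [string] $JdbPath,
    # Assumption: default install path; the thread gives the relative folder only.
    [string] $Inbox = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming',
    [int] $TimeoutSec = 600
)

# Pre-flight checks: right file type, file present, inbox present, SEPM running.
if ([IO.Path]::GetExtension($JdbPath) -ne '.jdb') { throw "Expected a .jdb file: $JdbPath" }
if (-not (Test-Path -LiteralPath $JdbPath))      { throw "File not found: $JdbPath" }
if (-not (Test-Path -LiteralPath $Inbox))        { throw "SEPM inbox not found: $Inbox" }

# Assumption: the SEPM Windows service is named 'semsrv'.
$svc = Get-Service -Name 'semsrv' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw 'SEPM service (semsrv) is not running; start it before staging content.'
}

# Hash the package before copying so the staged copy can be checked against it,
# and so the value can be recorded next to the vendor tracking number.
$expected = (Get-FileHash -LiteralPath $JdbPath -Algorithm SHA256).Hash
Write-Host "Staging $(Split-Path -Leaf $JdbPath) (SHA256 $expected)"

$dest = Join-Path $Inbox (Split-Path -Leaf $JdbPath)
Copy-Item -LiteralPath $JdbPath -Destination $dest
if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -ne $expected) {
    Remove-Item -LiteralPath $dest -ErrorAction SilentlyContinue
    throw 'Staged copy failed integrity check; not leaving it in the inbox.'
}

# Assumption: SEPM removes the file from 'incoming' after importing it, so the
# file disappearing is the signal that the import ran. Poll with a timeout.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
while (Test-Path -LiteralPath $dest) {
    if ((Get-Date) -gt $deadline) {
        throw "SEPM has not consumed $dest within $TimeoutSec s; check the SEPM server logs."
    }
    Start-Sleep -Seconds 10
}
Write-Host 'JDB consumed by SEPM. Confirm the new definition date in the console before relying on it.'
```

Clients receive the definitions on their next check-in with the manager, so confirm the definition date on one client before assuming the whole network is covered.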