Endpoint Protection


New threat? Suspicious.MH690

  • 1.  New threat? Suspicious.MH690

    Posted Apr 01, 2009 05:15 PM
    I've seen two of these today. In the first case, it attempted to write a file to the DESKTOP called "a.exe"
    I was not able to determine the web site.
    In the second case, I was able to get the exact web site and page, and a screen shot.
    So I submit this file, yes, got my codes to work, and got a tracking number.
    So the person here visits the site,
    a file called wtW[1].exe was placed on the desktop.
    SEP said hold the phone, this is a suspect file! I'm going to quarantine it and send an alert.

    This is the alert:

    Risk name: Suspicious.MH690

    Event time: 2009-04-01 19:21:08 GMT

    Database insert time: 2009-04-01 19:23:09 GMT

    User: Tom.xxxxxx

    Computer: VR0332xxxxxx

    IP Address: 10.xxx.xxx.xxx.xxx

    Domain: IVRS-SEP1

    Server: VRDSMSEP1

    Client Group: My Company\Client Computers\Desktop

    Action taken on risk: Quarantined


    It went to our quarantine server.
    I restored the file to a test computer and manually submitted it to Symantec.
    Here's their response (don't laugh TOO hard, please!)

    Dear Bill Dickerson,

    We have analyzed your submission.  The following is a report of our findings for each file you have submitted:

    filename:  wtW[1].exe

    machine: Machine

    result: See the developer notes

    Customer notes:

    Placed on desktop by web site www.expertvocational.com/witness.shtml
    SEP triggered and quarantined as suspicious.

    Developer notes:

     C:\wtW[1].exe is corrupted. Please delete this file, and re-copy the file from a known clean backup.


    Oh, like I'm going to call our user and say, sorry, that virus file seems to be corrupted, please go BACK to that web site and see if it will place a good copy of that virus on your computer. Thanks.

    Fellows - what's with this re-copy the file from a known clean backup bit?
    It was a virus submission. Might want to tailor your response to the file type, location and method of infection!
    Thanks! LOL Sorry, I'm having too much fun with this!

    I submitted the FIRST one as well, the A.EXE and have yet to get a response back on that one. If I did, I'm too sore from laughing over the other response to read it.

    Sorry, guys. Sometimes things just hit you wrong. I mean, submit a file that SEP quarantines, placed there by a web site attempting to get software installed without asking the user, and the response, as innocent and polite as it was, was just funny. I guess they just didn't read my message, is all; that means they are probably over-worked.
    MAYBE in my submission I just didn't explain well enough - did not state that our user did NOT ask for the file, was not expecting it, didn't want it, and didn't know it was happening.
    Is it 4:30 yet?
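    A check worth running before a sample restored from quarantine goes to any vendor, so that a "file is corrupted" reply like the one above can be answered with evidence: was the file structurally whole when it left our hands, or was the download cut short (a quarantined drive-by drop can easily be a partial file)? This is an added example, my own code and not Symantec's or the poster's; the PE layout it walks is the documented format, and the sample bytes are constructed inline, not the wtW[1].exe from the thread.

```python
import hashlib
import struct
from typing import Optional


def check_pe(data: bytes) -> dict:
    """Structural completeness check for a PE file held in memory.

    Walks DOS header -> PE signature -> COFF header -> optional header ->
    section table and confirms every section's raw data lies inside the
    file. Returns 'complete' plus concrete reasons when it is not, so the
    submission note can state exactly how the sample is damaged.
    """
    size = len(data)
    reasons = []
    nsections = 0
    expected_end = size  # grows to the end of the last section's raw data

    if data[:2] != b"MZ":
        reasons.append("no MZ signature")
    elif size < 0x40:
        reasons.append("DOS header truncated")
    else:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # The 4-byte signature and the 20-byte COFF header must both be present.
        if e_lfanew + 24 > size or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            reasons.append("PE signature missing or beyond EOF")
        else:
            coff = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
            nsections, opt_size = coff[1], coff[5]
            opt_hdr = e_lfanew + 24
            if opt_hdr + opt_size > size:
                reasons.append("optional header truncated")
            sec_table = opt_hdr + opt_size
            expected_end = sec_table + nsections * 40
            for i in range(nsections):
                off = sec_table + i * 40
                if off + 40 > size:
                    reasons.append(f"section table entry {i} beyond EOF")
                    break
                name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
                # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
                raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
                end = raw_ptr + raw_size
                if raw_size and end > size:
                    reasons.append(
                        f"section {name}: raw data ends at {end:#x}, file is {size:#x} bytes")
                expected_end = max(expected_end, end)

    return {
        "complete": not reasons,
        "sections": nsections,
        # Bytes after the last section: packers and droppers keep payload here,
        # so a missing overlay can itself be the "corruption" the vendor sees.
        "overlay_bytes": max(0, size - expected_end) if not reasons else 0,
        "reasons": reasons,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample(truncate_at: Optional[int] = None, overlay: bytes = b"") -> bytes:
    """Constructed stand-in for a quarantined download: a minimal PE32 layout
    with two sections. It is not executable and is not the thread's sample.
    """
    e_lfanew, opt_size, raw0 = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)            # 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)              # PE32 magic, rest zero
    sections = b""
    for name, vaddr, raw_ptr in ((b".text", 0x1000, raw0), (b".data", 0x2000, raw0 + 0x200)):
        sections += name.ljust(8, b"\0") + struct.pack("<IIII", 0x200, vaddr, 0x200, raw_ptr) + b"\0" * 16
    image = (dos + b"PE\0\0" + coff + opt + sections).ljust(raw0, b"\0")
    image += b"\xCC" * 0x200 + b"\xAA" * 0x200 + overlay
    return image if truncate_at is None else image[:truncate_at]


if __name__ == "__main__":
    for label, blob in (("whole", build_sample()), ("cut short", build_sample(truncate_at=0x500))):
        print(label, check_pe(blob))
```

    Record the SHA-256 it prints alongside the tracking number; if the vendor's reply names a different hash, the file changed in transit, and if the reasons list is non-empty the sample was already incomplete and the user's browser cache or the web server is where a whole copy would have to come from.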


  • 2.  RE: New threat? Suspicious.MH690

    Posted Apr 01, 2009 11:23 PM
    Hehehe, they want you to re-copy the file (not corrupted) and send it back to them? We also received this type of virus, but it's properly quarantined or deleted by Symantec.


  • 3.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 12:19 PM
    I am glad I am not the only one having a problem with the Security Response feedback after you submit a sample.
    We had a nice one: submitted a sample, got a response back that was useless.
    The write-up on the website stated that 'the infection might download additional malware', no word on WHAT it might download, or how to detect that.
    No word on what URL it would use, nothing. And of course the same bull about deleting the file and re-copying the file.
    Tech Support is excellent. The TAM we have is the best. Which is good when you have to deal with Security Response...
    Another one is a sample of Spyware Guard submitted to Security Response.
    Sample came back as 'infected'. New defs were published. So SEP/SAV started to delete the Spyware Guard executable. It just did nothing about the process that was creating the executable. So we have 90% utilization of SEP/SAV removing the executable and Spyware Guard re-creating that same executable...
    Job Well Done....
    I have plenty of these samples. It is as if some of the most simple malware is not worth their time to write detection for: AntiVirus 2009, SpywareGuard, ANGantivirus, to name a few. Symantec either does not pick up on variants, or it takes them months longer than competitors.



  • 4.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 12:30 PM
    I just got a response back today and was confused - I didn't recognize it, why did I get this - then looked at my notes, I'd submitted it almost 2 weeks ago - the response email said ->

    "C:\TEMP\1[1].pdf is a non-repairable threat"


    Correct!  ;-)  good for 10 points - I had to laugh again - Oh, well.............

    I'd love to see some detail - what threat? Name it? Typical source? How did it get here?
    That info is helpful to aid in locking out threats or future threats.

    Seriously, one reason to submit is to get back technical info, details, the name and so on so I can figure out - where's our hole? Or to help build defs that fix things....
    Forensics - that's what I'm after, and to aid in creating better definitions that can actually recognize threats by name or behaviour.




  • 5.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 02:20 PM
    Hi,

    the answers you receive are just some templates used by the automatic analyzer; when it fails, the submission goes to a human, but the answer is always a template... not clear, I agree with you.
    The time they spend to write the write-ups is proportional to the complexity and the severity of the malware.
    I think you already noticed it.
    Unfortunately there is no way to synchronize the detections between the AV vendors; each of them takes the malware it can (meaning the samples submitted by its customers) and it doesn't share the samples with the competitors... this is the business...
    If you are not satisfied with Security Response's answer, as you know, you can call Support to have a human interaction.

    Regards,


  • 6.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 03:30 PM
    Giuseppe
    I agree with you totally that they can't create write-ups when they do not have the infections and worked on it. But when I submit dozens of samples, including an explanation of the symptoms, it should be do-able for them to take the right actions.
    And I expect, as a platinum customer, to get useful information. There is a reason I am a platinum customer: Support! Not just the technical support, but support on infections, outbreaks, information to resolve and prevent infections. Not just by running the applications, but also multilayered support. And, in my opinion, that should include data about a specific infection and what steps to take once an infection has hit.  Information like: It's a key logger, it gathers data and sends that data to {ipaddress}. So in that case we can actually block that IP address. But what we got is: it is a malicious application, please remove it from your system.
    Not very helpful, in my opinion, because whatever data was gathered, has gone out. And the infection(s) might still be active while we are trying to get SR to respond with useful information. Contacting the TAM, no matter how good he or she is, is delaying the counter activities that are needed.
    Remarks in the write-ups like "It might download additional malware" are plain wrong. Write-ups about a specific piece of malware that has different behaviour with each variant should be explained per variant. Generalizations in the write-up like "one variant infects EXE files, another variant behaves like a key logger and sends data to an IP address while the first variant did not" warrant a separate write-up. All in all, I am convinced that SR can do a lot better in their responses.


  • 7.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 03:37 PM
    They can always open an office here in Iowa and hire me................
    I've done technical writing in the past.


  • 8.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 04:10 PM
    Shadows,

    I have been looking at all the "states" inside of all the great call center regions: India, China and the neighbourhood...  Then I thought, oh, maybe some other third world country where they can exploit cheap labour, and started looking in the Middle East, North Africa and the lot...

    Cannot find Iowa anywhere!

    You can't possibly mean Iowa, the state in the US.  A big company, in the US, open up a Contact Center or business unit in the US to help stimulate the economy and bring jobs back from overseas...  That would be uncapitalistic!!  Just think, they would make hundreds of millions in profit instead of billions!  That's just not capitalistic.

    Imagine that.  Pfft.  If at&t, and all the major telcos, and most large corporations, GM, Ford, IBM and so many others closed their business units in other countries and brought them home...  Blasphemy.

    Sorry, one of those days.  I think I am going to take a long weekend.


  • 9.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 04:12 PM
    I think it's where they grow all the potatoes! ;-)
    CORNy, I know..........
    Folks will have a FIELD day with that.


  • 10.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 06:11 PM

    Hi Giuseppe,
    You are right. Problem is that I am not talking about rare infections. While I was writing the previous posting, I got a call from one of our locations. They had a new variant of WinPCDefender. I forgot how many variants there are now... And again, in this case SAV 10 is detecting something, but is not able to remove it. It detects it as one variant while it is another one. (Would that be called a 'false negative'? 8-))

    I would almost bet a year's pay that when I submit a sample for this, I will get the standard "File is malicious, please remove it from your system" answer. No matter what I write in the comment box. This is not a rare infection, new variants are popping up just about every week. And there are more malware 'families' where new variants are created every week. Just visit any Russian warez site, you will get all the fun you can handle. (You have to know what to expect and what your users might try to install, right?)

    Not only that, but if one of the 25K users in the organization runs into these variants, why is it that it can take Symantec literally months to come up with a detection, let alone a removal? It means that I have to rely on Symantec's competitors to get rid of that infection. I do not want to do that, I HAVE to...

    But you are absolutely right: SAV/SEP is just a tool. One in many we have to use (unfortunately). And just to be clear: I am not bashing Symantec, I think I am actually one of the few people that likes them (judging by what I read on the forums and such). They do have a good product for the Enterprise environment, in my opinion. And I know that the Malware is getting more and more sophisticated which does make it more difficult to fight it. But that does not take away anything from the fact that in the last 2 years, their detection has gone down and their response to some threats has been well below par.

    The Spysheriff family, the WinPCDefender family, and a few more have been around for a while, but the SAV/SEP detection is lagging way behind.

    I know these last examples are not really damaging, more extremely annoying, but they are there, generating user calls to helpdesks all over the country. And that is just in my organisation of 25K users. While the 'tool of choice (SAV/SEP)' is not working...

    Alright, enough of this rant. Got to work on this new WinPCDefender variant so I can submit it.

    Happy hunting, y'all.



  • 11.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 08:17 PM
    A couple comments on some of the things raised in this thread.

    Corrupted submission: An email template is an email template.  Hard to build too many smarts into it.  But it awkwardly speaks the truth.  If the file Symantec received is corrupted there is no way to analyze it.  I'm glad you don't have any more samples lying around.  It means you're no longer infected.  But a corrupted file can't be analyzed.  I'd be interested to know if anyone else has had issues with a submission to Symantec that we reported back as corrupted.

    Write-ups: We create 10,000-25,000 signatures a day.  How many tech-writers are there in Iowa? Seriously, we can't do a write-up for every threat.  And most of them are not different enough from other threats to justify the write-up.  We focus on things that are widespread and/or significantly different than existing threats.  What would people think about something that was automated?  It might look like it was written by the same guy that did the email submission templates, and it probably won't be able to give a threat name, but it could include details on what the threat does on a machine.

    Discovering variants: We write generic signatures and targeted signatures to capture as many variants as we can.  We are good enough to get a lot of variants without ever seeing them.  But we can't get all of them with generic signature (yet!).  We've run into some variants that have appeared on less than 20 machines in the wild.  If you got one of those and the other 19 people infected have not sent it to us, it's up to you.  We'll have to see it first to add detection.
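    The difference between the "targeted" and "generic" signatures described in the post above, as an added illustration: this is my own toy scanner, not Symantec's engine or its signature format. A targeted signature here is a SHA-256 of the one build that was submitted; a generic signature is a hex byte pattern with `??` single-byte wildcards and `[lo-hi]` jumps, the notation several scanners use for this. The "dropper" bytes are constructed stand-ins (push imm32 / call rel32 / add esp,4 followed by a config string), not real malware and not the thread's samples; the signature names are made up.

```python
import hashlib
import re


def hash_signature(sample: bytes) -> str:
    """Targeted signature: matches exactly one build, the one that was submitted."""
    return hashlib.sha256(sample).hexdigest()


def compile_generic(pattern: str):
    """Generic signature: a hex byte pattern in the usual AV notation.

    '??' matches any single byte and '[lo-hi]' matches a jump of lo..hi bytes,
    so the rule survives relinking, changed immediates and changed strings as
    long as the code shape stays the same.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(sample: bytes, hash_sigs: dict, generic_sigs: dict) -> list:
    """Return the names of every signature that fires on the sample."""
    digest = hash_signature(sample)
    hits = [name for name, d in hash_sigs.items() if d == digest]
    hits += [name for name, pat in generic_sigs.items() if pat.search(sample)]
    return hits


def make_variant(push_imm: int, call_rel: int, dropped_name: bytes,
                 cleanup: bytes = b"\x83\xc4\x04") -> bytes:
    """Constructed stand-in for one build of a dropper (not real malware):
    push imm32 / call rel32 / add esp,4, then the file name it drops.
    A build from a different compiler may use 'pop ecx' (0x59) for cleanup.
    """
    return (b"MZ\x90\x00FAKE\x00"
            + b"\x68" + push_imm.to_bytes(4, "little")
            + b"\xe8" + call_rel.to_bytes(4, "little", signed=True)
            + cleanup + b"\x00DROP:" + dropped_name + b"\x00")


# The one build a customer submitted, and three builds nobody has sent in yet.
SUBMITTED = make_variant(0x00403010, -0x120, b"wtW.exe")
RELINKED = make_variant(0x00405020, -0x200, b"a.exe")             # new addresses, new string
RESTRUNG = make_variant(0x00401000, 0x80, b"pcdefender.exe")     # different dropped name
RECOMPILED = make_variant(0x00403010, -0x120, b"wtW.exe", cleanup=b"\x59")  # code shape changed

HASH_SIGS = {"Trojan.Fake!hash": hash_signature(SUBMITTED)}
GENERIC_SIGS = {"Trojan.Fake!gen": compile_generic(
    "68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 [0-16] 44 52 4F 50 3A")}  # ... 'DROP:'

if __name__ == "__main__":
    for label, sample in (("submitted", SUBMITTED), ("relinked", RELINKED),
                          ("restrung", RESTRUNG), ("recompiled", RECOMPILED)):
        print(f"{label:10s} -> {scan(sample, HASH_SIGS, GENERIC_SIGS)}")
```

    The hash fires only on the submitted build. The generic pattern also catches the relinked and re-strung builds that were never seen, which is the "get a lot of variants without ever seeing them" case; the recompiled build, whose code shape changed, escapes both, which is the "we'll have to see it first" case and the reason the vendor still needs the sample.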


  • 12.  RE: New threat? Suspicious.MH690

    Posted Apr 02, 2009 10:44 PM
    I see some good points there, however........ perhaps the template could be modified on the corrupted file? State that it's corrupted and you can't analyze it. If it's a program or operating system file, it will need to be installed. If not, delete it  (or something similar)
    In this case, corruption was good - SEP at least messed it up.....

    It's hard to see, however, in the last month, how 3 computers got actually really infected and SEP didn't even pause to block it, and I took a month-old product from my thumbdrive and removed the threats in each case, and in one case, VUNDO was found by the other product and had been on the computer that was infected by ANOTHER bug. Vundo had been on that computer for over a week according to the file dates, etc. and it was only because SEP missed a fairly well known (at least a couple of days old) that I found VUNDO on that computer with a month-old other product. I think that's what is bugging a number of folks. I can take Trojan Remover that is not current, for example, and remove VUNDO that's been there on that computer for a while and remove the old bug and the new infection with TR.
    I do find it interesting, coincidence (I'm asking here!) that several hours later or the next morning, SEP now finds the traces of VUNDO left from my removal efforts.
    Is it the submissions I've been making?
    2 times, I've submitted things missed by SEP, and manually removed by me, then within hours, suddenly SEP will detect those things! The a.exe SEP didn't recognize when I submitted; it found the file "suspicious" so I submitted it. I forgot to remove the file from the server desktop after submission and funny enough, that evening SEP alerts me to the Trojan downloader on the server desktop! And just hours earlier it knew nothing about it.
    Are the submissions working that fast?? Or was it a better chance that someone else had already submitted it and the defs were in process when I submitted?

    BTW - a LOT of technical writers in Iowa - mostly unemployed now! LOL. Come on in.  I used to assist with such things back in the early 90's and one article I wrote on Trojan Horses and viruses was posted on CompuServe as a FAQ for NAV 2.0 and I believe 3.0

    We're stressed out here and our people are getting bad things on their computer nearly daily now and the number that are being missed is almost scary. Yes, we have IPS, firewalls, and SEP - but they still cause problems.........

    And I'm finding the responses to my submissions range from taking a day or two, to over a week to get a response, that's a very long time. Is the system THAT stressed? I'm curious.


  • 13.  RE: New threat? Suspicious.MH690

    Posted Apr 03, 2009 08:31 AM
    KHaley, you made some very good points. I actually agree with most of what you say.
    But that is also where the problem is. How do users submit infections? Using the platinum account number? I don't think so. Using the consumer way to submit a sample? You never get a response back. And that is IF we can get the 'normal average' user to even attempt to submit a sample.
    Auto-submit is not an option for us; attachments are filtered out so they never reach Symantec. But that is our problem, not Symantec's.

    Write-ups: you are correct. It is nearly impossible to have a detailed write-up for every piece of Malware and all the variants. Akamai does not have that amount of storage...8-) But when variants are different enough, i.e. Variant A only copies itself to shares, Variant B only logs keystrokes and send data to a URL, that should warrant a separate write-up or at least a separate explanation in the write-up.
    And not this: "HumptyDumpty worm. Some variants delete all .DOC files, other variants may collect data OR download additional Malware OR send out data".
    Sometimes it makes the difference between 'just' cleaning the PC and getting law enforcement involved. (Okay, just to be clear: this is an example....Don't want people to panic over a HumptyDumpty worm....)

    And again, you are right about the amount of infected PC's. It should play a role.
    Do you want to use up all your resources on 25 infected PC's? Or do you use those resources on 20K infected PC's?

    Oh well. I am just glad I can nag Symantec about it and not have to make the decisions 8-{0




  • 14.  RE: New threat? Suspicious.MH690

    Posted Apr 03, 2009 08:53 AM
    Thank you khaley for your input. It helps. It makes sense. I can't always agree, but when I know where things are coming from, I can at least respect it. In this case, I see more to agree with than not.

    >>Oh well. I am just glad I can nag Symantec about it and not have to make the decisions<<

    Now that I AGREE with! LOL

    Oh, great, now we have a NEW worm to deal with? humpty-dumpty?

    I'd only ask Symantec this now - I do the forensics, the clean-up, etc. A big part of my job is prevention; however, if that can't be done, then knowing EXACTLY how something acts can allow me to STOP the spread, or prevent FURTHER infections. So I need to know as much as possible ASAP. If it spreads over port xxx on a network but only under conditions xyz, I need that info and need it badly - especially if SEP has missed it! If it comes ONLY through a visit to WEB SITES, I need that info too. If it is passed ONLY through email attachments of file type .ppp then I need that info and I'll block attachments *.ppp.
    IF I don't know what it does, how it acts, how it GETS IN (the most critical part) then I can't prevent or clean. Sorry, but SEP has missed a few, and what it doesn't catch, I need to.
    I think we need to WORK TOGETHER on this to find common ground, common ways to deal with it from a vendor AND customer standpoint.
    If you saw how tense it is here, and how "well, if it's not going to protect us, we just need something else" is always in the air, you see how critical it is that I have KNOWLEDGE - the most and best I can get to use this TOOL called SEP.
    If I was a home builder, I'd need to know everything I could about lumber, how it's used, the saws I use, their care and use, etc. NAILS, their various types - when to use them, when NOT to use them......
    Same here..........................................
    Let's see how to take both sides and make it better for us all.
    I'm a HIGH-LEVEL user, I need details and facts. By the time I call support for almost anything, it's pretty critical and complex..........


  • 15.  RE: New threat? Suspicious.MH690

    Posted Apr 03, 2009 02:21 PM
    This is a hard question. I think it is impossible for Symantec to say where a virus comes from.
    For example, you click on a suspicious link on a bad web site and you download the malware into your IE cache, then you send it to Symantec, but, of course, they don't know what the visited web page was or, as another example, who sent an infected email to an employee of yours. We already know other infection vectors like USB drives, autorun.inf etc.
    I agree with you that when they run the malware in their laboratories they could write down more details on what the virus does, especially when it uses an original way to spread over the net.
    The URLs or IPs used by the malware for external connections are not so important; they are used just for a couple of days and then changed again and again.




  • 16.  RE: New threat? Suspicious.MH690

    Posted Apr 04, 2009 07:26 AM
    I was not clear... I mean, they spend time on write-ups proportionally to the complexity and the severity of the malware they have.
    For example the write-up of Downadup.B is more detailed than the others.

    Likely for them it is not worth spending time on rare malware. They just create the definitions (the most important thing), put the malware in a big family of malware and maybe write down some technical details.
    I too would like to have a better technical review of viruses but, as I've written, it seems not to be worth it for SR.

    When you write "And the infection(s) might still be active while we are trying to get SR to respond with useful information." you are right, an IT admin cannot wait for them.
    I believe it is his responsibility to take care of his systems, monitor them to detect strange behaviors, find out and isolate the infection, send the sample to the AV vendor and clean it up himself.
    A good IT manager has to be able to do this research and I see you are.

    Most of the IT managers are totally unskilled to manage security events and they need a strong support from Symantec just to understand that they are infected.
    For me the AV is just a tool to automatically detect and clean up the known infections.

    Regards,


  • 17.  RE: New threat? Suspicious.MH690

    Posted Apr 04, 2009 10:12 AM
    Hi Jason,

    it is not true for Symantec.
    Symantec has to provide 24h support to customers in all countries of the world. We cannot stay only in USA.
    The Security Response has important and operative offices in USA, Japan, Ireland and Australia that are not the cheapest countries of the world. Further Support sites are based in big markets like East Europe, India and China.

    Regards,


  • 18.  RE: New threat? Suspicious.MH690

    Posted Apr 05, 2009 01:11 PM
    I wonder if Marise is still there in the Ireland lab..........

    Don't need specific URL or web site or IP address because there could be thousands of them, but the "typical means of infection" would be handy. Does it come as an attachment, or is it pushed from an "infected site".
    Other vendors state how they typically get in, Symantec starts telling about it from the point after you already have the infection. So I often need to go to other vendor sites to learn how the new bug got in. Does it take advantage of an OS hole or a browser hole or a bad PDF or PowerPoint file?
    How does it infect, what's the process. No, they don't list them ALL, but list a lot.
    Do check around - I have all the major vendors bookmarked because many of them offer a whole lot of detailed technical info.
    I want to know the file names, registry keys, what launches it, and how it got in - web, email, etc. Don't need the specific email message or the specific site as often, they come from GOOD sites that have been compromised- and if that's the means of infection, that is what I need.


  • 19.  RE: New threat? Suspicious.MH690

    Posted Apr 05, 2009 05:54 PM
    I did not compare write-ups of different vendors yet. Most of the viruses are not so original as to require a really new write-up, and I still believe that there are only a few cases where knowing where a malware comes from is worth it.
    For example, if we write "it exploits the OS vulnerability XYZ", it is really worth it!
    But if we write "it comes from a web site, then it copies itself into the autorun.inf of any removable storage device, then it tries to send itself via email..." yes, it is nice and useful to know, but not so worth it, because you still don't know if you got the virus from a web site, from a removable disk or from an email, and you cannot stop all of them. Then you have only to believe that SEP will detect it for you in the future.
    When you are infected and the definitions are not ready yet you would like to have more details about the malware to stop it asap, you are totally right, but it seems that SR is faster to release the definitions for the automatic detection and removal than to release a detailed write-up for the manual removal.
    I am not telling that write-ups are useless at all but just that most of the times they are not so critical as we believe (unless someone still does not know how to stop the autoplay in all machines).
    Technical details to allow a manual removal are useful.



  • 20.  RE: New threat? Suspicious.MH690

    Posted Apr 05, 2009 06:25 PM

    I believe in prevention more than clean-up.
    Knowing how to remove is critical indeed, especially lately, however, if we get a NEW or fairly new bug, I want to know what they did to get it, so I can send an email out.
    To know how valuable it is, you have to work where I do, or where I have worked. Here, and at my last job - that's the very very first thing management wanted to know. It was 10 years ago and it is today "how did it get in here". And that's also what I want. From there, I know how to prevent at least in SOME cases. IF your kids are getting sick, yes, cure is nice, but more critical, HOW are they getting sick? Is it spread by air, by touch, etc. - medical people want to know that as badly as how to cure it! Same for us on the frontline, in the field.

    Sorry, it's my job, no one else can tell me how important it is to know or not know how something got in. It is important, trust me. It's important to ME, and it's important to management. When management asks, I had better know or I'm seen as ineffective, so it's critical for job security. Work for the government or a financial company - it's important to us. I guess when someone suggests that something that I view as important isn't important, I bristle - no one is doing this job but me, and I've done it for many years and was so good at it, Platinum used to contact ME for input!



  • 21.  RE: New threat? Suspicious.MH690

    Posted Apr 17, 2009 01:05 PM
    04/17/09
    SEP 11.0.4014.26 latest defs 04/17/09
    Still does not stop or detect pcdefender.exe
    Had to clean another PC with Malwarebytes
    My customers are questioning me as to why did they have to pay for an "upgrade"??
    We will not be "upgrading" any more customers, this version does not do any better than the 10x version at detecting malware.
    We waited for over a year for this product to be stable, and less resource hungry, now I am afraid to install it anywhere as it does not detect anything. I am always cleaning up PC's with Malwarebytes or Combofix or something else other than a Symantec product. To say we are disappointed is an understatement.
    Any ideas on who has the best all around Virus, Spyware, Malware, etc.?


  • 22.  RE: New threat? Suspicious.MH690

    Posted Apr 20, 2009 02:41 PM
    Hi Ronald, it seems your network may already be infected by some type of virus. BTW, do you do blocking on restricted sites?


  • 23.  RE: New threat? Suspicious.MH690

    Posted Apr 20, 2009 03:02 PM

    Our network is clean
    This was a brand new stand alone laptop that lasted less than 24 hours with the user before being infected
    The laptop was XP SP3, IE7, with the Phishing filter on, SEP 11.0.4014.26 with defs 04/17/09
    Malwarebytes found and removed the infection without issue SEP did nothing.
    Sorry but this product does not find a whole lot IMHO. It is no better at stopping malware than the 10x version was.