Endpoint Protection


Random detection by SYMANTEC !!!

  • 1.  Random detection by SYMANTEC !!!

    Posted Mar 23, 2017 06:03 AM

    Hello ,

    I am trying to understand random detection behavior by SEP12 with a VBS virus.

    - SEP detects a file "Manual.docx" as being a virus "VBS.Downloader.Trojan" => the file is deleted: OK.

    - Often the same file is not deleted or detected by SEP on other machines, even though SEP is up to date with the same definitions. (Windows 2012 Server R2 and Win7)

    - The SHA-256 hash of Manual.doc is the same: E940B72D911B54625C630CAE426ABC623634DD02CC0021977ED227FC77ED3587

    On the workstations where SEP cannot detect the file => another antivirus does detect it!!

    Could you help me explain this random SEP behavior?

    Note:

    All definitions are up to date.

    All SEP services are enabled.

    The SEP license is outdated, but that does not explain why SEP detects the same virus on some PCs and not on others.



  • 2.  RE: Random detection by SYMANTEC !!!

    Posted Mar 23, 2017 12:29 PM

    Are the policies configured the same for these machines?



  • 3.  RE: Random detection by SYMANTEC !!!

    Posted Mar 23, 2017 12:51 PM
    Check for SONAR and Auto-Protect on both the machines. Also right-click on the folder and scan the file on the machine where SEP is not detecting. Check if this helps.


  • 4.  RE: Random detection by SYMANTEC !!!

    Posted Mar 24, 2017 04:34 AM

    We have the same SEP configuration on all the machines:

    - Check for SONAR and Auto-Protect: activated on both machines.

    - Right-click on the folder and scan the file: does not detect that the file is compromised.



  • 5.  RE: Random detection by SYMANTEC !!!

    Posted Mar 24, 2017 04:36 AM

    Yes the same policies are applied on all the machines on network.



  • 6.  RE: Random detection by SYMANTEC !!!
    Best Answer

    Posted Mar 24, 2017 07:24 AM

    Hi GHZAL Mohamed Amine,

    Thanks for the post.  The same product with the same definitions and security features in place will behave identically when faced with identical malware files.  Only in circumstances where one computer has an exception/exclusion policy would the file not be scanned, or perhaps if one computer has access to online Reputation servers and the other does not. (Access to Reputation servers is a "must have" if SEP is going to function to its full potential.)

    The file you mention has been in circulation for more than one year.  You may wish to open a case with Technical Support if you are experiencing a persistent infection of this file.  They can provide advice, examine diagnostics, etc.

    You wrote:

    On the workstations where SEP cannot detect the file => another antivirus does detect it!!

    Please don't have more than one file scanning AV product installed on a computer at the same time.  They can conflict.

    Should you run more than one antivirus program at the same time?
    http://www.symantec.com/docs/TECH104806

    Hope this helps!  Please do keep this thread up-to-date with your progress!

     



  • 7.  RE: Random detection by SYMANTEC !!!

    Posted Mar 24, 2017 07:42 AM

    Alright, well run SymDiag on it to make sure all components are functioning correctly and if so, get a case open with support.



  • 8.  RE: Random detection by SYMANTEC !!!

    Posted Mar 24, 2017 08:28 AM
    I agree with MICK2009. Are these machines in the same group or different ones? If they are in different groups, check the policies configured for each. Also check if internet is accessible on the machine where SEP is not detecting and INSIGHT is enabled.


  • 9.  RE: Random detection by SYMANTEC !!!

    Posted Mar 24, 2017 10:11 AM

    Thank you for sharing your opinion.

    Effectively, I only use one AV, Symantec (the second AV is a scan without installation).

    I think I have to check the policy applied to the machines to see if they are the same for both servers and desktops.



  • 10.  RE: Random detection by SYMANTEC !!!

    Posted Mar 24, 2017 10:53 AM

    Above, you said the policies were the same. Is it now detecting correctly?



  • 11.  RE: Random detection by SYMANTEC !!!

    Posted Mar 30, 2017 05:47 AM

    After checking, the policies are the same on both servers and desktops:

    The file is still not detected by Symantec: Symantec detects the file only on USBs!!

    I tried to analyse the file Manuel.doc and the results are: the file contains 2 files

    Size: 10KiB (10556 bytes)

    Type: script, vbs

    Description: ASCII text, with CRLF line terminators

    AV Scan Result: Labeled as "WinLNK.Trojan.Dinihou" (6/57)

    MD5: a34b59988f579df9d94234c4c11a34c9

    SHA1: 54bfa978d44588adb423f169bb9c8b53f00fa0f9

    SHA256: a477d4a35157ca62da2a550974c61b155ac48bfe466b46e9ae5a84a443c70296 => not detected by Symantec

    Size: 11KiB (11195 bytes)

    Type: script, vbe

    Description: data

    AV Scan Result: Labeled as "VBS.Worm.Forbix" (47/79)

    MD5: cc2db35f43b4a12700c431811a463439

    SHA1: d838aaf8d656b7d8d0f48d13646e677eaad35f20

    SHA256: fe9c78249937d57aaed2792238caeea298e715d9cf261add1fbfbaeeab084d40

    A basic free antivirus can detect the file when scanned at home !



  • 12.  RE: Random detection by SYMANTEC !!!

    Posted Mar 30, 2017 05:50 AM

    SONAR and Auto-Protect are activated.

    The file is still not detected by Symantec!

    I tried to analyse the file with a free antivirus on another PC: it detected and quarantined the files.