Endpoint Protection


Symantec not detect new virus

  • 1.  Symantec not detect new virus

    Posted Sep 30, 2009 07:10 AM

    Hi
    I sent to Symantec 4 sample infected files that other antivirus products detected, in the past week.
    But I haven't received any response from Symantec about detecting them until now.
    I resent them today under the following tracking numbers:
    Tracking #12984470

    Tracking #12984496
    You can see the other antivirus reports at the following addresses:

    http://www.virscan.org/report/88a3b6f389b00ad3d56a0ec8f10014fa.html

    http://www.virscan.org/report/4df6a3f11ed1f3d092e4ab7c7150efa7.html

    Thank you
     
    ******************
    Eventually Symantec detected this malware as Backdoor.Trojan on 2009.10.22.
    Problem resolved.



  • 2.  RE: Symantec not detect new virus



  • 3.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 07:44 AM
    You can also use the article below for troubleshooting:
    How to find Suspected Threats on your computer.
    http://www.symantec.com/connect/articles/how-find-suspected-threats-your-computer




  • 4.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 08:02 AM

    For the submission 

    Tracking #12984470
    desktop.in  clean file
    svchost.exe   Our automation was unable to identify any malicious content in this submission. The file will be stored for further human analysis

    Tracking #12984496
    reboot.eee  Our automation was unable to identify any malicious content in this submission. The file will be stored for further human analysis
    nvda.eee    Our automation was unable to identify any malicious content in this submission. The file will be stored for further human analysis



  • 5.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 08:30 AM
    ierc, looking at the submissions themselves, they have been classified as "retail" submissions, instead of having the proper entitlement (such as basic, extended, etc).

    I would recommend that you contact support so that your support contract entitlement can be confirmed and, once that is confirmed, get your submissions moved over to the appropriate queue to be examined by an engineer.


  • 6.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 08:42 AM
    I think MAYBE folks are missing the point - he's wondering - WHY did all these other AV apps find something bad, when Symantec didn't find anything wrong with the files.
    70% found content, but not SAV/SEP  and the question is "why".
    Was it REALLY missed?
    Was it a FALSE positive from all the others?
    Is it something new enough Symantec didn't catch it?
    Or is it like these phony AV apps - technically not a virus, but still malware - that is often missed..........

    Ideally, what needs to be done is determine WHY did the customer even think or suspect they had a virus to begin with?
    What made them think there was a problem? Did the computer do funky things?
    Were there pop-ups?
    Or was it just mystery files that were not explained and otherwise no real indications of a virus?
    IMO, until the above is answered, we really can't say or do more!
    Sometimes mystery files are called "virus" even by sites that should know better.

    So - I'd ask - what prompted the thought of virus, what were the symptoms?


  • 7.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 08:45 AM
    I won't even go into the FIASCO I've had attempting to get files analyzed, and it's prompted me to resist even trying any more.
    Took nearly TWO WEEKS and several Symantec employees to finally get an answer beyond "you submitted a zip file" sort of an answer.
    Your system for submissions is SERIOUSLY lacking........ needs to be totally re-organized and re-thought.
    I won't get into it here as each time I have, the thread was moved! LOL. Too sensitive, I guess.
    I'll just say-   I FULLY understand customer frustration at the complexity of submissions and lack of useful information.
    I'd have some changes there real quickly if I were put in charge of restructuring it.

    (edited for darned typos - and my spelling stinks)


  • 8.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 09:12 AM

    Dear Symantec employee
    My problem is:
    My favorite antivirus (from the Symantec company) is slower at detecting new viruses than other antivirus products, and that is not suitable.



  • 9.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 09:31 AM
    Ierc, I'm not completely clear on what you mean.

    If you mean to say that we're slow to detect (such as scans taking longer than acceptable), I'd recommend contacting support via phone so we can open a ticket and try to get to the bottom of why that is happening.

    If you mean that we lag behind some of our competitors on detections (they have detections and we don't), frankly, that's going to happen with some viruses.  We do our best to be as proactive as we can be about seeking out and detecting threats BEFORE they become widespread, as well as offer tools to help mitigate threats before they even happen.

    The new threat detection issue is one that we've dealt with since we first released our first virus scanner.  It's a "who gets the first submission" game...whichever company gets the first submission will usually, in turn, detect it first.  There is no common "clearing house" for threat submissions...files submitted to, say, McAfee, are theirs to do as they like.  I *believe* we do share some submissions, but I don't know of the logistics behind that.

    Are there going to be other vendors that detect things before we do?  Certainly.  It's unfortunate, but that's the nature of the technology.  We have other things in place to help proactively prevent a threat from even entering the system (such as Intrusion Prevention and Network Threat Protection), but ultimately it comes down to "do we have a submission that we can use to create a definition to detect and deal with this threat"?

    Bear in mind, too, that for each threat you see like this (where we're not the first to market with definitions), there's posts just like this on our competitor's forums..."darn it McAfee, why did Symantec have definitions before you did....AGAIN!??!?".  This is not a situation unique to Symantec...all AV vendors will have detections that will be out before their competitors, and they will have detections that will come out after their competitors.

    I see that you've submitted these suspicious files several times, all of which to the retail submission queue.  Please contact technical support via phone so that we can confirm your support contract entitlement and get these files over to a developer who can examine the files and, if found to be viral, create new definitions for them.


  • 10.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 11:06 AM
    I find submitting things to http://www.virustotal.com/ and/or http://www.virscan.org to be one of the best ways to help the whole internet community.  Symantec appears to participate in both services (otherwise why would their scanner be there?).


  • 11.  RE: Symantec not detect new virus

    Posted Sep 30, 2009 11:50 AM

    Thanks all
    I think the best way to resolve this problem is:
    1-Symantec detects these infections very soon and updates virus definitions for all customers.
    2-When Symantec receives a suspected file from anybody, it takes action very soon.



  • 12.  RE: Symantec not detect new virus

    Posted Oct 03, 2009 08:11 AM
    Hi All
    To help resolve this problem, I will explain this malware's behavior below.
    1-This malware attempts to copy itself to writable network share folders.
    2-It makes a folder S-1-5-21-9863885585-3973551872-812495160-4487 in the RECYCLER folder.
    3-It copies svchost.exe and desktop.ini to this directory.
    4-It adds a registry string value:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
    with the data value: C:\RECYCLER\S-1-5-21-9863885585-3973551872-812495160-4487\svchost.exe
    5-When I delete this registry string, the unknown process adds it again.
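
A defender-side check for the persistence described in post 12, added here as an example (not code from the thread or from Symantec): it parses `reg query` output for the Winlogon key and flags program paths under RECYCLER, an svchost.exe outside System32, and a SID-style folder name with a sub-authority too large for 32 bits, which is the case for 9863885585 in the folder name above. Watching Shell and Userinit alongside Taskman goes beyond the post, and the sample text is constructed.

```python
import re

# Winlogon values that can name a program to launch; the post reports Taskman.
WATCHED = {"taskman", "shell", "userinit"}
SID_RE = re.compile(r"S-1-5-21((?:-\d+)+)", re.I)
MAX_SUBAUTH = 0xFFFFFFFF  # a SID sub-authority is a 32-bit unsigned integer

def sid_is_malformed(path):
    """True if a SID-looking folder name has a sub-authority over 32 bits."""
    m = SID_RE.search(path)
    if not m:
        return False
    return any(int(n) > MAX_SUBAUTH for n in m.group(1).strip("-").split("-"))

def assess(path):
    """Return the reasons a program path from a Winlogon value looks suspicious."""
    p = path.strip().strip('"').lower()
    reasons = []
    if "\\recycler\\" in p or "\\$recycle.bin\\" in p:
        reasons.append("runs from a recycle bin folder")
    if p.endswith("\\svchost.exe") and "\\system32\\" not in p:
        reasons.append("svchost.exe outside System32")
    if sid_is_malformed(p):
        reasons.append("SID-style folder has a sub-authority over 32 bits")
    return reasons

def scan_reg_query(text):
    """Parse `reg query` output; return {value_name: [reasons]} for flagged values."""
    findings = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$", line)
        if not m or m.group(1).lower() not in WATCHED:
            continue
        # Userinit and Shell may list several comma-separated programs.
        parts = [s for s in m.group(2).split(",") if s.strip()]
        reasons = [r for s in parts for r in assess(s)]
        if reasons:
            findings[m.group(1)] = reasons
    return findings

# Constructed `reg query` output; the Taskman data is the path quoted in the post.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
    Taskman    REG_SZ    C:\RECYCLER\S-1-5-21-9863885585-3973551872-812495160-4487\svchost.exe
"""

for name, why in scan_reg_query(SAMPLE).items():
    print(f"{name}: {'; '.join(why)}")
```
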


  • 13.  RE: Symantec not detect new virus

    Posted Oct 04, 2009 11:28 AM

    No antivirus company will detect the virus unless and until we submit it to them.

    In a day there may be lakhs and lakhs of new variants coming; it is not that every variant will be detected by Symantec.

    If we submit the variant which is detected by another antivirus company, Symantec will also detect that virus.

    If I get a new virus sample, my habit is to submit it to Symantec, Trend Micro, Norman, Sophos, & McAfee

    Regards...
    Ramji Iyyer



  • 14.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 06:41 AM
    Hi Ramji

    You must pay attention to the first post in this topic.
    I sent suspicious files several times but Symantec has not detected them until now.
    And this is the testimony:
    http://www.virustotal.com/analisis/d6b0532fadee30f3ca5894ae5d7066c91b034171ac300aba62e216f796230f6a-1254737055

    Regards...


  • 15.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 06:42 AM
    This also depends on what type of support you have: Gold or Platinum.

    Open a case with Symantec support, give the tracking ID and escalate it to critical.

    Regards...
    Ramji Iyyer


  • 16.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 09:13 AM
    I think the problem in this issue is not the type of support, Gold or Platinum.
    When a new threat spreads through the Internet and Symantec receives a sample of it, this company must update virus definitions for the whole world and all customers.
    Symantec does this for many malware each day but has not taken any action on this specific threat.


  • 17.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 10:16 AM
    Ierc, because you submitted the files from the retail "queue" (that is, you didn't include a contact ID), your submissions are very, very low on the priority list.

    As it is, we're currently being bombarded by numerous submissions.  We're working on getting them all handled as quickly as possible, but as your submission is a retail submission, it may be quite awhile before we're able to reverse engineer it.

    Please contact support.  Once your support contract has been verified you can work with one of our engineers who can, in turn, work to get your submissions switched up in priority to match your entitlement level and thus get processed faster.

    We try to be as proactive as we can about detecting new threats that we don't have definitions for, but there's only so much that can be done.  We really need you to contact support so we can get the samples investigated and definitions written for them if they turn out to be viral.

    As for our competitors detecting it while we don't, it could be, as I indicated earlier, simply that they had samples and definitions written before we did.  It is also possible, however, that we do not detect the file as infected because it isn't.  Let me give you an example.

    Let's say that VirusX infects your computer.  This virus changes your desktop to a picture of an airplane, then scans your network and spreads to any open share.

    In this case, unless the picture itself contains virus code, Symantec will not detect it as viral.  Why?  Because it is not infected, and doesn't contain code that can be used to propagate the virus.  We will scan it, of course, but since it is not infected, we don't remove it.  Some of our competitors do...they'd indicate that the file is infected (since it may have come as part of the virus) and remove it.  However, we don't.

    While I don't believe that's the case with your submissions, that's something to be aware of.

    Additionally, while sites like virustotal may be useful to help identify suspicious files, again, the other scanners may be detecting a file that we decided isn't actually infected.  Finally, we have no control over what sites like virustotal use to scan with...looking at their information, they're using our consumer scanner, but there is no way for us (Symantec) to ensure that they're using a current definition set, the current version of the program, current scanning engines, etc...and the same can be said of the other scanners.

    Please contact support so we can get these files submitted to the proper queue and ensure that an engineer looks at these files.


  • 18.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 10:37 AM
    It seems that Symantec are saying that submissions from retail customers may not be looked at for several weeks.

    I appreciate that there is a pecking order, but placing retail so far down that order as to be ineffectual seems to be somewhat counter intuitive?

    I have a strong suspicion that retail customers are the ones far more likely to encounter new viruses than corporate ones, purely due to the types of activity they are likely to partake in. If this premise is correct, then speedy examination of retail submissions (even if the ratio of false positives to real viruses is low) is essential for all of us.





  • 19.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 10:54 AM
    Retail submissions are not ineffectual, they are also examined.  However, given that SEP is a corporate product (not consumer), it behooves people to submit files with their support entitlement, thus getting the files examined quicker.


  • 20.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 10:59 AM
    The number of sample submissions every day is huge, unimaginable.

    So it's very obvious Symantec customers will have first priority for the review.


  • 21.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 11:37 AM
    Dear Chris delay
    Thank you for your response.
    Since I do not live in the USA, I cannot call your support.
    Therefore, I am waiting for these new threats to be detected in the coming days.
    Regards...


  • 22.  RE: Symantec not detect new virus

    Posted Oct 05, 2009 12:32 PM
    Ierc, you're quite welcome.

    We do have support available in different regions of the world, along with web-based support available via the mysupport site.  I highly recommend setting up a web case, if nothing else, so we can get the submissions moved over.

    Here's a link to the mysupport page:

    https://mysupport.symantec.com/


  • 23.  RE: Symantec not detect new virus

    Posted Oct 06, 2009 05:26 AM
    Dear Chris delay
    I did do so.
    This is  my account  in mysupport: ads@sabaa.com
    But I can not submit a web case.
    Please enable the submit case for me or move this case to it.
    Thanks


  • 24.  RE: Symantec not detect new virus

    Posted Oct 06, 2009 08:15 AM
    Ierc, I can see the account in the backend tools that I have access to, but I cannot see any additional information (which, to my knowledge, should have been populated when you created the account).

    At this point you really need to contact us by phone.  If you're unable to call us, contact your salesperson and he or she can assist you in getting set up with support so we can get your submissions moving.


  • 25.  RE: Symantec not detect new virus

    Posted Oct 06, 2009 10:58 AM
    Hi Chris
    I cannot reach any salesperson.
    Please help to resolve this problem.
    You must only send the samples of these suspicious files to an engineer for examination.
    This is the best way for all your customers in the world who are infected by this malware.
    Thanks


  • 26.  RE: Symantec not detect new virus

    Posted Oct 06, 2009 02:08 PM
    Ierc, we're at an end as far as what help we can provide.  In order to fully assist you we need to verify your support contract entitlement and get you to the proper group of support engineers.  If you don't have this information, you'll need to contact your salesperson to help get this information.

    If you aren't the point person for your company, you'll need to work with the proper personnel within your company to get a case dispatched so we can assist you further.


  • 27.  RE: Symantec not detect new virus

    Posted Oct 20, 2009 11:28 AM
    Today is the twentieth day that Symantec has not detected a new malware submitted by a retail customer.
    Tracking #12984470 & Tracking #12984496
    What's the meaning of this?
    This is not a malware or retail submissions are ineffectual or...

     


  • 28.  RE: Symantec not detect new virus

    Posted Oct 20, 2009 11:41 AM

    You need to identify this information as has been requested by a few on this thread for weeks now.  Not providing that info will only delay a resolution to your issue.  There are support folks all over the world, so you don't necessarily have to call into a support organization that is on a different continent.
    Eric