Endpoint Protection

  • 1.  Why does SEP not detect a one year old Malware while other products do ?

    Posted Sep 23, 2016 08:52 AM

    Hello,

    We were impacted by malware earlier this week and sent the file involved to Symantec. It has now been added as a new threat, but the report I received mentions that the malware/virus was already known by a lot of other aliases (Script.Virus (DrWeb), Worm.Script (Kaspersky), JS.Kryptic.AVA (Eset), KS/Bondat.I (McAfee), JS_EXJAYSEE.SMA (Trend), MS). They all detect the script and prevent it from running.

    On our W10 machines with SEP 12.1.6 and the latest definitions the script can be run without any issues at all. Uninstalling SEP and then double-clicking on the JSE file gives a Windows Defender popup that the script is malicious and cannot be executed. It properly quarantines the file.

    Why wasn't this already in the definition files from Symantec, so we would never have run into the issue in the first place?

    Does it happen a lot that known viruses/malware need to be uploaded to the Symantec threat center? This should not be the case for this file, I think, as it was not a new threat. As far as we could tell the malware is from last year.

    Now we had the hassle of wiping a few laptops and restoring files on the file servers (and scanning all shares for JSE files).

    Best regards,

    Sven


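    The share sweep mentioned at the end of the post above, written out as an added example (this is not code from the original thread or from Symantec). It recursively lists Windows script files on the given shares, hashes each one with SHA-256, flags files that match a known-bad hash list or were modified inside the incident window, and optionally moves confirmed hits to a quarantine folder instead of deleting them. The share paths, the 7-day window and the placeholder hash in `$knownBad` are assumptions; replace the hash with the SHA-256 of the sample you actually submitted.

```powershell
<#
  Added example, not code from the original thread or from Symantec.
  Sweep file shares for Windows script files (.jse and friends), hash them, and flag
  the ones that match a known-bad SHA-256 list or were written during the incident.
  Assumptions (hypothetical): share paths, time window, and the hash in $knownBad.
  Requires PowerShell 4.0+ (Get-FileHash).
#>
function Find-SuspiciousScripts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Share,
        [hashtable] $KnownBad      = @{},
        [datetime]  $ModifiedSince = (Get-Date).AddDays(-14),
        [string[]]  $Extension     = @('*.jse','*.js','*.vbs','*.vbe','*.wsf','*.hta'),
        [string]    $QuarantineDir                 # if set, known-bad hits are moved here
    )
    foreach ($s in $Share) {
        if (-not (Test-Path -LiteralPath $s)) {
            Write-Warning "Share not reachable, skipping: $s"
            continue
        }
        # -Force includes hidden files; droppers commonly hide the script they plant.
        Get-ChildItem -LiteralPath $s -Recurse -Force -File -Include $Extension -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $hit  = $KnownBad.ContainsKey($hash)
            $obj  = [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                LastWrite = $_.LastWriteTime
                Recent    = ($_.LastWriteTime -ge $ModifiedSince)
                SHA256    = $hash
                KnownBad  = $hit
                Label     = if ($hit) { $KnownBad[$hash] } else { '' }
                MovedTo   = ''
            }
            if ($hit -and $QuarantineDir) {
                # Preserve evidence: move rather than delete, and keep the hash in the name.
                New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
                $dest = Join-Path $QuarantineDir ("{0}_{1}.quarantined" -f $hash.Substring(0,16), $_.Name)
                Move-Item -LiteralPath $_.FullName -Destination $dest -Force
                $obj.MovedTo = $dest
            }
            $obj
        }
    }
}

# Constructed inputs for the run below (hypothetical share names and placeholder hash).
$knownBad = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder: submitted .jse sample'
}
$report = Find-SuspiciousScripts -Share '\\fileserver01\data','\\fileserver01\users' `
                                 -KnownBad $knownBad -ModifiedSince (Get-Date).AddDays(-7)

# Known-bad hits first, then the most recently written scripts; review those by hand.
$report | Sort-Object -Property @{Expression='KnownBad';Descending=$true}, LastWrite -Descending |
    Export-Csv -NoTypeInformation -Path .\jse-sweep.csv
$report | Where-Object KnownBad | Format-Table Path, LastWrite, Label -AutoSize
```

    Run it from an account that can read every share; unreadable directories are skipped silently by `-ErrorAction SilentlyContinue`, so check the CSV row count against what you expect. Only exact-hash matches are quarantined automatically; a recently written `.jse` that does not match is reported, not moved, because legitimate logon scripts live on shares too.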

  • 2.  RE: Why does SEP not detect a one year old Malware while other products do ?

    Posted Sep 23, 2016 11:30 AM

    I'm not going to speculate as to why Symantec doesn't have a signature for it. They can answer that question better than myself.

    Do you have all SEP components installed and enabled?



  • 3.  RE: Why does SEP not detect a one year old Malware while other products do ?

    Posted Sep 26, 2016 02:06 AM

    Yes, all components are installed and enabled (and running 12.1 RU6 MP5).



  • 4.  RE: Why does SEP not detect a one year old Malware while other products do ?

    Posted Sep 26, 2016 08:00 AM

    You'll also want to review your component policies to ensure they are set for higher security and not left out of the box.



  • 5.  RE: Why does SEP not detect a one year old Malware while other products do ?

    Trusted Advisor
    Posted Sep 26, 2016 11:20 AM

    Hello,

    Submit the suspicious file to the Symantec Security Response Team at

    https://submit.symantec.com/websubmit/essential.cgi

    We also offer a self-service site to analyze files, at http://www.threatexpert.com, which can give you more information on the files you submit to it.

    I would suggest you work through the steps provided in the article:

    What to do when you suspect that a Symantec AntiVirus product is not detecting viruses

    http://www.symantec.com/docs/TECH99222

    Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

    http://www.symantec.com/docs/TECH98929

    Later, in case suspicious activity is still happening, follow the steps provided in the article below:

    Using the Symantec Help (SymHelp) tool, how do we collect the suspicious files and submit them to the Symantec Security Response Team?

    Here's some advice from Security Response on how to make the best use of SEP. Auto-Protect with traditional AV definitions alone is not enough for a complete defence against today's sophisticated threats: using IPS, Insight etc. is crucial. And, of course, educated users following best security practice... that's the best protection.

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Hope that helps!!



  • 6.  RE: Why does SEP not detect a one year old Malware while other products do ?

    Posted Sep 27, 2016 05:41 AM

    Thanks for the feedback.

    I did submit the file to the Symantec Security Response Team, and the virus was later identified and has since become available for detection via SEP. (The file is now correctly identified as Trojan Horse Virus.) It still doesn't explain why McAfee, Microsoft, AVAST and others were able to detect it and SEP was not, even with Advanced Threat Protection, IPS, SONAR and Firewall all enabled and configured.

    As mentioned before, we find the content of the script to be identical to what was posted a year ago on several forums (with the virus identified as KS/Bondat, which is what McAfee reports when scanning the file).



  • 7.  RE: Why does SEP not detect a one year old Malware while other products do ?

    Posted Sep 27, 2016 07:27 AM

    It boils down to Symantec not having a detection signature for it. Whatever their process is on the back end to detect files, this type was not part of it.



  • 8.  RE: Why does SEP not detect a one year old Malware while other products do ?

    Posted Sep 28, 2016 05:44 PM

    You may need to schedule a meeting with your Symantec Account Rep to escalate complaints such as this so they get pushed up the chain of command.