Scanning a file with a competitor's antivirus program detects a virus, but scanning with Endpoint Protection does not

Article ID: 178191


Products

Endpoint Protection

Issue/Introduction

You use a currently supported version of Symantec Endpoint Protection (SEP) with the most recent virus definitions. A competitor's antivirus program detects a virus, but SEP does not detect a virus. You want to know why.

Resolution

Why was this file not detected?

The first and most likely explanation is that, even with the latest build and the latest virus definitions installed, you have a new, undetected threat in your network. Virus makers can take a known threat and alter its code so that it no longer matches the definition signatures available in any antivirus program. Current estimates are that one million new malware variants are released into the wild every day. A constant stream of new malware is a fact of today's threat landscape.

This gap can be narrowed in many cases by advanced heuristic detection such as SEP's optional Proactive Threat Protection (PTP, also known as SONAR). Threat traffic may be blocked on entry by SEP's IPS signatures or by SEP's optional firewall component, Network Threat Protection (NTP). In SEP 12.1, Insight technologies can block unknown files without needing AV signatures, and SEP 14 introduced Advanced Machine Learning. To greatly increase SEP's effectiveness against today's threats, ensure that these optional components are deployed and enabled rather than relying solely on SEP's traditional signature-based AntiVirus component.

Another possible reason SEP missed a detection is that the antivirus on a given system may have been tampered with, turned off, or simply may not have updated its definitions. Certified virus definitions are presently released by Symantec up to three times per day. If a computer is found to be out of date, it should be updated as quickly as possible (with Rapid Release definitions, if an outbreak is underway) and a full system scan run.

Also note that different computer security vendors have different criteria for which files and behaviors are considered malicious or suspicious. Symantec, for example, will only detect and remediate files that are in themselves harmful. Threat artifacts, autorun files and similar are not universally detected. This is by design. (For more information, please see Why Symantec Endpoint Protection does not remove AT, INF, INI, and registry keys related to infections.) Also see the article All About Grayware, as different vendors have different criteria for detection of Potentially Unwanted Applications (PUA), also known as Potentially Unwanted Programs (PUP).

What to do next?

The first line of defense for every antivirus manufacturer is the submission and collection of suspicious files whenever possible. When you encounter a threat that has not been detected, there are steps that should be taken to minimize the impact and expedite recovery. We offer a submission service which analyzes any files you submit for known and unknown threats and variants. It is by these submissions that we can create a new definition set that will detect and remove those threats. If the issue must be resolved before a Certified definition file is available, we offer Rapid Release definitions that can be manually applied to the affected machines or network. For an explanation of the submission process using https://symsubmit.symantec.com/, please see the document How to Use the Web Submission Process.


Some customers, based on entitlement, may receive a Scribe report (an automated Technical Description) when each submission closes. This may provide enough information to let you create firewall rules that prevent the threat from downloading additional threats or contacting a third party. You can also use the threat's unique MD5 hash value to block the process from running with SEP's optional Application and Device Control (ADC) component, which may help prevent it from spreading. (See How to use Application and Device Control to limit the spread of a threat.) For more information on blocking a process, please see Chapters 33 and 34 of the SEP Administration Guide.
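The hash-based block described above, and the reason the first section recommends heuristics alongside signatures, can both be seen in a few lines of plain Python. This is an added example, not Symantec's code and not how ADC is implemented: it hashes files under a directory and matches them against a blocklist of digests such as those copied from a submission report. The sample file, the "clean" file and the blocklist are constructed for the demo. MD5 is computed because that is what the article uses; SHA-256 is computed alongside it because MD5 is collision-prone and most modern tooling accepts SHA-256.

```python
"""Hash-based file block check (added example, not Symantec/SEP code)."""
import hashlib
import os
import tempfile


def hash_bytes(data):
    """Return (md5, sha256) lowercase hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests of a file, streamed in chunks so
    large binaries are not read into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def find_blocked(root, blocklist):
    """Walk `root` and return [(path, matched_digest)] for every file whose
    MD5 or SHA-256 appears in `blocklist` (a set of lowercase hex digests).
    Matching is exact: a single changed byte yields a different digest."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            for digest in (md5, sha256):
                if digest in blocklist:
                    hits.append((path, digest))
                    break
    return hits


def demo():
    """Build a constructed 'sample' and a clean file in a temp directory,
    blocklist the sample's MD5 (as if taken from a submission report), and
    return [(basename, digest)] for the files that match."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "suspicious.exe")
        with open(sample, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE - placeholder bytes, not real malware\n")
        clean = os.path.join(tmp, "notes.txt")
        with open(clean, "wb") as fh:
            fh.write(b"harmless text\n")
        sample_md5, _ = hash_file(sample)
        blocklist = {sample_md5}  # constructed blocklist with one entry
        hits = find_blocked(tmp, blocklist)
        return [(os.path.basename(p), d) for p, d in hits]


if __name__ == "__main__":
    for name, digest in demo():
        print(f"blocked: {name} ({digest})")
```

The exact-match behaviour of `find_blocked` is the point: a hash block stops the sample that was submitted, but any repacked or otherwise altered variant has a different digest and passes, which is why the article pairs hash blocking with SONAR, IPS, Insight and patching rather than relying on it alone.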


Symantec Endpoint Protection detects and removes millions of known threats. By working with our customers to troubleshoot a virus infection we assist the customer to:

  • Identify the threat and submit any undetected files that look suspicious.
  • Identify the computers infected.
  • Quarantine the computers infected.
  • Clean the computers infected using Rapid Release definitions based on file submissions.
  • Determine the infection vector and take steps to prevent recurrence.


These steps are outlined in the document Virus removal and troubleshooting on a network.

For additional troubleshooting steps and information, please follow the directions in the document What to do when you suspect that a Symantec antivirus product is not detecting viruses.

One important note: many threats function by exploiting known vulnerabilities. The vulnerable software can include the operating system as well as any component running on it (such as an internet browser, email software or another program). To remain invulnerable to these threats, it is very important to make sure that all vendor software patches are applied to installed applications and the OS as soon as they become available. Additional recommendations for how to protect an organization with SEP can be found in the article Symantec Endpoint Protection – Best Practices.