12-08-2011 01:16 PM
Hello all,
I am using Norton 2011 currently after experiencing problems with 2012. Had to downgrade temporarily.

On with the problem. The issue is a known email scam going around purporting to be a message about trouble delivering a package from the USPS. The email contains a zip file named "USPS report.zip" which contains a file posing as a PDF named "USPS report.exe" that, when executed, will download a file from a Russian server. 'Nuff said about that, but the trouble is Norton will scan this file and report it as SAFE, and this is NOT SO. A friend at work attempted to "print the shipment label attached" as the email instructs and much trouble was caused.

Now it's been a short time and the email arrives in my box. Knowing about it, I decided to see why Norton Email scanning let it through without flagging it. Trouble is Norton won't flag it even with a manual/custom scan. In my eyes this is bad bad bad. If anyone can elevate this issue, it needs to be looked into.
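The lure described in the post above relies on a name trick: an executable called "USPS report.exe" shipped inside a zip so that the victim sees a "report" and double-clicks it. Signatures aside, that shape is checkable without knowing anything about the particular sample. The following is an added example, not code from the thread or from Norton: it opens a zip in memory, reads the first bytes of each member, and flags members that have an executable extension, a double extension such as `.pdf.exe`, or a Windows PE (`MZ`) header under a non-executable name. The sample archive it builds is constructed here for illustration and is not the real attachment.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# "Document" extensions a lure typically borrows for a double-extension name.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "jpg", "txt"}


def file_kind(head):
    """Classify the first bytes of a member by magic number, ignoring its name."""
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def inspect_zip(zip_bytes):
    """Return {member_name: [reasons]} for members that look like disguised executables."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as member:
                kind = file_kind(member.read(8))
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension ." + ext)
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension ." + parts[-2] + "." + ext)
            if kind == "pe" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header under a non-executable name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive shaped like the 'USPS report.zip' lure; not the real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("USPS report.exe", b"MZ" + b"\x00" * 62)  # fake PE stub, the lure itself
        zf.writestr("label.pdf.exe", b"MZ" + b"\x00" * 62)    # double-extension variant
        zf.writestr("label.pdf", b"MZ" + b"\x00" * 62)        # PE renamed to look like a PDF
        zf.writestr("receipt.pdf", b"%PDF-1.4\n%%EOF\n")      # benign: name and magic agree
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

The check deliberately does not trust the extension alone: a renamed PE is still flagged, and a real PDF with a `.pdf` name is left alone. A mail gateway rule that quarantines any archive with at least one finding would have stopped this lure regardless of whether a signature existed yet.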
12-08-2011 02:30 PM
Hi Jezmo,
This may be a new variant of something for which a signature has not yet been created, or it may be that the compressed file is not allowing detection. Please submit a sample for evaluation here, and go have a talk with your friend at work about bogus USPS and UPS delivery emails and opening unknown attachments:
http://www.symantec.com/business/security_response
12-08-2011 02:47 PM
Yes, I have talked with him and unfortunately he had recently sent a package and, as is often the case, he followed through without sufficient thought. This particular fellow appears to have been out there for a while, as it is on Symantec's list and is all over Google, although there may be some minor change so that it slips by. I will send the sample from my email as requested.
12-08-2011 04:34 PM
WOW, that's a bit strange. Symantec had me download the Rapid Release update file and run it. My Norton now sees the threat. Why would it not get this through a "normal" update? NIS had just updated itself less than one minute before I checked the ZIP file and it did not find the threat. I was going to update NIS before checking the file but the counter said it had just updated. That just seems really strange.
12-08-2011 04:54 PM
Rapid Release definitions contain signatures for the very newest threats. These signatures have undergone basic quality assurance testing but have not yet been certified for quality prior to inclusion in the Certified LiveUpdate files. Therefore, if the email attachment contained a very new malware variant, it is possible that the Rapid Release file would have a preliminary signature for the threat that has not yet been made available through LiveUpdate. The malicious email messages remain the same, but the virus payloads are always evolving and changing in order to avoid detection. It is the nature of the battle that the malware writers are always one step ahead.
12-08-2011 04:59 PM
Thanks for the explanation. I had not thought of it that way. Have a fine one.
12-09-2011 01:37 AM
Jezmo wrote:
WOW, that's a bit strange. Symantec had me download the Rapid Release update file and run it. My Norton now sees the threat. Why would it not get this through a "normal" update? NIS had just updated itself less than one minute before I checked the ZIP file and it did not find the threat. I was going to update NIS before checking the file but the counter said it had just updated. That just seems really strange.

Your Security History Log may be able to shed some light on this. I had a similar situation recently with two emails, each containing a 'USPS report' zip file. This is how events panned out under NIS 2012:

- Two days ago, both suspicious emails arrived, yet no detection by the email scanner.
- A check of the Security History, however, revealed the following entry for each email:
'Statistical Submission: USPS report.exe Exonerated'
Basically, this is Norton saying that this file has threat-like characteristics, but that Norton couldn't convict it outright at the time the file was scanned. This resulted in Norton making a Community Watch submission for this file. A word of caution here: under no circumstances should the use of the word 'Exonerated' be misinterpreted as automatically meaning that this file is 'SAFE' to run. The 'Exonerated' status only applies at the specific date/time that the file was scanned and does not extend beyond this.
- Yesterday, after the normal LiveUpdates, both emails were manually scanned again, with each email showing the following threat as being resolved:
'Downloader.Dromedan detected by Virus scanner'

So, check the 'LiveUpdate' section of your Security History for any 'Medium' Severity events and review these events, as this may indicate that an update, e.g. Virus Definitions, has recently failed to apply. If everything is in order there, then please ensure that you run LiveUpdate first before manually scanning suspicious files in the future.
12-10-2011 09:34 AM - edited 12-10-2011 09:36 AM
elsewhere wrote:
Jezmo wrote:
WOW, that's a bit strange. Symantec had me download the Rapid Release update file and run it. My Norton now sees the threat. Why would it not get this through a "normal" update? NIS had just updated itself less than one minute before I checked the ZIP file and it did not find the threat. I was going to update NIS before checking the file but the counter said it had just updated. That just seems really strange.

Your Security History Log may be able to shed some light on this. I had a similar situation recently with two emails, each containing a 'USPS report' zip file. This is how events panned out under NIS 2012:

- Two days ago, both suspicious emails arrived, yet no detection by the email scanner.
- A check of the Security History, however, revealed the following entry for each email:
'Statistical Submission: USPS report.exe Exonerated'
Basically, this is Norton saying that this file has threat-like characteristics, but that Norton couldn't convict it outright at the time the file was scanned. This resulted in Norton making a Community Watch submission for this file. A word of caution here: under no circumstances should the use of the word 'Exonerated' be misinterpreted as automatically meaning that this file is 'SAFE' to run. The 'Exonerated' status only applies at the specific date/time that the file was scanned and does not extend beyond this.
- Yesterday, after the normal LiveUpdates, both emails were manually scanned again, with each email showing the following threat as being resolved:
'Downloader.Dromedan detected by Virus scanner'

So, check the 'LiveUpdate' section of your Security History for any 'Medium' Severity events and review these events, as this may indicate that an update, e.g. Virus Definitions, has recently failed to apply. If everything is in order there, then please ensure that you run LiveUpdate first before manually scanning suspicious files in the future.
Is there any official documentation from Symantec that explains what "Exonerated" means when it appears in the Community Watch section of the log?
