NIS 2010 does not detect a virus but does detect on VirusTotal

I have a file which I submitted to VirusTotal: VirusTotal

As we can see, Symantec detects the file as Packed.Generic.243.

But Auto-Protect / Manual scan does not detect the file..... not even SONAR 2.

Note: no scan exclusion, everything set to the highest level (settings), NIS 2010 17.0.0.136 fully updated.

How is that possible?

I believe that VirusTotal is using Symantec AV Corporate Edition, as there is no Norton product that I know of that is using version 1.4.4.12.

Shridhar,

could you upload the file to ThreatExpert and submit it to Symantec as well? :-) It does seem a bit weird... and you are 100% sure that this is in fact malware, and not an FP? Because maybe VTotal only updates the definitions once daily or something like that. No idea, but as far as I know, the corporate edition and the home edition(s) use the same or similar definitions. If one detects something, so should the other.

Matt

Shridhar; just upload the file again. You will probably get a message that the file has already been analyzed.

Push the button "reanalyse the file again". As I remember, the file will then be analyzed with the latest definitions.

Regards,

Ole Martin

I uploaded the file again to VT and clicked "re-analyse file again", and now it has 12/41 detections compared to the previous 10/41.

So, definitely, it's not a false positive... New VirusTotal

And NIS 2010 has In-The-Cloud technology, so it has the latest definitions available compared to those of any corporate products.

Hence it should be detecting all those which are hit by corporate products plus some more.

I wonder how this thing is happening!!!
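The re-analysis step above (10/41 becoming 12/41) is easier to reason about when the two reports are diffed engine by engine rather than by the headline ratio alone. The script below is an added example, not code from this thread, from VirusTotal or from Symantec; both scan snapshots are constructed, and the engine names (other than Symantec), detection labels and definition versions are invented. It separates a changed ratio into engines that newly detect, engines that dropped their detection, engines that only renamed a detection, and engines whose reported definition version changed, which is the question the thread is really asking about.

```python
"""Diff two VirusTotal-style multi-engine scan results for the same sample.

Added example, not code from the forum thread or from VirusTotal/Symantec.
The scan snapshots are constructed: engine names, labels and definition
versions are invented to mirror the "reanalyse" step described in the post.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EngineResult:
    engine: str
    detected: bool
    label: Optional[str]   # detection name, None when the engine saw nothing
    defs_version: str      # definition set the engine reported using


def sample_sha256(data: bytes) -> str:
    """Hash used to look the same sample up again instead of re-uploading it."""
    return hashlib.sha256(data).hexdigest()


def detection_ratio(scan: Dict[str, EngineResult]) -> Tuple[int, int]:
    """Return (engines detecting, engines total), i.e. the 'N/41' figure."""
    return sum(1 for r in scan.values() if r.detected), len(scan)


def diff_scans(first: Dict[str, EngineResult],
               second: Dict[str, EngineResult]) -> Dict[str, List[str]]:
    """Explain a changed ratio engine by engine.

    new:          engine did not detect before, does now
    dropped:      engine detected before, now reports clean
    relabelled:   still detects, but under a different name
    defs_changed: engine reported a different definition version
    """
    out: Dict[str, List[str]] = {"new": [], "dropped": [],
                                 "relabelled": [], "defs_changed": []}
    for name in sorted(set(first) | set(second)):
        a, b = first.get(name), second.get(name)
        if a is None or b is None:
            continue  # engine present in only one run; nothing to compare
        if not a.detected and b.detected:
            out["new"].append(name)
        elif a.detected and not b.detected:
            out["dropped"].append(name)
        elif a.detected and b.detected and a.label != b.label:
            out["relabelled"].append(name)
        if a.defs_version != b.defs_version:
            out["defs_changed"].append(name)
    return out


# Constructed snapshots: a first scan and a re-analysis a few hours later.
FIRST_SCAN = {
    "Symantec": EngineResult("Symantec", True, "Packed.Generic.243", "1.4.4.12"),
    "EngineA": EngineResult("EngineA", True, "Trojan.Generic", "2010-02-01"),
    "EngineB": EngineResult("EngineB", False, None, "2010-02-01"),
    "EngineC": EngineResult("EngineC", False, None, "2010-02-01"),
    "EngineD": EngineResult("EngineD", True, "Suspicious.Packer", "2010-02-01"),
}
SECOND_SCAN = {
    "Symantec": EngineResult("Symantec", True, "Packed.Generic.243", "1.4.4.12"),
    "EngineA": EngineResult("EngineA", True, "Trojan.Generic.B", "2010-02-02"),
    "EngineB": EngineResult("EngineB", True, "Malware.Gen", "2010-02-02"),
    "EngineC": EngineResult("EngineC", True, "Packed.Trojan", "2010-02-02"),
    "EngineD": EngineResult("EngineD", False, None, "2010-02-02"),
}


def report(first: Dict[str, EngineResult],
           second: Dict[str, EngineResult]) -> List[str]:
    """Human-readable summary of what changed between the two runs."""
    h1, t1 = detection_ratio(first)
    h2, t2 = detection_ratio(second)
    lines = [f"first scan: {h1}/{t1}, second scan: {h2}/{t2}"]
    for key, names in diff_scans(first, second).items():
        lines.append(f"{key:12s}: {', '.join(names) if names else '-'}")
    return lines


if __name__ == "__main__":
    # Constructed stand-in for the submitted file; not a real sample.
    print("sha256:", sample_sha256(b"constructed placeholder bytes"))
    print("\n".join(report(FIRST_SCAN, SECOND_SCAN)))
```

Reading the `defs_changed` line against `new` is the useful part: an engine that newly detects after its definition version moved is consistent with a definition update landing between the two runs, while an engine that changes its verdict on the same definition version points at something else (a heuristic or cloud lookup) and is worth a second look before calling the sample confirmed.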

Now NIS 2010 detects the file as Packed.Generic.243.

But this is more important than the detection..... If NIS has In-The-Cloud technology, it should be getting the definitions earlier than every other Symantec product... then how did the product used on VT get definitions way earlier than NIS (almost 15 hrs earlier)?

Does NIS really have cloud technology which gives the latest updates?

The file you are speaking about is the one which I had submitted to Symantec, and that one got detected in a short time after submission; check out another threat not detected with a screenshot…

Silver:

Hi....

The file was, in fact, getting detected on VT but not by NIS 2010...... for the first time.

Next time I again uploaded the file to VT and clicked "Reanalyse the file again" after about 4-6 hrs......... still detection on VT but no detection by NIS 2010 fully updated.

Now the file is getting detected after, say, 4-6 more hrs.

So the question is: how can the product on VT detect the file approx 10-12 hrs (I come down a little) before NIS with the cloud technology can detect it?

NIS is supposed to be the one detecting it earlier......... isn't it?

Not a single answer yet.......!!!!!

How does the Symantec product on VirusTotal detect threats almost 10 hrs before NIS 2010 could?

The difference may be caused by rapid release updates in the corporate version.

Rapid Release

Rapid release virus definitions have undergone basic quality assurance testing by Symantec Security Response. The primary focus of these detection signatures is the rapid detection of newly emerging threats. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, you should understand that Rapid Release virus definitions may pose some risks such as a higher potential for false positives. Rapid release definitions are most useful for perimeter defenses or for all protection tiers as a means of mitigating fast-spreading virus outbreaks. These signatures are released once or twice per hour.

Primary differences between Rapid Release Definitions and other virus definitions

All new detections are compiled into Rapid Release virus definitions as they are created. These definitions are released many times a day and represent the most current virus definitions available. Although these signatures go through a battery of tests, they do not go through the full Quality Assurance process that Daily Certified, Weekly Certified, and Intelligent Updater definitions go through. Using Rapid Release virus definitions may pose some risks, such as a higher potential for false positives.

Symantec recommends using Rapid Release virus definitions in the following circumstances:

On an Email or Gateway server, where false positives prove little or no risk.

On servers and workstations during a virus emergency, when Certified LiveUpdate definitions may not be available for the newest threats.