Norton not detecting dangerous 'virus' despite being informed about it!

On 15th April 2010 I sent a suspected virus sample to Symantec through its website https://submit.symantec.com/websubmit/retail.cgi. Symantec confirmed receiving my sample through an automatically generated mail. My tracking number is 15356272. I will give you the screenshot of this mail as proof at the end of this post.

 

Until 15 April only four little-known AVs at Virustotal.com were detecting my sample as trojan and virus. Since these AVs are not mainstream and are little known, I thought it could be a false positive; therefore, I sent my sample to Avira on the same date (15 April) so that I could know the status of my sample at the earliest.

 

Within 48 hours Avira replied via mail to me (see the screenshot below) and detected my sample as some malware and told me they will add the signature of this malware in their next update. However, it's another thing that they didn't keep their word and added the signature after many updates. But nonetheless at least they added the signature for that sample, recently, which is a good thing.

 

Now my sample is being detected by seven AVs on Virustotal.com, and this time by big and famous AVs, but Symantec is not one of them.

 

Yes, you have read it right: Symantec, despite being told about the suspected virus sample, has neither responded to me about the sample nor added a signature for it. See the proofs below.

 

So the whole purpose of writing this post is to wake up the Norton folks from their slumber and inform its users about the negligence of Symantec. Please don't get me wrong: I hold no grudge against Norton, and neither am I a spammer nor its baiter. Actually I'm a fan and a loyal user of Norton. I just couldn't tolerate such negligence from Norton; that's why I feel compelled to write this post. Remember, I've written this post after waiting roughly a month for Symantec's reply.

 

So, Norton folks, tell me what you are going to do next? Deleting my post :smileywink: or replying to my complaint? :smileyhappy: Hope you will react positively, not negatively (won't delete my post) :)

 

Proof one: Confirmation mail by Symantec  http://budurl.com/ht6y

 

Proof second:  Avira's reply to me http://budurl.com/gh4q and  http://budurl.com/jg8q -- my sample is on first number.

 

Proof third: Sample detection by Virustotal.com http://budurl.com/am6u

 

Thanks for taking time and reading,

 

Sincerely,

 

An AV tester and reviewer

Hi AVReviewer,

 

Thanks for the feedback. I wish we could assist you on the issue. However, the forum is for Norton Online Family, which helps parents to monitor their kids' online activities. The product is not related to the issue that you're experiencing. I have asked the forum Administrator to move your post to an appropriate forum, so you can get some further assistance.

 

Thanks,

Katie

AVreviewer:

 

1.  Keygens are not so much malware as illegal software, although the downloading of cracks and keygens also brings in actual malware as well.

 

2.  I don't think it is the business of Symantec to be the "police" and spend valuable dollars writing software to identify other users' keygens.  That just doesn't make sense, and where would it stop?

 

3.  I don't think our users would support the stripping of keygens, some of which are for repair purposes, out of their systems.

To readers,

 

First of all, apologies to readers for some parapraxes in my earlier reply. I don't know how to edit it, but I will make sure it won't happen again.

To Symantec guy,

 

Sir/Madam, thanks for the reply, and sorry for posting in the wrong forum. I read some threads randomly and I got the impression that this forum is for all types of things. That is why I posted here. Please kindly shift the thread to the appropriate section.

To Trojan Terminator,

 

1) Whether it's keygens or illegal software, I think both are dangerous. I consider using them a crime because it hurts the software industry. I use them only to learn about new types of malware, how they are being written and what techniques the bad guys are using to write these codes etc. My motive is honest, trust me.

 

2) Sorry, I don't agree with you on this count. I don't think it's only about policing "other users' keygens". I think it's about new kinds of malware and the techniques used to circumvent modern and advanced AVs. Therefore Symantec must 'police' keygens, cracks, etc. to gain knowledge about malware-writing techniques, zero-day threats and for other purposes etc.

 

3) Agreed.


AVReviewer wrote:

1) Whether it's keygens or illegal software, I think both are dangerous. I


 

I happen to agree with you. Some people will argue semantics, but as far as I am concerned they are all malware. I know others do not hold this view and will draw a distinction between key generators, trojans, viruses, rootkits etc., but malware is the word which for me describes the whole plethora.

 

Moreover, I am supported in this description by Avira themselves.

 

Perhaps some readers have misinterpreted the issue. The file happens to include the word "keygen". Whether the file is actually a key generator or not is not the issue. Rather, it is the fact that the file contains malware by virtue of its infection and not by virtue of its intention or purported intention, i.e. to generate a key. In other words, a key generator that simply generates a key is not in my book malware and may indeed be illegal software, but a key generator that also happens to include malware is malware, whatever else it may be.

 

So in conclusion I feel that Norton should be detecting this malware.

 

I suggest I ask Symantec to drop on by and comment.

AVreviewer:

 

You make very good points, and I don't like illegal software any better than you do.  One thing about it is that those who do use them usually get more than they expected and exactly what they deserve.

 

One of the gurus, dbrisendine, explained to me that most programs come with their own internal key generator to allow verification of the use of the program.  My point is that, since this kind of identification by an antivirus is based on behaviour, rather than signature, it would be too expensive and cause too many false positives to try to incorporate into the antivirus product.

 

In some ways we have seen similar issues when files in the recovery partition of some laptops have been identified as malicious because of the changes they can make to the registry, which has to be done in the case of a recovery.

 

Additionally, there seems to be the attitude among vendors that even if someone is using a keygen to use their product, it means that they may like the product enough to actually buy it.  Some are more protective of their licences, but most don't seem to worry about it enough to take steps for their own security.

 

So it is not that I disagree with you, but I can see the problems involved.

I have to say I agree with Delphinium on this one.

 

Although I totally agree that keygens used for illegal purposes are unethical, I also believe that security companies (like Symantec, GriSoft etc.) have to make the decision of either being the police, or simply defending your data against malicious software and attacks. I am, and have been for the past few years, under the impression that Symantec has chosen to not be the police.

 

Obviously, if the code of a keygen is in fact malicious, then it would be a different matter completely, as it no longer only falls under 'policing' then.

 

My opinion anyway :-)

 

Matt

 

(But hey, maybe yours is malicious - we'll have to wait and see!)

Dear AVReviewer ,

 

Could you upload your sample somewhere in a password-protected archive with the password "infected" and then send me a private message with a link to it?

 

I would like to test the sample on my own. Thank you!

Dear 3play,

 

Done. Check your private message section.

More than 48 hours have passed but no reply from Symantec folks. :smileysurprised: It seems they are not worried about this virus sample and their users' security :smileywink: which could be exploited by using the technique which is used in the sample I provided.


AVReviewer wrote:

More than 48 hours have passed but no reply from Symantec folks. :smileysurprised: It seems they are not worried about this virus sample and their users' security :smileywink: which could be exploited by using the technique which is used in the sample I provided.


Please be patient. I have only become aware of your issue in the past few days. Two important persons are out of the Symantec office at the moment and they will not return until Monday at the earliest. I don't know their timetable or commitments upon their return.

 

The Symantec team is also working hard on the new beta 2011 so resources may be stretched. Again, I don't know for sure.

I feel confident that you will receive a response.

 

Detection added as Trojan.Adclicker. Thank you for the submission.

 

Henry


HenriB wrote:

Detection added as Trojan.Adclicker. Thank you for the submission.

 

Henry


You were faster ! :-)

 

AVReviewer, I submitted your samples to Symantec and got a reply that

 

File: Online Armor 4.0.0.35_KeyGen_.exe
Machine: Machine
Determination: This file will be detected as 'Trojan.Adclicker' with a
forthcoming Rapid Release definition set. Protection will be available in
Rapid Release definitions with a sequence number of 110652 or greater.

 

 

AVReviewer, you can wait a few hours and then apply the Rapid Release definitions:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

 

To AVReviewer

 

I hope you now have confidence in this forum and found the short wait worthwhile.

 



HenriB wrote:

Detection added as Trojan.Adclicker. Thank you for the submission.

 

Henry


Thanks for coming to the rescue.

Thanks, forum members, for your support and help; thank you Symantec, especially cgoldman and 3play, for your valuable time and help :smileyhappy: Your positive responses will definitely encourage me to "help" Symantec "better" its products in the future.

 

But that being said, I want to tell Symantec that it must ponder why its product missed this threat despite having the most superior and advanced behaviour technology. I hope Norton 2011 will cover these deficiencies.

 

Thanks

Dear 3play,

 

Mate, I just checked my mail and found that they have mailed me the same thing on 14 May. This is what they said:

 


"We have processed your submission (Tracking #15356272). The following is a
report of our findings for the files in your submission:

File: Online Armor 4.0.0.35_KeyGen_.exe
Machine: Machine
Determination: This file will be detected as 'Trojan.Adclicker' with a
forthcoming Rapid Release definition set. Protection will be available in
Rapid Release definitions with a sequence number of 110652 or greater.
URL: http://www.symantec.com/avcenter/venc/data/trojan.a.d.clicker.html  "