Virus sample Submission

Hi,

Greetings to this board. I have just got Symantec Internet Security suite for my wife's computer.

I have a couple of questions.

Am I better off sending virus samples by adding them to quarantine or using the submit website on this site?

Also, when I have used the website in the past, sometimes I get an auto reply saying 'machine has found file clean' being stored for human analysis?

Could someone explain what happens when you submit a sample? Does it go through some automatic sandboxing to see if it can be automatically determined malicious? Just interested in how it all works.


Many thanks

Jlo

Hi Jlo,

Welcome to Norton Community!

It will be better to add the files to Quarantine and then submit them from there. Quarantine is a special, protected area of Norton AntiVirus. Files in Quarantine cannot interact with the rest of your system. If files in the Quarantine are infected, then the virus, worm, or Trojan cannot spread. Once a file has been quarantined, it can be sent over the Internet, using Scan and Deliver, directly to Symantec Security Response for analysis. Symantec Security Response will determine whether the submitted file is infected. Files sent to Symantec Security Response for analysis are isolated. After receiving the results of the analysis, you can determine what to do with the item.

The Symantec Security Response uses Automated Threat assessment first. I am not sure how this automated thing works; I hope someone from Symantec gives you more explanation. If this check clears the file as a safe one, then it will be sent for Manual threat assessment (human analysis). You can get more information on Threat Severity Assessment at this link:

http://www.symantec.com/security_response/severityassessment.jsp

Security Response expert analysts will review sample malware or other suspicious code submitted by users and deliver a custom, in-depth incident analysis report. If a new virus is discovered in your submission, then you will be sent updated virus definition files to detect and eliminate the new virus on your computer. If the file is not infected, then you will receive an email reply indicating this.

Wish you a very Happy New Year!

Yogesh

Thanks for your reply.

Best wishes


Jlo

Otherwise you can try it out here

Malware Submission

Thanks,

That is the web address I have been submitting samples to. However, I just bought a copy of NIS for my wife's laptop and noticed that if you manually quarantine files they get submitted via Norton Security watch. At the moment when I look at Norton Community watch it says 'Status' 'Processing'. I assume that once the threat is identified by Symantec this is updated? Is that correct?

Cheers

Jlo

Hi JLo,

Norton Community Watch allows Norton security product users from around the world to help speed identification and further reduce the time to deliver protection against new security risks trying to infect your computer. The program collects selected security and application data and submits the data to Symantec for analysis to identify new threats and their sources, and to help improve user security and product functionality.

Read more information on Norton Community Watch in this LINK.

Yogesh

Thanks.

Hi,

Just to report back on this subject, I found a new fake malware rogue. I submitted it manually via NIS 2009 and also sent it via the web submit web address.

I got a reply today (below), which is great. However, there was no rescan option in quarantine and the only way I could see if the file was now detected was to restore the file and rescan. NIS detected it straight away.

Firstly, it's good to know that they update sigs quickly and respond to submissions; however, maybe in future products a rescan option in Quarantine would be a nice idea (unless there is one and I am missing it!)

Best wishes


James (Jlo)

We have analyzed your submission.  The following is a report of our
findings for each file you have submitted:

filename:  C:\Users\James\Downloads\Possible
Virus\totalprotect2009_setup\totalprotect2009_setup.exe
machine: Machine
result: This file is detected as Downloader.Misleadapp.

Customer notes:
HiLooks like a rogue antivirus. Sending on.


Developer notes:
 C:\Users\James\Downloads\Possible
Virus\totalprotect2009_setup\totalprotect2009_setup.exe is a non-repairable
threat. Please delete this file and replace it if necessary. Please follow
the instruction at the end of this email message to install the latest
available definitions.