Full Disclosure mailing list archives
Re: Symantec Contact?
From: "Joel R. Helgeson" <joel () helgeson com>
Date: Mon, 17 Sep 2007 13:30:58 -0500
Symantec is notoriously slow to release AV updates, because while they may have the AV signature available within the hour, they hold it back until they have the signature configured and working for all versions of all their products running on all platforms, which at last count was over 2.45 gazillion (and counting). They state that they don't want to issue partial releases for different products, which makes sense. If you have version xxx.yyyy.z of the definition file, then you're covered against the FOO variant of the BAR virus, irrespective of whatever Symantec application, platform, or version you're running.

The downside is that they take a LONG time to release signatures, as you have now seen. I do not use Symantec, as too often they have been the single point of failure in the enterprise, and one should not underestimate the system slowdown brought on by 15 years of code bloat.

-joel

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Beauchamp, Brian
Sent: Monday, September 17, 2007 12:28 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Symantec Contact?

That's where I submitted our file to yesterday. It's funny that less than 5 minutes ago I received an email that the defs had been updated to include this variant.

________________________________
From: Theodore Pham [mailto:telamon () CMU EDU]
Sent: Mon 9/17/2007 1:13 PM
To: Beauchamp, Brian
Subject: Re: [Full-disclosure] Symantec Contact?

Submit the sample to Symantec via http://www.symantec.com/avcenter/submit.html

They've been pretty responsive in the past, though I haven't needed to submit a sample in over a year.

Ted Pham
Information Security Office
Carnegie Mellon University

Beauchamp, Brian wrote:
Does anyone have a contact within Symantec? We have numerous infections of the W32/Sdbot-DHS worm (http://www.sophos.com/virusinfo/analyses/w32sdbotdhs.html). Most major AV vendors are updating their definitions to block it; one of them isn't Symantec. We have created a removal kit, but the machines keep being reinfected since they cannot all be disinfected at once (limited network access).

We submitted a virus sample last week and have contacted our sales rep; neither is giving a helpful response.

Aside from cutting over to the Sophos AV client, any ideas?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/