Full Disclosure mailing list archives

Re: Symantec Contact?

From: "Steven Adair" <steven () securityzone org>
Date: Tue, 18 Sep 2007 11:00:43 -0400 (EDT)

I'm not sure exactly why they do not accept submissions from the general
non-customer public, but I am sure there is a good reason.  Chances are
the most likely have the sample you are coming across from one source or
another.  They probably also get a much larger number of duplicates for
something they already detect as a result too.  If you're not a customer
and you're submitting it, you might not realize they already detect it. 
If you put it in VirusTotal or one of those sites -- they're probably
going to get it from them anyway. :D

I have submitted through the Gold and Platinum support before and received
pretty quick updates to the general virus definitions.  If not there, they
usually fire them out in an optional rapid release (not tested for
everyone or every product).  Personally, I haven't really run into massive
delays in my past experiences with them.

Steven
securityzone.org

What's really Sad is that Symantec does not have an option for the
general public (i.e. Independent Virus Researchers) to submit virus
samples .

You have to either
 A. Submit it through their product.
 B. Have a Corporate Support contract.

Guess they don't want new samples.


-S



On 9/17/07, Joel R. Helgeson <joel () helgeson com> wrote:

Symantec is notoriously slow to release AV updates, because while they
may
have the AV signature available within the hour, they hold it back until
they have the signature configured and working for all versions of all
their
products running on all platforms, which at last count was over 2.45
gazillion (and counting).

They state that they don't want to issue partial releases for different
products, which makes sense. If you have version xxx.yyyy.z of the
definition file, then you're covered against the FOO variant of the BAR
virus, irrespective of whatever Symantec application, platform, or
version
you're running.

The downside is that they take a LONG time to release signatures, as you
have now seen.

I do not use Symantec, as too often they have been the single point of
failure in the enterprise, and one should not underestimate the system
slowdown brought on by 15 years of code bloat.

-joel

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
Beauchamp,
Brian
Sent: Monday, September 17, 2007 12:28 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Symantec Contact?

That's where I submitted our file to yesterday. It's funny that less
then 5
minutes ago I received an email that the defs had been updated to
include
this variant.

________________________________

From: Theodore Pham [mailto:telamon () CMU EDU]
Sent: Mon 9/17/2007 1:13 PM
To: Beauchamp, Brian
Subject: Re: [Full-disclosure] Symantec Contact?



Submit the sample to Symantec via
http://www.symantec.com/avcenter/submit.html

They've been pretty responsive in the past, though I haven't needed to
submit a sample in over a year.

Ted Pham
Information Security Office
Carnegie Mellon University

Beauchamp, Brian wrote:

Does anyone have a contact within symantec?

We have numerous infections of the W32/Sdbot-DHS worm
(http://www.sophos.com/virusinfo/analyses/w32sdbotdhs.html). Most

major

AV vendors are updating their definitions to block it, one of them

isn't

Symantec. We have created a removal kit but the machines keep being
reinfected since they cannot all be disinfected at once (limited

network

access).

We have submitted a virus sample last week and have contacted our

sales

rep neither are giving a helpful response. Aside from cutting over to
sophos AV client, Any ideas?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Symantec Contact? Beauchamp, Brian (Sep 17)
- Message not available
  - Re: Symantec Contact? Beauchamp, Brian (Sep 17)
    - Re: Symantec Contact? Joel R. Helgeson (Sep 17)
    - Re: Symantec Contact? Social-D (Sep 17)
    - Re: Symantec Contact? Steven Adair (Sep 18)
    - Re: Symantec Contact? Morning Wood (Sep 18)
    - Re: Symantec Contact? Simon Smith (Sep 18)
    - Re: Symantec Contact? J. Oquendo (Sep 18)
    - Re: Symantec Contact? Social-D (Sep 18)
- <Possible follow-ups>
- Re: Symantec Contact? tw34k3r (Sep 18)