Endpoint Protection


Bad detection rate of SEP?

  • 1.  Bad detection rate of SEP?

    Posted May 14, 2009 02:54 AM
    Hi

    We often have the problem that Symantec doesn't detect viruses or malware which other products do.
    As an example, we did a full scan with SEP 11.0.4015.26 and it detected only one file:

    Packed.Generic.200  - Heuristic 1 13.05.2009 15:29:19 - cleaned with delete - Scan globalroot/systemroot/system32/uacwaawjwweucerilw.dll

    After that we installed the free AVG scan engine and this product detected 6 more files:

    AVG 8.5 Anti-Virus command line scanner
    Program version 8.0.300, engine 8.0.319
    Virus Database: Version 270.12.27/2112 2009-05-13

    \\?\globalroot\systemroot\system32\UACwaawjwweucerilw.dll Virus found Win32/Cryptor Object was moved to Virus Vault.
    \\?\globalroot\systemroot\system32\UACnvnonxwejqepbii.dll Virus found Win32/Cryptor Object was moved to Virus Vault.
    C:\WINDOWS\system32\svchost.exe (444) Virus found Win32/Cryptor Object was moved to Virus Vault.
    \\?\globalroot\systemroot\system32\UACwaawjwweucerilw.dll Virus found Win32/Cryptor Object was moved to Virus Vault.
    \\?\globalroot\systemroot\system32\UACnvnonxwejqepbii.dll Virus found Win32/Cryptor Object was moved to Virus Vault.
    C:\WINDOWS\system32\svchost.exe (680) Virus found Win32/Cryptor Object was moved to Virus Vault.

    We had the same problems with Antivirus Corporate Edition 9.x / 10.x :-(
    Why does the leader in antivirus software have such a bad detection rate?

    Regards
    Wayne


  • 2.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 03:09 AM
    Hi Wayne,

    It all depends upon the signatures.

    If there are new variants then, unless and until someone submits the sample, signatures won't be added to the definitions.

    I do have experience with AVG, but sometimes it too detects false positives which Symantec doesn't.

    Also, you can't rely on freeware as there is limited/no support from the developers.

    Rgrds,
    SAM


  • 3.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 06:30 AM
    If the virus variant is new, it will not get detected by your AV.
    Your responsibility is to submit the virus sample.
    Free AVG displays some files as viruses which are not actually infected.


  • 4.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 07:25 AM
    OK, so how does a person know that they need to submit a sample if SEP doesn't detect it???

    You need to have another AV installed for you to know that your machine is infected?


  • 5.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 09:50 AM

    I've seen countless posts here that say SEP/SAV wasn't able to detect a particular (probably new) variant of a worm/virus. And the reply is always "submit your sample" to Symantec. But if SEP/SAV doesn't find the particular virus, how are you supposed to submit it to Symantec? Basically you need another AV program to detect these risks and then submit them to Symantec? Am I confused?



  • 6.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 09:52 AM
    One can use AVZ and HiJackThis. Given enough experience and luck one can find something and submit it.

    P.S. There is no silver bullet.


  • 7.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 10:51 AM
    @SAM_SHAIKH + Peter_007

    Symantec discovered this type in November 2008

    Discovered: November 20, 2008
    Updated: April 8, 2009 9:36:30 AM

    My intention was not to rely on SEP together with freeware AV engines, but it's very frustrating if a freeware product discovers viruses and Symantec doesn't!

    Quote Peter_007 "Free avg displays some files as virus which are not actually infected."

    Do you think files named like "UACwaawjwweucerilw.dll" are not really infected?
    Believe me, they were.

    And our definitions get updated every 2h, so we are up to date!

    I think the same as bjohn: if we have SEP as our virus detection system, we must be able to trust this product and not just hope, when it might detect only 80% or less of all viruses.


  • 8.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 11:19 AM
    Last week a Trojan Horse attached to an email made it through to our local Outlook.
    I found the message intact with attachment in my inbox. SEP didn't say a word.

    (OF COURSE any message with a ZIP file attached saying "Please open me, I'm important" is SO lame, only a real dummy would open it!)

    Anyway, my real point is that our email goes through central IT - ITE.
    They manage Exchange and the A-V product protecting Exchange - SOPHOS.
    Now how in the world did that make it through if Symantec is the only one missing things?
    I knew the score - experience saves my skin as much if not more than products, so I saved the file (again, SEP didn't balk about me saving it to my desktop), submitted it, and within minutes, literally, the rapid release defs detected it.
    I got a nice email back explaining what was found, the defs version that would detect, complete instructions on what to do, etc.
    With DLL names like the examples above, you won't take too long to get enough experience to know those sure aren't Microsoft standard issue!


  • 9.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 02:01 PM
    We have 3 levels of AV scanning on all our email as it makes its way to the users' desks. Just like ShadowsPapa, I have run into things that we looked at and which were screaming at me "hey, I am a virus". Submitted the sample to Symantec for analysis and they came back with what they found. Sometimes it was clean, other times they found something and the definitions were updated quickly to reflect what was found. The best prevention for viruses is always to patch your systems quickly after Patch Tuesday, and user training. AV in my opinion is the final line of defence. I go through this argument at my place all the time to get the various groups to patch their servers; some say they trust the AV to protect their servers. My thought is I would rather the virus not be able to execute on a known vulnerability.


  • 10.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 03:38 PM
    How can we protect ourselves from zero-day exploits then?
    Admins cannot monitor all the whereabouts of all the PCs in their network. So we really have to rely on the detecting capabilities of the AV.


  • 11.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 04:23 PM
    Guys,

    there is a trade-off between false positives and detections...

    it is always the same story:

    there is no 100% protection against malware... there are only some best practices: avoid opening suspicious emails, use a firewall, patch the OS, etc.

    Usually malware does some strange activities and a good administrator has to monitor his systems, for example to see a strange peak of network traffic... oops... from some internal PCs... oops... it is from this port... what is behind this port? Uhm... this is an unknown process... here's your suspicious file for your AV vendor.

    Now the AV vendor writes down new signatures based on your sample and the malware will be detected.
    Our job is mainly to automate the detection of something already known, not virus hunting.

    It is rare that malware is so silent that nobody notices it... malware is bugged too...

    Unfortunately someone has to take the latest malware...

    Now, someone is thinking: why does SEP not detect a strange behaviour? There are some heuristic engines like our Proactive Threat Protection on the market, but these products have to manage the trade-off between false positives and real detections. Symantec prefers the lowest false positive rate.

    Whoever does not believe me and really wants to understand the malware world can read this book:
    AVIEN Malware Defense Guide for the Enterprise

    It is an academic book about malware forensics, AV vendors, etc. Have a look. AVIEN is a third-party organization interested in IT security.

    Cheers,




  • 12.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 04:29 PM
    Quote from Giuseppe:
    "Our job is mainly to automate the detection of something already known, not virus hunting."

    Really? LOL, well there's the reason that Symantec doesn't detect things like it should.
    So having honeypots and actively hunting for viruses is not Symantec's job, I guess it's our job.


  • 13.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 05:16 PM
    Maybe you don't know, but most of our customers open and collect any kind of malware faster than us; they don't patch their systems, they don't use a firewall, they browse any kind of website... this is not our fault, but they are already the best honeypot we can have! How can some artificial honeypots be better than this?

    Now, if millions of machines constantly get thousands of malware samples per day and they need our quick response to detect what is already in the wild and clean it, and customers always complain because they want the solution in one hour without knowing anything about IT security and so on, how can we go around hunting some malware that nobody has? What we do is already a big job.

    Symantec is too big for me, I don't know if we have some teams that proactively go virus hunting in the backline, but in my department, Tech Support, we actively do virus hunting... a lot of customers call us because they see some suspicious behaviours and they don't suspect they are totally infected, but we spend time with them to track these strange activities, mitigate their consequences, find the files of the malware and send them to us; this is another big part of our job. We help our customers in this; try to get the same support from a freeware AV company.



  • 14.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 05:54 PM
    Giuseppe

    Sorry, but I can't believe what you are writing here! Your customers are your honeypots and software beta-testers? They are noobs, don't use firewalls and never patch their systems? Is that what Symantec thinks about their customers?

    How many customers and employees does AVG have as a freeware product, and how many customers and employees does Symantec have?
    Please tell me why in so many cases all other AV vendors detect a malware or a virus and you don't? The same virus! They have had the signature for weeks or months with far fewer customers... um, honeypots... than Symantec.

    How do all the others like Avira, AVG, Kaspersky, Fortinet do their job?



  • 15.  RE: Bad detection rate of SEP?

    Posted May 14, 2009 07:10 PM

    Customers being honeypots. I'm not for or against it. Look at it this way - there are more customers than Symantec employees. So customers would more likely get the threat first. Plus, if I were a virus maker, I'd make sure that the antivirus companies would be the last to know. The problem is whether the client is prepared for that. Like when your system detects a virus named Bloodhound. ;)

    Some AVs get more viruses and false positives. I recall an AV (not Symantec) mistook a critical Windows file for malware after a definition update and promptly quarantined the file. Users could not start their machines after that, even in safe mode. I'm just glad I didn't do an update that time. And as an end-user, I was annoyed with the tracking.cookie being found every time I used the computer. The only time the AVs could be 100% secure is when they probably pass the Turing test, and by then, I'm not even sure of that.


    @Wayne: I can't speak for the other companies, but AVG Free uses its forums to troubleshoot too. And since they're using the free version and it is unsupported, they have no other option but to rely on other users for a solution, and AVG uses that as their honeypot... and they don't get iPods (LOL).

    Btw. Have you tried increasing the detection level? One of the adjustments you can do:




  • 16.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 02:52 AM
    I don't want to start a fundamental discussion, but for me it's incomprehensible why many other AV vendors can detect some malicious code or virus and Symantec doesn't know anything about the same code at the same time! Symantec is a big player in AV detection, so why the hell are they often too late?
    And it's not only a time problem, because as I posted above, other products have known this example for weeks and SEP doesn't recognize it today!

    @mon_raralio
    Yep, we have the Bloodhound function active.

    Anyway, we can only wait for the next such case or change the product.


  • 17.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 03:34 AM
    This is the world... as mon_raralio noticed, we have more customers than employees; we get more viruses from our customers just for a statistical reason...
    I don't know where you are from, but I work in Europe, we say "an educated continent", and here we have any kind of business customer: hospitals, airports, big factories, and, for example, a small office with five lawyers... of course the small enterprises are a lot more numerous than the big ones... do you think that five lawyers without an employed IT technician are more skilled than an IT administrator of a medium company? Or more skilled than a simple employee of a small IT company? Of course not.

    A lot of non-skilled guys call us every day and ask "do I have to patch Windows? I have your AV...". Again, I am just talking about business customers. Try to add the home users. In our generation there was no Computer Science in our schools. Because the non-IT-skilled people are more than the IT-skilled people, again, for a statistical reason they are a honeypot. Don't write "is that what Symantec thinks about their customers?"; we help all of our customers, but, again, it is not our fault if most of them are not IT skilled at all; I see this situation every day.
    Does an IT admin, employed in a non-IT company, have a good opinion of the end users they manage? Be honest, you are their god even just to save a document to a USB storage device.

    For other questions it is better to have a look at the book I suggested. It's worth it. All AV companies work more or less in the same way.


  • 18.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 04:10 AM
    Maybe what you feel is just your natural point of view. I mean, because you use our product it is normal that you notice when it does not detect a virus and the other products do. Likely, if you use another product, you will start to notice the opposite... this is just my personal opinion; maybe a manager of mine will give us other opinions.

    Regarding the Bloodhound function, it is useful but it is less sensitive than competitors' products in order to avoid false positives. I am boring you, but this topic is well explained in the AVIEN malware guide. As someone wrote here, to have the best detection rate of zero-day viruses, we should pass the Turing test.


  • 19.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 05:27 AM
    addendum:

    Malwarebytes detects the UACINIT.DLL on this XP computer, and this code has been known since February 2009!
    uacinit.dll is a component of the UACd.sys trojan/rootkit (windowsclick.com hijacker)

    infected memory modules:
    \\?\globalroot\systemroot\system32\UACnvnonxwejqepbii.dll (Spyware.OnlineGames) -> Delete on reboot.

    infected registry keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

    infected fileobjects in registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    infected files:
    \\?\globalroot\systemroot\system32\UACnvnonxwejqepbii.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lsdelete.exe (Virus.Virut.T) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

    For everybody who has the same problems, here is the solution and a very interesting discussion:

    www.myantispyware.com/2009/01/24/how-to-remove-windowsclickcom-redirect-uacdsys-trojan/
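The Malwarebytes output above reports two Security Center "DisableNotify" values set to 1, a leftover HKLM\SOFTWARE\UAC key and randomly named UAC*.dll modules. As an added example that is not from this thread or from any vendor's product, the following Python triage script parses a constructed .reg export and a constructed system32 listing and flags exactly those indicators; the registry fragment, the file names and the UAC name pattern are assumptions modelled on the examples quoted in the thread.

```python
import re
from typing import Dict, List

# Constructed registry export fragment, NOT the page's Malwarebytes log; it
# mirrors the two Security Center values that log reported as "Bad: (1)".
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\UAC]
"name"="uacinit"
"""

# Constructed system32 listing: the UAC-prefixed names follow the pattern
# quoted in the thread, the other two are ordinary Windows modules.
SYSTEM32_LISTING: List[str] = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\UACnvnonxwejqepbii.dll",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\user32.dll",
]

SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
UAC_TRACE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\UAC"
# A value of 1 in any of these suppresses the matching Security Center warning.
NOTIFY_VALUES = ("FirewallDisableNotify", "UpdatesDisableNotify", "AntiVirusDisableNotify")
# Assumed pattern: "UAC" followed by a long run of random lowercase letters,
# or the loader component uacinit.dll named in the thread.
UAC_MODULE = re.compile(r"^(?:UAC[a-z]{12,20}|uacinit)\.dll$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg-style export into {key_path: {value_name: raw_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def dword(raw: str) -> int:
    """Decode a 'dword:xxxxxxxx' value; other value types are not expected here."""
    if not raw.startswith("dword:"):
        raise ValueError(f"not a DWORD value: {raw}")
    return int(raw[len("dword:"):], 16)


def triage(reg_text: str, file_paths: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    keys = parse_reg_export(reg_text)

    # 1. Security Center warnings switched off (the "Disabled.SecurityCenter" items).
    sc_values = keys.get(SECURITY_CENTER_KEY, {})
    for name in NOTIFY_VALUES:
        raw = sc_values.get(name)
        if raw is not None and dword(raw) == 1:
            findings.append(f"Security Center warning suppressed: {name}=1")

    # 2. The leftover key the log labelled "Rootkit.Trace".
    if UAC_TRACE_KEY in keys:
        findings.append(f"rootkit trace key present: {UAC_TRACE_KEY}")

    # 3. Randomly named UAC modules in system32.
    for path in file_paths:
        base = path.rsplit("\\", 1)[-1]
        if UAC_MODULE.match(base):
            findings.append(f"suspicious UAC-named module: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(REG_EXPORT, SYSTEM32_LISTING):
        print(finding)
```

Run against a real machine, the same functions would take the output of a registry export and a directory listing; the point is that these indicators are cheap to check even when the AV engine reports the host clean.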



  • 20.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 06:58 AM
    Malware writers are very active; they update their "products" very often to avoid AV detection. The AV signatures are able to detect some possible new variants of a sample we already have, but every AV vendor has different technologies, therefore it is possible that we detect some variants and competitors other variants... not able to say, but if I were a malware writer I would test my new malware against the most common AV products, better if they are used in a lot of banks as well... like Symantec.

    For the above reason it is not so important when the malware was first detected; it is more important to compare when the latest definitions were released to detect the latest variant of the malware. Unfortunately the lack of a naming standard makes this comparison harder; in fact I was not able to do it for the UACd.sys trojan (or I would have to spend more time on it, but I can't now).



  • 21.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 08:42 AM
    Malwarebytes product is about the best there is for rootkits. Honestly, I don't think the "mainstream av" products do well with rootkits at all, and aren't so good with the phoney AV things.
    The other threats they are pretty good at, but I've yet to see the "major players" do worth a darned on the rootkits.

    If I may, I'd like to know just what the heck happened to heuristics?
    Back in the 90's there was a very good product that touted itself as not using signatures at all but relying on heuristics, and their detection rate was fantastic.
    The main players were supposedly going that direction, too.
    But little is said about it now.
    These phoney AV threats, among many others, could be easily detected simply because they INSTALL an exe or dll without permission.
    Why not have the AV prompt " xxx is attempting to install yyy on this computer - do you want to allow it?"
    OR, set it to block all such things, and to allow it would be an exception - especially in SEP, let me set it to block anything like a browser helper or a phoney AV app from installing, and if a customer complains, I put in a temporary exception.
    This garbage about allowing anything and everything to install on a computer where the user isn't even an admin is bogus. Especially in a government or corporate environment.


  • 22.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 09:41 AM
    Sorry ShadowsPapa, but what you say is already in place.
    My browsers always ask me if I am sure I want to install a plug-in, if I am sure I want to run an .exe file just downloaded from the Internet, etc., and my Windows Vista already asks me if I really want to install an application, if I am sure I want to disable some features, etc.
    Do you know what the side effect is? Most end-users just read these notices once and then they start to click "YES" by default or put a tick in the option "Don't ask this anymore".
    Education is the best prevention.

    A full heuristics AV with the highest detection rate and the lowest false positive rate is the dream of IT security; I don't know what the current status of this technology is, but the AVIEN Malware Guide has a chapter on this topic as well.

    I don't remember where I read that there are more malicious files than the good ones in the world... therefore we can start to think about an AV engine based on good files signatures...



  • 23.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 12:08 PM

    Making a scan engine based on good file signatures is a good option. You just need a standardization body for the common files they make and have them registered as a legitimate part of the OS and applications. The only drawback would be that most companies, wanting to be competitive, would make unique files that would suit their goals and sometimes monopolize, say, a particular dll.

    With the current AV technology, the user still plays a major part in preventing malware from entering his or her system.



  • 24.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 02:32 PM
    Sorry guys, I'm with Wayne1 on this one. Symantec is really down on the list of companies that are great at catching viruses; this is not a secret to anyone. We have SAV currently and it's absolutely horrible at the only job it's designed to do: catch viruses. I was hoping SEP was better, but our preliminary tests show that while it's better than SAV, it's significantly worse than Kaspersky, Trend Micro or even freeware scanners like Avast or AVG.
    We've run numerous tests with infected VMs where we ran various virus scanners against them; SEP was always the worst in "on access" prevention as well as manual scanning. One thing SEP doesn't do, for example, is scan nested archives on access or on extract. So if you have a virus deep down in an archive within an archive, SEP won't catch it while you download it, nor when you extract it. Only when you execute the infected file will it be scanned and (hopefully) caught.
    Another weak point of SEP is advanced malware and rootkit detection. We've tested various rootkits and "smart" malware programs and yet again, SEP came in last.
    So, not to start a flame war: test and identify SEP's limitations, treat SEP as your last line of defense and use other layered protection methods that are available, like web and attachment filtering, web proxies, intrusion protection, etc. FWIW, we're using SEP mostly for its host intrusion prevention and host integrity and compliance capabilities. Not much faith lies in its anti-virus detection and malware prevention, and this is the same notion I get from talking to my peers at other companies.
    My $0.02.

    Dimitri


  • 25.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 07:44 PM
    @Wayne1 & Dimitri: Did you try to set the Bloodhound detection to maximum?

    I hate to think that there IS malware in our system not being detected. I hope the firewall and IPS do their job. :(


  • 26.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 10:05 PM
    So I'd like to add some data here.

    One of the things that makes us different to the others, and particularly some of the smaller vendors out there, is our approach to false positives. We will not put a signature into our definitions if we think it has the potential to cause false positives. If you were to ask the vast majority of our customers what would be worse for them, a virus outbreak on a small number of PCs (or even a large number, particularly with today's types of threats) versus a false positive on a system or executable file, I am fairly sure they would choose the virus option. We are very proud of our false positive ratio; it's currently around 0.1%. When you protect over 130 million endpoints around the world, that's no mean feat! Other vendors can potentially afford a higher FP ratio, since their customer numbers will be lower.

    Now, that's not to say we aren't changing the way we work; we are constantly looking for new ways to detect and pick up threats - whether that is sharing code with other vendors or taking a feed from VirusTotal. Sadly, the nature of today's changing threat landscape means we are seeing more and more variants of the same virus. As most traditional AV blacklisting is done based on file signatures, a quick change to the code gives you a new signature and a variant. However, what we have been doing recently is extending the detection capabilities of each signature, rather than creating a new one for each variant (anybody remember the days of NetSky or MyDoom and their huge numbers of variants?), so when you see something was listed as being detected since February 2009 or similar, that's only when the signature was first written - we have no easy way of telling if the specific variant you are seeing is in there. That's the problem: by the time you get a signature out, the malware has gone and changed again. To give you an idea of the effect that variants have, in the year 2002, we wrote just over 20,000 signatures for the whole year. In 2005, that number increased to around 110,000. Now comes the jump! In 2007, we wrote 600,000 signatures and in 2008 we added 1.6 million! Put another way, in 2000 we were writing about 5 signatures per day and in 2007 that number was 1431. Now, in 2008 we were averaging around 12,000 signatures PER DAY! That's a 239% increase on 2007 and the numbers are still going up. Our current estimates are that we will peak at 25,000 per day this year. In addition to that, we receive 200,000 file submissions per day - most of these are processed automatically - they are analysed and where required, definitions are updated or written and automatically put into the next set of rapid release definitions.

    For those of you talking about honeypots, of course we have our own honeypot, but we also take data from our customers and their networks - we have over 240,000 sensors on customer networks and the Internet spread across 200 countries; add to that over 2.5 million decoy email accounts and the fact that via Brightmail we process in excess of 150 BILLION emails per day (http://www.symantec.com/business/security_response/landing/spam/index.jsp) - that's a huge amount of information we have on the threat landscape.

    Having said that, can we do better? Sure we can; any vendor who says they can't simply doesn't understand the scale of the problem. Over the last few months, some of you have probably noticed more detections from Bloodhound signatures or "Suspicious.something" signatures - these are new heuristic signatures in action. We are currently working on more signatures like this to better protect our customers - however our FP policy still stands and for that reason we release these signatures in stages; if you want to get these sigs as quick as possible (but at the small but potential risk of FP) then set your Bloodhound settings to the highest and they will be active. Once we have tested at that level and confirmed there are no major issues, then we release to the normal Bloodhound levels too. These signatures are already having good effects on customers' networks; one particularly long running threat has seen a marked drop since we did this - it's also a threat that has specifically targeted us and our detection methods in the past.

    Going further, I'm sure you are all aware of the Krypton IPS engine in SEP; if not then you should read this: https://www-secure.symantec.com/connect/articles/so-what-krypton-anyway  As others have mentioned, we are now at the point where there IS more BAD code than GOOD code, so you have to start wondering if blacklisting is the answer anymore. It's clearly not going to go away anytime soon, but we think it can start to take more of a back seat when you start to look at technologies like reputation based whitelisting. You can see our "first version" of this technology in the Norton 2009 and N360 v3.0 products - it's called Norton Insight and we are using it to control the number of files we scan. If we know based on our whitelist that 80% of the files on your machine are clean then we don't need to scan them and can concentrate more effort on checking the remaining 20%... the reputation side comes in based on how many people are running those files or have downloaded them, etc. It's a very complicated set of criteria, but it works very well. Again, this is where our size comes in handy; we have been building this whitelist over the last few years, based on information from third parties and huge amounts of consumer data that is submitted via Norton Community Watch.

    I do just want to cover off the point around zip files. It's true, we do not scan them when you download the file. Is there really a point in slowing down the download/copy/write to scan the file when it's harmless at that point? If you extract the files OR attempt to launch the malcode direct from the zip then we will pick it up since it's accessed or written to the temp folder. If you run a scheduled scan, then you have the option of scanning inside these files - by default we will scan 3 levels into a nested archive, but you can increase that if you wish.

    Lastly, we can never please everyone, I realise that, but please take a look at the independent reviews - AV Comparatives (http://av-comparatives.org/comparativesreviews/main-tests) where we get one of the highest detection ratios with one of the lowest FP ratios - that's the key, ANY product can claim 100% detection if they say every file on a PC is a threat; you must take the FP rate into account too. Andreas Marx over at AV-Test also does similar reviews (http://www.virusbtn.com/news/2008/09_02). In a recent PC Magazine test (http://www.pcmag.com/article2/0,2817,2345349,00.asp), MalwareBytes got a great writeup and it was noted that their particular strength was with clearing up threats already on the machines - that's something we are wanting to fix soon and have tasked our Security Technology and Response (STAR) group to fix. Lastly, for those Germans here, you will know that we recently achieved a 99.8% detection record in the Computerbild long term test.

    I hope you found the above interesting and informative, it took a while to write - if you have questions then please post them and I will do my best to answer them.  In the meantime, what can you do to help us (if you are that way inclined)?  If you see something strange or suspicious on your machine then please please please submit it to us for analysis, even if it turns out to be clean we don't mind, we have the resources to deal with it.  Who knows, you might actually help to protect another member of this forum.  This is a war, and like it or not, we are all in it together - on a more serious note, it truly is no better for other vendors - I know from the number of customers I talk to day in day out.
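Paul's post explains two mechanisms: a known-good whitelist that lets the engine skip files it already trusts, and a nesting limit for scheduled scans of archives (3 levels by default), which is also the gap Dimitri reported with "an archive within an archive". The Python below is an added example that is not Symantec's code and models only those two behaviours: a hash blacklist, a hash whitelist that short-circuits inspection, and a depth limit that leaves deeper archives unopened. The marker bytes, the clean readme and the hashes are constructed for the demo; the depth semantics (the top-level archive counts as level 1) are an assumption.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed stand-in for a file the signature set detects. It is plain text,
# not malware; a real engine would hash or pattern-match actual samples.
SAMPLE_MARKER = b"CONSTRUCTED-DETECTION-SAMPLE-NOT-MALWARE\n"
SIGNATURES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_MARKER).hexdigest(): "Constructed.Test.Marker",
}

# Known-good content: the reputation/whitelist side. Anything whose hash is
# here is trusted outright and never inspected further.
CLEAN_README = b"This is a harmless text file.\n"
KNOWN_GOOD: Set[str] = {hashlib.sha256(CLEAN_README).hexdigest()}


@dataclass
class ScanResult:
    findings: List[str] = field(default_factory=list)
    skipped_known_good: int = 0      # files skipped thanks to the whitelist
    archives_not_opened: int = 0     # archives left unopened by the depth limit


def build_nested_zip(depth: int) -> bytes:
    """Wrap the marker in `depth` nested zip archives, each also holding a clean readme."""
    payload, name = SAMPLE_MARKER, "sample.bin"
    for level in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
            zf.writestr("readme.txt", CLEAN_README)
        payload, name = buf.getvalue(), f"level{level}.zip"
    return payload


def _scan(data: bytes, max_depth: int, depth: int, path: str, result: ScanResult) -> None:
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_GOOD:
        result.skipped_known_good += 1          # whitelist hit: do not look inside
        return
    if digest in SIGNATURES:
        result.findings.append(f"{path}: {SIGNATURES[digest]}")
        return
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return                                  # unknown plain file: nothing more to do here
    if depth >= max_depth:
        result.archives_not_opened += 1         # nesting limit reached: contents stay uninspected
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            _scan(zf.read(info), max_depth, depth + 1, f"{path}/{info.filename}", result)


def scan_blob(data: bytes, max_depth: int) -> ScanResult:
    """Scan a byte blob, descending into zip members at most `max_depth` archive levels."""
    result = ScanResult()
    _scan(data, max_depth, 0, "download.zip", result)
    return result


if __name__ == "__main__":
    for nesting in (3, 4):
        r = scan_blob(build_nested_zip(nesting), max_depth=3)
        print(f"{nesting} nested archives, limit 3: found={len(r.findings)} "
              f"unopened={r.archives_not_opened} whitelisted={r.skipped_known_good}")
```

With the limit at 3 the marker three archives deep is found while the one four deep is not; raising max_depth to 4 finds it, which is the trade-off the post describes between scan cost and depth.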


  • 27.  RE: Bad detection rate of SEP?

    Posted May 15, 2009 11:15 PM
    For good, bad, or indifferent, AV detection is still reliant upon definitions that target specific threats as the main means of detection.  This makes AV a reactive set of technologies rather than proactive.  These definitions are written after a sample has been obtained.  You can't detect/block things that don't yet exist. All of the AV vendors put a lot of resources into collecting malware and writing definitions.  Symantec, McAfee, TrendMicro, Kaspersky, etc.  They all do this and, to at least some extent, many even share information with the others, their direct competitors.

    When no definition exists yet for a new threat, heuristics come into play.  These look for behavioral patterns and can cause as much, if not more, havoc as a true malware threat. 

    SEP/SEPM is at its heart a product targeted at businesses. This means that the design has to be different than an AV product geared towards individual/home users. One of the ways that they are different is the false positives vs. higher detection rates argument.

    It is very rare to see a piece of malware that is efficiently self-replicating to the point that it can infect every system on a user's LAN if best practices are followed (timely patching of software, users NOT running as admins, defense-in-depth, etc.). On the other hand, a definition set for business-class AV will be on every system soon after release.

    At a particular company I worked for, I occasionally saw an infection get through. Usually this led to a minor amount of down-time for one or two workstations. That same company was hit by a definition set that was way too broad in its scope. The effect of this was a vicious false positive that caused all Excel spreadsheets to be seen as malware. This caused a major work slow-down at the company for several hours until a new definition set was released, which cost in the tens of thousands of dollars.

    I personally appreciate the more delicate hand of Symantec, having experienced both sides of the equation. 

    That being said, if you wish SEP to be more stringent in its' checks, you do have options to make that happen.  You can dial up the heuristics and switch to using the RapidRelease definitions.  I don't recommend the later though.  RR defs are works in progress (read beta) and I have seen those cause issues at times.  


  • 28.  RE: Bad detection rate of SEP?

    Posted May 16, 2009 01:26 AM
    Hi Paul,

    No one is dismissing Symantec's efforts at having fewer false positives at the cost of us being infected. But as you correctly point out in your statistics, we are in great danger and it is getting worse every day.

    I believe the area where Symantec is still lagging is Proactive protection. I don't understand what proactive protection is doing while a virus runs, modifies critical system registry keys one by one in a sequence, tries to enumerate and end security software processes, and copies itself to the root of every drive and removable disk, and meanwhile Proactive protection is still watching!! If you revise and boost this part it will solve most of the problem, since the number of attack vectors is so much smaller than the number of threats, and if Symantec can block all attack vectors (and programs trying to utilize them) then we'll have a much more effective antimalware solution.



  • 29.  RE: Bad detection rate of SEP?

    Posted May 16, 2009 08:26 AM
    Paul

    Thx for taking the time to explain it to us! Again, I don't expect a scan ratio of 100% because that's unrealistic and naive, but I still cannot understand why some other vendors can detect more than 3 different malicious codes, viruses or malware on a computer where SEP told me it's clean! If this happens once or twice a year, ok, no problem, but we have experienced over the last years with SAV CE 7.x, 8.x, 9.x that this happens too often, and more than once or twice a year!
    I will demonstrate what these magazine test reports, where Symantec always should be among the best, mean for us customers!
    In this test from the Malware Search Group malwareresearchgroup.com/  Symantec had a detection rate of 99,0% and the winner has 99,6%!
    That looks very good for Symantec, wow, 99,0 % great! But they tested 395.844 malware samples, and 99,0% means 391.885 detected and 99,6% means 394.260 detected! That makes a difference of 2.374 !!! That is how much more malware your direct competitor has detected, which means that they have done a better job than Symantec; they have written more signatures than Symantec with fewer staff and less budget! Those are the facts!

    Paul, I have been a Symantec customer for many years and I think you do good work, mostly ;-) but the detection rate should be urgently improved!
    Or simply buy another company, such as Avira, once again and gain their detection know-how that way ;-)




  • 30.  RE: Bad detection rate of SEP?

    Posted May 16, 2009 08:30 AM
    Hi,

    of course my "Symantec Employee" label says that I am not a 3rd party in this discussion... but the already mentioned AVIEN Malware Guide has a chapter about AV product comparisons and their value.

    Unfortunately I am not in a position to properly answer regarding AV product comparisons, but I have noticed a big noise around Norton Internet Security 2009 and its great performance. This is not SEP, but it means that Symantec is working hard to improve the quality of its products, with revolutionary results in Symantec's history. The business market requires more reliable products, but I guess you will get some innovations too in the medium term.


  • 31.  RE: Bad detection rate of SEP?

    Posted May 18, 2009 11:57 AM
    @Wayne1: I'm just curious as to how you could be so unlucky to get those false positives and new malware.

    @everyone
    Anyway, I understand how Symantec could sometimes lag in the release of definitions given the statistics. It would probably take a normal person 2 to 3 days to figure out what is wrong with his PC and a few more hours or days to fix it.

    Heuristic scanning or proactive protection, I believe, is still not yet refined enough to scan for new variants with little or no false positives. Back when I did a proof-of-concept for another company (3 or 4 years ago), we had no AV at the time, as it conflicted with one of the applications. Most vendors boast of their very strict realtime scanning policy, but when tested on my PC, it nearly ground to a halt. I couldn't check emails or open a spreadsheet, let alone browse the internet on my P2. Not everyone can have ALL their corporate PCs upgraded every year. I bet some companies still have P2s in use. So, bottom line, trying to put myself in management's shoes, I chose one that doesn't hog the memory. I'd rather have little than no protection, and I would rather have no protection than have a protected but unusable PC that would freeze every time I open an application.


  • 32.  RE: Bad detection rate of SEP?

    Posted Jun 25, 2009 05:25 AM
    I wonder how I missed this thread... Some great reading...
    But whatever file names Wayne1 has listed above,
    like globalroot/systemroot/system32/uacwaawjwweucerilw.dll and UAC..sys and other files...
    I remember about 3-4 months back I got a call with this same threat.
    It was a rootkit.
    SEP was not detecting any file and it showed Auto-Protect malfunctioning. I took a closer look and found nothing...
    I ran the Loadpoint utility... took 30 minutes to read it, found nothing... Nothing was found using Procexp or Autoruns as well...

    The customer was getting frustrated as all this took 3 hours... and still no resolution...
    The customer had just called for the Auto-Protect malfunctioning issue...
    Then I ran Sysinternals RootkitRevealer.
    I found some entries that looked a bit ODD...
    I ran IceSword... checked the services in the registry.
    I found a service called UAC... (bingo) this PC was XP.
    Then I looked at the sub-options for this registry value and I found Disallowed.
    I highlighted Disallowed and I was shocked to see more than 100 entries were there:
    AVG, Sophos... I scrolled down and I was not much surprised to see RTVSCAN.exe in the list.

    I deleted that entry, rebooted the PC, and all the files came out of the kernel layer to the user layer...
    Then I submitted around 8-9 files, mostly starting with UAC... a few DLLs and a few SYS files...

    Once that was removed SEP was working perfectly fine...

    But yes, of course, if you got the same file then it might be a variant of this threat...
    But I can guarantee you I submitted the same file and got definitions for it, and that too long before you got this problem...
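
    The check described in the post above, written out as an added example that is not part of the thread or of any Symantec tool: it walks the Services key, flags any service that carries a "Disallowed" subkey, and lists the value names under it that look like security-product processes (the three names from the post plus a constructed list of others). The registry paths, the default watch list and the function name are assumptions. Because a kernel-mode rootkit can hide its keys from a live user-mode enumeration, the function takes the Services root as a parameter so it can be pointed at a hive loaded from an offline disk, which is where this check is most reliable.

```powershell
# Added example (not from the thread): find service keys that carry a
# "Disallowed" subkey naming security-product processes, the pattern
# described in post 32. Registry paths and the watch list are assumptions.

function Find-DisallowedServiceLists {
    param(
        # Root of the Services key to inspect. Point this at a loaded offline
        # hive (e.g. 'HKLM:\OfflineSystem\ControlSet001\Services') when the
        # live view may be filtered by a rootkit running in the kernel.
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services',

        # Process/product names worth flagging. RTVSCAN, AVG and Sophos are
        # the ones named in the post; the rest are a constructed list.
        [string[]]$Watch = @('RTVSCAN', 'AVG', 'SOPHOS', 'SMC', 'CCSVCHST', 'MSMPENG')
    )

    $findings = @()
    foreach ($svc in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        # $svc.Name is 'HKEY_LOCAL_MACHINE\...\Services\<name>'; address the
        # candidate subkey through the Registry provider explicitly.
        $disallowedPath = "Registry::$($svc.Name)\Disallowed"
        if (-not (Test-Path -LiteralPath $disallowedPath)) { continue }

        $key   = Get-Item -LiteralPath $disallowedPath
        $names = @($key.GetValueNames())

        # Keep only the value names that match something on the watch list.
        $hits = @($names | Where-Object {
            $n = $_
            @($Watch | Where-Object { $n -match $_ }).Count -gt 0
        })

        $props = Get-ItemProperty -LiteralPath "Registry::$($svc.Name)" -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Service         = $svc.PSChildName
            ImagePath       = $props.ImagePath
            DisallowedCount = $names.Count
            SecurityHits    = ($hits -join ', ')
        }
    }
    return $findings
}

# Usage on the live system (run elevated); a service with a long Disallowed
# list that names AV processes is what the post found under "UAC".
Find-DisallowedServiceLists | Format-Table -AutoSize
```

    To run the same check against an offline copy of the SYSTEM hive (for example from a disk mounted on a clean machine), load it first with `reg.exe load HKLM\OfflineSystem <path-to>\Windows\System32\config\SYSTEM`, call `Find-DisallowedServiceLists -ServicesRoot 'HKLM:\OfflineSystem\ControlSet001\Services'`, and unload it afterwards with `reg.exe unload HKLM\OfflineSystem`. The function only reports; deciding what to delete, and submitting the files involved for analysis as the post describes, remains a manual step.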