Re: [Full-disclosure] Symantec Contact?

From: Joel R. Helgeson (joelhelgeson.com)
Date: Mon Sep 17 2007 - 13:30:58 CDT


Symantec is notoriously slow to release AV updates, because while they may
have the AV signature available within the hour, they hold it back until
they have the signature configured and working for all versions of all their
products running on all platforms, which at last count was over 2.45
gazillion (and counting).

They state that they don't want to issue partial releases for different
products, which makes sense. If you have version xxx.yyyy.z of the
definition file, then you're covered against the FOO variant of the BAR
virus, irrespective of whatever Symantec application, platform, or version
you're running.

The downside is that they take a LONG time to release signatures, as you
have now seen.

I do not use Symantec, as too often they have been the single point of
failure in the enterprise, and one should not underestimate the system
slowdown brought on by 15 years of code bloat.

-joel

-----Original Message-----
From: full-disclosure-bounceslists.grok.org.uk
[mailto:full-disclosure-bounceslists.grok.org.uk] On Behalf Of Beauchamp,
Brian
Sent: Monday, September 17, 2007 12:28 PM
To: full-disclosurelists.grok.org.uk
Subject: Re: [Full-disclosure] Symantec Contact?

That's where I submitted our file to yesterday. It's funny that less than 5
minutes ago I received an email that the defs had been updated to include
this variant.

________________________________

From: Theodore Pham [mailto:telamonCMU.EDU]
Sent: Mon 9/17/2007 1:13 PM
To: Beauchamp, Brian
Subject: Re: [Full-disclosure] Symantec Contact?

Submit the sample to Symantec via
http://www.symantec.com/avcenter/submit.html

They've been pretty responsive in the past, though I haven't needed to
submit a sample in over a year.

Ted Pham
Information Security Office
Carnegie Mellon University

Beauchamp, Brian wrote:
> Does anyone have a contact within Symantec?
>
> We have numerous infections of the W32/Sdbot-DHS worm
> (http://www.sophos.com/virusinfo/analyses/w32sdbotdhs.html). Most major
> AV vendors are updating their definitions to block it; one of them isn't
> Symantec. We have created a removal kit but the machines keep being
> reinfected since they cannot all be disinfected at once (limited network
> access).
>
> We submitted a virus sample last week and have contacted our sales
> rep; neither is giving a helpful response. Aside from cutting over to
> the Sophos AV client, any ideas?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
