Re: [Full-disclosure] Symantec Contact?

From: Steven Adair (stevensecurityzone.org)
Date: Tue Sep 18 2007 - 10:00:43 CDT


I'm not sure exactly why they do not accept submissions from the general
non-customer public, but I am sure there is a good reason. Chances are
they most likely have the sample you are coming across from one source or
another. They probably also get a much larger number of duplicates for
something they already detect as a result too. If you're not a customer
and you're submitting it, you might not realize they already detect it.
If you put it in VirusTotal or one of those sites -- they're probably
going to get it from them anyway. :D

I have submitted through the Gold and Platinum support before and received
pretty quick updates to the general virus definitions. If not there, they
usually fire them out in an optional rapid release (not tested for
everyone or every product). Personally, I haven't really run into massive
delays in my past experiences with them.

Steven
securityzone.org

> What's really sad is that Symantec does not have an option for the
> general public (i.e. Independent Virus Researchers) to submit virus
> samples.
>
> You have to either
> A. Submit it through their product.
> B. Have a Corporate Support contract.
>
> Guess they don't want new samples.
>
>
> -S
>
>
>
> On 9/17/07, Joel R. Helgeson <joelhelgeson.com> wrote:
>> Symantec is notoriously slow to release AV updates, because while they may
>> have the AV signature available within the hour, they hold it back until
>> they have the signature configured and working for all versions of all their
>> products running on all platforms, which at last count was over 2.45
>> gazillion (and counting).
>>
>> They state that they don't want to issue partial releases for different
>> products, which makes sense. If you have version xxx.yyyy.z of the
>> definition file, then you're covered against the FOO variant of the BAR
>> virus, irrespective of whatever Symantec application, platform, or version
>> you're running.
>>
>> The downside is that they take a LONG time to release signatures, as you
>> have now seen.
>>
>> I do not use Symantec, as too often they have been the single point of
>> failure in the enterprise, and one should not underestimate the system
>> slowdown brought on by 15 years of code bloat.
>>
>> -joel
>>
>> -----Original Message-----
>> From: full-disclosure-bounceslists.grok.org.uk
>> [mailto:full-disclosure-bounceslists.grok.org.uk] On Behalf Of Beauchamp, Brian
>> Sent: Monday, September 17, 2007 12:28 PM
>> To: full-disclosurelists.grok.org.uk
>> Subject: Re: [Full-disclosure] Symantec Contact?
>>
>> That's where I submitted our file to yesterday. It's funny that less than 5
>> minutes ago I received an email that the defs had been updated to include
>> this variant.
>>
>> ________________________________
>>
>> From: Theodore Pham [mailto:telamonCMU.EDU]
>> Sent: Mon 9/17/2007 1:13 PM
>> To: Beauchamp, Brian
>> Subject: Re: [Full-disclosure] Symantec Contact?
>>
>>
>>
>> Submit the sample to Symantec via
>> http://www.symantec.com/avcenter/submit.html
>>
>> They've been pretty responsive in the past, though I haven't needed to
>> submit a sample in over a year.
>>
>> Ted Pham
>> Information Security Office
>> Carnegie Mellon University
>>
>> Beauchamp, Brian wrote:
>> > Does anyone have a contact within Symantec?
>> >
>> > We have numerous infections of the W32/Sdbot-DHS worm
>> > (http://www.sophos.com/virusinfo/analyses/w32sdbotdhs.html). Most major
>> > AV vendors are updating their definitions to block it, one of them isn't
>> > Symantec. We have created a removal kit but the machines keep being
>> > reinfected since they cannot all be disinfected at once (limited network
>> > access).
>> >
>> > We have submitted a virus sample last week and have contacted our sales
>> > rep; neither is giving a helpful response. Aside from cutting over to
>> > Sophos AV client, any ideas?
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >