Norton AV Oddities.

Discussion in 'other anti-virus software' started by TechOutsider, Jan 7, 2009.

Thread Status:
Not open for further replies.
  1. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    I downloaded a massive archive of malware.

    I extracted all of them. Many were blocked by Norton. The ones that were left were uploaded to VT for analysis.

    I zipped the leftover files; the files that were deemed clean by Norton even after a selective on-demand scan.

    I put 9 files into a .zip; I was going to send them to SSR.

    I wound up with 7 archives. Now, that was yesterday.

    I ran a full system scan today, for no particular reason, and Norton came up with several detections of malware inside those archives ...

    From my prior experience, SSR takes a long time to process samples. And I have received no e-mail from SSR, except for the tracking #s. It seems like something went wrong here.

    So, my question is directed to anyone with internal knowledge at SSR. Were the files I sent in processed within hours and added to the defs? If they were, then kudos. Or are selective on-demand scans different from full-system scans? Does Norton scan deeper with full-system scans?

    And I only received 1 heuristic detection ... packed.generic.187. From Symantec's site, the def was last updated on Sept. 24, 2008. Why wasn't Norton able to detect it yesterday, but today?

    Whoa ... I just scanned the zip again today and this time Norton detected 125 threats, compared to ~30 yesterday.
     

    Last edited: Jan 7, 2009
  2. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Have you contacted Norton about this?
    I'd be interested in their response.
    Hugger
     
  3. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Chat is for technical issues, and their answers offer no depth. Mostly canned responses. Useful, however not in a case like this.

    I've been banned from their forums.
     
  4. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    There are details about the updated definitions. You can find them on your computer.
     
  5. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
  6. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Sorry for the off-topic question.
    @ TechOutsider
    Can you tell me where you downloaded that malware from?
     
  7. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    We are not allowed to share links to malware ;)
     
  8. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    'archives of malware' contain much (usually over half) of corrupted/inactive/junk malware, and in no way can be relied upon for any form of testing or submission
     
  9. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Only way to find out is to execute them ;)
     
  10. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    I agree, and then you find out how good your AV is in fact, not based on tests that use varying parameters, samples, etc. It shows you reality.
     