Highly Unusual and Inconsistant Behavior

I had a sample of adware.mirar. VT coverage was >98 percent. The file itself was even published by MIRAR(file properties). Symantec on VT detects it. Norton on my computer does not. what

I also downloaded some malware (virut), contained inside an achieve today.

Now, WinRar extracts the files to a temp. location, then copies it to where the user wants it.

I extract virut.Symantec detects and removes virut from the temp file location. However, the file, still makes it to my desktop. I upload to VT and coverage is very consistent. MD5 matches sample from temp. file location. And Norton does not flag the file as malicious. I forward to SSR, and after a human analysis, it's still deemed as clean.

Is there a reason for the unusual and inconsistent behavior I have experienced?

I'm know that I had the latest definitions; all my definitions were not outdated by more than 15 minutes in each scenario.

 

Norton's realtime (on-access) scanner doesn't scan inside archives (zip/rar...). But as soon as you extract the files, malware will be detected and quarantened.

Norton is not the only AV with this behaviour, I've seen many others do the same. It's probably done to minimize resource usage, because unpacking every file would require more CPU/RAM.

You shouldn't worry too much though, because a zipped virus can't do no harm. And as soon as it's unpacked it will be catched


EDIT: When you upload to VT it's different - they can probably unpack a whole range of archive types.

 

The mirar file was not inside an archieve. And how did Virut end up on my desktop? I would expect any AV to fully block it.