Symantec Endpoint Protection 12.1 now RTM

Discussion in 'other anti-virus software' started by Zyrtec, Jun 23, 2011.

Thread Status:
Not open for further replies.
  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I've been doing rather extensive testing on SEP 12.1 on a daily basis for the past 14 days. The sole purpose of the testing was to infect the test computer to oblivion and beyond using only malware detected in the preceding 18 hours prior to the daily testing. I totally failed.

    I was never a fan of Symantec's zero-day signature base and indeed somewhat over 50% of this malware was undetectable by SEP via a right click scan. But on running these items in no case was any malware able to do any damage. There was one piece of ransomware that was able to suppress Task Manager from opening, but after a reboot SEP detected it and cleaned it up in its entirety.

    Please understand that I am in no way a Symantec fangirl, but I have to give credit where credit is certainly due.
     
    Last edited: Jul 20, 2011
  2. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    I have been very happy with it too. It is NIS 2010 / 2011 without all the extra consumer features.
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Certainly a world of difference from SEP11, where the Proactive Defense module wouldn't even run on Server 2008, which was rather curious since it was an Enterprise Product.
     
  4. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Bad news on SEP. A new crop of ransomware just made its appearance today and trashed the machine. A sandbox function could (and actually did, but no comparisons) have stopped this infection. Inexcusable for a security suite protecting computers with mission critical applications and info.
     
  6. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Cruelsister,

How are you testing SEP? Do you download the malware and run it? Or do you have all these exes in a directory and run them one by one?

How do you have SEP's Download Insight configured? I am curious how your "new" ransomware made it past Download Insight since it's "new", and DI doesn't look too kindly on anything new.
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
Testing is being done according to parameters agreed on in advance with the client:

A total of 5 separate security applications are being tested. One is SEP; another has sandbox functionality.

We are supplied with a production machine: OS, all applications, some dummy data files, emails, etc. are as they would be in actual use. Current SONAR settings are: Aggressive Mode checked, Download Insight at default level 5. A high level of false positives is not an option for the client.

Malware links are culled from the usual sources, likewise malicious exe's. Any exe's are saved and run as they occur. At the end of the testing day any gross failures (such as the ransomware mentioned, and the WhiteSmoke2011 that occurred today) are noted. Other changes are detected by in-house forensics (no offense to MB and HMP).

    One very disturbing thing that was found the other day was a piece of malware that when run spewed off 3 malware files ALL of which were fraudulently digitally signed by a major software company (obviously we are contacting those concerned). SEP detected this one, as did the product with the sandbox (still unbreached, but we are testing for another 2 weeks).
     
  8. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    This Trojan Ransom and its sibling Trojan Ransom/MBR Locker are the nastiest pieces of malware I've ever seen [excluding rootkit TDSS, of course]. Not all AVs detect them and once it's executing it's too late to stop it.

It virtually holds your desktop hostage and, unless you fall for its scam and get your personal information out in the cold and your bank accounts drained, it won't let you do anything.

To make things worse, this nasty malware gets a different MD5 every HALF HOUR !!! Yes, I've been monitoring it at MDL and downloading it every 30 min from the malicious links provided, and every time I get a copy of the .exe and run a utility to determine its MD5 it has changed. Even MBAM missed two copies of it I had.

Although, it looks like you've got to be looking for porn sites to get hit by this thing. From what I've gathered, it mainly "resides" in those shady places.

So I don't much blame SEP 12.1 for missing this thing, at times. Although, cranking up SEP's settings will undoubtedly produce FPs [False Positives]. I increased its default settings on my test machine and it started detecting GMER, Combofix, RogueKiller and TdssKiller on my USB thumb drive as malign applications.

    Go figure



    Carlos
     
  9. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Hi Carlos/CruelSister,

Could you PM me a link to this exe? I'd like to take a look.

    Thanks,

    Shane.
    SONAR Team, Symantec.
     
  10. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Sent already.


    Carlos
     
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Shane- Your wish is my command. An example from a couple of hours ago, the same ransomware with the same results. Forget defs for this thing.

    Carlos- You are certainly correct that the target seems to be pervs hanging around porno sites, but this couldn't stop someone from doing a simple rename and emailing it to our client. Lights out without a sandbox (and I totally agree with you- this thing does Morph! It also totally ignores MB as you have pointed out as well as HMP).

    (seems like Kaspersky and Mcafee are monitoring this one closely)
     
  12. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Thanks CruelSister & Carlos.

I don't have access to SEP 12.1 at the moment so I tested with NIS 2011 which hasn't been updated for the last 2 months (61 day old defs). You should see the same results since SEP 12.1 and NIS now share the same underlying technology. Both of you sent me the amazon one and that one is very interesting, I need to look into that further. The other two that Carlos sent were detected for me on download via Insight.

    1st screenshot shows that the defs are 61 days old.

    2nd screenshot shows detection of the 2nd link

    3rd screenshot shows detection of the 3rd link.

Your testing on the other hand indicates that SEP missed all three, so I am confused by your results. Are you testing with an active internet connection? The reputation and cloud features need that.

    I need to look at the amazon one, that seems very interesting :)

    Thanks for your help.

    Best,

    Shane.
     


    Last edited: Jul 23, 2011
  13. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    FYI, 11.0.7000 RU7 was released
     
  14. zord

    zord Registered Member

    Joined:
    Oct 2, 2009
    Posts:
    47
In the scan task, you can set the level of Insight, but even choosing high (9) does not affect the detectability. So what is it for at all?
     
  15. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
Shane, test it with NIS 2012 or SEP 12.1. I have the same results as Zyrtec and cruelsister. The ransomware runs when I tested it against SEP 12.1 and NIS 2012 beta with an active internet connection.
     
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    A new variant out today. Unlike yesterday's this one will access System32/shutdown.exe in order to load on reboot. Detection very low, so Suite without strong HIPS or some Sandbox function is without defense.

    PM sent to Shane.
     
  17. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54

    Thanks all. There appears to be some difference between the way you guys/gals are testing and I am testing. I just tested again with NIS 2012, build 19.1.0.16, and the threat was detected by Insight. It didn't have a chance to even get to SONAR. Note that older builds of NIS 2012 Beta have a bug where SONAR doesn't work in many cases, so please retest with NIS 19.1.



    I will test with SEP 12.1 tomorrow.
     


  18. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
As you know NIS 2012 has multiple layers of protection. I disabled one of the layers, i.e. Download Insight, to see how SONAR, the behavioral engine, would deal with these threats. SONAR detected and blocked it automatically as well.

    See screenshot. So now I am even more curious what the difference is between our testing methodologies. All I did was download the exe via IE and click Run.
     


  19. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
That is very strange because when I downloaded the ransomware exe, Insight would pop up saying the file is safe. I test on a virtual machine with Win 7 32 bit Enterprise and UAC disabled, with SONAR on aggressive. Everything else default.

    edit: see my 3 attachment screenshots
     


    Last edited: Jul 24, 2011
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    To any following this thread (I've PM'd Shane) my work is solely on SEP 12.1, stock settings save for SONAR in aggressive mode. The results in no way cast any doubt as to the effectiveness of NIS 2012.

    As for SEP 12.1, aside from this problem I've been quite impressed with the accuracy and speed of dealing with all the diverse type of malware that we've tried to smash it with.

ps to Shane- Just saw your post above. I also just downloaded, saved, and double-clicked. The only difference is that instead of IE I am using SeaMonkey (don't ask!).
     
    Last edited: Jul 24, 2011
  21. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Hi syk69,

    Just to clarify, that as I mentioned in my post #37, I am able to repro the False Negative with the ransomware when it originates from amazonaws.com. We are looking into this.

I am not able to repro when the exes originate from other domains. All of the ransomware exes originating from other URLs are blocked by DI.

    Thanks,

    Shane.
     
  22. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Seamonkey :) Are you seeing any Download Insight alerts originating from SeaMonkey ?
     
  23. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
Glad you were able to, so you guys can fix it. Would like to see 2012 and SEP 12.1 as good as NIS 2011 was, and better.
     
  24. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
Maybe someone can help me out... Is SEP supposed to pick up the installed applications for the firewall, or does every one have to be done manually? I have yet to see a pop up for anything connecting out or see any apps in the applications tab; it's empty. For testing this was installed as a standalone unmanaged version. IMO if I have to manually create every rule from scratch that's a pain in the neck.. Thoughts?

edit: Okay, there has to be a better way.... Why no pop up with options to allow or deny? So you have to manually create a rule for EVERYTHING? With all the new stuff added in to SEP you would think there would be the option for a pop up, especially if it's installed as a standalone client..? Maybe an option I'm missing??

edit again: Okay, figured out how to get the pop ups. Issue is I have blocked certain apps and they still are allowed to connect, for instance the active@ updater. I have it set to block but yet it can connect and check to tell me there are no updates o_O REALLY wish it had an easier to configure firewall and I would consider this for my company.

    thanks
     
    Last edited: Jul 25, 2011
  25. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
Guess I should have made clear the purpose of the testing that we are doing. Our client mainly will be utilizing programs that are accessed via the Internet (not Intranet) from diverse worldwide locations, so a function such as Download Insight is of no value. A valid application never seen before by Symantec will be handled in the same way (quarantined) as an actual Zero Day baddie. For our use a function that marks all as bad marks none as bad.

    Thus Seamonkey 2.2 is being used. Download Insight does not function in this (excellent) browser, letting us concentrate on the intrinsic strength of the product under review to prevent malware infection. We don't feel that this is in any way out of line as all of the 5 products we are testing are all Enterprise applications, and furthermore (so far) one has been faultless.

    I hope that no one thinks I'm mean, but a function of great use in a consumer grade product may not be a viable option in many production environments.

    ps- Download Insight works fine when using IE.
     
    Last edited: Jul 25, 2011