Is NAV "Scan and Deliver" Fake?

  • Thread starter Chris Shearer Cooper

Chris Shearer Cooper

Norton Anti-Virus 2005 has a feature where you can submit suspected viruses
to them, called "Scan and Deliver". I have recently received some emails
that contained extremely suspicious attachments, and so thought I would
submit them to see if I was right.

However, every time I tried to submit a virus, NAV gives me the same helpful
error message - "Error in creating the Symantec Security Response package".

I tried contacting Symantec tech support, their first response was a generic
one about how NAV doesn't block spam, and how I should contact the Symantec
Store if I was having trouble purchasing the product. Upon further
prodding, they said I could put the suspect file on a floppy and mail it to
them. They never had any interest in figuring out why "Scan and Deliver"
wouldn't work for me. Their tech support guy also had this to say -
"if you are using a current version of Norton AntiVirus and have the most
recent virus definitions, and Norton AntiVirus set to provide maximum
protection does not find anything in your emails, then you can be confident
that those mails are not infected. " which, as I pointed out to them, is not
only blatantly incorrect, but a legally risky thing to be saying.

I spent some time in the Symantec knowledge base, the only relevant articles
said (1) don't send them zipped files (which seems odd) but I tried
unzipping the attachment and sending the EXE within, but got the same
message, and (2) the system may be down "during a virus outbreak or during
emergency maintenance" and to try again later, but I've tried probably 8
times and always got the same error message.

Which got me thinking - they probably don't really need customers to submit
suspected viruses to them, so maybe the whole feature is really just there
to make people _think_ that they have a virus submission function? Maybe it
doesn't work for anyone?

Has anyone out there successfully submitted a suspected virus using the
"Scan and Deliver" system?

Thanks!
Chris

p.s. For the curious, here's why I found the attachment suspicious.
1) Emails sent to an address I only use when posting to newsgroups
2) Emails not sent from anybody I know
3) Contents of email either blank or obvious come-on ("See Paris Hilton
Naked")
4) Attachment is a zipped EXE

Vanguard

Chris Shearer Cooper said:
Norton Anti-Virus 2005 has a feature where you can submit suspected
viruses to them, called "Scan and Deliver". I have recently received
some emails that contained extremely suspicious attachments, and so
thought I would submit them to see if I was right.

However, every time I tried to submit a virus, NAV gives me the same
helpful error message - "Error in creating the Symantec Security
Response package".

I tried contacting Symantec tech support, their first response was a
generic one about how NAV doesn't block spam, and how I should contact
the Symantec Store if I was having trouble purchasing the product.
Upon further prodding, they said I could put the suspect file on a
floppy and mail it to them. They never had any interest in figuring
out why "Scan and Deliver" wouldn't work for me. Their tech support
guy also had this to say -
"if you are using a current version of Norton AntiVirus and have the
most recent virus definitions, and Norton AntiVirus set to provide
maximum protection does not find anything in your emails, then you can
be confident that those mails are not infected. " which, as I pointed
out to them, is not only blatantly incorrect, but a legally risky
thing to be saying.

I spent some time in the Symantec knowledge base, the only relevant
articles said (1) don't send them zipped files (which seems odd) but I
tried unzipping the attachment and sending the EXE within, but got the
same message, and (2) the system may be down "during a virus outbreak
or during emergency maintenance" and to try again later, but I've
tried probably 8 times and always got the same error message.

Which got me thinking - they probably don't really need customers to
submit suspected viruses to them, so maybe the whole feature is really
just there to make people _think_ that they have a virus submission
function? Maybe it doesn't work for anyone?

Has anyone out there successfully submitted a suspected virus using
the "Scan and Deliver" system?

Thanks!
Chris

p.s. For the curious, here's why I found the attachment suspicious.
1) Emails sent to an address I only use when posting to newsgroups
2) Emails not sent from anybody I know
3) Contents of email either blank or obvious come-on ("See Paris
Hilton Naked")
4) Attachment is a zipped EXE


Maybe the virus is interfering with NAV. Did you read their KB article
at http://snipurl.com/g66l to try sending the virus to them via Internet
using their sarcret.exe program? Or follow those instructions to send
it as an e-mail attachment to (e-mail address removed)?

The delivery method for the .exe is suspicious, but that doesn't
necessarily mean a virus infects that attachment (though it is a very good
indicator of such). Maybe it is a trojan instead of a virus. Have you
tried TDS-3 or TrojanHunter against this file (both for the .zip file
and .exe file extracted from it)? Have you tried saving the attachment
(as the non-executable .zip file) and using the various freebie online
virus scanners (TrendMicro, McAfee, Symantec), or submitted the file to
www.kaspersky.com/scanforvirus and www.VirusTotal.com (both as a .zip
and as an .exe file)?

There is always a chance that it is a zero-day virus and no anti-virus
product will detect it. Since it is in an e-mail that you don't want,
from someone you don't know, and contains an executable file (within a
.zip file), then your first line of defense regarding security is YOU.
It is an unimportant e-mail so just delete it permanently from your
local e-mail store. If you want more protection against viruses for
those that are unknown to AV products, get an IPS (intrusion prevention
system) product, like PrevX (the Home edition is free) but it's not for
newbies (or lazy users unwilling or inexperienced with the contents of
the prompts).
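As an added example (not code from the thread, from Symantec, or from any poster), here is a Python script that mechanises the OP's four indicators from the p.s. and Vanguard's advice to handle the attachment as a non-executable .zip: it parses a constructed mail, flags each indicator, and hashes any executable inside the zip in memory, without ever extracting it to disk, so the hash is what gets looked up or submitted to an online scanner. The addresses, come-on phrases and placeholder attachment bytes are assumptions made for the example.

```python
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed values (not from the thread): the address the OP uses only on
# newsgroups, a sender whitelist, and a few come-on phrases.
NEWSGROUP_ONLY_ADDRESS = "chris-usenet@example.invalid"
KNOWN_SENDERS = {"friend@example.invalid"}
COME_ON_PHRASES = ("see paris hilton naked", "you have won", "check this out")
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def build_sample_message(sender, subject, body, attach_exe):
    """Constructed test mail; the 'EXE' is a placeholder string, not a program."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, NEWSGROUP_ONLY_ADDRESS, subject
    if body:
        msg.set_content(body)
    if attach_exe:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("photo.exe", b"MZ placeholder bytes, not a real executable")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="photo.zip")
    return bytes(msg)


def triage(raw):
    """Score the OP's four indicators; hash executables found inside a zip
    in memory so the sample never has to be written out or run."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    flags = {
        "newsgroup_only_recipient": NEWSGROUP_ONLY_ADDRESS in str(msg.get("To", "")),
        "unknown_sender": parseaddr(str(msg.get("From", "")))[1] not in KNOWN_SENDERS,
        "blank_or_come_on": body == "" or any(p in text for p in COME_ON_PHRASES),
        "zipped_exe": False,
    }
    hashes = []
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(EXEC_EXTENSIONS):
                        flags["zipped_exe"] = True
                        digest = hashlib.sha256(zf.read(info)).hexdigest()
                        hashes.append((info.filename, digest))
        except zipfile.BadZipFile:
            flags["zipped_exe"] = True  # claims to be a zip but is not: still suspicious
    score = sum(flags.values())
    return {"flags": flags, "score": score, "member_hashes": hashes,
            "verdict": "quarantine, do not open" if score >= 3 else "review"}
```

The SHA-256 in `member_hashes` is what you would paste into an online scanner's hash lookup before deciding whether a full submission is even needed.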

Adam Piggott

Norton Anti-Virus 2005 has a feature where you can submit suspected viruses
to them, called "Scan and Deliver". I have recently received some emails
that contained extremely suspicious attachments, and so thought I would
submit them to see if I was right.

However, every time I tried to submit a virus, NAV gives me the same helpful
error message - "Error in creating the Symantec Security Response package".

Gotta love them helpful error messages. It could be that your outgoing
email ISP is blocking the submission, but from the error it looks like it
might not even get that far.

Are you running any other anti-virus product? You could try downloading the
EICAR test file from http://www.eicar.org and seeing if you can submit that.

I tried contacting Symantec tech support

You'd be surprised how one stops even considering ringing Symantec after a
few tries :)

Their tech support guy also had this to say -
"if you are using a current version of Norton AntiVirus and have the most
recent virus definitions, and Norton AntiVirus set to provide maximum
protection does not find anything in your emails, then you can be confident
that those mails are not infected. " which, as I pointed out to them, is not
only blatantly incorrect, but a legally risky thing to be saying.

I can confirm the tech support's statement is incorrect. To go further, I
once found two suspicious programs running on a (new) customer's computer
which had NAV 2005 with up-to-date definitions. Not only did NAV not think
they were viruses, I was also told after submitting them to SARC that they
were benign. Two weeks later they were added as some Kasbot variant I think.

You can also try emailing any suspect files to (e-mail address removed) with the
subject: SCAN
...to have them scanned by numerous different anti-virus products or go to
Norman's "sandbox" technology page which gives you an analysis of what a
program does:

http://sandbox.norman.no/live_4.html

Which got me thinking - they probably don't really need customers to submit
suspected viruses to them, so maybe the whole feature is really just there
to make people _think_ that they have a virus submission function? Maybe it
doesn't work for anyone?

I'm using NAV 2002 and submitting a suspect file via the Quarantine does
work. Although it does only allow you to do it once a day which can be
annoying.

Symantec also provide a utility called SACERT.exe which is a stand-alone
program for submitting suspect files. If you can't find a link to download
it on Symantec's site and would like it, let me know by email.

p.s. For the curious, here's why I found the attachment suspicious.
1) Emails sent to an address I only use when posting to newsgroups
2) Emails not sent from anybody I know
3) Contents of email either blank or obvious come-on ("See Paris Hilton
Naked")
4) Attachment is a zipped EXE

You're quite right, although the term "definitely a virus" would be more
pertinent than "suspicious" ;-)

Cheers
--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.

* * Chas

<snip>
| > Their tech support guy also had this to say -
| > "if you are using a current version of Norton AntiVirus and have the most
| > recent virus definitions, and Norton AntiVirus set to provide maximum
| > protection does not find anything in your emails, then you can be confident
| > that those mails are not infected. " which, as I pointed out to them, is not
| > only blatantly incorrect, but a legally risky thing to be saying.
|
| I can confirm the tech support's statement is incorrect. To go further, I
| once found two suspicious programs running on a (new) customer's computer
| which had NAV 2005 with up-to-date definitions. Not only did NAV not think
| they were viruses, I was also told after submitting them to SARC that they
| were benign. Two weeks later they were added as some Kasbot variant I think.

I had similar experiences several times that I submitted files. I got
back a report on one of them and never heard back on the other. Weeks
later, they were added to the definition update.

I suspect that AV companies add definitions for malware that's running
amok and those zoo viruses that they find interesting but are not and
probably will never be in the wild. A large portion of the thousands of
viruses that AV providers claim to protect you from are zoo viruses.

From what I've heard about Symantec and others, they run submitted files
through an automatic scanner that uses heuristics. If nothing pops up
they ignore it.

Chas.

Art

I suspect that AV companies add definitions for malware that's running
amok and those zoo viruses that they find interesting but are not and
probably will never be in the wild. A large portion of they thousands of
viruses that AV providers claim to protect you from are zoo viruses.

You seem to have a couple of false impressions. No wonder, since the
Symantec site has, or at least used to have, an absolutely false
definition of zoo viruses. It says or said that zoo viruses are only
found in laboratories. That's nonsense. Zoo viruses are those that
never make it to the official ITW (In The Wild) list. That's all.
There have been some glaring cases of malware out there causing
problems that never made it to the ITW list. You'd probably even
recognize their names, if I could recall what they were.

Secondly, virus researchers hardly sit in some ivory tower deciding
to provide detection based on samples that are merely "interesting"
to them. Remember that they are under pressure to have their
products test well comparatively and competitively to other products.
There are at least a couple of test agencies (VTC at uni Hamburg and
av-test.org at uni Magdeburg) that use large zoo virus collections in
their tests, as well as ITW. They know damn well that ITW testing
is only a part of the story. The best av scanners do well in zoo
tests, as well they should.

Art

http://home.epix.net/~artnpeg

* * Chas

| On Mon, 11 Jul 2005 08:32:19 -0700, "* * Chas" <[email protected]>
| wrote:
|
| >I suspect that AV companies add definitions for malware that's running
| >amok and those zoo viruses that they find interesting but are not and
| >probably will never be in the wild. A large portion of the thousands of
| >viruses that AV providers claim to protect you from are zoo viruses.
|
| You seem to have a couple of false impressions. No wonder, since the
| Symantec site has, or at least used to have, an absolutely false
| definition of zoo viruses. It says or said that zoo viruses are only
| found in laboratories. That's nonsense. Zoo viruses are those that
| never make it to the official ITW (In The Wild) list. That's all.
<snip>

Correct, good call. I'd read that kind of info at a number of AV
vendor's web sites and seen it discussed in the Compuserve Antivirus
Forum.

| Secondly, virus researchers hardly sit in some ivory tower deciding
| to provide detection based on samples that are merely "interesting"
| to them. Remember that they are under pressure to have their
| products test well comparatively and competitively to other products.
| There are at least a couple of test agencies (VTC at uni Hamburg and
| av-test.org at uni Magdeburg) that use large zoo virus collections in
| their tests, as well as ITW. They know damn well that ITW testing
| is only a part of the story. The best av scanners do well in zoo
| tests, as well they should.
|
| Art
|
| http://home.epix.net/~artnpeg

I'd assumed that AV producers share info through different consortiums
but I haven't kept up on the organizations.

Getting back to the OP point, I too have submitted suspect files to
Symantec, F-Prot and Dr. Solomon on at least 4 occasions. I was told
that they didn't detect any problems with the files only to find out
some time later that definitions were created to detect the malware.

Last year for example, I had a hijacker attack that I was able to stop
but not before it replaced my Notepad.exe file with a file named
Notepad.exe that contained the W32/Sillydl.dl Trojan.

The payload also infected another PC running either NT4 or Win2k, I
don't remember. I submitted this several times to F-Prot and SARC they
came back negative. 2-3 months later there were definitions for this
malware (I kept a "zoo" copy on my sheep dip PC and all of a sudden it
started to be detected).

Thanks for the heads up.

Chas.

Art

Getting back to the OP point, I too have submitted suspect files to
Symantec, F-Prot and Dr. Solomon

That would be NAI/McAfee. NAI purchased The Dr Solomon product
years ago.
on at least 4 occasions. I was told
that they didn't detect any problems with the files only to find out
some time later that definitions were created to detect the malware.

You mean four different malwares? What were their names and types?
Last year for example, I had a hijacker attack that I was able to stop
but not before it replaced my Notepad.exe file with a file named
Notepad.exe that contained the W32/Sillydl.dl Trojan.
The payload also infected another PC running either NT4 or Win2k, I
don't remember. I submitted this several times to F-Prot and SARC they
came back negative. 2-3 months later there were definitions for this
malware (I kept a "zoo" copy on my sheep dip PC and all of a sudden it
started to be detected).

It may have been at a time when downloader Trojans were not
yet being addressed by some vendors. There has to be an explanation
that makes sense. It doesn't make sense that virus analysts actually
goofed, especially four times.

My own experience with McAfee submissions has been excellent.
Even better with Kaspersky. F-prot sometimes did not respond
one way or the other, and I gave up on them. F-prot is slow
in adding detection for Trojans in my experience, and it doesn't
detect many that McAfee and KAV do. But if they weren't about
to add detection, they should have told you so.

I have no experience with SARC submissions, and don't ever
intend to since NAV is way down the list of products I have
any interest in or respect for.

Art

http://home.epix.net/~artnpeg

* * Chas

<snip>
| It may have been at a time when downloader Trojans were not
| yet being addressed by some vendors. There has to be an explanation
| that makes sense. It doesn't make sense that virus analysts actually
| goofed, especially four times.

The W32/Sillydl.dl Trojan was last April or May. The other 3 were over
an 8 or 9 year period so there's no way I could remember much about them.
None of them were earth shattering. I think one I sent to Dr Solomons
was a macro virus. That was close to the end of their run.

| My own experience with McAfee submissions has been excellent.
| Even better with Kaspersky. F-prot sometimes did not respond
| one way or the other, and I gave up on them. F-prot is slow
| in adding detection for Trojans in my experience, and it doesn't
| detect many that McAfee and KAV do. But if they weren't about
| to add detection, they should have told you so.
|
| I have no experience with SARC submissions, and don't ever
| intend to since NAV is way down the list of products I have
| any interest in or respect for.
|
| Art
|
| http://home.epix.net/~artnpeg

I switched the last PC that I had NAV running on over to NOD32 last
fall. I use F-Prot as a backup. I've been very pleased with NOD32. It's
prevented a number of internet malware attacks.

Chas.

Art

I switched the last PC that I had NAV running on over to NOD32 last
fall. I use F-Prot as a backup. I've been very pleased with NOD32. It's
prevented a number of internet malware attacks.

Well, I hope it's been vastly improved over the past couple of years.
When I looked at it, it was absolutely terrible with Trojans, droppers
and zoo detection. Hope to see it included in a good comprehensive
comparative one of these days.

Art

http://home.epix.net/~artnpeg

* * Chas

| On Thu, 14 Jul 2005 18:20:49 -0700, "* * Chas" <[email protected]>
| wrote:
|
| >I switched the last PC that I had NAV running on over to NOD32 last
| >fall. I use F-Prot as a backup. I've been very pleased with NOD32. It's
| >prevented a number of internet malware attacks.
|
| Well, I hope it's been vastly improved over the past couple of years.
| When I looked at it, it was absolutely terrible with Trojans, droppers
| and zoo detection. Hope to see it included in a good comprehensive
| comparative one of these days.

I tried NOD32 a few years ago and wasn't impressed with it then. I tried
it again last fall and so far I bought 4 copies and I'm very pleased
with it.

Chas.