OT: Strange experience with Symantec Endpoint Protection and its deficient virus detection
Tuesday, June 26, 2012, 06:30 PM
Posted by Administrator
Recently I was desperately looking for a way to resurrect my Turbo Delphi Explorer installation. A long time ago I received a message from Borland with a key for it, and that worked perfectly. After my Thunderbird archive was no longer readable (from a DVD-R), I thought it should be no problem to get a key again, but there is no chance of getting it from Embarcadero anymore (they want to sell a $200 XE2 Starter version now - too expensive for a hobbyist programmer).
So I used Google to find an alternative solution and I found a patch program from a cracker group, "FFF". My Symantec Antivirus immediately reported this as a "Trojan" malware program (this is definitely not the case, it's a false alarm - it changes only one file, BDE.EXE).
I took a hex editor and looked into it, and I recognized that the file was PECompact 2 packed.
So I unpacked it and uploaded it to Virustotal.com.
At that time it was no longer recognized as malware by most of the antivirus solutions; Symantec AV didn't find malware anymore either.
This happened 2 months ago. Today I tried to copy this unpacked file again, and Symantec AV recognized it again as malware. So I looked into the file itself again, and I altered the string "PEC2", which was left over from my last unpacking attempt.
Guess what happened. Symantec AV immediately says nothing anymore (= it's clean).
So the bottom line of it: Symantec's pattern search mechanism is implemented in a really rudimentary way; they look only for "PEC2" and that seems to be enough for them to detect an "exepacked" program???
That's a reason why I do NOT recommend Symantec and their antivirus solution at this moment...
If you're interested in working exepacker detection, just take a look here.
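To show the difference between a marker-string check like the one observed above and a structural packer heuristic, here is an added example (not code from this post or from the linked detector). It builds two hypothetical minimal PE32 images in memory: a "packed" one whose entry section is near-random and writable+executable but contains no "PEC2" string, and a plain one with ordinary code that merely carries "PEC2" in a data section; the marker check gets both wrong, the structural check gets both right. The 7.0 bits/byte entropy threshold and the fixture layout are assumptions for the demonstration.

```python
import math, random, struct
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte; packed or encrypted code sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def build_pe(sections, entry_rva):
    """Hypothetical minimal PE32 image (DOS stub, COFF, optional header, sections), 0x200 aligned."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0).ljust(0xE0, b"\0")
    hdrs, body = b"", b""
    for name, rva, data, flags in sections:                                # flags = Characteristics
        raw_size = -(-len(data) // 0x200) * 0x200
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw_size,
                            0x200 + len(body), 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + body

def sections_of(pe):
    """Return (entry_rva, [(name, rva, virtual_size, flags, raw_bytes), ...])."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    entry, = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)             # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = e_lfanew + 24 + opt_size + 40 * i
        name, vsize, rva, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        secs.append((name.rstrip(b"\0"), rva, vsize, flags, pe[rptr:rptr + rsize]))
    return entry, secs

def naive_signature(pe):
    return b"PEC2" in pe   # what the post observed: the verdict hinges on one leftover marker string

def heuristic_packed(pe, threshold=7.0):
    """Flag the image if its entry point lands in a near-random or writable+executable section."""
    entry, secs = sections_of(pe)
    for _name, rva, vsize, flags, raw in secs:
        if rva <= entry < rva + max(vsize, len(raw)):
            wx = bool(flags & 0x80000000) and bool(flags & 0x20000000)   # IMAGE_SCN_MEM_WRITE + _EXECUTE
            return wx or entropy(raw) > threshold
    return True  # entry point outside every section is suspicious in itself

# Constructed fixtures: a "packed" image with no PEC2 string, and a plain one that contains it.
PACKED = build_pe([(b".text", 0x1000, random.Random(1).getrandbits(8 * 4096).to_bytes(4096, "little"),
                    0xE0000020)], 0x1000)
CLEAN = build_pe([(b".text", 0x1000, bytes(range(16)) * 256, 0x60000020),
                  (b".rdata", 0x2000, b"string table that happens to contain PEC2", 0x40000040)], 0x1000)
```

On real samples, replace the fixtures with `open(path, "rb").read()`; the parser only needs a well-formed PE header, not a loadable image.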
P.S.: And btw., does Symantec also analyze all the results from Virustotal.com??