Time for new Virus Definitions

tgbbz

Nov 24, 2003
Hi
I'm writing documentation for my trainee (in German.. :) ) and need some information.

In the security policies (for my project) it must be defined in what time the software dealer publishes new virus signatures.
Can anybody tell me the response time of Symantec?

The case: there's a new virus, unknown by the antivirus.
The only possibility not to get it is to stop the mail services on the server, but how long does it take until Symantec publishes new definitions against the new virus?

Has anybody experience with that topic?

Sorry for my English
German trainee
 
The same amount of time it takes a pencil to hit the floor!

Changes for every virus, based on complexity, perceived risk, etc.

But how you would find out about it before Norton I do not know! And you shut down your server LOL, that's going to be off PERMANENTLY! [lol]

Iain

 
I think
you misunderstood or ...

When there is a security info about a new virus
but no chance for the antivirus program to kill it...
then I want to know:
did anyone ever have an unknown virus, and how long did he have to wait for new definitions...?

Or the case: the antivirus reports a virus in the mail, but it wasn't able to delete or repair or quarantine it.

The only chance then is to shut down the server before infecting other users.
I hope it will not come true, but if, how much time will I have to wait for new definitions? (I know, virus is not virus, .. same complexity)

tx

Sorry for my English
German trainee
 
You can find an update every day on the FTP server from Symantec at the address: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/beta/
Just take the file vdXXXXX.xdb, put it in the SAV folder on your server, stop the Defwatch service and Symantec antivirus server and restart them. All the clients are updated in 2 minutes.
 
Thanks,
but that's what I've known before.

Having actual definitions but getting a virus,
what then?
Will Symantec work fast for removal tools and definitions to kill the new virus?

That's what I want to know.

Or simply: does Symantec security center do its job?? (fast)

I've never had that problem, but here are some more companies.

Sorry for my English
German trainee
 
TGBBZ-

Perhaps we don't fully understand your question. There is a Live Update that may be automated to download the definition files - everyone knows that - and if I recall correctly, that is updated weekly (Tuesdays?). In between Live Updates, the Intelligent Update can be utilized for up-to-the-minute definitions (but not on 64-bit), or the FTP shown above by polharris.

If you are trying to find out how long it takes for the release of definitions to repair items in quarantine, don't hold your breath. In Lab I think I have only witnessed a later update repair a file that was in quarantine twice. Bear in mind that if items are in quarantine such as e-mail attachments, the attachment is in fact the virus / worm (or virm) and will never be 'repaired'.

In the case of virus removal tools such as FxNetski.exe I think I have seen the tool published with the discovery announcement every time.

In a recent lab test we ran SAV CE Server as a fresh install without updates and a Watchguard firewall to prevent outgoing packets; there were 27 attached clients. We released a 'Virm' exploiting the Outlook database and random deletion of various Microsoft Office files and executables (there were 1.7 million files held on the server alone - to give you an idea). Approximately 10 seconds after the release we triggered Live Update. The virus did not manage to end the SAV processes and was contained to a manageable level in about 7 minutes. 3 workstations were damaged but recovered by running the virus removal tool. The server remained operational; however, it required a significant restore - approx 176,000 files were deleted.

I feel that may be a WORST case scenario for the Network Administrator that left his pants down with outdated definitions and was diligent enough to be paying attention to what was happening on his network and recognize the symptoms he was seeing.

Probably more than you wanted to know without answering your question - but hey, it's a slow day here.
David
 