Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory
How to Handle Suspected Malware  


Background

This document describes how to handle suspected malware that is not detected by current virus definitions. Malware not detected by Anti-virus definitions is commonly referred to as 0-day malware or 0-day viruses. It is important to submit 0-day malware to Anti-virus vendors so they can create a definition capable of detecting the malware. This document outlines ideas for detecting 0-day malware as well as Anti-virus vendor submission procedures.

If you are looking for information on updating Symantec Antivirus definitions, please go here.

How to Identify Suspected Malware

Modern malware is sophisticated and stealthy, and there is no guarantee it can be detected. Once you have identified a suspicious file, the options below can help you determine whether the file is malware.

  • Submit the suspect file to Virustotal

    Virustotal is an online service that scans a submitted file with 32 different Anti-virus vendors' engines. Detection rates and definitions vary widely between vendors, and often a few vendors are ahead of the rest in detecting a given sample. Virustotal lets you leverage the detection capabilities of all of these vendors at once. You can see a screenshot here.
  • Use Symantec rapid release definitions

    If you have Symantec Anti-virus installed, you can use early-release versions of the Anti-virus definitions. Symantec publishes updated definitions to its ftp site well before they are pushed to Symantec clients. To download the Symantec rapid release definitions, visit the Symantec ftp site and download the rapid release definitions. Typically you will want the x86 version.
  • Contact CPP for assistance at cppm@lbl.gov

    CPP has several resources for identifying suspected malware. CPP has a virtual environment where we can run the suspected malware and observe its behavior. CPP also has access to technical experts to assist in identification.

Submitting Malware

The lab uses three Anti-virus vendors, ClamAV, Sophos, and Symantec. ClamAV and Sophos are used at the LBNL mail gateways to protect your mailbox from malware. Symantec is the LBNL desktop Anti-virus solution.

If you come across a piece of malware that is not detected by our Anti-virus vendors, please submit it to them. Once submitted, the vendors create definitions that protect other computers. Below are the malware submission procedures for each of our vendors.

  • Submit to ClamAV

    Submit suspected malware to ClamAV by using the form here.

  • Submit to Sophos

    Submit suspected malware to Sophos by using the form here.

  • Submit to Symantec

    Submit suspected malware to Symantec by using the form here.
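
The triage logic behind the two sections above (compare a multi-engine scan against the lab's three vendors, then decide which vendors need a submission), as an added example that is not part of this page or CPP's own tooling. The scan report format and the sample bytes are constructed for the example; it is not VirusTotal's real report schema.

```python
import hashlib
from dataclasses import dataclass

# The three Anti-virus vendors the lab relies on (named on this page).
LAB_VENDORS = ("ClamAV", "Sophos", "Symantec")

@dataclass
class Triage:
    sha256: str
    detections: int
    engines: int
    detected_by: list
    submit_to: list   # lab vendors that missed the sample

def sha256_of(data: bytes) -> str:
    """Hash the sample once; vendor portals and VirusTotal key submissions by hash."""
    return hashlib.sha256(data).hexdigest()

def triage(sample: bytes, scan_results: dict) -> Triage:
    """scan_results maps engine name -> detection name, or None when that
    engine did not flag the file (constructed format for this example)."""
    detected_by = sorted(e for e, verdict in scan_results.items() if verdict)
    submit_to = [v for v in LAB_VENDORS if not scan_results.get(v)]
    return Triage(sha256_of(sample), len(detected_by), len(scan_results),
                  detected_by, submit_to)

def is_zero_day_candidate(t: Triage) -> bool:
    """Flagged by at least one engine but missed by a lab vendor: submit it.
    A file missed by every engine is a case for CPP's sandbox instead."""
    return t.detections > 0 and bool(t.submit_to)

# Constructed sample bytes and a constructed multi-engine report.
SAMPLE = b"MZ\x90\x00 constructed, not a real executable"
REPORT = {
    "ClamAV": None,
    "Sophos": "Mal/Generic-S",
    "Symantec": None,
    "VendorA": "Trojan.Generic",
    "VendorB": None,
}

if __name__ == "__main__":
    t = triage(SAMPLE, REPORT)
    print(f"{t.sha256}  {t.detections}/{t.engines} engines flagged the file")
    print("submit to:", ", ".join(t.submit_to) or "none needed")
```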

Help/Feedback

If you have questions or comments about this website, please contact the CPP group via email at cppm@lbl.gov.

If you need general computer assistance, please contact the LBNL Help Desk at x4357, help@lbl.gov, or online at http://www.lbl.gov/help
