
Symantec AntiVirus risk types: Risk Type = -1 meanings in Exported Risk log


Article ID: 151331


Products

Endpoint Protection

Issue/Introduction

What do the different "risk types" mean?

Symptoms
Symantec defines clearly what constitutes a threat. However, Symantec may not immediately categorize items that are undefined or that pose no imminent security threat.


Resolution

The Virus Category field in the Reporting server database schema contains the following items:

Category   Category_Desc
0          Viral
1          Non-Viral malicious
2          Malicious
3          Heuristic
5          Hack tool
6          Spyware
7          Trackware
8          Dialer
9          Remote access
10         Adware
11         Jokeware
12         Client compliancy
13         Generic load point

Hence, for items that do not fall into any of the categories above, Symantec marks the risk type as "NULL" in the database, which appears as "-1" in the exported risk log.



Technical Information
In the Reporting server file \export\export_events.php we see the following code, which demonstrates the above.



# Type2 of the virus table can be NULL for non-viral threats; sav_query returns 0 for NULL values.
# Select -1 for a NULL value instead, so that 0 (category "Viral") is not applied to the virus type.
$query2 = "select Type2=-1 from virus where type2 is NULL and virusname_idx = '$Virusname_Idx'";
$result2 = sav_query ($query2, $conn_id);
if ($zeile2 = sav_fetch_array($result2)) {
    # Only matches when Type2 is NULL; $VType2 then becomes -1 for the export.
    $VType2 = $zeile2["Type2"];
}

One detection that is known to fall into this category is "BosonGetPass." See URL: http://www.symantec.com/security_response/writeup.jsp?docid=2006-080415-1730-99
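The following Python script is an added example, not code from this article or from Symantec. It applies the category table above to the Risk Type column of an exported risk log and reproduces the NULL-to-minus-one rule from export_events.php, so that an uncategorized detection is reported separately rather than being misread as category 0 ("Viral"). The column names, the CSV layout and the sample rows are constructed assumptions; the category numbers and descriptions are taken from the article (category 4 is absent from the article's table and is therefore left unmapped).

```python
"""Decode the Risk Type value of an exported Symantec risk log.

Added example; not code from the article or from Symantec. The category
table is taken from the article; the sample rows, the column names and the
CSV layout are constructed assumptions.
"""
import csv
import io
from collections import Counter
from typing import Optional

# Category -> Category_Desc, as listed in the Reporting server DB schema (article).
# Category 4 does not appear in the article's table, so it is not mapped here.
VIRUS_CATEGORY = {
    0: "Viral",
    1: "Non-Viral malicious",
    2: "Malicious",
    3: "Heuristic",
    5: "Hack tool",
    6: "Spyware",
    7: "Trackware",
    8: "Dialer",
    9: "Remote access",
    10: "Adware",
    11: "Jokeware",
    12: "Client compliancy",
    13: "Generic load point",
}

UNCATEGORIZED = -1  # value the export substitutes for a NULL Type2


def normalize_type2(raw: Optional[str]) -> int:
    """Mirror export_events.php: a NULL (or empty) Type2 becomes -1.

    The DB layer would return 0 for NULL, which collides with category 0
    ('Viral'); mapping NULL to -1 keeps 'no category' distinct from 'Viral'.
    """
    if raw is None:
        return UNCATEGORIZED
    text = raw.strip()
    if text == "" or text.upper() == "NULL":
        return UNCATEGORIZED
    return int(text)


def describe_risk_type(code: int) -> str:
    """Human-readable description for a normalized Risk Type value."""
    if code == UNCATEGORIZED:
        return "Uncategorized (Type2 NULL, exported as -1)"
    return VIRUS_CATEGORY.get(code, f"Unknown category {code}")


def misread_if_zero_default(raw: Optional[str]) -> str:
    """What a reader sees if NULL is left as the DB layer's 0: it looks 'Viral'."""
    code = 0 if raw is None or raw.strip() in ("", "NULL", "null") else int(raw)
    return VIRUS_CATEGORY.get(code, f"Unknown category {code}")


# Constructed sample export rows (not real log data). BosonGetPass is the
# detection the article names as falling into the uncategorized (-1) case.
SAMPLE_EXPORT = """\
Virusname,Type2
W32.Sample.Worm,0
Adware.Sample,10
Hacktool.Sample,5
BosonGetPass,NULL
Sample.Tracker,7
Unknown.Sample,
"""


def summarize_export(text: str) -> dict:
    """Return {description: count} for the Type2 column of an exported log."""
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        counts[describe_risk_type(normalize_type2(row.get("Type2")))] += 1
    return dict(counts)


if __name__ == "__main__":
    for desc, n in sorted(summarize_export(SAMPLE_EXPORT).items()):
        print(f"{n:3d}  {desc}")
    print("NULL with a 0 default would read as:", misread_if_zero_default("NULL"))
```

Run the script to get a per-category count of the sample export; the two rows with an empty or NULL Type2 are reported as uncategorized, whereas a naive 0 default would count them as "Viral". The same normalization can be applied to a real export once its actual column name for the risk type is substituted.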