About the Load Point Analysis scan in Symantec Help
Threat Analysis Scan replaces Load Point Analysis
In SymHelp version 2.1.22 and later, the default options for the Threat Analysis Scan are equivalent to running Load Point Analysis. To learn more about the Threat Analysis Scan, see:
TECH215550: 'About the Threat Analysis Scan'
TECH215519: 'How to run the Threat Analysis Scan in Symantec Help (SymHelp)'
Within each of the various versions of Windows, there are specific locations within the file system and registry that are used to load applications and related files. While these are used by legitimate programs, they are also commonly used as attack vectors for malware such as viruses, trojans, worms, and spyware. Load Point Analysis examines files that launch from these locations in order to narrow down which files are less likely to be legitimate.
In the past, identifying unknown threats on a potentially infected computer involved going through a plain text listing of the files launched from the load points. The thousands of items in that list, with no context, made the task a daunting one for customers and technical support alike. The Load Point Analysis scan in Symantec Help (SymHelp) relieves most of this burden by automatically narrowing down the list to the most likely candidates.
This functionality is intended to supplement standard troubleshooting methods, and is not to be used as a replacement either for troubleshooting or, more importantly, for securing a computer.
Load Point Analysis examines all of the files that start automatically on a computer and assigns a score to them. This score tells you which, if any, of those files should be investigated further in order to determine whether they are malicious.
The score that Load Point Analysis assigns comes from three criteria:
Load Point Analysis also flags any Autorun.inf files as a potential threat, and presents their contents for investigation.
When the analysis is complete, SymHelp presents a report that shows which files warrant further investigation.
Running Load Point Analysis in Symantec Help (SymHelp)
If the Load Point Analysis flags a file with a low score, the first thing to do is a common-sense check of the files in question.
If you are unable to determine the validity of the file, submit the files to Security Response for analysis. For Basic Maintenance, Essential Support, and Business Critical Services customers, contact Technical Support to submit the files.
If the file has a valid signature, then the file is assumed to be valid, and no further analysis is done.
If the file does not have a valid signature, the Support Tool looks up the file in the Reputation Database, to see whether it is known as a valid or a malicious file. The Reputation Database identifies the file by the file location and the SHA256 and MD5 hash values. The files themselves are not transmitted. Only executable and library files, and only those that are referenced by load points, are included in this analysis.
If the Reputation Database recognizes the file, it assigns one of the following scores:
Rank | Score
--- | ---
Symantec Trusted | 300
Good | 200
Unproven | 0
Poor | -150
Untrusted | -300
If the file is not listed in the Reputation Database, it is then compared to the following list of criteria:
This methodology skews the detection rate on the side of caution. This means that the tool will suggest files for further manual investigation that may not be malicious. This is normal and expected behavior. The benefit that the tool provides is that it reduces the number of data points that require manual investigation from thousands to dozens.
The Load Point Analysis does not determine whether files are or are not malicious. When the Load Point Analysis assigns a low score to a file, it is suggesting that further investigation is required.
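The triage flow described above (Autorun.inf flagged outright, a valid signature ending the analysis, otherwise a Reputation Database lookup by location plus SHA256 and MD5, with files unknown to the database left for further review) can be modelled in a few dozen lines. The following is an added example, not Symantec's code or SymHelp's implementation. The load-point entries, file bytes, signature results and reputation database are all constructed; the investigation threshold (scores at or below Unproven) and the extensions treated as executables and libraries are assumptions, since the article names neither.

```python
"""Added example, not Symantec's code: a small model of the Load Point Analysis
triage flow the article describes, run over constructed load-point entries."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Scores exactly as listed in the article's Reputation Database table.
REPUTATION_SCORES = {
    "Symantec Trusted": 300,
    "Good": 200,
    "Unproven": 0,
    "Poor": -150,
    "Untrusted": -300,
}

# Assumption: the article says a "low score" warrants investigation but gives no
# threshold; this example treats anything at or below Unproven (0) as low.
INVESTIGATE_AT_OR_BELOW = 0

# Assumption: "executable and library files" are modelled by these extensions.
EXECUTABLE_EXTENSIONS = (".exe", ".dll")


@dataclass
class LoadPointEntry:
    load_point: str               # where it launches from (constructed key or folder)
    path: str                     # file referenced by the load point (constructed)
    content: bytes                # constructed file bytes, so hashes compute offline
    valid_signature: bool = False # stand-in for a real Authenticode check (constructed)


@dataclass
class Finding:
    path: str
    verdict: str          # "autorun", "out_of_scope", "signed", "reputation", "unknown"
    score: Optional[int]
    investigate: bool
    detail: str = ""


def fingerprint(path: str, content: bytes) -> tuple:
    """Identify a file as the article describes: location plus SHA256 and MD5.
    Only this fingerprint would ever leave the machine, never the file itself."""
    return (path.lower(),
            hashlib.sha256(content).hexdigest(),
            hashlib.md5(content).hexdigest())


def is_autorun_inf(path: str) -> bool:
    return path.lower().rsplit("\\", 1)[-1] == "autorun.inf"


def in_scope(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_EXTENSIONS)


def analyze_entry(entry: LoadPointEntry, reputation_db: dict) -> Finding:
    # 1. Autorun.inf is always flagged and its contents surfaced for review.
    if is_autorun_inf(entry.path):
        return Finding(entry.path, "autorun", None, True,
                       detail=entry.content.decode("utf-8", errors="replace"))
    # 2. Only executables and libraries referenced by load points are scored.
    if not in_scope(entry.path):
        return Finding(entry.path, "out_of_scope", None, False)
    # 3. A valid signature ends the analysis: the file is assumed valid.
    if entry.valid_signature:
        return Finding(entry.path, "signed", None, False, detail="valid signature")
    # 4. Otherwise look the (location, SHA256, MD5) fingerprint up in the database.
    rank = reputation_db.get(fingerprint(entry.path, entry.content))
    if rank is not None:
        score = REPUTATION_SCORES[rank]
        return Finding(entry.path, "reputation", score,
                       score <= INVESTIGATE_AT_OR_BELOW, detail=rank)
    # 5. Unknown to the database: the article applies further criteria it does not
    #    list on this page, so the example simply marks the file for manual review.
    return Finding(entry.path, "unknown", None, True, detail="not in reputation database")


def build_report(entries, reputation_db) -> list:
    """Only the findings that need a human: lowest score first, then unscored items."""
    findings = [analyze_entry(e, reputation_db) for e in entries]
    flagged = [f for f in findings if f.investigate]
    return sorted(flagged, key=lambda f: (f.score is None, f.score or 0, f.path))


# Constructed sample load-point entries; paths, bytes and signature flags are made up.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    LoadPointEntry(RUN_KEY, r"C:\Windows\System32\svchost.exe", b"MZ-signed-sample", True),
    LoadPointEntry(RUN_KEY, r"C:\Users\alice\AppData\Roaming\updater.exe", b"MZ-sample-poor"),
    LoadPointEntry(RUN_KEY, r"C:\Program Files\Vendor\helper.dll", b"MZ-sample-good"),
    LoadPointEntry(RUN_KEY, r"C:\Program Files\Tool\agent.exe", b"MZ-sample-unproven"),
    LoadPointEntry("Startup folder", r"C:\Users\alice\AppData\Local\Temp\svc.exe", b"MZ-sample-unknown"),
    LoadPointEntry("Removable drive root", r"E:\autorun.inf", b"[autorun]\r\nopen=setup.exe\r\n"),
    LoadPointEntry("Startup folder", r"C:\Users\alice\Desktop\notes.txt", b"plain text"),
]

# Constructed reputation database keyed by (location, SHA256, MD5) -> rank.
REPUTATION_DB = {
    fingerprint(SAMPLE_ENTRIES[1].path, SAMPLE_ENTRIES[1].content): "Poor",
    fingerprint(SAMPLE_ENTRIES[2].path, SAMPLE_ENTRIES[2].content): "Good",
    fingerprint(SAMPLE_ENTRIES[3].path, SAMPLE_ENTRIES[3].content): "Unproven",
}

if __name__ == "__main__":
    for f in build_report(SAMPLE_ENTRIES, REPUTATION_DB):
        print(f"{f.path}: {f.verdict} score={f.score} ({f.detail!r})")
```

Run as a script, the report lists only the four entries that need a human: the Poor-ranked updater first, then the Unproven agent, then the file unknown to the database and the Autorun.inf with its contents. The signed system binary and the Good-ranked library are dropped, which is the reduction from "thousands to dozens" the article describes; note that, as the article warns, a low score or an unknown verdict here is a prompt to investigate, not a determination that the file is malicious.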