Symantec Confirms Hackers Accessed Source Code of Two Enterprise Security Products

On Thursday evening, SecurityWeek and other news outlets reported on news that hackers claimed to have accessed the source code to an unspecified version of Symantec’s Norton Antivirus product. It turns out that the hackers did get their hands on some code, but their claims are off a bit.

Norton is a consumer-focused product, and Symantec has confirmed that, from what it has seen thus far, the code accessed by the attackers was from its Enterprise product line.

Symantec confirmed with SecurityWeek early Friday morning that the products in question are Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, so this incident did NOT involve its consumer products, which are “Norton” branded.

While many would expect the “FUD” factor to kick in, it’s important to realize a few facts. Symantec updates its products on a “.1 basis”, and its Endpoint Protection product is now at version 12.0 and 12.1. According to a Symantec spokesperson, “SEP 11 was four years ago to be exact.”

In addition, Symantec Antivirus 10.2 has been discontinued, though the company continues to service it.

“We’re taking this extremely seriously and are erring on the side of caution to develop a long-range plan to take care of customers still using those products,” Cris Paden, Senior Manager of Corporate Communications at Symantec, told SecurityWeek.

“It’s also important to bear in mind that this is not a virus or false positive. The products are not broken. They perform just fine and work just fine.”

Unlike the RSA breach, in which hackers penetrated the company’s networks to steal confidential data and intellectual property, Symantec confirmed that its own systems had not been breached. “Symantec’s own network was not breached, but rather that of a third party entity,” the company said in a statement.

The hacker group believed to be responsible operates under the name Dharmaraja, and claims it found the data after compromising Indian military intelligence servers.

“We are still gathering information on the details and are not in a position to provide specifics on the third party involved,” the company said. “Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time. Symantec is working to develop a remediation process to ensure long-term protection for our customers’ information,” the company said in a statement. “We will communicate that process once the steps have been finalized. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

Rob Rachwald, Director of Security Strategy at Imperva, shared some comforting advice when news of the possible source code exposure was announced. “If the rumors turn out to be true, the implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night, and certainly not their customers,” he said. “After all, there isn’t much hackers can learn from the code which they hadn’t known before.” Why? “Most of the anti-virus product is based on attack signatures,” he said. “By basing defenses on signatures, malware authors continuously write malware to evade signature detection.”

“The workings of most of the anti-virus’ algorithms have also been studied already by hackers in order to write the malware that defeats them,” Rachwald added.

Symantec also highlighted that it distributed 10 million new signatures to respond to new threats in 2010 alone. The code in question is four and five years old and has evolved and changed significantly over the years.

More information from Symantec is expected Friday afternoon.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
