According to the security company's own DeepSight sensor network, scanning activity on TCP port 2967 is up. That scanning, said Symantec, is thought to originate with what it calls the "Sagevo" worm, also known as "Big Yellow."
The number of IP addresses associated with port 2967 scanning has fallen off 80% since late last week, Weafer said.
Friday, eEye Digital Security issued a warning that a new worm was on the loose, attacking enterprise systems that hadn't been patched against flaws first revealed in May in Symantec AntiVirus and Symantec Client Security, two of the vendor's business security products. The vulnerabilities were patched in June.
"We have received only three submissions [of Sagevo] from customers," said Weafer. "It's just not significant."
Sagevo/Big Yellow is the second threat to exploit the patched flaws in AntiVirus and Client Security. The first, "Spybot.acyr," began circulating Nov. 28. "We saw the same kind of peak two weeks ago with Spybot, but that quickly died down," Weafer says, because it ran out of possible targets.
"Product updates are made available to enterprises," says Weafer in answer to criticisms last week by eEye's chief technology officer Marc Maiffret, who said too many software developers don't take patching seriously. "But we have to give the control to them." Pushing patches on businesses is the wrong approach, Weafer says.
Instead, Symantec relies on e-mailed alerts, along with the corporate-only portal that the company maintains, to inform business customers of its software updates. The scheme seems to work. When Symantec touched base with its larger enterprise customers to verify that they had deployed the June patches for AntiVirus and Client Security, most had, Weafer said.
"But," admits Weafer, "there are pockets [of unprotected systems]."