Symantec False positive...

olaer069:
Hello there.

After a virusdef update I'm getting reports from Symantec that fsekrit v 1.2 and related files are Backdoor.Graybird.

I saw in an earlier post that the paths reported on this matter were consistent with normal usage. These are clients on a Windows domain and CSC is the offline files cache.


c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe
c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe
c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-75fd.exe
C:\WINDOWS\CSC\d1\80001590
C:\WINDOWS\CSC\d1\80001590>>fSekrit.exe
c:\windows\csc\d1\800044d8
c:\windows\csc\d2\80000729
c:\windows\csc\d2\80000729
C:\WINDOWS\CSC\d2\800044D9
C:\WINDOWS\CSC\d2\800044D9>>fSekrit.exe
C:\WINDOWS\CSC\d3\8000072A
C:\WINDOWS\CSC\d3\8000072A>>fSekrit.exe
c:\windows\csc\d3\8000348a
c:\windows\csc\d3\801c02ea
c:\windows\csc\d3\801c02ea
C:\WINDOWS\CSC\d4\8000348B
C:\WINDOWS\CSC\d4\8000348B>>fSekrit.exe
C:\WINDOWS\CSC\d4\801C02EB
C:\WINDOWS\CSC\d4\801C02EB>>fSekrit.exe
c:\windows\csc\d5\80000814
c:\windows\csc\d5\80000814
c:\windows\csc\d6\80000375
c:\windows\csc\d6\80000375
C:\WINDOWS\CSC\d6\80000815
C:\WINDOWS\CSC\d6\80000815>>fSekrit.exe
C:\WINDOWS\CSC\d7\80000376
C:\WINDOWS\CSC\d7\80000376>>fSekrit.exe
c:\windows\csc\d7\80000666
c:\windows\csc\d7\80000666
C:\WINDOWS\CSC\d8\80000667
C:\WINDOWS\CSC\d8\80000667>>fSekrit.exe
c:\windows\csc\d8\8000158f

Ath:
False positives should be reported to the manufacturer of the AV package, Symantec's false positive page in this case. That's the most reliable way to remove this anomaly from their package.
All assuming you have checked your files not to be contaminated, of course; an on-line scanning service like Jotti's is a good way to have your files checked independently if unsure.

f0dder:
I've just had another user report problems with Symantec after their latest update, so you're most likely not suffering from malware. Darned AV companies and their false positives!

I don't know if there's much to do about this, except reporting a false positive and crossing your fingers. You can try running fSekrit in "portable mode" (which means the temporary editor-executable is created in the same folder as the document instead of %temp%), it might reduce the paranoia level of Symantec's heuristics a bit. You activate this mode by creating a file called "fSekrit.portable" in the same folder as the document you want to operate in portable mode.

olaer069:
Reported this and got this today:


We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version.

olaer069:
FYI, I had the file in "my documents" in my admin profile on a network and the contents were in offline cache on most of the machines. AV lit up like a Christmas tree after the virdef update in the middle of the night...

That's behaviour that could be misinterpreted...

Maybe Symantec had some summer interns working on this ;-) Nevertheless, they responded pretty fast and fixed the issue; that's what they are supposed to do. This time they came through.

Cheers, guys
