Topic: Symantec False positive...

olaer069 (Participant)
« on: July 30, 2012, 07:57:29 AM »

Hello there.

After a virusdef update I'm getting reports from Symantec that fSekrit v1.2 and related files are Backdoor.Graybird.

I saw in an earlier post that the paths reported on this matter were consistent with normal usage. These are clients on a Windows domain and CSC is the offline files cache.


c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe
c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe
c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-75fd.exe
C:\WINDOWS\CSC\d1\80001590
C:\WINDOWS\CSC\d1\80001590>>fSekrit.exe
c:\windows\csc\d1\800044d8
c:\windows\csc\d2\80000729
c:\windows\csc\d2\80000729
C:\WINDOWS\CSC\d2\800044D9
C:\WINDOWS\CSC\d2\800044D9>>fSekrit.exe
C:\WINDOWS\CSC\d3\8000072A
C:\WINDOWS\CSC\d3\8000072A>>fSekrit.exe
c:\windows\csc\d3\8000348a
c:\windows\csc\d3\801c02ea
c:\windows\csc\d3\801c02ea
C:\WINDOWS\CSC\d4\8000348B
C:\WINDOWS\CSC\d4\8000348B>>fSekrit.exe
C:\WINDOWS\CSC\d4\801C02EB
C:\WINDOWS\CSC\d4\801C02EB>>fSekrit.exe
c:\windows\csc\d5\80000814
c:\windows\csc\d5\80000814
c:\windows\csc\d6\80000375
c:\windows\csc\d6\80000375
C:\WINDOWS\CSC\d6\80000815
C:\WINDOWS\CSC\d6\80000815>>fSekrit.exe
C:\WINDOWS\CSC\d7\80000376
C:\WINDOWS\CSC\d7\80000376>>fSekrit.exe
c:\windows\csc\d7\80000666
c:\windows\csc\d7\80000666
C:\WINDOWS\CSC\d8\80000667
C:\WINDOWS\CSC\d8\80000667>>fSekrit.exe
c:\windows\csc\d8\8000158f
Ath (Supporting Member)
« Reply #1 on: July 30, 2012, 12:07:30 PM »

False positives should be reported to the manufacturer of the AV package, Symantec's false positive page in this case. That's the most reliable way to remove this anomaly from their package.
All assuming you have checked that your files are not contaminated, of course; an on-line scanning service like Jotti's is a good way to have your files checked independently if unsure.
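Before disputing a detection it is worth confirming that every flagged copy is byte-for-byte the binary you expect to have on those machines. The script below is an added example, not code from this thread or from fSekrit: it takes paths the way an AV product reports them, folds the "file>>member" notation back to the on-disk file (an assumption about what that notation means), de-duplicates them, hashes each file with SHA-256 and splits the result into copies that match a trusted reference hash and copies that do not. The reference hash and the sample files built in demo() are constructed stand-ins.

```python
"""Hash-based triage of files an AV product has flagged, done before filing
a false-positive dispute.  Added example; not code from the forum thread or
from fSekrit.  Assumptions: a report line of the form 'file>>member' refers
to an object inside 'file', so 'file' is what exists on disk; the trusted
hash and the sample files built in demo() are constructed stand-ins."""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def on_disk_path(report_line: str) -> str:
    """Reduce a scanner report line to the file that exists on disk, e.g.
    'C:\\WINDOWS\\CSC\\d1\\80001590>>fSekrit.exe' -> 'C:\\WINDOWS\\CSC\\d1\\80001590'."""
    return report_line.split(">>", 1)[0].strip()


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(report_lines, trusted_hashes):
    """Group flagged files by content hash.

    Returns (groups, unmatched, missing):
      groups    - {sha256: [paths]} for every file that could be read
      unmatched - paths whose hash is not in trusted_hashes (sorted)
      missing   - reported paths that no longer exist (quarantined, deleted,
                  or a stale report)
    Files identical to the vendor's release are consistent with a false
    positive; anything in `unmatched` deserves a second opinion from a
    multi-engine scanner before you dispute the detection.
    """
    seen = set()
    groups = defaultdict(list)
    missing = []
    for line in report_lines:
        # normcase folds case on Windows, where reports mix C:\WINDOWS and c:\windows
        path = os.path.normcase(on_disk_path(line))
        if path in seen:
            continue                # same file reported more than once
        seen.add(path)
        if not os.path.isfile(path):
            missing.append(path)
            continue
        groups[sha256_file(path)].append(path)
    unmatched = sorted(p for h, paths in groups.items()
                       if h not in trusted_hashes for p in paths)
    return dict(groups), unmatched, missing


def demo():
    """Constructed sample: two intact copies of a pretend release, one altered
    copy, and one path the scanner already quarantined."""
    d = tempfile.mkdtemp()
    try:
        release = b"stand-in for the fSekrit 1.2 release binary"   # constructed
        cache_a = os.path.join(d, "80001590")
        cache_b = os.path.join(d, "800044D9")
        temp_exe = os.path.join(d, "fsekrit-0f8e.exe")
        for p, data in ((cache_a, release), (cache_b, release),
                        (temp_exe, release + b"\x00tampered")):
            with open(p, "wb") as f:
                f.write(data)
        ref = hashlib.sha256(release).hexdigest()     # the hash you trust
        report = [cache_a + ">>fSekrit.exe", cache_a, cache_b, temp_exe,
                  os.path.join(d, "80000814")]        # last one no longer exists
        groups, unmatched, missing = triage(report, {ref})
        return {
            "distinct_hashes": len(groups),
            "trusted_copies": len(groups[ref]),
            "unmatched": [os.path.basename(p) for p in unmatched],
            "missing": [os.path.basename(p) for p in missing],
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Copies listed under `unmatched` are the ones to upload to a multi-engine scanner; a report consisting entirely of identical, trusted hashes is what a misfiring signature update looks like, as in this thread.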
f0dder (Moderator)
« Reply #2 on: July 31, 2012, 02:32:34 PM »

I've just had another user report problems with Symantec after their latest update, so you're most likely not suffering from malware. Darned AV companies and their false positives!

I don't know if there's much to do about this, except reporting a false positive and crossing your fingers. You can try running fSekrit in "portable mode" (which means the temporary editor-executable is created in the same folder as the document instead of %temp%), it might reduce the paranoia level of Symantec's heuristics a bit. You activate this mode by creating a file called "fSekrit.portable" in the same folder as the document you want to operate in portable mode.
olaer069 (Participant)
« Reply #3 on: August 01, 2012, 12:52:42 PM »
« Reply #3 on: August 01, 2012, 12:52:42 PM »

Reported this and got this today:


We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version.
olaer069 (Participant)
« Reply #4 on: August 01, 2012, 01:01:04 PM »

FYI, I had the file in "my documents" in my admin profile on a network and the contents were in the offline cache on most of the machines. AV lit up like a Christmas tree after the virdef update in the middle of the night...

That's behaviour that could be misinterpreted...


Maybe Symantec had some summer interns working on this ;-) Nevertheless, they responded pretty fast and fixed the issue; that's what they are supposed to do. This time they came through.

cheers guys

f0dder (Moderator)
« Reply #5 on: August 01, 2012, 01:25:02 PM »

Wow, nice to hear that a false-positive report might actually be taken seriously - I hadn't really expected that, especially with a small piece of freeware like fSekrit :-O

And yeah, it definitely must have been scary to see all those warning lights go off. I got a "Wtf, that doesn't look good!" from the CSC entries until I saw the "These are clients on a windows domain and CSC is the offline files cache." part of your post, and looked up what the CSC stuff is.

Let us know when the false positive is gone (or if it doesn't disappear after a couple of updates).

PS: you should upgrade your documents to fSekrit 1.4; there have been a couple of fixes since 1.2. The most important one is that file save is now done robustly (save to a temp file, then rename/move to the destination if successful) - prior to 1.4, your document was saved directly to the destination, which meant you could lose data if the save failed (saving to a network location or external drive that disappeared just at the wrong time... or a pesky AV product blocking write access at the wrong moment).

I really should have received a beating for not doing it properly the first time round :-)
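The save-to-temp-then-rename scheme described in the post above, as an added example that is not fSekrit's code: the old direct-write pattern is shown beside the robust one, and demo() drives both through a simulated mid-write failure (a generator that raises after the first chunk, standing in for a share or drive that vanished). Function names, file names and the sample content are made up.

```python
"""Save-to-temp-then-rename, the scheme the post describes for fSekrit 1.4.
Added example; this is not fSekrit's code and the names are made up.  The
point is the failure mode: if the write fails part-way (share gone, disk
full, AV holding the file), the old document must survive untouched."""
import os
import shutil
import tempfile


def save_directly(dest: str, chunks) -> None:
    """The pre-1.4 pattern: open(dest, 'wb') truncates first, so a failure
    mid-write leaves a short, unreadable document behind."""
    with open(dest, "wb") as f:
        for chunk in chunks:
            f.write(chunk)


def save_atomically(dest: str, chunks) -> None:
    """Either dest ends up holding all of the data, or it is left as it was."""
    dest = os.path.abspath(dest)
    directory = os.path.dirname(dest)
    # The temp file must be in the same directory (same volume) as dest;
    # otherwise the rename becomes copy+delete and is no longer atomic.
    fd, tmp = tempfile.mkstemp(prefix=".save-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                f.write(chunk)
            f.flush()
            os.fsync(f.fileno())     # data is on disk before anything points at it
        # os.replace is an atomic overwrite on POSIX and on NTFS.  On Windows it
        # raises PermissionError if another process (an AV scanner, say) holds
        # dest open without delete-sharing; the old document is still intact.
        os.replace(tmp, dest)
    except BaseException:
        try:
            os.unlink(tmp)           # drop the partial file; dest is untouched
        except OSError:
            pass
        raise
    if os.name == "posix":
        # Make the rename itself durable across a crash or power loss.
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)


def failing_source(first_chunk: bytes):
    """Simulates the drive/share vanishing after part of the data was written."""
    yield first_chunk
    raise OSError("simulated: destination disappeared mid-save")


def demo():
    """Constructed comparison of both strategies under a mid-write failure."""
    d = tempfile.mkdtemp()
    try:
        original = b"original encrypted note"          # constructed sample content
        direct = os.path.join(d, "direct.bin")
        atomic = os.path.join(d, "atomic.bin")
        save_atomically(direct, [original])
        save_atomically(atomic, [original])
        for saver, path in ((save_directly, direct), (save_atomically, atomic)):
            try:
                saver(path, failing_source(b"new "))
            except OSError:
                pass                                   # a real app would report this
        with open(direct, "rb") as f:
            direct_after = f.read()
        with open(atomic, "rb") as f:
            atomic_after = f.read()
        leftovers = [n for n in os.listdir(d) if n.startswith(".save-")]
        return {"direct_after": direct_after, "atomic_after": atomic_after,
                "leftovers": leftovers}
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

After the simulated failure the directly written file holds only the first chunk, while the atomically saved one still holds the original note and no stray temp file is left behind. When the rename is refused because an AV product has the destination open, retrying the rename a few times is the pragmatic answer; the data is already safely in the temp file.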