Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • September 03, 2015, 04:28:11 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Symantec False positive...  (Read 3605 times)

olaer069

  • Participant
  • Joined in 2006
  • *
  • default avatar
  • Posts: 7
    • View Profile
    • Donate to Member
Symantec False positive...
« on: July 30, 2012, 07:57:29 AM »
Hello there.

After an virusdef update I'm getting reports from Symantec that fsekrit v 1.2 and related files are Backdoor.Graybird.

I saw in an earlier post that the paths reported on this matter was consistent with normal usage. These are clients on a windows domain and CSC is the offline files cache.


c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe
c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe
c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-75fd.exe
C:\WINDOWS\CSC\d1\80001590
C:\WINDOWS\CSC\d1\80001590>>fSekrit.exe
c:\windows\csc\d1\800044d8
c:\windows\csc\d2\80000729
c:\windows\csc\d2\80000729
C:\WINDOWS\CSC\d2\800044D9
C:\WINDOWS\CSC\d2\800044D9>>fSekrit.exe
C:\WINDOWS\CSC\d3\8000072A
C:\WINDOWS\CSC\d3\8000072A>>fSekrit.exe
c:\windows\csc\d3\8000348a
c:\windows\csc\d3\801c02ea
c:\windows\csc\d3\801c02ea
C:\WINDOWS\CSC\d4\8000348B
C:\WINDOWS\CSC\d4\8000348B>>fSekrit.exe
C:\WINDOWS\CSC\d4\801C02EB
C:\WINDOWS\CSC\d4\801C02EB>>fSekrit.exe
c:\windows\csc\d5\80000814
c:\windows\csc\d5\80000814
c:\windows\csc\d6\80000375
c:\windows\csc\d6\80000375
C:\WINDOWS\CSC\d6\80000815
C:\WINDOWS\CSC\d6\80000815>>fSekrit.exe
C:\WINDOWS\CSC\d7\80000376
C:\WINDOWS\CSC\d7\80000376>>fSekrit.exe
c:\windows\csc\d7\80000666
c:\windows\csc\d7\80000666
C:\WINDOWS\CSC\d8\80000667
C:\WINDOWS\CSC\d8\80000667>>fSekrit.exe
c:\windows\csc\d8\8000158f

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,539
    • View Profile
    • Donate to Member
Re: Symantec False positive...
« Reply #1 on: July 30, 2012, 12:07:30 PM »
False positives should be reported to the manufacturer of the AV package, Symantec's false positive page in this case. That's the most reliable way to remove this anomaly from their package.
All assuming you have checked your files not to be contaminated, ofcourse, an on-line scanning service like Jotti's is a good way to have your files checked independently if unsure.

f0dder

  • Moderator
  • Joined in 2005
  • *****
  • Posts: 8,858
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Donate to Member
Re: Symantec False positive...
« Reply #2 on: July 31, 2012, 02:32:34 PM »
I've just had another user report problems with Symantec after their latest update, so you're most likely not suffering from malware. Darned AV companies and their false positives!

I don't know if there's much to do about this, except reporting a false positive and crossing your fingers. You can try running fSekrit in "portable mode" (which means the temporary editor-executable is created in the same folder as the document instead of %temp%), it might reduce the paranoia level of Symantec's heuristics a bit. You activate this mode by creating a file called "fSekrit.portable" in the same folder as the document you want to operate in portable mode.
- carpe noctem

olaer069

  • Participant
  • Joined in 2006
  • *
  • default avatar
  • Posts: 7
    • View Profile
    • Donate to Member
Re: Symantec False positive...
« Reply #3 on: August 01, 2012, 12:52:42 PM »
reported this and got this today:


We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version

olaer069

  • Participant
  • Joined in 2006
  • *
  • default avatar
  • Posts: 7
    • View Profile
    • Donate to Member
Re: Symantec False positive...
« Reply #4 on: August 01, 2012, 01:01:04 PM »
FYI I had the file in "my documents" in my admin profile on a network and the contents was in offline cache on most of the machines. AV lit up as a christmas tree after the virdef update in the middle of the night...

Thats behaviour that could be misinterpreted...


Maybe Symantec had some summer interns working on this ;-) neverthelss, they responded pretty fast and fixed the issue, thats what they are supposed to do. This time they came through.

cheers guys


f0dder

  • Moderator
  • Joined in 2005
  • *****
  • Posts: 8,858
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Donate to Member
Re: Symantec False positive...
« Reply #5 on: August 01, 2012, 01:25:02 PM »
Wow, nice to hear that a false-positive report might actually be taken serious - I hadn't really expected that, especially with small piece of freeware like fSekrit :-O

And yeah, it definitely must have been scary to see all those warning lights go off. I got a "Wtf, that doesn't look good!" from the CSC entries until I saw the "These are clients on a windows domain and CSC is the offline files cache." part of your post, and looked up what the CSC stuff is.

Let us know when the false positive is gone (or if it doesn't disappear after a couple of updates).

PS: you should upgrade your documents to fSekrit 1.4, there's been a couple of fixes since 1.2. The most important one being file save done robustly (save to tempfile, rename/move to destination if successful) - prior to 1.4, your document was saved directly to the destination, which meant you could lose data if the save failed (saving to a network location or external drive that disappeared just at the wrong time... or a pesky AV product blocking write access at the wrong moment).

I really should have received a beating for not doing it properly the first time round :)
- carpe noctem