Author Topic: Symantec False positive...  (Read 12059 times)

olaer069

  • Participant
  • Joined in 2006
  • Posts: 7
Symantec False positive...
« on: July 30, 2012, 07:57 AM »
Hello there.

After a virusdef update I'm getting reports from Symantec that fSekrit v1.2 and related files are Backdoor.Graybird.

I saw in an earlier post that the paths reported on this matter were consistent with normal usage. These are clients on a Windows domain and CSC is the offline files cache.


c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe
c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe
c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-75fd.exe
C:\WINDOWS\CSC\d1\80001590
C:\WINDOWS\CSC\d1\80001590>>fSekrit.exe
c:\windows\csc\d1\800044d8
c:\windows\csc\d2\80000729
c:\windows\csc\d2\80000729
C:\WINDOWS\CSC\d2\800044D9
C:\WINDOWS\CSC\d2\800044D9>>fSekrit.exe
C:\WINDOWS\CSC\d3\8000072A
C:\WINDOWS\CSC\d3\8000072A>>fSekrit.exe
c:\windows\csc\d3\8000348a
c:\windows\csc\d3\801c02ea
c:\windows\csc\d3\801c02ea
C:\WINDOWS\CSC\d4\8000348B
C:\WINDOWS\CSC\d4\8000348B>>fSekrit.exe
C:\WINDOWS\CSC\d4\801C02EB
C:\WINDOWS\CSC\d4\801C02EB>>fSekrit.exe
c:\windows\csc\d5\80000814
c:\windows\csc\d5\80000814
c:\windows\csc\d6\80000375
c:\windows\csc\d6\80000375
C:\WINDOWS\CSC\d6\80000815
C:\WINDOWS\CSC\d6\80000815>>fSekrit.exe
C:\WINDOWS\CSC\d7\80000376
C:\WINDOWS\CSC\d7\80000376>>fSekrit.exe
c:\windows\csc\d7\80000666
c:\windows\csc\d7\80000666
C:\WINDOWS\CSC\d8\80000667
C:\WINDOWS\CSC\d8\80000667>>fSekrit.exe
c:\windows\csc\d8\8000158f
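
A detection list like the one above can be sorted mechanically before deciding whether it matches normal usage. The following is an added example, not code from this thread or from fSekrit: it takes the first ten paths from the post above plus one constructed path, recognises fSekrit's temporary editor executable in the user's %TEMP% and the Offline Files (CSC) record form `C:\WINDOWS\CSC\dN\<hex>`, optionally followed by `>>name` (read here, as an assumption, as the file name the scanner found inside the cache record), deduplicates, and reports whatever is left unexplained. The regexes, bucket names and the constructed path are this example's own assumptions.

```python
import re
from collections import defaultdict

# Offline Files cache record: C:\WINDOWS\CSC\dN\<8 hex digits>, optionally
# followed by ">>name" for the file name found inside the record (assumption:
# this is how the scanner reports the record's original file name).
CSC_RECORD = re.compile(
    r"^c:\\windows\\csc\\d\d+\\([0-9a-f]{8})(?:>>(.+))?$", re.IGNORECASE)

# fSekrit's temporary editor executable in the user's %TEMP%. The "Local
# Settings" folder name is locale dependent ("lokala inställningar" above),
# so that component is matched generically.
TEMP_EDITOR = re.compile(
    r"^c:\\documents and settings\\([^\\]+)\\[^\\]+\\temp\\fsekrit-[0-9a-f]{4}\.exe$",
    re.IGNORECASE)


def classify(path: str):
    """Return (kind, key, detail) for one reported path."""
    m = CSC_RECORD.match(path)
    if m:
        return "csc_record", m.group(1).lower(), (m.group(2) or "").lower()
    m = TEMP_EDITOR.match(path)
    if m:
        return "temp_editor", m.group(1).lower(), path.lower()
    return "other", "", path


def triage(lines):
    """Deduplicate a detection list and bucket it into the expected shapes."""
    temp_editors, users = set(), set()
    csc_records = set()
    names_in_record = defaultdict(set)
    unexplained = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        kind, key, detail = classify(line)
        if kind == "temp_editor":
            temp_editors.add(detail)
            users.add(key)
        elif kind == "csc_record":
            csc_records.add(key)
            if detail:
                names_in_record[key].add(detail)
        else:
            unexplained.append(line)
    return {
        "temp_editors": sorted(temp_editors),
        "users": sorted(users),
        "csc_records": sorted(csc_records),
        "csc_fsekrit_records": sorted(
            rec for rec, names in names_in_record.items() if "fsekrit.exe" in names),
        "unexplained": unexplained,
    }


# Sample input: the first ten paths from the post above, plus one constructed
# path (not from the post) to show the "unexplained" bucket.
SAMPLE_REPORT = [
    r"c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe",
    r"c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-0f8e.exe",
    r"c:\documents and settings\elisabeth\lokala inställningar\temp\fsekrit-75fd.exe",
    r"C:\WINDOWS\CSC\d1\80001590",
    r"C:\WINDOWS\CSC\d1\80001590>>fSekrit.exe",
    r"c:\windows\csc\d1\800044d8",
    r"c:\windows\csc\d2\80000729",
    r"c:\windows\csc\d2\80000729",
    r"C:\WINDOWS\CSC\d2\800044D9",
    r"C:\WINDOWS\CSC\d2\800044D9>>fSekrit.exe",
    r"c:\documents and settings\elisabeth\mina dokument\unknown-tool.exe",  # constructed
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {items}")
```

On the sample this yields two distinct temp editor executables for one user, four distinct cache records of which two carry fSekrit.exe, and one path that matches neither pattern; that last bucket is the one to look at before filing the false-positive report.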

Ath

  • Supporting Member
  • Joined in 2006
  • Posts: 3,612
Re: Symantec False positive...
« Reply #1 on: July 30, 2012, 12:07 PM »
False positives should be reported to the manufacturer of the AV package, Symantec's false positive page in this case. That's the most reliable way to remove this anomaly from their package.
All assuming you have checked your files not to be contaminated, of course; an on-line scanning service like Jotti's is a good way to have your files checked independently if unsure.

f0dder

  • Moderator
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: Symantec False positive...
« Reply #2 on: July 31, 2012, 02:32 PM »
I've just had another user report problems with Symantec after their latest update, so you're most likely not suffering from malware. Darned AV companies and their false positives!

I don't know if there's much to do about this, except reporting a false positive and crossing your fingers. You can try running fSekrit in "portable mode" (which means the temporary editor-executable is created in the same folder as the document instead of %temp%), it might reduce the paranoia level of Symantec's heuristics a bit. You activate this mode by creating a file called "fSekrit.portable" in the same folder as the document you want to operate in portable mode.
- carpe noctem

olaer069

  • Participant
  • Joined in 2006
  • Posts: 7
Re: Symantec False positive...
« Reply #3 on: August 01, 2012, 12:52 PM »
Reported this and got this today:


We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version.

olaer069

  • Participant
  • Joined in 2006
  • Posts: 7
Re: Symantec False positive...
« Reply #4 on: August 01, 2012, 01:01 PM »
FYI I had the file in "My Documents" in my admin profile on a network and the contents were in the offline cache on most of the machines. AV lit up like a Christmas tree after the virdef update in the middle of the night...

That's behaviour that could be misinterpreted...


Maybe Symantec had some summer interns working on this ;-) Nevertheless, they responded pretty fast and fixed the issue; that's what they are supposed to do. This time they came through.

cheers guys


f0dder

  • Moderator
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: Symantec False positive...
« Reply #5 on: August 01, 2012, 01:25 PM »
Wow, nice to hear that a false-positive report might actually be taken seriously - I hadn't really expected that, especially with a small piece of freeware like fSekrit :-O

And yeah, it definitely must have been scary to see all those warning lights go off. I got a "Wtf, that doesn't look good!" from the CSC entries until I saw the "These are clients on a windows domain and CSC is the offline files cache." part of your post, and looked up what the CSC stuff is.

Let us know when the false positive is gone (or if it doesn't disappear after a couple of updates).

PS: you should upgrade your documents to fSekrit 1.4, there's been a couple of fixes since 1.2. The most important one being file save done robustly (save to tempfile, rename/move to destination if successful) - prior to 1.4, your document was saved directly to the destination, which meant you could lose data if the save failed (saving to a network location or external drive that disappeared just at the wrong time... or a pesky AV product blocking write access at the wrong moment).

I really should have received a beating for not doing it properly the first time round :)
- carpe noctem
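
The save strategy f0dder describes for 1.4 (write to a temporary file, then rename or move it over the destination only if the write succeeded) is the standard way to make a save crash-safe. The following is an added example, not fSekrit's own code: it puts the old direct-write shape beside the temp-and-rename shape and runs both against a writer that fails halfway through, as a network share disappearing or an AV product blocking the write would. The document name, the note contents and the failure message are made up for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import BinaryIO, Callable


def direct_save(dest: Path, write_body: Callable[[BinaryIO], None]) -> None:
    """The pre-1.4 shape: open the destination and write straight into it.
    open(..., "wb") truncates first, so a failure mid-write leaves a torn file."""
    with open(dest, "wb") as f:
        write_body(f)


def atomic_save(dest: Path, write_body: Callable[[BinaryIO], None]) -> None:
    """Write to a temp file beside dest, flush it to disk, then rename it over dest."""
    dest = Path(dest)
    # Same directory means same volume, so the final rename is a metadata
    # operation and never copies data; a temp file in %TEMP% could live on
    # another volume, where "rename" degrades to copy-then-delete.
    fd, tmp_name = tempfile.mkstemp(prefix=f".{dest.name}.", suffix=".tmp", dir=dest.parent)
    try:
        with os.fdopen(fd, "wb") as f:
            write_body(f)
            f.flush()
            os.fsync(f.fileno())  # bytes are on disk before the rename makes them visible
        # rename(2) on POSIX, MoveFileEx(MOVEFILE_REPLACE_EXISTING) on Windows:
        # anyone opening dest sees either the old document or the complete new one.
        os.replace(tmp_name, dest)
    except BaseException:
        # Disk full, share vanished, AV blocked the write: dest is untouched,
        # only the partial temp file needs removing.
        try:
            os.unlink(tmp_name)
        except OSError:
            pass
        raise


# Constructed document contents for the demonstration.
ORIGINAL = b"version 1 of the note\n"
NEW = b"version 2 of the note, noticeably longer than the first one\n"


def flaky_writer(f: BinaryIO) -> None:
    """Writes half the document, then fails like a vanished share or a blocked write."""
    f.write(NEW[: len(NEW) // 2])
    f.flush()
    raise OSError("simulated: destination became unwritable mid-save")


def full_writer(f: BinaryIO) -> None:
    f.write(NEW)


def run_demo() -> dict:
    """Run both strategies under the same mid-write failure; return what is left on disk."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        dest = Path(d) / "notes.fsekrit"  # hypothetical document name
        dest.write_bytes(ORIGINAL)
        try:
            direct_save(dest, flaky_writer)
        except OSError:
            pass
        results["direct_after_failure"] = dest.read_bytes()  # torn: first half of NEW

        dest.write_bytes(ORIGINAL)
        try:
            atomic_save(dest, flaky_writer)
        except OSError:
            pass
        results["atomic_after_failure"] = dest.read_bytes()  # still ORIGINAL

        atomic_save(dest, full_writer)
        results["atomic_after_success"] = dest.read_bytes()  # NEW
        results["leftover_files"] = sorted(p.name for p in Path(d).iterdir() if p != dest)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The direct write leaves half of the new document and none of the old one, which is exactly the data loss f0dder describes; the temp-and-rename path leaves the old document intact on failure and leaves no stray temp file behind on success. One caveat the example does not cover: on Windows, os.replace fails if another process (an on-access scanner, for instance) still holds the destination open, so a real save routine should retry the rename briefly before giving up.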