Friday, 29 Jan 2010
False positives in Symantec Endpoint Security
The other day I started noticing that our SEP clients were saying that install_flash_player.exe was a Trojan Horse. I got a lot of alerts like the one below:
At least one security risk found:
Risk name: Trojan Horse
File path: C:\Documents and Settings\username\My Documents\Downloads\install_flash_player.exe
Event time: 2010-01-28 09:35:13 GMT
Database insert time: 2010-01-28 15:25:05 GMT
User: SYSTEM
Computer: XXXXXXXXXX
IP Address: 0.0.0.0
Domain: system
Server: XXXXXXXXXX
Client Group: My Company\XXXX
Action taken on risk: Quarantined
We found this thread on Symantec's forum:
And this on Internet Storm Center:
To eliminate this issue you need to update your virus definitions to 1/28/2010 rev. 20 or later; that takes care of the false positive detection.
Unfortunately, today I started seeing Spotify.exe get caught on our UK machines. Spotify is a music service in the UK. The file name and location, and the fact that 3 machines sent an alert all at once, make me think this might be another false positive, so now we need to open a ticket with Symantec and work with our UK folks to find out. For anyone running SEP, I strongly encourage you to enable Single Risk Event emails and read them. That's how I caught the Flash issue, and now the possible Spotify issue.
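As an added example (not code from the original post), here is the "several machines at once" heuristic described above in script form: it parses alerts in the field layout of the quoted SEP email and flags any file name quarantined on several distinct computers within a short window. The sample records and the UKWS hostnames are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the field layout of the SEP alert quoted above (hostnames hypothetical).
SAMPLE_EVENTS = """\
File path: C:\\Documents and Settings\\alice\\My Documents\\Downloads\\install_flash_player.exe
Event time: 2010-01-28 09:35:13 GMT
Computer: UKWS01

File path: C:\\Documents and Settings\\bob\\My Documents\\Downloads\\install_flash_player.exe
Event time: 2010-01-28 09:36:40 GMT
Computer: UKWS02

File path: C:\\Program Files\\Spotify\\spotify.exe
Event time: 2010-01-29 08:02:11 GMT
Computer: UKWS03

File path: C:\\Documents and Settings\\carol\\My Documents\\Downloads\\install_flash_player.exe
Event time: 2010-01-28 09:37:05 GMT
Computer: UKWS03
"""

def parse_events(text):
    """Split blank-line-separated 'Key: value' records (one per alert email) into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        fields["Event time"] = datetime.strptime(fields["Event time"], "%Y-%m-%d %H:%M:%S GMT")
        events.append(fields)
    return events

def burst_candidates(events, min_hosts=3, window=timedelta(minutes=10)):
    """Map file name -> hosts when the same executable is hit on >= min_hosts
    distinct computers inside `window`: the burst pattern the post treats as a
    likely definition false positive to raise with the vendor."""
    by_name = defaultdict(list)
    for e in events:
        by_name[e["File path"].rsplit("\\", 1)[-1].lower()].append((e["Event time"], e["Computer"]))
    flagged = {}
    for name, hits in by_name.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {host for t, host in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[name] = sorted(hosts)
                break
    return flagged
```

A single hit (the spotify.exe record) is not flagged; only the Flash installer, seen on three hosts within two minutes, comes back as a candidate.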
Update on Friday, January 29, 2010 at 12:50PM by Joshua Levitsky
It appears that the latest virus definitions that address the Flash false positive also address the Spotify false positive, so all is well in antivirus land now.
tagged Endpoint Security, False Positive, SEP, Symantec, Virus in Software, Work