Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Bloodhound.Exploit.459 - false positive

Created: 08 May 2012 • Updated: 21 May 2012 | 163 comments
This issue has been solved. See solution.

Hi all,

does anyone else experience an increase in Bloodhound.Exploit.459 reporting throughout your networks?

As of tody, those errors start to popup when the Client-Computers open .xls-Files. Seems to be some sort of Exploit in a program is triggered when the file is read. Unfortunately there is no further explanation on the Symantec websites regarding this exploit, so I do not know what Exploit is triggered. I hope someone here can point me to a solution :-)

Regards

Stephan

Comments 163 CommentsJump to latest comment

jrudbecka's picture

Yes, we also see these FP, xls. file coming from mails.

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: XxXxX.xls
Location: Mail System
Computer: XxXxX
User: XxXxXX
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: 8. maj 2012  14:09:42

computrdood's picture

Confirmed.  We are having the same issue.  It does seem to be affecting XLS files only at this point.  Unfortunately I have not received a call back from Symantec as of yet.  We have not yet come across any specific threat in any of the files, and have not ruled out that it may be a false positive detection. 

Symantec, we sure could use an answer on this one....

SMKT's picture

Here too, triggered by a .xls file in Outlook.  Action Taked was "Left Alone" and log shows an exception was generated.

DKDK's picture

We are seeing this as well on .XLS files. We have scanned several of them with multiple online scanners and all report the files are clean. I'm certain these are false positives.

Mick2009's picture

Many thanks for opening this thread, Stephan-  We are looking into this matter now.

There is no need to contact Technical Support for this issue at the present time.

I will update this thread when there is more information available.

With thanks and best regards,

Mick

BenjaminBvalani's picture

Good Day Mick,

I am having the same issue an influx of these xls files alerts on some of my Endpoints, you help will be of great assistance,

Kindest Regards

Benjamin.

jrudbecka's picture

I'm in the wait for a technitican, it there any of you which have talked with Symantec about it?

scoraymo's picture

Have the same issue here. Left alone /Auto-Protect..

Joebishop's picture

Hopefully symantec comes up with a solution pretty quick.

harry89359's picture

i am getting the same problem just with excel files.

ihaver's picture

The same with files inside Notes, and annoying information about unsuccessfull quarantine in almost every email.

Enthernal's picture

We're having the same here, only excel files so far and the action is 'left alone'.

On a side note, only one part of our network has this problem, the other seems to be fine. On the part that's fine people aren't allowed to preview documents in outlook, the part where we get the reports they are.

Zinc666's picture

Yes, we're seeing this too.  Any time someone previews an Excel worksheet from within Outlook we're getting the 'Bloodhound.Exploit.459' SEP pop-up.  Opening the files outside of Outlook doesn't cause any problems and both a manual scan from SEP and other online scanners says the file is clean.

wendtcorp's picture

Same symptoms as everyone else. .XLS files inside emails are being flagged as Bloodhound.Exploit.459 . Quarantine fails. The files will open fine when you save them to local disk and open. 

We use:

Exchange 2008
Office 2010
Symantec Endpoint Protection 12

SE's picture

We are experiencing the same thing.  Outlook and xls files but nothing quarantined and everything comes up clean.

Chris Taylor-NES's picture

Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected

This is the message we are getting.  Hopefully Symantec does something soon

Mithun Sanghavi's picture

Hello All,

I agree with Mick. "Thumbs Up" to him.

Symantec Security Response Team is looking into this and we would update this Thread as soon as there is an update on this Issue.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Hubo Admins's picture

Exactly the same issue here. Only .xls files appear to be affected (no .xlsx). Event action Virus Found (Left Alone).

AmOr1984v0.1's picture

Hello All,

Here the same problems, the same "exploit" from different email/xls

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: *.xls
Location: Mail System
Computer: *
User: *
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: 08 май 2012 г.  15:59:59 ч.

....maybe a problem with the new  definitions ??

Waiting for answer... !

PrimeInc's picture

We're seeing this too.   It looks like Symante for Exchange is actually removing the attachments.  That's not good.

Big Show's picture

Although, here it doesn't seem to be triggered when I send .xlsx files.  Its only the .xls.  Can someone with excel 2k confirm?

Jason Andrew Smith's picture

we are running SEP 12.1 RU1 and are having Bloodhound.Exploit.459 being identified in XLS documents via Outlook 2010.

was this a bad definition update? when can we expect an update.

thank you, have an awesome Tuesday all.

heldstma's picture

We are seeing this false-positive as well.  SEP12.1 RU1.

aerospacemango's picture

This was brought to my attention, and couldn't find anything on it...the Hey presto!

This is just from opening from Outlook, at far as I can see.

Hyperama's picture

just had symantec on phone to me and confirmed they are aware of this and they are working on it for the fix globally, it seems the latest defination file they sent out might have got some issue. 

I will get an update on phone or email about the same asap.

keep you posted

bexterd14's picture

thanks for the info...will stay tuned.  It is bouncing all over the place here. Started around 10:ish...and seems to be spreading.

Medisys IT's picture

We are getting the same false positive messages as well since this morning, however users are still able to open .xls attatchments within outlook.

SymEndUser's picture

Unable to find anything wrong with the file, only when pulling it out of outlook does Symantec alert. After it has been moved out of Outlook manual scans return nothing. Although it looks like this is an experimental

Risk Type
Bloodhound.Exploit.459
Experimental heuristics

Action Source
Left alone
Auto-Protect

amazingme's picture

Lots of complaints today on this bloodhound issue. For starters I lowered the level of detection and emailed the plaintifs that it is a fals positive

ACL-Fred's picture

It started with update version R38 . Workstations with R22 have no problems.

We use SEP 12.1

Costarican's picture

Don't think for a minute that the problem is limited to .xls files, Yes, while most are .xls I have one reported on a .ppt...so keep your eyes open while we wait for Symantec to provide us with something

SecurityMike's picture

I have confirmed that with us all the alerts are with .xls files.  Also...I just created a brand new .xls file with just the words test file in a cell and as soon as I emailed it the alert was generated.  It seems to be related to emails as well as just opening the blank file didn't cause the problem.

SecurityMike's picture

The same TEST.xls file is not found as a threat when scanned or opened directly.  It is only found as a threat when sent via email.

Michalis Georgas's picture

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: xxx.xls
Location: Mail System
Computer: xxx
User: xxx
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: Tuesday, May 08, 2012  3:59:22 PM

techkat's picture

Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected

on Excel files attached within Outlook --beginning this morning.

pandher's picture

Hi, we faced the same 1 hour back and it is spreading like crazy. I am on call with a Symantec specialist on the phone.

efesefeldt's picture

Risk name: Bloodhound.Exploit.459
File path: Bookstore.xls
Event time: May 8, 2012 7:59:12 AM

Any updates yet?

pandher's picture
Security risk detected: Bloodhound.Exploit.459
 
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
 
File status: InfectedSymantec Endpoint Protection found a security risk in an attachment from XXXXXXX
pandher's picture
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: Overlapping Employee Data_VENKAT.xls
Location: Mail System
Computer: XXXXX
User: XXXX
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: Tuesday, May 08, 2012  7:01:40 PM
shortguy04's picture

We're having the same issue. I've called Symantec as well and am waiting on a tech to call back.

Simpson Homer's picture

The False positive would be gone as soon as the issue gets resolved by Symantec. Kindly Do not Panic.

Jason Andrew Smith's picture

"The False positive would be gone as soon as the issue gets resolved by Symantec"

This is like telling us the bleeding will stop once its healed. How about a little more information regarding ETA? Resources? Workarounds?

I've disabled Microsoft Outlook AutoProtect for the time being to see if we can get a functional workaround while Symantec sends out notices telling us the issue will be gone as soon as they fix it.

ThilmanyJim's picture

Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected
Attachment: COAL 5-4.XLW
Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected

InfoSecMerc's picture

Does Symantec have an ETA of when this fix will be pushed out?

Welsh's picture

Will the fix be pushed or will we have to manualy retreive it/them???

nm2lkoeln's picture

Same issue here.

Bloodhound.Exploit.459 message on 6 computers until now.

noamsan's picture

would just be nice to be informed within the console or the security response site that there is a problem with false positives. Have been wasting much of my afternoon hunting a ghost :(

Chris Taylor-NES's picture

A lot of people are gorwing really concerned on this.  Clients, Employees, Non-Tech People, Etc. are very worried we are infected.  We need answers!  We also need an ETA on the Fix?

Cakalaky's picture

Should we roll back on the definition until this is fixed?

efesefeldt's picture

My report server is sending out 100's of emails containing xls files, need a fix ASAP. Has anyone heard of anything yet?

McRae's picture

It's very strange, cause it's not happening on all systems, although the have the same product (version, RU, pathces, etc) installed, the same policy applied, an so on. The same xls' pop up on some machines, and on other do not..

by the way: 12.1.1000.157 RU1

10x

Costarican's picture

How can they be so sure that it is indeed a false positive??.....I would like to see Symantec post some kind of evidence to the Falso Positive theory.

PLEASE !!!!!

SecurityMike's picture

I'm sure they will release details once fixed.  If it's any comfort...I created a blank spreadsheet on a system that is not infected and verified the problem.  It only picks up with .xls files sent via emails as the same file when scanned as a document saved to disk does not pick up an alert.

InfoSecMerc's picture

Our organization wants an update as well. Many users are skeptical, please provide ETA.

Cakalaky's picture

After testing on several Excel files. It only happens from Outlook with .XLS files not on .XLSX files.

Ericxyz's picture

Having same problem.  Only work around I have found is to turn off Microsoft Outlook Auto-protection.

McRae's picture

Works, but not such a good ideea, exposes you too much I guess; maybe just except xls' from beeing scanned for the moment..

Costarican's picture

I think turning off Auto-protection could open the floodgates...know what I mean?

Ericxyz's picture

If you have Mail Security for Microsoft Exchange running and still have file auto-protection turned on you should be safe.  I like all the protection I can get so I wouldn't turn it off.

Sdullet1's picture

Same here.

I get an alert only on attachments on Lotus Notes.

If you have the attachemnts and scan the folder there is nothing.

---

ManSugieIT's picture

Getting notification of "CRITICAL: NETWORK VIRUS DETECTED"

Bloodhound.Exploit.459
Experimental heuristics

2 differernet users in 2 different offices accessing the same .xls file are reporting the same error...

darylzero's picture

Got this on an xlsx file over the network.

Bloodhound.Exploit.459
Experimental heuristics

Left alone
Auto-Protect

WingWizard's picture

I recently opened a case about this issue. Here is what I just got back.

"From the information I have, you have alert related to Bloodhound.Exploit.459. Do not worry since this is only a False Positive and currently our team is working on this issue"

"This is a known issue and these detections may be ignored.  Your security is not at risk. An announcement will be forthcoming as soon as the issue is resolved."

Hope this helps, not ready to drop my gaurd, but this might help to confirm this concern.

Cable2001's picture

I'm glad I found this thread. I thought we had a major infection underway, including calls from our customers who thought we infected them when they opened our spreadsheets.

I gotta say, it must suck to work in Symantec tech support department today.

Cakalaky's picture

Thanks for the link. I had trouble loading from the link you provided, just in case others have the same problem here is the direct url http://www.symantec.com/docs/TECH188271

 
Costarican's picture

Yeah, in order to open the previus link you must be logged-in to Symantec

Costarican's picture

That article starts by saying "Possible"

I'm not getting that warm fuzzy feeling !!!

SecurityMike's picture

Are you receiving multiple instances of this with powerpoint?  I was able to create a blank .xls file and duplicate the problem and that did not happen with a blank powerpoint sent via Outlook.  It's possible that you may have a real infection if it's only 1 or 2 users or the same powerpoint file.

Joebishop's picture

That link just brings you to the main support page .. theres nothing to do with this issue.

Costarican's picture

Copy the link and once it takes you to the main support page, paste the URL again....this worked for me

wolters's picture

Disabling "Enable Bloodhound (TM) heuristic virus detection" solves that problem in our environment but this is no final solution of course

Costarican's picture

Isn't doing that opening a can or worms??...What if other legitimate Bloodhound viruses attack??...you won't be protected....

My mama always told me to wear a raincoat when going out in the rain

wolters's picture

I disabled the Bloodhound option in order to check if this has any effect or not. After that I enabled it again. But perhaps for other companies it has more negative business impact when not being able to transmit Excel sheets than disabling one security option temporary!?

Costarican's picture

My company uses Excel heavily...a little heavily if you ask me...but what I did was instruct the end users to ignore the messages and let them know that it will be patches as soon as it becomes availble...

It is working for me

ejhardinsysadmin's picture

Symantec... Any update on this issue. Please release a new definition ASAP. 

t0ken407's picture

Glad I stumbled across this.  Am having the same issue on our network.  Looking forward to the new defs.