Bloodhound.Exploit.459 - false positive
Hi all,
does anyone else experience an increase in Bloodhound.Exploit.459 reporting throughout your networks?
As of tody, those errors start to popup when the Client-Computers open .xls-Files. Seems to be some sort of Exploit in a program is triggered when the file is read. Unfortunately there is no further explanation on the Symantec websites regarding this exploit, so I do not know what Exploit is triggered. I hope someone here can point me to a solution :-)
Regards
Stephan
Issue Resolved.
Hello,
Rapid Release definitions which correct this FP are being posted now. The next build of definitions (available via LiveUpdate, ETA 4:00 PM PST, May 08) will also contain the fix for this issue.
Rapid Release Sequence number: 134129 Extended information: 2012-05-08 rev. 016
Instructions for how to apply RR defs:
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article: TECH104979 | Created: 2008-01-21 | Updated: 2010-10-06 | Article URL http://www.symantec.com/docs/TECH104979
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article: TECH102607 | Created: 2007-01-08 | Updated: 2012-05-01 | Article URL http://www.symantec.com/docs/TECH102607
FTP link to RR defs, if needed:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/
Please link any cases to this KB:
Possible False Positive for signature Bloodhound.Exploit.459
Article: TECH188271 | Created: 2012-05-08 | Updated: 2012-05-08 | Article URL http://www.symantec.com/docs/TECH188271
Hope that helps!!
Comments
Yes, we also see these FP,
Yes, we also see these FP, xls. file coming from mails.
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: XxXxX.xls
Location: Mail System
Computer: XxXxX
User: XxXxXX
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: 8. maj 2012 14:09:42
Bloodhound.Exploit.459
Yeap, Same here
Confirmed
Confirmed. We are having the same issue. It does seem to be affecting XLS files only at this point. Unfortunately I have not received a call back from Symantec as of yet. We have not yet come across any specific threat in any of the files, and have not ruled out that it may be a false positive detection.
Symantec, we sure could use an answer on this one....
Here too, triggered by a .xls
Here too, triggered by a .xls file in Outlook. Action Taked was "Left Alone" and log shows an exception was generated.
Same here.
We are seeing this as well on .XLS files. We have scanned several of them with multiple online scanners and all report the files are clean. I'm certain these are false positives.
Symantec is Aware
Many thanks for opening this thread, Stephan- We are looking into this matter now.
There is no need to contact Technical Support for this issue at the present time.
I will update this thread when there is more information available.
With thanks and best regards,
Mick
Enter subject (optional)
Good Day Mick,
I am having the same issue an influx of these xls files alerts on some of my Endpoints, you help will be of great assistance,
Kindest Regards
Benjamin.
I'm in the wait for a
I'm in the wait for a technitican, it there any of you which have talked with Symantec about it?
Have the same issue here.
Have the same issue here. Left alone /Auto-Protect..
Im having the same issue
Hopefully symantec comes up with a solution pretty quick.
i am getting the same problem
i am getting the same problem just with excel files.
The same with files inside
The same with files inside Notes, and annoying information about unsuccessfull quarantine in almost every email.
We're having the same here,
We're having the same here, only excel files so far and the action is 'left alone'.
On a side note, only one part of our network has this problem, the other seems to be fine. On the part that's fine people aren't allowed to preview documents in outlook, the part where we get the reports they are.
Yes, we're seeing this too.
Yes, we're seeing this too. Any time someone previews an Excel worksheet from within Outlook we're getting the 'Bloodhound.Exploit.459' SEP pop-up. Opening the files outside of Outlook doesn't cause any problems and both a manual scan from SEP and other online scanners says the file is clean.
Also experiencing Bloodhound.Exploit.459 false positives
Same symptoms as everyone else. .XLS files inside emails are being flagged as Bloodhound.Exploit.459 . Quarantine fails. The files will open fine when you save them to local disk and open.
We use:
Exchange 2008
Office 2010
Symantec Endpoint Protection 12
We are experiencing the same
We are experiencing the same thing. Outlook and xls files but nothing quarantined and everything comes up clean.
Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
This is the message we are getting. Hopefully Symantec does something soon
Same problem in here
I hope it will be solved as soon as possible
Agreed
Hello All,
I agree with Mick. "Thumbs Up" to him.
Symantec Security Response Team is looking into this and we would update this Thread as soon as there is an update on this Issue.
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a
Exactly the same issue here.
Exactly the same issue here. Only .xls files appear to be affected (no .xlsx). Event action Virus Found (Left Alone).
Exactly the same issue here
Only appears on xls files
The same problem all the day
Hello All,
Here the same problems, the same "exploit" from different email/xls
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: *.xls
Location: Mail System
Computer: *
User: *
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: 08 май 2012 г. 15:59:59 ч.
....maybe a problem with the new definitions ??
Waiting for answer... !
We're seeing this too. It
We're seeing this too. It looks like Symante for Exchange is actually removing the attachments. That's not good.
Same here.. waiting for fix /
Same here.. waiting for fix / update
Ditto Here
Although, here it doesn't seem to be triggered when I send .xlsx files. Its only the .xls. Can someone with excel 2k confirm?
Confirmed. XLSX-Files seem
Confirmed. XLSX-Files seem not to be effected.
we are running SEP 12.1 RU1
we are running SEP 12.1 RU1 and are having Bloodhound.Exploit.459 being identified in XLS documents via Outlook 2010.
was this a bad definition update? when can we expect an update.
thank you, have an awesome Tuesday all.
Same here
We are seeing this false-positive as well. SEP12.1 RU1.
Same here...
This was brought to my attention, and couldn't find anything on it...the Hey presto!
This is just from opening from Outlook, at far as I can see.
same here
just had symantec on phone to me and confirmed they are aware of this and they are working on it for the fix globally, it seems the latest defination file they sent out might have got some issue.
I will get an update on phone or email about the same asap.
keep you posted
thanks for the info...will
thanks for the info...will stay tuned. It is bouncing all over the place here. Started around 10:ish...and seems to be spreading.
Same here
We are getting the same false positive messages as well since this morning, however users are still able to open .xls attatchments within outlook.
Confirm same issue
Unable to find anything wrong with the file, only when pulling it out of outlook does Symantec alert. After it has been moved out of Outlook manual scans return nothing. Although it looks like this is an experimental
Risk Type
Bloodhound.Exploit.459
Experimental heuristics
Action Source
Left alone
Auto-Protect
.452, .459 it's like an outburst
Lots of complaints today on this bloodhound issue. For starters I lowered the level of detection and emailed the plaintifs that it is a fals positive
Same issue
It started with update version R38 . Workstations with R22 have no problems.
We use SEP 12.1
Same issue...but extended
Don't think for a minute that the problem is limited to .xls files, Yes, while most are .xls I have one reported on a .ppt...so keep your eyes open while we wait for Symantec to provide us with something
Not all excel files are causing the problem
I have confirmed that with us all the alerts are with .xls files. Also...I just created a brand new .xls file with just the words test file in a cell and as soon as I emailed it the alert was generated. It seems to be related to emails as well as just opening the blank file didn't cause the problem.
Problem looks limited to .xls files through email for us
The same TEST.xls file is not found as a threat when scanned or opened directly. It is only found as a threat when sent via email.
Same here
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: xxx.xls
Location: Mail System
Computer: xxx
User: xxx
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: Tuesday, May 08, 2012 3:59:22 PM
Same: IE8/IE9 - Win XP SP3 and Win 7 running Outlook 2007
Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected
on Excel files attached within Outlook --beginning this morning.
Same issue here
Hi, we faced the same 1 hour back and it is spreading like crazy. I am on call with a Symantec specialist on the phone.
Same Issue Here
Risk name: Bloodhound.Exploit.459
File path: Bookstore.xls
Event time: May 8, 2012 7:59:12 AM
Any updates yet?
Security risk detected: Bloodhound.Exploit.459
Neutralized by Quarantine failed
Same issue
We're having the same issue. I've called Symantec as well and am waiting on a tech to call back.
The False positive would be
The False positive would be gone as soon as the issue gets resolved by Symantec. Kindly Do not Panic.
"The False positive would be
"The False positive would be gone as soon as the issue gets resolved by Symantec"
This is like telling us the bleeding will stop once its healed. How about a little more information regarding ETA? Resources? Workarounds?
I've disabled Microsoft Outlook AutoProtect for the time being to see if we can get a functional workaround while Symantec sends out notices telling us the issue will be gone as soon as they fix it.
Same thing and more .XLW
Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected
Attachment: COAL 5-4.XLW
Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected
Any Update
Does Symantec have an ETA of when this fix will be pushed out?
Will the fix be pushed or
Will the fix be pushed or will we have to manualy retreive it/them???
Same issue
Same issue here.
Bloodhound.Exploit.459 message on 6 computers until now.
would just be nice to be
would just be nice to be informed within the console or the security response site that there is a problem with false positives. Have been wasting much of my afternoon hunting a ghost :(
Is there an ETA on the Fix?
A lot of people are gorwing really concerned on this. Clients, Employees, Non-Tech People, Etc. are very worried we are infected. We need answers! We also need an ETA on the Fix?
Should we roll back on the
Should we roll back on the definition until this is fixed?
Any Updates
My report server is sending out 100's of emails containing xls files, need a fix ASAP. Has anyone heard of anything yet?
Same issue, lots of workstaions affected..
It's very strange, cause it's not happening on all systems, although the have the same product (version, RU, pathces, etc) installed, the same policy applied, an so on. The same xls' pop up on some machines, and on other do not..
by the way: 12.1.1000.157 RU1
10x
False positive...is it really???
How can they be so sure that it is indeed a false positive??.....I would like to see Symantec post some kind of evidence to the Falso Positive theory.
PLEASE !!!!!
Evidence
I'm sure they will release details once fixed. If it's any comfort...I created a blank spreadsheet on a system that is not infected and verified the problem. It only picks up with .xls files sent via emails as the same file when scanned as a document saved to disk does not pick up an alert.
Waiting for update here as
Waiting for update here as well.
ETA
Our organization wants an update as well. Many users are skeptical, please provide ETA.
XLS not XLSX Files
After testing on several Excel files. It only happens from Outlook with .XLS files not on .XLSX files.
Same issue
Having same problem. Only work around I have found is to turn off Microsoft Outlook Auto-protection.
Works, but not such a good
Works, but not such a good ideea, exposes you too much I guess; maybe just except xls' from beeing scanned for the moment..
Agreed
I agree, I wouldn't turn it off
False sense of security
I think turning off Auto-protection could open the floodgates...know what I mean?
If you have Mail Security for
If you have Mail Security for Microsoft Exchange running and still have file auto-protection turned on you should be safe. I like all the protection I can get so I wouldn't turn it off.
Same here. I get an alert
Same here.
I get an alert only on attachments on Lotus Notes.
If you have the attachemnts and scan the folder there is nothing.
---
Same here
Getting notification of "CRITICAL: NETWORK VIRUS DETECTED"
Bloodhound.Exploit.459
Experimental heuristics
2 differernet users in 2 different offices accessing the same .xls file are reporting the same error...
Same here.
Got this on an xlsx file over the network.
Bloodhound.Exploit.459
Experimental heuristics
Left alone
Auto-Protect
Same issue with different mail client
Same issue with lotus notes mail client.
feedback from Symantec Support
I recently opened a case about this issue. Here is what I just got back.
"From the information I have, you have alert related to Bloodhound.Exploit.459. Do not worry since this is only a False Positive and currently our team is working on this issue"
"This is a known issue and these detections may be ignored. Your security is not at risk. An announcement will be forthcoming as soon as the issue is resolved."
Hope this helps, not ready to drop my gaurd, but this might help to confirm this concern.
Roll back is working
This artical is old but its working!
http://service1.symantec.com/support/ent-security.nsf/docid/2007111515160948
Article: TECH102935
not fun
I'm glad I found this thread. I thought we had a major infection underway, including calls from our customers who thought we infected them when they opened our spreadsheets.
I gotta say, it must suck to work in Symantec tech support department today.
KB Article just posted by Symantec
http://clientui-kb.symantec.com/kb/index?page=content&id=TECH188271&actp=RSS
Thanks for the link. I had
Thanks for the link. I had trouble loading from the link you provided, just in case others have the same problem here is the direct url http://www.symantec.com/docs/TECH188271
link
Yeah, in order to open the previus link you must be logged-in to Symantec
Noticed that Symantec covered their butt??
That article starts by saying "Possible"
I'm not getting that warm fuzzy feeling !!!
Dude move away from the keyboard!!
.
We are getting hits on .ppt
We are getting hits on .ppt as well.
Powerpoint issue
Are you receiving multiple instances of this with powerpoint? I was able to create a blank .xls file and duplicate the problem and that did not happen with a blank powerpoint sent via Outlook. It's possible that you may have a real infection if it's only 1 or 2 users or the same powerpoint file.
Link
That link just brings you to the main support page .. theres nothing to do with this issue.
Go here
http://www.symantec.com/docs/TECH188271
It Still take you to the main
It Still take you to the main support page
Link
Copy the link and once it takes you to the main support page, paste the URL again....this worked for me
interims solution ?
Disabling "Enable Bloodhound (TM) heuristic virus detection" solves that problem in our environment but this is no final solution of course
Do you really want to do that??
Isn't doing that opening a can or worms??...What if other legitimate Bloodhound viruses attack??...you won't be protected....
My mama always told me to wear a raincoat when going out in the rain
I disabled the Bloodhound
I disabled the Bloodhound option in order to check if this has any effect or not. After that I enabled it again. But perhaps for other companies it has more negative business impact when not being able to transmit Excel sheets than disabling one security option temporary!?
Use of Excel
My company uses Excel heavily...a little heavily if you ask me...but what I did was instruct the end users to ignore the messages and let them know that it will be patches as soon as it becomes availble...
It is working for me
Symantec... Any update on
Symantec... Any update on this issue. Please release a new definition ASAP.
Glad I stumbled across this.
Glad I stumbled across this. Am having the same issue on our network. Looking forward to the new defs.
Would you like to reply?
Login or Register to post your comment.