Bloodhound.Exploit.459 - false positive
Created: 08 May 2012 | Updated: 21 May 2012 | 163 comments
This issue has been solved. See solution.
Hi all,
does anyone else experience an increase in Bloodhound.Exploit.459 reporting throughout your networks?
As of today, those errors start to pop up when the client computers open .xls files. It seems some sort of exploit in a program is triggered when the file is read. Unfortunately there is no further explanation on the Symantec websites regarding this exploit, so I do not know what exploit is triggered. I hope someone here can point me to a solution :-)
Regards
Stephan
this also started happening around our organization world-wide
I rolled back for now...
It would be nice if the dates rolled back to were seen on the SEPM Windows Definitions Section.
This is the response I have:
http://www.symantec.com/security_response/definitions/rapidrelease/
http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=rr
Rapid Release definitions which correct this FP are being posted now.
Rapid Release Sequence number: 134129 Extended information: 2012-05-08 rev. 016
Instructions for how to apply RR defs:
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article: TECH104979 | Created: 2008-01-21 | Updated: 2010-10-06 |
Article URL http://www.symantec.com/docs/TECH104979
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article: TECH102607 | Created: 2007-01-08 | Updated: 2012-05-01 |
Article URL http://www.symantec.com/docs/TECH102607
FTP link to RR defs, if needed:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/
The next Anchor build of definitions (available via LiveUpdate later on today) will also contain the fix for this issue.
With thanks and best regards,
Mick
I just went into the SEPM (running version 12.1) and set an exception for all .xls files to be ignored and assigned the policy to all computers in our organization. Either the end user can wait for its policy to be updated or force the policy update and then users can open all .xls files without getting notified it's a virus.
Hopefully there will be a fix very soon and they will push it out in a virus definition file, once that comes out I will remove the exception rule.
This "bandaid fix" took about 30 seconds.
Rapid Release definitions which correct this FP are being posted now
Instructions for how to apply RR defs:
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article: TECH104979 | Created: 2008-01-21 | Updated: 2010-10-06 |
Article URL http://www.symantec.com/docs/TECH104979
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article: TECH102607 | Created: 2007-01-08 | Updated: 2012-05-01 |
Article URL http://www.symantec.com/docs/TECH102607
Possible False Positive for signature Bloodhound.Exploit.459
Article: TECH188271 | Created: 2012-05-08 | Updated: 2012-05-08 |
Article URL http://www.symantec.com/docs/TECH188271
Hello,
Rapid Release definitions which correct this FP are being posted now. The next build of definitions (available via LiveUpdate, ETA 4:00 PM PST, May 08) will also contain the fix for this issue.
Rapid Release Sequence number: 134129 Extended information: 2012-05-08 rev. 016
Instructions for how to apply RR defs:
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article: TECH104979 | Created: 2008-01-21 | Updated: 2010-10-06 | Article URL http://www.symantec.com/docs/TECH104979
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article: TECH102607 | Created: 2007-01-08 | Updated: 2012-05-01 | Article URL http://www.symantec.com/docs/TECH102607
FTP link to RR defs, if needed:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/
Please link any cases to this KB:
Possible False Positive for signature Bloodhound.Exploit.459
Article: TECH188271 | Created: 2012-05-08 | Updated: 2012-05-08 | Article URL http://www.symantec.com/docs/TECH188271
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
As a side note to this issue...this really opened my eyes to how many people are still using .xls files instead of .xlsx files. With all the benefits of .xlsx files (specifically the compression ratio), we are going to take this opportunity to make sure we put an effort into converting to .xlsx. Just a thought that might make sense to others as well.
Same issues corporate wide here. On the bright side this only affects Outlook attached Excel files. It would not be fun if this affected when any Excel file was opened...
Symantec Support says to install the rapid release definitions..
The problem is under investigation :
http://www.symantec.com/business/support/index?page=content&id=TECH188271
and I am happy to announce that the first set of rapid releases to fix this issue have just been released.
The Rapid releases are :
Rapid Release Sequence number: 134129 Extended information: 2012-05-08 rev. 016
Instructions for how to apply RR defs:
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article: TECH104979 | Created: 2008-01-21 | Updated: 2010-10-06 |
Article URL http://www.symantec.com/docs/TECH104979
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article: TECH102607 | Created: 2007-01-08 | Updated: 2012-05-01 |
Article URL http://www.symantec.com/docs/TECH102607
Be sure to pick the one that has SEP 11 or 12 in the description. It looks like they've added another one that doesn't have those listed. My 2 cents.
Is it better to download the Rapid Release now to my SEPM server or wait for the daily definition to be pulled by my SEPM server?
SEPM=12.1RU1 MP1
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming
is not a valid location!!!????
Make sure you are using the correct drive (if you have more than one partition on the server), C, D...etc...
It depends on how it was installed. Look for where Symantec Endpoint Protection Manager is installed and go from there. It may be Program Files (x86) as well
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article: TECH104979 | Created: 2008-01-21 | Updated: 2010-10-06 |
Article URL http://www.symantec.com/docs/TECH104979
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article: TECH102607 | Created: 2007-01-08 | Updated: 2012-05-01 |
Article URL http://www.symantec.com/docs/TECH102607
If you have more than one server (we have several servers replicating) SEP 12.1, does this jdb file need to still be installed in all of them for the xls issue to be resolved?
Would someone care to comment on the attached screenie? This is generated after updating to the RR defs using a test/blank spreadsheet I created earlier.
I've restarted Outlook but not the test machine as yet.
http://www.cstl.com/
Yep!
I understand that Symantec is reporting this as a false positive and not a threat. However, users freak out over these popups, and an ETA for a resolution would be great for those of us in IT management. Thanks.
RR is out which will fix the FP
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Downloaded and installed the latest 5/8 .16 defs... Says it was successful, but check out below after refreshing: shouldn't my
.............be the LATEST definitions??
got an email from support team the fix is coming in on 4pm PST, if you need it earlier then download rapid release
...here it is again. The Rapid Release defs I have just downloaded and applied DO NOT appear to resolve the issue on my test machine.
Here's hoping the certified definitions sort it!
http://www.cstl.com/
Rapid Release definitions which correct this FP are being posted now. The next Anchor build of definitions (available via LiveUpdate, ETA 4:00 PM PST, May 08) will also contain the fix for this issue.
Rapid Release Sequence number: 134129 Extended information: 2012-05-08 rev. 016
...it would be useful to include information on any such delays in the posts declaring the issue to be resolved. Or even check to see that the fix has been released before posting that it's all been fixed.
It's not like we can see the sequence or revision number on the RR page. Guess I'll check back in the morning!
http://www.cstl.com/
Just ran this on one of our laptops, and the def file is now showing 5-8-2012. Sent a test email with excel attachment, and did not get the popup.
Going to test it on a few more machines now. Thanks!
still getting popup if someone sends excel from an external email address...
Seems ok when I send excel attachment through Lotus email now, but still getting popup when trying to open excel sheet that is attached to a Lotus database file. Will the later fix take care of this??
I am now at May 8, 2010 r35...is that the newest update? I tested our Lotus Notes database this morning and was able to open an attached excel file without the popup, but want to be sure that this is "really" fixed? Won't be able to test with users for a couple of hours...it is still early here and no one is in yet. Would like to have the "warm fuzzy feeling" before they get in.
I was all over searching for this issue and found nothing; the closest it came was Bloodhound.Exploit.456?
Come on Symantec, you are supposed to be on top of these things. I called support and he told me to use Google to search this, and found the Symantec link?
I tried http://searchg.symantec.com
and http://www.symantec.com/security_response/
NOTHING!!!!!!!!!!!!!!!!!!!!!!!!
I have updated my SEPM. No more false positives. Thanks guys.
I have a 64 BIT OS/Install and moved the vd394e26.jdb into the incoming folder but nothing is happening. I see it works fine on the 32 BIT OS/Install.
Please advise
I think maybe 64-bit OS running SEP have to rename the file .exe and not .jdb as noted in the instructions posted?
Important Notes:
I am trying this right now as .jdb didn't seem to work for us either. Will try and post my results.
The fix works
A temporary KB doc has been created until the certified defs are released for today that resolve the issue.
http://www.symantec.com/docs/TECH188271
If I was able to help resolve your issue please mark my post as solution.
I got some of these too. Will this "Rapid Release Virus Definitions" fix this also, or will there be another release?
Still no info on Symantec website
Our search engine was unable to find any pages related to Bloodhound.Exploit.458.
Nice
I'm still getting the false positives after the RR was installed. Hopefully the certified defs will actually fix this.
I haven't received any false positives for .459 since RR but am now getting Bloodhound.Exploit.458.
I would expect that the attachment would be removed and the user sending the e-mail would get a message regarding the suspected exploit, but the user that the e-mail is getting sent to is seeing the warning as well, and is not receiving the message text.
ALL information written in the body of the message is replaced by the following (thankfully, the offending message only had one attachment):
____________________________________
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
Symantec Endpoint Protection found a security risk in an attachment from *****
Attachment: *****.xls
Security risk detected: Bloodhound.Exploit.459
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
File status: Infected
RR seems to be working after SEPM pushed the new defs to the SEP clients
SEP & SEPM=12.1.1101.401,RU1 MP1
Apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article URL http://www.symantec.com/docs/TECH104979
Or update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article URL http://www.symantec.com/docs/TECH102607
This will fix the false positive issue.
Information: Possible False Positive for signature Bloodhound.Exploit.459
Hope this help...
Oscar
Seems any xls file causes this to come up, definitely a false positive from what I can tell.
Thanks for the thread on this. We just had this occur on a spreadsheet that had been distributed to everyone on our LAN. I was having a panic attack to say the least. However I am not totally at ease, as I would like to hear if there has been a resolution. Where are the Symantec reps on this?
Yep, we have it here also. Microsoft Outlook Auto-Protect is causing it, .xls files only when being emailed.
Turned off notify by email for now. Clients can handle having a popup on their computer but our help desk call logging system is getting smashed by the notifications.
Hi, my SEPM currently has the May 8 2012 r18 defs version, as do my clients. My users are still receiving the notification.
Post from Mithun: https://www-secure.symantec.com/connect/forums/sym...
Hello,
Rapid Release definitions which correct this FP are being posted now. The next build of definitions (available via LiveUpdate, ETA 4:00 PM PST, May 08) will also contain the fix for this issue.
Rapid Release Sequence number: 134129 Extended information: 2012-05-08 rev. 016
Instructions for how to apply RR defs:
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article: TECH104979 | Created: 2008-01-21 | Updated: 2010-10-06 | Article URL http://www.symantec.com/docs/TECH104979
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article: TECH102607 | Created: 2007-01-08 | Updated: 2012-05-01 | Article URL http://www.symantec.com/docs/TECH102607
FTP link to RR defs, if needed:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/
Please link any cases to this KB:
Possible False Positive for signature Bloodhound.Exploit.459
Article: TECH188271 | Created: 2012-05-08 | Updated: 2012-05-08 | Article URL http://www.symantec.com/docs/TECH188271
Regards,
S2S
Please don't forget to mark your thread solved with whatever answer helped you.
Problem still not solved; the same files still pop up as detections.
Please make sure you have applied the latest rapid release above sequence number 134129, available on the FTP URL provided in the above suggestions.
Regards,
S2S
Please don't forget to mark your thread solved with whatever answer helped you.
I just got an alert that said "Security risk detected: Bloodhound.Exploit.458 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected". All of the sudden I just got a 458 alert instead of 459. Might not be related but I hope that the most recent update didn't cause another issue. We are on May 08,2012 r18.
Even I saw a few odd incidents yesterday for Bloodhound.Exploit.458. Not sure where it's going to lead us... Bad days..
I am on May 08, 2012 r18 now and I do not get any more Bloodhound.Exploit.459 Messages.
Seems like Symantec solved the problem.
Thanks Guys!
Anyone who is experiencing FPs on Bloodhound.Exploit.458, please update to a Rapid Release sequence after 20120508.038. That will resolve those detections as well.
With thanks and best regards,
Mick
Symantec, do we have definite confirmation that this fix is working?
We seem to have a high percentage of endpoints out of date?
Also had a report at 08:10:
"Found 3 or more infected computers in 1 minutes. Actual number of infected computers found was 3."
This is still an issue after following the method of the JDB file into SEPM yesterday afternoon..
Can anyone confirm any facts or resolutions please?
We are still reporting the errors.......
87 new notifications now!!??
The FP is resolved. Do make sure that the clients have the necessary definitions, and check the date on the events being being forwarded to the SEPM. Depending on heartbeat settings and other factors, SEP clients may be forwarding logs to the SEPM that date from before the defs were applied.
Hope this helps! :)
With thanks and best regards,
Mick
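Mick's point above, that events forwarded after the fix may carry timestamps from before the corrected definitions were applied, is the kind of thing worth checking mechanically when a help desk is "getting smashed" by notifications. The script below is an added example, not code from the thread or from Symantec: it parses the "Security Risk Found!" notification format quoted in this thread, counts events per signature, and splits the events for signatures that have been fixed into "stale" (detected before the fix was applied, so most likely delayed log forwarding) and "live" (detected after the fix, so clients that still lack the definitions or a still-unresolved FP). The sample notifications, computer and user names, and the fix time are constructed for the example.

```python
"""Triage SEP "Security Risk Found!" notifications after a false-positive
definition fix.  Added example; the notification layout follows the messages
quoted in the thread, and every event below is constructed sample data."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three notifications in the layout SEP e-mails out.
SAMPLE_NOTIFICATIONS = """\
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: "Q1 budget.xls"
Location: Mail System
Computer: WS-001
User: alice
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: Tuesday, May 08, 2012 09:12:03 AM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.459
File: "Q1 budget.xls"
Location: Mail System
Computer: WS-002
User: bob
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: Wednesday, May 09, 2012 08:10:00 AM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.458
File: "deck.ppt"
Location: Mail System
Computer: WS-003
User: carol
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: Wednesday, May 09, 2012 11:25:40 AM
"""

# "Field name: value"; the field name never contains a colon, so the first
# ": " delimits it even when the value itself contains " : " (Action taken).
FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$")
DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"  # e.g. Wednesday, May 09, 2012 11:25:40 AM


def parse_notifications(text):
    """Split a mail body into blank-line-separated events and return a list of
    dicts keyed by field name, with 'Date found' parsed to a datetime."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if "Security risk detected" not in fields:
            continue  # not a detection block
        if "Date found" in fields:
            fields["Date found"] = datetime.strptime(fields["Date found"], DATE_FMT)
        events.append(fields)
    return events


def triage(events, fixed_signatures, fix_applied_at):
    """Return (counts_by_signature, stale, live).

    stale: events for a fixed signature found BEFORE the corrected defs were
           applied (expected: delayed log forwarding, not a live FP).
    live:  events for a fixed signature found AFTER the fix (clients that still
           lack the defs, or an FP that the defs did not actually resolve)."""
    counts = Counter(e["Security risk detected"] for e in events)
    stale, live = [], []
    for e in events:
        if e["Security risk detected"] not in fixed_signatures:
            continue
        (stale if e["Date found"] < fix_applied_at else live).append(e)
    return counts, stale, live


if __name__ == "__main__":
    # Assumed value for the example: corrected defs pushed 2012-05-08 16:00.
    fix_time = datetime(2012, 5, 8, 16, 0, 0)
    counts, stale, live = triage(parse_notifications(SAMPLE_NOTIFICATIONS),
                                 {"Bloodhound.Exploit.459"}, fix_time)
    print("events per signature:", dict(counts))
    print("stale (pre-fix, ignore):", [e["Computer"] for e in stale])
    print("live (post-fix, chase these):", [e["Computer"] for e in live])
```

Run it against an export of the notification mails (or the SEPM risk log rendered in the same layout) and pass the sequence's actual push time; the "live" list is the set of machines whose definition date should be checked first, while the "stale" list can be closed out without action.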
My def file is showing May 8, 2010 r35...is that the newest? Need the "warm fuzzy" before users show up this morning...
Hello,
Here is the Symantec website, where you can check if you are carrying the Latest Definitions-
http://www.symantec.com/security_response/definitions.jsp
However, I believe you have a Typo - May 8, 2010 r35
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
should have been may 8, 2012 r35...way early this morning. Thanks for the info...definitely helps!
Since the above issue has arisen and possibly been resolved, we have all of our endpoints out of date - or so it says??
Any advice on this Symantec?
I have tried to import the rapid release, but keep getting " all updates failed to install on machine" and it tells me to look for "log.intelligentupdater.txt" in the tmp directory, but there is no such file on the drive.
I am on version 05/08/2012 r35, does that mean I have the latest including the Rapid Release?
Hello,
As per the Symantec Website: http://www.symantec.com/security_response/definitions.jsp you are carrying the latest Certified Definitions.
There is a Difference between the Certified definitions and Rapid Release Definitions -
Rapid release virus definitions have undergone basic quality assurance testing by Symantec Security Response. The primary focus of these definitions is the rapid detection of newly emerging threats, and they may be augmented later with more robust detection capabilities. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, you should understand that rapid release-quality virus definitions do pose some risks, such as the higher potential for false positives. Rapid release definitions are most useful for perimeter defenses or for all protection tiers as a means of mitigating fast-spreading virus outbreaks.
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
I had to run the rapid release exe file on the clients.
We don't get the messages about 459 anymore, but now we are seeing 458. Is there a fix for this?
The Rapid Release Sequence: 134157 or above (May 9 2012 Rev. 009 or above) should remove any remaining 458 detections that are being seen.
Hope this helps! :)
With thanks and best regards,
Mick
Should vd395209.jdb cover it? for a 64BIT install?
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Bloodhound.Exploit.458
File: "TEI NY May 10, 2012.pptx formatted edits AB v.2.ppt"
Location: Mail System
Computer: xxxx
User: xxxx
Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
Date found: Wednesday, May 09, 2012 11:25:40 AM
Hello,
As suggested by Mick above, please Download the Rapid Release Sequence: 134157 or above (May 9 2012 Rev. 009 or above) which should remove any remaining 458 detections that are being seen.
Instructions for how to apply RR defs:
How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.
Article: TECH104979 | Created: 2008-01-21 | Updated: 2010-10-06 | Article URL http://www.symantec.com/docs/TECH104979
How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
Article: TECH102607 | Created: 2007-01-08 | Updated: 2012-05-01 | Article URL http://www.symantec.com/docs/TECH102607
FTP link to RR defs, if needed:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence/
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Looks like RR 5/9/12 R2 is fixing today's false positives
I am still seeing 458 FPs. Now what, Symantec???
Since today's RR was deployed to my SEPM server and then pushed out to my SEP clients, the 458 FP issue seems to have gone away. I'm running 12.1.1101.401, RU1 MP1 for my SEPM & SEP
Hi Welsh
Since we have updated our manager we are also experiencing all our clients with an ips signature out of date
Jesus, I'm glad it's not just us again!
There are several mentions of a resolution from yesterday afternoon's release... Hmmm...
Ok, we aren't seeing the exploits being reported, but this is still a huge concern: being out of date when everything seems not to be... for two days!
All endpoints are in compliance, but SEPM is not remediating as before when other "odd" updates were released..
I hope Symantec really can put more of a haste on this unlike yesterday..
;-)
this was fixed that day itself thanks to Symantec, but why did this actually happen?
When I was looking at the RR Defs, I noticed something in the Revocation Section that said Experimental. I think something got included in the 'daily' def package that shouldn't have been there.