Endpoint Protection

  • 1.  Bloodhound.PDF.21 false positives

    Posted May 06, 2010 08:50 AM
    Hello,

    We have an internal application that loads pdf templates. The user chooses a particular case, opens the pdf and clicks the "activate" button, which loads the template (pdf) with the specific case information. Upon clicking the activate button, the user will sometimes (not every time) get the Bloodhound.PDF.21 error. This is a web application used by hundreds of users and has been in production for 6 years with no problems. This Bloodhound.PDF.21 seems to be a new heuristic of some kind. Can someone please explain what exactly it thinks is the issue and what I can do about it? This is freaking out my users.

    thanks,
    Rick


  • 2.  RE: Bloodhound.PDF.21 false positives

    Posted May 06, 2010 08:57 AM
    In the risk logs, are you able to see any relevant entry?

    By "Bloodhound.PDF.21 error", do you mean SEP is giving a message saying that this virus was found?


  • 3.  RE: Bloodhound.PDF.21 false positives

    Posted May 06, 2010 09:13 AM
    Did you change anything recently in the policies?
    If you strongly believe it is a false positive, do as follows:
    Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe



  • 4.  RE: Bloodhound.PDF.21 false positives

    Posted May 06, 2010 09:25 AM
    Hi Rick,

    The link below is a writeup from Symantec about Bloodhound.PDF.21
    Web Link: http://www.symantec.com/security_response/writeup.jsp?docid=2010-042718-4157-99&tabid=2

    This link also has Symantec recommendations.


  • 5.  RE: Bloodhound.PDF.21 false positives

    Posted May 06, 2010 09:42 AM
    Mudit,

    Can you explain exactly what Bloodhound.PDF.21 thinks is the problem? I've read the tech description you linked in your response but it doesn't really explain anything. It appears to be complaining about a possible vulnerability. Is that right?

    To answer your question AravindKM, nothing in this area of the system has been changed in some time. The action of loading the pdf with data is using an Adobe library so I can't see the code being called and that library hasn't changed in years.

    It looks to be quarantining temp or cached files. In one example, it complained about fdfaction.fdf and a temp file called arg87.tmp. This is being found during a "realtime protection scan". Part of the problem is that I can't reproduce it at my site. I'm getting various reports from user sites.

    Thanks,
    Rick



  • 6.  RE: Bloodhound.PDF.21 false positives

    Posted May 06, 2010 04:29 PM
    Hello Mudit, can you please respond to my last entry? Not sure where to turn at this point.


  • 7.  RE: Bloodhound.PDF.21 false positives

    Posted May 07, 2010 09:35 AM
    I think it is better to open a case with Symantec support.


  • 8.  RE: Bloodhound.PDF.21 false positives

    Posted May 07, 2010 01:41 PM
    Thanks AravindKM. I'll try that. I suspect this is going to be difficult since I can't reproduce the problem here, it's only happening to my users in the field.

    Thanks,
    Rick