Endpoint Protection

 View Only
Back to discussions
Expand all | Collapse all

False Positive - Angry IP Scanner

  • 1.  False Positive - Angry IP Scanner

    Posted Jun 20, 2007 03:52 PM
    Since the 6/15 definitions, SAV has been picking this up as a hacktool.  This product has been out for years, is a valuable tool in the arsenals of many network folks I know and work with, and is no more a hacktool than Look@Lan is a hacktool.  This should really be addressed in an upcoming set of definitions, the sooner the better.


  • 2.  RE: False Positive - Angry IP Scanner

    Posted Jun 26, 2007 03:40 AM
    I agree, Angry IP Scanner just a tool for network administrator,
    I don't understand why SAV listed it as a hack tool.
    Is this tool makes any problem or attack automaticlly ?


  • 3.  RE: False Positive - Angry IP Scanner

    Posted Jun 26, 2007 04:08 AM
    While not a hack tool as such, it does meet our criteria set out here:
     
     
    I agree that there are certain products that are perhaps wrongly classified as hacktools, but I can see where we are coming from with programs like IP scanners.  They *could* be used to determine attack surface of a network and in the case of Angry IP, they could then be used to determine open ports and potentially vulnerable products or services.  Equally they can also be used in a perfectly legitimate way.
     
    If you aren't worried about having Angry IP on your servers/network, then the simple solution would be to exclude it from detection.
     
    The only other solution you have open to you is to get the developer to submit this form: https://submit.symantec.com/security_risks/dispute/ 
     
    and attempt to get Security Response to re-evaluate the program.
     
    hth
     
    paul


  • 4.  RE: False Positive - Angry IP Scanner

    Posted Jun 26, 2007 06:06 AM
    Even so, this software has not changed in years, and only recently was added to the detection list?  That is equally as strange as being classified in th first place.


  • 5.  RE: False Positive - Angry IP Scanner

    Posted Jul 02, 2007 10:41 AM
    I'm in agreeance here.  I'm EXTREMELY annoyed that this tool is getting quarantined.  I'm a symantec partner and IT consultant and I'm the main reason my company uses the symantec product.  If this doesn't get resolved in a few months, I won't fight my new boss on his attempts to get us using Trend Micro.  At this point in time, as the lead tech, I'll win the fight.  Angry IP is one of my favorite tools to use as a consultant.  It allows me to quickly figure out what's changed on a network, see if people have things running on their computers that they shouldn't (even helps to identify who's got port 25 open and sending mass mailer worms out).
     
    I'm putting my foot down on this.  Antivirus companies are now a dime a dozen, but there's only one free ip/port scanner that works well, is free, reliable, and easy to use.  Please reconsider or else I will.


  • 6.  RE: False Positive - Angry IP Scanner

    Posted Jul 04, 2007 04:06 AM
    well I can't personally see us removing it any time soon.
     
    Surely if its important to you, then you could just exclude it from detection on your clients?
     
    That way you could even control who has access to the tool, do you REALLY want your normal users/non IT people to use it on your network?


  • 7.  RE: False Positive - Angry IP Scanner

    Posted Jul 05, 2007 04:34 PM
    Well, it surely is that important.  We've tried excluding it and it's still tagging it.  You're angrying more people than what bother to come here and post. 
     
    I'm not worried about my users running it.  What is possibly going to come of it?  I've already secured all important data.  I don't even give them direct access to the tool, it's on my servers.  If they download it and scan the network, so what? 
     
    It just pains me as I sell another $6,000 worth of licensing today, including the 20 renewals in the last 2 months.  I truly don't want to sell the agreement today, but your product is my favorite (eventhough over this one program, you're losing my loyalty and those that work with me on a daily basis). 
     
    We directly affect who buys your product and who doesn't.  Next year will be the year of selling Trend Micro licenses and converting everyone over, but it's not what I want to happen. 
     
    But then again, it probably comes down to the IBM effect, you guys are so large, you could care less if you lose a partner or 2 over something so misc. 
     
    Next is to go complete Anti Symantec and find new backup solutions as well because you don't really care what those who use your software think.   Please by all means bring this post to the attention of someone who can make the difference.  I'm a loyal Symantec user/partner/reseller and don't want to change products, but if push comes to shove, I sincerely care about this issue and will make changes if I have to.


  • 8.  RE: False Positive - Angry IP Scanner

    Posted Jul 06, 2007 09:44 AM
    Have to agree with MrChen.  The comments aroiund my IT department and some colleagues at other financial institutions seem to be quite consistent.  The general impression is that Symantec is taking the "big brother" approach and effectively dictating what tools can and cannot be used.  When there are a handful of similar tools that function virtually the same way, and one is singled out YEARS after it's release, it leaves a bad taste in everyone's mouth.


  • 9.  RE: False Positive - Angry IP Scanner

    Posted Jul 06, 2007 11:00 AM
    Guys,
     
    please bear with us on this one, we are working on changes to our classifications - I have this from Security Response after speaking to them last night.  I can't say any more at the moment until I have confirmation from them as to what we can give out.  I accept we do move fairly slowly with some of these things, but thats the nature of most large corporations (thankfully we aren't as slow as other companies you mention yet.)
     
    On the exclusion front, it does work - I was able to successfully exclude the scanner from being detected last night - I then downloaded and ran the application with no problems whatsoever.  I tried adding it at the "Security Risk" level and admittedly that didn't work.  I then tried adding it as an exclusion from the "Other" section and that works fine - its still in there now as you can see from the below:
     
     
    If you are still having problems, please post and I'll try and help you out.
     
    thanks
     
    paul


  • 10.  RE: False Positive - Angry IP Scanner

    Posted Jul 06, 2007 11:26 AM
    Thanks Paul.  We know that Symantec, as with all large companies, may move slow, but at least speaking for myself, I can live with that.  The message that we didn't like was that there would be no movement.
     
    Also, thanks the tip on where to add the exclusion.  That does seem to be working much better.


  • 11.  RE: False Positive - Angry IP Scanner

    Posted Jul 11, 2007 01:10 PM
    The lack of movement and the choices laid out are one of the things that annoyed me.  Add in the fact I couldn't figure out how to exclude it.  I never even noticed the "other" option as I've never had to exclude one of my tools in SAV (now McAfee is another story). 
     
    Thanks for a WORKING (but annoying) solution, which is better than the previous responses. 
     
    I recently found another tool to use, but it requires an install.  The less I have to install the better and I want to use my ipscan tool without interuption, so stop blocking it! :)


  • 12.  RE: False Positive - Angry IP Scanner

    Posted Jul 19, 2007 12:32 AM
    Is there a way of exluding this file on a domain basis through the Symantec System Center?
    Having to do this workaround on all computers i wish to use the IP Scanner on is a royal pain in the butt.

    I have to agree with the others here too. I am not the biggest fan of Symantec products to begin with, however the organisation i work for is a Symantec Partner and as such chooses to resell it. The fact that Symantec have gone and blacklisted such a product only gives fuel to my argument to my employer to change to another Anti-virus solution.


  • 13.  RE: False Positive - Angry IP Scanner

    Posted Jul 23, 2007 06:40 PM

    I have to say I'm very annoyed about this too. Configuring the exception wasn't working so I had to work with a Symantec support technician to fix it. It took a few days and just when I'd got the exclusion fixed they recategorized it from hacktool to other and I had to do it again. Now I can download and use the scanner but whenever a full system scan runs it still gets quarantined, although it does allow me to undo it.

    That's annoying enough on it's own but I feel that that there's a much larger principal at stake here. If Symantec feel it's ok to block legitimate applications then what's to stop them doing it again and again? There are a few hundred users in my IT department alone, and I don't want them coming to me every week to have another tool unblocked. It doesn't take much for the department to lose confidence in an application and I still get comments about the memory leak in an earlier release of SAV.

    I'm refusing to let this drop with my account manager and I won't give in until either they remove Angry IP scanner from their definitions or my company is no longer using SAV. I received this response today:

    "SR fully understands that the use of these tools is legitimate for network administrators and their purpose is not to decide on behalf of them what tools they want to use in their environment but instead to allow more control on the use of such tools"

    If that's the case why does it get quarantined automatically? And how does putting Angry IP scanner in the same category as applications that install themselves without asking give me more control?



  • 14.  RE: False Positive - Angry IP Scanner

    Posted Jul 25, 2007 07:30 AM
    The other option is to goto http://www.radmin.com/products/utilities/index.php and download "Advanced IP Scanner" - it can even shutdown the remote computer (takes out the fuss for those shutdown command lines for administrators).
     
    So far, I have not received a false positive on this one.
     
    ABR
     


  • 15.  RE: False Positive - Angry IP Scanner

    Posted Jul 25, 2007 10:34 AM
    To add insult to injury.  I did the "other exclusion", but when SAV did a scan on the system, it picked it up anyways.  So it looks like you have to do both exclusions.
     
    I realize there are other tools out there, but why is this one targeted?  It's harmless, easy to find, doesn't require an install, easy to use, and is a quick download.
     
    Even though we have the exclusion(s) solution, I will not fight to keep SAV as our primary AV/SMS solution until this is corrected.  I'm a consultant, Symantec Partner and I personally am the reason we use Symantec.  New management is wanting to change it, but as the technical lead, I'll win the fight.  I repeat, I will *NOT* fight the change to Trend Micro until this is corrected and we sell a lot of SAV licensing.  Once the fight is lost, there's no switching back either.
     
     

    Message Edited by MrChen on 07-25-200707:34 AM



  • 16.  RE: False Positive - Angry IP Scanner

    Posted Aug 29, 2007 12:13 PM
    We have been working with the BETA version of Symantec Endpoint Protection and so far I have not found a way to exclude the Angry IP Scanner.  Even after putting in exclusions for the tool it still won't allow me to execute it. 
     
    Any help would be appreciated, and also any news on when it might get reclassified.  This is a very useful tool that myself and many other IT professionals use on a daily basis and for it to suddenly get classified as a hack tool after being available for several years is very disappointing.
     
    Thanks,
     
     
    Tom


  • 17.  RE: False Positive - Angry IP Scanner

    Posted Sep 24, 2007 09:50 PM
    This evening while configuring a serial-to-wireless ip bridge on a medical device, I needed the ability to scan the scope after configuring the unit as it is using dhcp and there is no other way to determine the IP post configuration. To my anger and frustration, my ipscan tool was gone. I do not believe there is a valid excuse here for detecting my tools as dangerous. The idea that a tool designed to get information on a network is to be classified with the likes of viruses (which demonstrate no value to a computer user) is proposterous and an insult to my intellegence having chosen to have the tool on my computer only to have it removed like a parent taking a child's toy away. I have signed the petition to ask symantec to remove this definition (available here: http://www.petitiononline.com/angryip/petition.html ) and fully expect this to be remedied. This amounts to me a form of censorship and if it is not remedied, I hope to see a lawsuit soon. In the mean time, I have unfortunately disabled auto-protect this evening in order to use my tool, which by the way, effectively saved me easily hours while working on the bridges.
     
    In my organization, a 3 hospital system in Colorado, I have worked to ensure that Symantec was the standard, disallowing systems on my network unless they used Symantec, period. Over the past two years I have seen a degredation in the product, a larger footprint and a bloated profile, and now I am disappointed to have valid tools being removed. I personally would like this post to be placed in front of a development manager. My profile contains my contact information - please Symantec, don't hesitate to use it.


  • 18.  RE: False Positive - Angry IP Scanner

    Posted Sep 25, 2007 12:25 AM
    What ticks me off even more is that nearly identical tools such as those found here: http://www.radmin.com/  are not marked.  Symantec is clearly playing favorites and using its influence to promote one program over another for who knows what reason ($$$, perhaps?).  Sorry to say, but come October when our license expires and with several vendors knocking on our door, Symantec will be losing some 30 server and 350+ client licenses.  It's a shame too, because Endpoint Security looked promising.  But what good is a solution if it prevents you from doing other daily tasks? 
     


  • 19.  RE: False Positive - Angry IP Scanner

    Posted Oct 02, 2007 08:03 AM
    I'm still monitoring this issue as well and every time SAV tags ipscan for whatever reason, my disgust for symantec grows.  My push for another product is nearing. 
     
    Great petition, signed and sent to all the techs in my office.


  • 20.  RE: False Positive - Angry IP Scanner

    Posted Oct 02, 2007 11:36 AM

    Hi MrChen, HurricaneAndrew, TomRobinette, sb13, et al,

    Wow this has been going on for too long, sorry. I have only monitored the Symantec Endpoint Protection forum and stumbled over this threat now that Endpoint Protection is released and the forums merged. If at least one of you can disclose their real identify and provide me with a support case number (in a private message) I can escalate this.

    I hope we can find a solution soon.

    Carsten



  • 21.  RE: False Positive - Angry IP Scanner

    Posted Oct 02, 2007 09:24 PM
    We have the work around now for SEP, but you have to go in and setup an an exclusion for known risks and put a check mark for Angry IP Scanner.  The file exclusions don't seem to work.  Of course the other work around is to just remove Symantec and install a product that doesn't suddenly classify tools we use as security risks.  I hope Symantec will remove the tool from the list.
     
     


  • 22.  RE: False Positive - Angry IP Scanner

    Posted Oct 23, 2007 04:53 PM
    Here it is, 2 months later and still fighting to keep Angry IP Scanner.  Absolutly amazing that "retail" products are ok, but this open source is not.  Any IP scanner can be used as a hack tool, why target one?  Lets just block them all!


  • 23.  RE: False Positive - Angry IP Scanner

    Posted May 14, 2009 05:03 PM
    I've looked at the reasons here from Symantics staff as to why they quarentee angryIp and in the words of a associate of mine and others,.. Bullocks!

    I have to say that the lack of change or even awknowledgemet but the Symantic staff in just over a year and a half it illuminating.

    If this is a hack tool, than so is ping, ipconfig, netstat and nbtstat.  Angry IP was and is a nice small tool to look at what existed on the DCHP managed portions of our network, and has been instrumental in finding several rouge devices. 

    Other tools that work no better and are just as capable of abuse are let through.

    I've reached the point in my career where I can start recommending products and having those recommendations stick.  And I don't advise the use of Symantic products any longer.


  • 24.  RE: False Positive - Angry IP Scanner

    Posted May 14, 2009 05:11 PM
    I am not sure why this is just popping up for you now. 

    It really has nothing to do with the latest definitions... 

    I can tell you from Personal Experience, AngryIP is, as Symantec calls it a "known security risk".

    If you go to your centralized exceptions policy -> Add -> known risk -> AngryIP is in the list.

    I added this exception back when MR1 came out...



  • 25.  RE: False Positive - Angry IP Scanner

    Posted May 14, 2009 07:09 PM
    Well I don't see the fuss here at all. If people are so upset about angry ip getting flagged as a hacktool, then why don't you just make an exception for it? If this is something you really want to see changed in the product please visit http://engweb.symantec.com/enhancement/ and submit an enhancement request. Since you are pulling up a case that is over a year old I can't say for sure whether or not they will reconsider not flagging angry ip as a hacktool. Although I still don't see why it can't just be made an exception and have that be the end of it.
    Grant-



  • 26.  RE: False Positive - Angry IP Scanner

    Posted May 14, 2009 07:28 PM
    I quote:
    "
    MrChen 1 year 42 weeks ago
    To add insult to injury. I did the "other exclusion", but when SAV did a scan on the system, it picked it up anyways. So it looks like you have to do both exclusions.

    I realize there are other tools out there, but why is this one targeted? It's harmless, easy to find, doesn't require an install, easy to use, and is a quick download.

    Even though we have the exclusion(s) solution, I will not fight to keep SAV as our primary AV/SMS solution until this is corrected. I'm a consultant, Symantec Partner and I personally am the reason we use Symantec. New management is wanting to change it, but as the technical lead, I'll win the fight. I repeat, I will *NOT* fight the change to Trend Micro until this is corrected and we sell a lot of SAV licensing. Once the fight is lost, there's no switching back either.


    Message Edited by MrChen on 07-25-200707:34 AM
    "


  • 27.  RE: False Positive - Angry IP Scanner

    Posted May 14, 2009 07:32 PM
    Anyway. AngryIPScanner just pings and waits for a reply doesn't it? The info it displays is found in the ping result or nbtstat result.


  • 28.  RE: False Positive - Angry IP Scanner

    Posted May 14, 2009 07:40 PM
    This was over a year ago! And after reading this long thread more than a few times it seems that most were able to successfully exclude it from their systems, and the others just simply couldn't figure it out. I am sure (i would be glad to myself) that someone here at symantec could help them figure it out if they were having troubles. The point was that they felt that this shouldn't have been flagged in the first place. Well Paul gave the exact guidelines with what gets excluded and what doesn't . My point is that why bring this up after a year? This program can be handled as an exception, and if anyone needs help please call in or make a post and we can help. Personally I would rather have to add something as an exception than it not being flagged in the first place. For every single customer who would like to see it used as a legitimate tool and not be flagged, there are just as many who would rather see it just blocked. That is the purpose of exclusions.

    Grant-


  • 29.  RE: False Positive - Angry IP Scanner

    Posted May 14, 2009 07:41 PM
    I am not even sure if it still gets flagged by SEP. I don't have it installed myself. Again this post is very old.


  • 30.  RE: False Positive - Angry IP Scanner

    Posted May 15, 2009 07:54 AM
    And yet again, why not treat all applications that can perform the same scanning in the same manner? Why is AngryIPScanner different from any other commercial tool? As it is now, the Symantec classification system seems off base, at best.