
Flash Player - False Positive

Created: 28 Jan 2010 • Updated: 30 Jul 2010 | 50 comments

"Paul J" brought this up in another thread, but to give it more visibility, I'm starting a new one. 

We're getting inundated with "install_flash_player.exe" being detected as a Trojan.Horse.

Come on Symantec!  Is there a rapid release for this?


sthakrar12's picture

Same here "install_flash_player.exe" being detected as a Trojan.Horse
And "notes6assoc.exe " being detected as Trojan Horse as well.
Which we know is False Positive...
Agreed, need an update from Symantec SOON...!!

Will Wally's picture

500+ newly infected in SEPM. All are "install_flash_player.exe" detected as a Trojan Horse. I opened a case with Symantec support and have been on hold for 87 minutes!

John_Prince's picture

Greetings,

What is the date of your virus definitions? 

Also, where are you getting the install_flash_player.exe file?

I just went to adobe.com and downloaded AdobeFlash with definitions dated January 27th, 2010 r49 and I am not getting any detections.

I tried one Win 2k8 and got a file called install_flash_player_ax.exe and I tried on WinXP and got the install_flash_player.exe file.

Install_flash_player_ax.exe
Version: 10.0.42.34
1.86Mb

Install_flash_player.exe
Version: 10.0.42.34
1.83Mb

Remote Product Specialist, Business Critical Services, Symantec

jlevitsk's picture

I don't know how many here have UK offices but I am seeing spotify.exe caught and it is showing as Trojan Horse.... but it's the legit app...

At least one security risk found:

Risk name: Trojan Horse

File path: C:\Program Files\Spotify\spotify.exe

Event time: 2010-01-28 15:41:09 GMT

Database insert time: 2010-01-29 09:18:58 GMT

cgrubbe's picture

Seeing the same thing here, only a handful though.  Looks like it started after we got 01-27-2010 rev. 049 defs early this morning.

@Will 
We all feel your pain.  Hope the hold music is good!

jsuser's picture

In my case, I have the same definitions (January 27th, 2010 r49) and I also went to adobe and downloaded the file and it wasn't detected.  I haven't been able to get my hands on one of the files being detected.  One of the users said this was a file that had been on his machine for a while, so it could be an older version that's being detected vs the latest version being downloaded from Adobe.

Will Wally's picture

SEPM reports definitions are 2010-01-27 rev. 049

John_Prince's picture

Greetings Will Wally,

Could you or any of you other people that are getting this detection go to the install file, right click it and go to details so I can see the version?

Remote Product Specialist, Business Critical Services, Symantec

snoopy316's picture

Hi All,

I have seen a bunch of computers report back to have the "Install_Flash_Player.exe" as a trojan.

The weird thing is.. we do deploy flash player to all the computers in the office. We are deploying version 10.0.42.34, however this has been setup as a GPO and I've been deploying this version since the day it came out, about 1 month ago, maybe longer. Today is the first time we are receiving virus alerts about "Install_Flash_Player".

Attached is a screen shot (ScreenShot304.png).

Will Wally's picture

John,

The file being detected is in c:\users\%username%\downloads. As soon as I click on the downloads folder, the file deletes automatically. The date on the file is 6-3-2009. The file size is 1,835kb. Can't right click because it deletes too fast. Some computers show the file as 0 bytes. The 0 byte file allows me to right click but it does not show any version data, only that the file was modified today. Weird.

David_Speer's picture

Identical issue:
Definition version 2010-01-27 rev 049

Virus Def: 2010-01-27 rev. 049
TruScan Def: 2010-01-19 rev. 00

twilliams75's picture

I am seeing the same results on about 10 out of 300 PCs.  All of the files show as 0 bytes, and date back to somewhere between April and May. 

Same defs as everyone else - 2010-01-27 rev 049

P_K_'s picture

Please submit the file to https://submit.symantec.com/websubmit/gold.cgi

Title: 'Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe'
Document ID: 2010010319585948
Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2010010319585948?Open&seg=ent

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Mordac the Preventer's picture

I went to http://kb2.adobe.com/cps/142/tn_14266.html which contains older versions of Flash.
I downloaded the flash 10 zip and extracted it.  
The file in this archive getting detected is named flashplayer10r22_87_win.exe.

I submitted to symantec, so hopefully this will get taken care of soon.

AspenAdmin's picture

We are getting the same thing.  A few but not a lot.  install_flash_player.exe is being detected as a "Trojan Horse".  Pretty generic and it is quarantining the file.

P_K_'s picture

Please submit the file, call support and log a case; it may be a false positive.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

jess1234's picture

On 7 of our computers.

install_flash_player(3).exe Trojan Horse Cleaned File     SYSTEM Cleaned C:\Documents and Settings\user\Desktop\ Clean security risk Quarantine Auto-Protect scan The file was repaired successfully. 1/28/2010 3:05
install_flash_player(3).exe Trojan Horse Quarantined File     SYSTEM Infected Quarantine Clean security risk Quarantine Auto-Protect scan The file was quarantined successfully. 1/28/2010 3:05
install_flash_player(2).exe Trojan Horse Log only File     SYSTEM Log only C:\Documents and Settings\user\Desktop\ Clean security risk Quarantine Auto-Protect scan The file was left unchanged. 1/28/2010 3:05
install_flash_player(2).exe Trojan Horse Quarantined File     SYSTEM Infected Quarantine Clean security risk Quarantine Auto-Protect scan The file was quarantined successfully. 1/28/2010 3:05
install_flash_player(3).exe Trojan Horse Quarantined File     SYSTEM Infected Quarantine Clean security risk Quarantine Auto-Protect scan The file was quarantined successfully. 1/28/2010 9:08

jess1234's picture

Showing still infected after second scan, these are the file location:

Risk | Risk Count | Status | Last Updated | Domain | Server | Group | File / Entry
Trojan Horse | 1 | | 01/28/2010 09:41:14 | | | | c:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP148\A0018423.exe
Trojan Horse | 1 | | 01/28/2010 09:41:14 | | | | c:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP148\A0018422.exe
Trojan Horse | 1 | | 01/28/2010 08:58:29 | | | | c:\System Volume Information\_restore{F4241134-68B1-4307-83B6-3A694DD58F31}\RP625\A0068594.exe
Trojan Horse | 1 | | 01/28/2010 09:52:32 | | | | c:\System Volume Information\_restore{F4241134-68B1-4307-83B6-3A694DD58F31}\RP625\A0068593.exe
Trojan Horse | 1 | | 01/28/2010 09:52:35 | | | | c:\System Volume Information\_restore{F4241134-68B1-4307-83B6-3A694DD58F31}\RP625\A0068594.exe
Trojan Horse | 1 | | 01/28/2010 08:58:26 | | | | c:\System Volume Information\_restore{F4241134-68B1-4307-83B6-3A694DD58F31}\RP625\A0068593.exe

snoopy316's picture

I ran a virus scan on both installer files that we deploy to the company and they both came back clean. I'm not sure what the 'Install_flash_player' is, but it was not from anything that we deployed.

Will Wally's picture

Submitted the file, but still cannot get through to support. I have a case open after over 2 hours of hold time I was disconnected. I received the automated response back that the file I uploaded to Symantec was clean. It has to be a false positive.

John_Prince's picture

Greetings,

Do you have the tracking number from that reply?

Remote Product Specialist, Business Critical Services, Symantec

John_Prince's picture

Greetings,

If any of you can get a file that is not 0 bytes and is getting detected as Trojan Horse:

-Click Start > Run > type: cmd > hit Enter or OK
-Navigate to C:\Program Files\Symantec\Symantec Endpoint Protection
-Type the following command:

checksum.exe C:\Path to Installer\install_flash_player.exe C:\textfile.txt

-Check the C:\textfile.txt and reply back with the MD5 hash that is in the file.

Remote Product Specialist, Business Critical Services, Symantec

John_Prince's picture

Greetings,

I did a quick check and currently this is the only version I can see being detected:

Version: 10.0.22.87
MD5: 51f26c0051e97a91145971fe5bc632ff

It's possible we may be detecting others though I do not see them yet. It certainly appears to be a false-positive, I would request you submit any of these to us.

Right now it appears most of the submissions coming in on this are 0Kb files which means Endpoint already removed the code from the file. We would need some files that have not been cleaned by Symantec for us to check them manually to verify their status.

Remote Product Specialist, Business Critical Services, Symantec

John_Prince's picture

Greetings Will,

Submission 14671450
install_flash_player.exe

MD5: d41d8cd98f00b204e9800998ecf8427e
File Size:      0 bytes
File Type:     Empty file
GNU Win32 File Type:     empty

This is why it came back clean.

Remote Product Specialist, Business Critical Services, Symantec
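The checksum step a few replies up and the empty-file submission result in this reply are two halves of one check: hash the sample before submitting it, and if it is 0 bytes (its MD5 will be exactly d41d8cd98f00b204e9800998ecf8427e) there is nothing left for the vendor to analyse. The following Python is an added example, not code from this thread or from Symantec; it stands in for SEP's checksum.exe with the standard hashlib module, uses the hash and size reported for the 10.0.22.87 installer as its only known-false-positive entry, and classifies constructed sample files rather than real installers.

```python
"""Pre-submission triage for a suspected false positive (added example).

Hashes a file the way the thread's checksum step does, recognises the 0-byte
remnant that SEP leaves after cleaning, and matches against a small table of
hashes already identified as false positives.
"""
import hashlib
import os
import tempfile

# MD5 of zero bytes: any file SEP has already emptied hashes to this value.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Hash and size reported in the thread for the wrongly flagged installer
# (Flash Player 10.0.22.87). Maps MD5 -> (version, expected size in bytes).
KNOWN_FALSE_POSITIVES = {
    "51f26c0051e97a91145971fe5bc632ff": ("10.0.22.87", 1878888),
}


def md5_bytes(data):
    """Hex MD5 of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk_size=64 * 1024):
    """Hex MD5 of a file, read in chunks so multi-megabyte installers never sit in memory whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def classify_sample(path, known_fp=KNOWN_FALSE_POSITIVES):
    """Return hash, size and a verdict for one file.

    Verdicts:
      'empty'    - 0-byte remnant after cleaning; submitting it only proves an
                   empty file is clean (as the 14671450 submission did)
      'known_fp' - hash and size match a published false-positive entry
      'submit'   - non-empty and unrecognised: worth sending in for analysis
    """
    size = os.path.getsize(path)
    digest = md5_file(path)
    if size == 0 or digest == EMPTY_MD5:
        verdict = "empty"
    elif digest in known_fp and size == known_fp[digest][1]:
        verdict = "known_fp"
    else:
        # A hash match with the wrong size is treated as unrecognised rather than trusted.
        verdict = "submit"
    return {"path": path, "md5": digest, "size": size, "verdict": verdict}


def classify_bytes(data, known_fp=KNOWN_FALSE_POSITIVES, name="sample.exe"):
    """Write constructed bytes to a temp file and classify it (convenience for tests/demos)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(data)
        return classify_sample(path, known_fp)


def demo():
    """Classify two constructed samples: a cleaned 0-byte file and a non-empty stand-in."""
    # Constructed contents; neither is a real installer.
    return [
        classify_bytes(b"", name="install_flash_player.exe"),
        classify_bytes(b"MZ" + b"\x00" * 1024, name="install_flash_player(2).exe"),
    ]


if __name__ == "__main__":
    for result in demo():
        print(f"{result['verdict']:9} md5={result['md5']} size={result['size']} {result['path']}")
```

Run it against the actual quarantine or download path with `classify_sample(r"C:\Path to Installer\install_flash_player.exe")`; a verdict of `empty` means the box has already cleaned the file and another machine's copy is needed for a useful submission.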

John_Prince's picture

Greetings net-user,

It absolutely can, that's why we are looking for submissions. The MD5 hash that we are detecting right now appears to be a legitimate Adobe file though I cannot say whether thats the same file on all of your machines. If we can get some samples we can verify this is the case or not and change the detection as appropriate.

Remote Product Specialist, Business Critical Services, Symantec

net-user's picture

According to the link, the Adobe flash installer file itself is not the problem, but is a red herring to distract you from finding the real infected files.
In that case, I would expect that you won't find any trojan in the submitted files.

Will Wally's picture

Net-user - This is the link Symantec emailed me when I opened my case earlier today. Unfortunately, the file is not being detected as Infostealer.Ebod but simply as "Trojan Horse".

Niners77's picture

Hey folks,

I submitted two files - one was 0k, the other 1.8MB - tracking # 14671522

filename: install_flash_player.exe
machine: Machine
result: This file is clean

filename: install_flash_player(2).exe
machine: Machine
result: This file is clean 

The first one is an empty file - 0k. The (2) file wasn't gone and it turned up OK, with both Symantec, Virustotal.com and virusscan.jotti.org.

However I don't like that the files in question seem to be gone...so we can't get a good read on them. We are approaching 500 machines with this here at my work. 

It looks like we're showing four (4) newer AV defs in our SEPM...but with only one machine having each:
28 rev007
28 rev 005
28 rev 001
27 rev 057

Then we have ~ 14,000 with 'All Others' - meaning mostly 27 rev 049

Kirk...

John_Prince's picture

Greetings,

Submission 14671522
install_flash_player.exe

MD5: 16c6b4b8326a63a99f4250c7585bba7c

This appears to be version 10.0.32.18 of Flash which I show we do not currently detect.

So far, version 10.0.22.87 (MD5: 51f26c0051e97a91145971fe5bc632ff) with a file size of 1878888 bytes appears to be the culprit.

Remote Product Specialist, Business Critical Services, Symantec

Will Wally's picture

It is definitely with Adobe Flash Player Version: 10.0.22.87. I just imaged a fresh computer with an image we had built back in June 2009. It has Flash player version 10.0.22.87. As soon as I executed Flash Player, the SEP client detected and deleted the file.

John_Prince's picture

Greetings,

Our Security Response is addressing this issue right now, as soon as I have something further I will report back. Thank you all for providing the information that you did!

Remote Product Specialist, Business Critical Services, Symantec

ajurison's picture

Download the archived Flash Players Directly from Adobe:

http://fpdownload.macromedia.com/get/flashplayer/installers/archive/fp10_archive.zip

This file has every old version of Flash 10x available.

Unzip the file; and you'll get flagged on:

fp10_archive\fp10_archive\10r22_87\flashplayer10r22_87_win.exe

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan Horse

Niners77's picture

Yep - looks like SEP removed that file from the unzipped folder...all others seem to be intact.

Thanks for the link.

Dan Odle's picture

First thing I thought when I saw a few machines today report install_flash_player.exe as a virus was false positive. Glad to see I was correct. Now to sit and wait for an updated file to resolve this.

Mick2009's picture

Just adding this article to the thread, not specific to this individual file......:

Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe

Thanks and best regards,

Mick


sandeep_sali's picture

The Security response team is aware of the issue and working on it. Will keep this information updated.

Thanks & Regards

Sandeep C Sali

John_Prince's picture

Greetings,

We are in the process of releasing Rapid Release definitions right now to address this. Definitions dated 1/28/2010 rev. 20 (sequence 106382) should no longer detect Adobe Flash as a Trojan Horse.

These definitions will be automatically downloaded to your Endpoint at some point later today/early tomorrow. If you absolutely need this false positive fixed now you can get updated definitions manually at the following:

ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_c...

Please ensure you are accessing the folder number equal to or greater than 106382. Right now we are filling this folder with updated definitions and should be finished shortly.

Here are the steps to update with the Rapid Release definitions, please be aware I would only recommend this in a scenario where this absolutely needs to be updated:
http://service1.symantec.com/SUPPORT/ent-security....

As far as we are seeing, this only affects the installer for Adobe Flash and not the actual functionality of it. Those with the affected version of Flash already installed will not see anything other than the installer disappearing.

On a side note, Adobe Flash is one way viruses can infect your network. This product gets updated frequently to address vulnerabilities, if you have this false positive detection I would recommend updating your images/installs with the latest version of Adobe Flash as well.

If you are still experiencing the detections after updating to the above definition date please do open a case with Symantec so we can investigate further.

Remote Product Specialist, Business Critical Services, Symantec

dimitri limanovski's picture

John,
When are certified definitions planned to be released for this? Rapid Release definitions aren't always the safest thing to roll out across the enterprise.
Thanks!

Orla's picture

I can confirm that unfortunately we did have an FP on an older version of the Adobe Flash Player Plugin Installer. The version affected is 10.0.22.87. The detection was first introduced in definitions version 20100127.039. It has now been corrected in Rapid Release definitions version 20100128.020. LiveUpdate definitions will be available later today. Once the corrected definitions have been applied, the file can be restored from quarantine.

Our sincere apologies for any inconvenience caused.

Orla
Symantec Security Response

teiva-boy's picture

On one side, Flash is the most buggy and insecure thing that is in widespread use to date!  I am secretly smiling inside that Symantec is blocking it.  LOL

On the other hand, it is a legitimate app that is in wide spread use...  

We should also just convert to Microsoft SilverLight...  Just kidding.

There is an online portal, save yourself the long hold times. Create a ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com

"We backup data to restore, we don't backup data just to back it up."

Dan Odle's picture

Sounds good to me. I'm for everyone dropping flash and moving to silverlight.

Niners77's picture

With the Rapid Release defs via a SEPM? Anyone try that yet? :) 

ajurison's picture

Now that this issue looks to be resolved soon, I've got a question...

Since this was involving the installer, not the actual installation of Flash, I got to thinking about this.  This version that it was detecting was from Feb 2009.

In the 100+ cases I had of detection of this the installer was never executed.  It appears that the new AV Updates came into the system and then SEP found it and Quarantined it.

Our systems are set to have an automatic scan once a week on Mondays. 

If nobody executed the installer, and a system scan wasn't supposed to be until Monday... how did SEP detect this?

Does SEP do a system scan when a new AV update comes in?  There are no log entries indicating it's doing that.

It just seems that these detections shouldn't have occurred without a full system scan or someone or something executing the file.

Thoughts?

dimitri limanovski's picture

When new definitions are loaded, memory and all the usual loadpoints (as well as items in quarantine) are re-scanned using the new defs. This is how it's been catching it, I think.

Mibdragon82's picture

I noticed a couple of the other posts had detections for similar A*.exe files located in "c:\System Volume Information". I did some searching and found that this is for systems with System Restore enabled. I'm assuming that these files are remnants of the Adobe Flash install that is being detected, files that would be used by System Restore. Is it safe to assume that? I would try to check the file properties, but it was already deleted by the scan. Is there another way I can verify these files by chance?

P_K_'s picture

Please update your virus definition to 1/28/2010 rev. 20 and above and it will take care of the False Positive detection.

Download the rapid release from ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

tborger's picture

BTW: where can I send such files like in this case the flash_player_install.exe, so that Symantec can take the required tests to decide false positive or not?!

jeffrey's picture

Get ready, now Microsoft DirectX Installer is being detected. (admin installed the .exe detected and confirmed it installed Microsoft DirectX). Today's latest defs (1-29-2010) are now hitting the standalone Microsoft DirectX installer .exe files.  Have no idea what version and don't have time to find out (it's coming from an offsite location also dealing with the Flash false positives)

Symantec-  I thought you QC'd your defs before releasing??? I'd hate to be using Rapid Release defs because if your QC'd defs are starting to be this bad (this seems like a new trend), I feel sorry for those that are using Rapid Release. Unfortunately, I don't have time chasing all these false positives and submitting. (too busy responding to all the alerts from the field on the flash detections) 

Symantec Antivirus is now acting like a virus itself deleting/quarantining legitimate files if you think about it.   

First the Dec 31, 2009 def issues, now this.  I realize there's a lot that goes on in definition creation but I would think that such common software like Flash and DirectX wouldn't make it past QC.  When you have networks of 20,000 systems + it's a real pain to deal with.  Please relook your QC process.  Last thing I want to do is push out Rapid Release defs for something that's not even a threat (if your current QC'd defs catch legit software, I can't imagine what today's Rapid release defs would do).  We only would use Rapid release in the event of a rapidly progressing threat.  This is just an annoyance, thank goodness. 

If you add up the manhour costs these mistakes are costing companies world wide, you're definitely in the millions of $$$$. And now legit threats are being intermingled with false positives of legit popular software.  Our jobs are time consuming enough to have to worry about this now. I hope this is just a temp problem (ie. new guy working on the def creation team) and not something we can expect more of.

Sorry for the rant but I'm sure you understand the frustration. Now back to work responding to scared users and system admins asking about the flash and directx detections....