Video Screencast Help

SAV 12.1, recent False Positives Bloodhound.Exploit.426, and NO RECORD OF WHAT 426 is?

Created: 16 Sep 2011 | 2 comments

A recent migration from 11.x to 12.1.6xx and maybe yesterdays DAT files have me scrambling to find this: Bloodhound.Exploit.426.

A search for this description on SAV's website reveals nothing.  Are we being hit with false positives?  They seem to all be based around OFFICE (2007) files, or files created before 2k7 was here in my company (2k3, 2k etc).  We're seeing zero eveidence of damage anywhere, but we can't just start deleting our docx's,xlsx', and pptx's at the suggestion that "something" is present...

Anyway else seeing this or are we unique?


Comments 2 CommentsJump to latest comment

sandra.g's picture

This may be a new detection with no writeup yet, but given what I know about Bloodhound (i.e. heuristic) detections my guess (speculation only at this point) is that these older files were probably created with an older version of the Office suite that had a known vulnerability.

The latest Patch Tuesday blog entry mentions Office-related vulnerabilities almost exclusively. It's possible these detections are related. See:


Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Cameron_W's picture

I spoke with our security response team and they are looking for submissions for this detection. If you believe this is a false positive please submit the file to the website below.

If I was able to help resolve your issue please mark my post as solution.