Endpoint Protection

  • 1.  SAV 12.1, recent False Positives Bloodhound.Exploit.426, and NO RECORD OF WHAT 426 is?

    Posted Sep 16, 2011 01:59 PM

    A recent migration from 11.x to 12.1.6xx and maybe yesterday's DAT files have me scrambling to find this: Bloodhound.Exploit.426.

    A search for this description on SAV's website reveals nothing.  Are we being hit with false positives?  They seem to all be based around OFFICE (2007) files, or files created before 2k7 was here in my company (2k3, 2k etc).  We're seeing zero evidence of damage anywhere, but we can't just start deleting our docx's, xlsx's, and pptx's at the suggestion that "something" is present...

    Anyone else seeing this or are we unique?


    BWB



  • 2.  RE: SAV 12.1, recent False Positives Bloodhound.Exploit.426, and NO RECORD OF WHAT 426 is?

    Posted Sep 16, 2011 02:47 PM

    This may be a new detection with no writeup yet, but given what I know about Bloodhound (i.e. heuristic) detections my guess (speculation only at this point) is that these older files were probably created with an older version of the Office suite that had a known vulnerability.

    The latest Patch Tuesday blog entry mentions Office-related vulnerabilities almost exclusively. It's possible these detections are related. See: https://www-secure.symantec.com/connect/blogs/microsoft-patch-tuesday-september-2011

    sandra



  • 3.  RE: SAV 12.1, recent False Positives Bloodhound.Exploit.426, and NO RECORD OF WHAT 426 is?

    Posted Sep 16, 2011 04:27 PM

    I spoke with our security response team and they are looking for submissions for this detection. If you believe this is a false positive, please submit the file to the website below.

    https://submit.symantec.com/false_positive/
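Added example, not code from this thread or from Symantec: a small Python triage script that builds the record an administrator keeps while submitting suspected false positives like the ones above: the SHA-256 of the exact file, its size, and whether it is a 2007-style OOXML package or a pre-2007 OLE container (the thread mentions both kinds being flagged). The file names, the detection string and the sample files are constructed placeholders.

```python
import hashlib
import os
import tempfile
import zipfile

# Header of the legacy OLE2/CFB container used by pre-2007 .doc/.xls/.ppt files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

def sha256_of(path):
    """Hash the exact bytes flagged, so the submission record matches the sample."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def classify_office_file(path):
    """Identify the container type and, for OOXML packages, whether a VBA part exists."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == OLE_MAGIC:
        return {"container": "legacy-ole", "has_vba": None}
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
        is_ooxml = "[Content_Types].xml" in names   # required part of every OOXML package
        vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        return {"container": "ooxml" if is_ooxml else "zip", "has_vba": vba}
    return {"container": "unknown", "has_vba": None}

def inventory(paths, detection_name):
    """One record per flagged file: what the admin keeps alongside the submission."""
    rows = []
    for p in paths:
        row = {"path": p, "detection": detection_name,
               "size": os.path.getsize(p), "sha256": sha256_of(p)}
        row.update(classify_office_file(p))
        rows.append(row)
    return rows

def build_constructed_samples(dirpath=None):
    """Constructed stand-ins for flagged files (not real detections): a minimal OOXML
    package and a 512-byte file carrying only the legacy OLE header."""
    dirpath = dirpath or tempfile.mkdtemp()
    docx = os.path.join(dirpath, "budget-2003.docx")     # placeholder name
    with zipfile.ZipFile(docx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    doc = os.path.join(dirpath, "memo-2000.doc")         # placeholder name
    with open(doc, "wb") as fh:
        fh.write(OLE_MAGIC + b"\0" * 504)
    return [docx, doc]
```

Run `inventory(build_constructed_samples(), "Bloodhound.Exploit.426")` to see the two records; on a real share, pass the paths the quarantine log lists instead.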