Endpoint Protection

  • 1.  SAV10 false positive or not?

    Posted Jan 26, 2010 01:50 PM
    Hi,

    Has this occurred to you?

    "If you’ve ever been affected by a virus definition file update that’s flagged an app or a file that you use as a problem, you know how frustrating it can be.  If you haven’t, consider yourself fortunate.  There has just been a virus file definition update that has flagged some code used by our products as problematic.  RSRunner.exe is a file used by our Performance Analysis products, and is a Delphi executable we use to schedule and generate reports.  The file has been used by the client application for over 5 years without issue, but – perhaps because the name is similar to a Trojan called SRunner.exe – the file is being quarantined in some environments."



    http://questkb.com/2010/01/22/we-are-sparta-but-theres-no-trojan-horse/

    Thanks,


  • 2.  RE: SAV10 false positive or not?

    Posted Jan 26, 2010 01:55 PM
    There are no false positives with Delphi and Symantec. Even if there is a detection, it might not be a false positive.
    https://www-secure.symantec.com/connect/blogs/delphi-falls-prey


  • 3.  RE: SAV10 false positive or not?

    Posted Jan 26, 2010 02:15 PM
    The article says that the Delphi compiled files are detected as W32.Induc.A or its variants. In this case, the detection is a Trojan Horse, and what's weird is that it was spotted only a few days ago and never triggered anything before.

    Thanks for your answer.


  • 4.  RE: SAV10 false positive or not?

    Posted Feb 06, 2010 11:05 PM
    I got a response from Symantec.

    We have analyzed your submission. The following is a report of our findings for each file you have submitted:
     
    filename: C:\Users\Desktop\RSRunner.zip
    machine: Machine
    result: See the developer notes
     
    filename: RSRunner.exe
    machine: Machine
    result: NAV is falsely identifying this file as a virus

    Developer notes:
    C:\Users\Desktop\RSRunner.zip is a container file of type ZIP
    RSRunner.exe is falsely identified as malicious. To fix this problem, please install the latest available definitions by following the instructions at the end of this email message. This file is contained by C:\Users\Desktop\RSRunner.zip


    So, it's a false positive after all.


  • 5.  RE: SAV10 false positive or not?

    Posted Feb 07, 2010 12:25 AM
    Hello Mitacus,

    thanks for sharing valuable information, yes a false positive :)


  • 6.  RE: SAV10 false positive or not?

    Posted Feb 07, 2010 06:52 AM
    So it's a false positive only with NAV and not SAV/SEP?