V7.6.13 detected as malware by Symantec Endpoint Protection

Eagles
Posts: 2
Joined: Fri Apr 03, 2020 12:17 pm

Post by Eagles »

Hi,

I've just downloaded fah-installer_7.6.13_x86.exe and when running it, Symantec Endpoint Protection (Version 14.2 RU2 build 5323) was triggered. Note: I ran LiveUpdate in advance of running the installer.
The outcome found in the logging:
Risk=WS.Reputation.1
Category=Malware
Risk Type / Sub Category=Insight Network Threat

Now this is not a hard detection, but still: based on what would the scanner get triggered? I cannot remember that I got this when installing the previous version... and since the release history mentions that the core has not changed, I would not expect such a difference.

Regards,
Walter.
Joe_H
Site Admin
Posts: 7951
Joined: Tue Apr 21, 2009 4:41 pm
Hardware configuration: Mac Pro 2.8 quad 12 GB smp4
MacBook Pro 2.9 i7 8 GB smp2
Location: W. MA

Re: V7.6.13 detected as malware by Symantec Endpoint Protect

Post by Joe_H »

The cores are not downloaded as part of the installer package. Most likely some random part of the binary code in the installer happens to match some "signature" that Symantec uses to detect a virus and triggered a false positive.

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
jrweiss
Posts: 704
Joined: Tue Dec 04, 2007 6:56 am
Hardware configuration: Ryzen 7 5700G, 22.40.46 VGA driver; 32GB G-Skill Trident DDR4-3200; Samsung 860EVO 1TB Boot SSD; VelociRaptor 1TB; MSI GTX 1050ti, 551.23 studio driver; BeQuiet FM 550 PSU; Lian Li PC-9F; Win11Pro-64, F@H 8.3.5.

[Suspended] Ryzen 7 3700X, MSI X570MPG, 32GB G-Skill Trident Z DDR4-3600; Corsair MP600 M.2 PCIe Gen4 Boot, Samsung 840EVO-250 SSDs; VelociRaptor 1TB, Raptor 150; MSI GTX 1050ti, 526.98 driver; Kingwin Stryker 500 PSU; Lian Li PC-K7B. Win10Pro-64, F@H 8.3.5.
Location: @Home

Re: V7.6.13 detected as malware by Symantec Endpoint Protect

Post by jrweiss »

It may be triggered as an unknown program. It is common for Symantec to trigger on new releases of programs that are not widely distributed.
Ryzen 7 5700G, 22.40.46 VGA driver; MSI GTX 1050ti, 551.23 studio driver
Ryzen 7 3700X; MSI GTX 1050ti, 551.23 studio driver [Suspended]
PantherX
Site Moderator
Posts: 6986
Joined: Wed Dec 23, 2009 9:33 am
Hardware configuration: V7.6.21 -> Multi-purpose 24/7
Windows 10 64-bit
CPU:2/3/4/6 -> Intel i7-6700K
GPU:1 -> Nvidia GTX 1080 Ti
§
Retired:
2x Nvidia GTX 1070
Nvidia GTX 675M
Nvidia GTX 660 Ti
Nvidia GTX 650 SC
Nvidia GTX 260 896 MB SOC
Nvidia 9600GT 1 GB OC
Nvidia 9500M GS
Nvidia 8800GTS 320 MB

Intel Core i7-860
Intel Core i7-3840QM
Intel i3-3240
Intel Core 2 Duo E8200
Intel Core 2 Duo E6550
Intel Core 2 Duo T8300
Intel Pentium E5500
Intel Pentium E5400
Location: Land Of The Long White Cloud

Re: V7.6.13 detected as malware by Symantec Endpoint Protect

Post by PantherX »

Welcome to the F@H Forum Eagles,

I believe that you might be able to report it as a false positive so that Symantec can update their detection rules to fix this issue as it lies at their end.
ETA:
Now ↞ Very Soon ↔ Soon ↔ Soon-ish ↔ Not Soon ↠ End Of Time

Welcome To The F@H Support Forum Ӂ Troubleshooting Bad WUs Ӂ Troubleshooting Server Connectivity Issues
Eagles

Re: V7.6.13 detected as malware by Symantec Endpoint Protect

Post by Eagles »

PantherX wrote: Welcome to the F@H Forum Eagles,
Thanks PantherX!
PantherX wrote: I believe that you might be able to report it as a false positive so that Symantec can update their detection rules to fix this issue as it lies at their end.
@all: I also already felt that most likely this would be an issue at Symantec's end, as is more often the case with such heuristic types of scanning, but I still wanted to hear your experiences to check whether something might indeed be wrong, which was not yet identified and notified here. Just being thorough.
@PantherX: Indeed, after further investigation I found that possibility to report a false positive. First I hesitated to notify Symantec, because: how can I tell it's a false positive, or a possible infection by someone malicious who penetrated the server where the file resides for downloading... Just being thorough again :wink:
But then I considered that upon such heuristic detection, it's the responsibility of Symantec to judge upon an indicated false positive by an end-user. It should also better be called "supposedly false positive" and hence I indeed decided to enter it for investigation by them.

The reply in short: it's taken off the list of Symantec and should now not trigger the detection anymore.

The complete reply for those who are interested:
Symantec wrote: In relation to submission 204918.

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

File name: fah_installer_7.6.13_x86.exe
MD5: 814C540CF0413F3B405E1854EC3368C3
SHA256: 7618F1D98E1283442767F9735AE5F6C35A0C86B03C3AE62F45EE7BE59509EC3E
Note: Whitelisting may take up to 24 hours to take effect via Live Update

If detection persists, please contact support:
* Norton: https://support.norton.com/sp/en/us/home/current/info
* SEP: https://support.symantec.com/en_US/endp ... 54619.html

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

For more information on best practices to reduce false positives:
https://www.symantec.com/content/en/us/ ... .en-us.pdf


Sincerely,
Symantec Security Response
https://www.symantec.com/security-center
If somebody still:
  * Can prove that something is wrong with the download after all, then add it here in the replies and notify F@H of course.
  * Encounters that Symantec detects it as WS.Reputation.1 Insight Network Threat malware, then notify Symantec via the link above.
But my guess is it will be 'case closed' with this.

Greetz,
Walter.
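
The Symantec reply quoted in the post above identifies the cleared file by MD5 and SHA256, so a local copy can be compared against exactly those values. The following Python sketch is an added example, not part of the original posts; its function names are hypothetical, and a match shows only that a local file is byte-for-byte the one Symantec analysed.

```python
import hashlib
import re

# Values copied from the Symantec reply quoted in the post above. The file
# name in the reply differs slightly from the name in the first post, so the
# comparison is made on the hashes, never on the name.
VENDOR_REPLY = """\
File name: fah_installer_7.6.13_x86.exe
MD5: 814C540CF0413F3B405E1854EC3368C3
SHA256: 7618F1D98E1283442767F9735AE5F6C35A0C86B03C3AE62F45EE7BE59509EC3E
"""

DIGEST_LENGTHS = {"md5": 32, "sha256": 64}  # hex characters per algorithm


def parse_cleared_hashes(reply_text):
    """Return {algorithm: lowercase hex digest} from 'MD5: ...' style lines."""
    found = {}
    for line in reply_text.splitlines():
        m = re.fullmatch(r"\s*(MD5|SHA256)\s*:\s*([0-9A-Fa-f]+)\s*", line)
        # Reject truncated or padded values instead of comparing against them.
        if m and len(m.group(2)) == DIGEST_LENGTHS[m.group(1).lower()]:
            found[m.group(1).lower()] = m.group(2).lower()
    return found


def file_digests(path, algorithms, chunk_size=1 << 20):
    """Hash the file once, in chunks, with every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_cleared_file(path, reply_text=VENDOR_REPLY):
    """True only if every hash listed in the reply matches the local file.

    A SHA256 value is required; an MD5 match on its own is not accepted.
    """
    cleared = parse_cleared_hashes(reply_text)
    if "sha256" not in cleared:
        raise ValueError("reply contains no usable SHA256 value")
    actual = file_digests(path, tuple(cleared))
    return all(actual[alg] == digest for alg, digest in cleared.items())
```

A mismatch means the local installer is a different build or a modified file, in which case the removal of the detection described in the reply does not apply to it.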
PantherX

Re: V7.6.13 detected as malware by Symantec Endpoint Protect

Post by PantherX »

Eagles wrote: ...First I hesitated to notify Symantec, because: how can I tell it's a false positive, or a possible infection by someone malicious who penetrated the server where the file resides for downloading... Just being thorough again :wink:
But then I considered that upon such heuristic detection, it's the responsibility of Symantec to judge upon an indicated false positive by an end-user. It should also better be called "supposedly false positive" and hence I indeed decided to enter it for investigation by them...
You can always ask for a second opinion... or in this case several opinions with a click away: https://www.virustotal.com/gui/file/761 ... /detection