Hi,
I've just downloaded fah-installer_7.6.13_x86.exe and when running it, Symantec Endpoint Protection (Version 14.2 RU2 build 5323) was triggered. Note: I ran LiveUpdate in advance of running the installer.
The outcome found in the logging:
Risk=WS.Reputation.1
Category=Malware
Risk Type / Sub Category=Insight Network Threat
Now this is not a hard detection, but still: based on what would the scanner get triggered? I cannot remember that I got this when installing previous version... and since the release history mentions that the core has not changed, I would not expect such a difference.
Regards,
Walter.
V7.6.13 detected as malware by Symantec Endpoint Protection
Re: V7.6.13 detected as malware by Symantec Endpoint Protect
The cores are not downloaded as part of the installer package. Most likely some random part of the binary code in the installer happens to match some "signature" that Symantec uses to detect a virus and triggered a false positive.
Re: V7.6.13 detected as malware by Symantec Endpoint Protect
It may be triggered as an unknown program. It is common for Symantec to trigger on new releases of programs that are not widely distributed.
Re: V7.6.13 detected as malware by Symantec Endpoint Protect
Welcome to the F@H Forum Eagles,
I believe that you might be able to report it as false positive so that Symantec can update their detection rules to fix this issue as it lies at their end.
Re: V7.6.13 detected as malware by Symantec Endpoint Protect
PantherX wrote: Welcome to the F@H Forum Eagles,
Thanks PantherX!
PantherX wrote: I believe that you might be able to report it as false positive so that Symantec can update their detection rules to fix this issue as it lies at their end.
@all: I also already felt that most likely this would be an issue at the Symantec's end, as more often with such heuristic type of scanning, but still wanted to hear your experiences to check whether something might indeed be wrong, which was not yet identified and notified here. Just being thorough.
@PantherX: Indeed I found after further investigations that possibility to report a false positive. First I hesitated to notify Symantec, because: how can I tell it's a false positive, or a possible infection by someone malicious who penetrated the server where the file resides for downloading... Just being thorough again
But then I considered that upon such heuristic detection, it's the responsibility of Symantec to judge upon an indicated false positive by an end-user. It should also better be called "supposedly false positive" and hence I indeed decided to enter it for investigation by them.
The reply in short: it's taken off the list of Symantec and should now not trigger the detection anymore.
The complete reply for those who are interested:
Symantec wrote: In relation to submission 204918.
Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:
File name: fah_installer_7.6.13_x86.exe
MD5: 814C540CF0413F3B405E1854EC3368C3
SHA256: 7618F1D98E1283442767F9735AE5F6C35A0C86B03C3AE62F45EE7BE59509EC3E
Note: Whitelisting may take up to 24 hours to take effect via Live Update
If detection persists, please contact support:
* Norton: https://support.norton.com/sp/en/us/home/current/info
* SEP: https://support.symantec.com/en_US/endp ... 54619.html
Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.
For more information on best practices to reduce false positives:
https://www.symantec.com/content/en/us/ ... .en-us.pdf
Sincerely,
Symantec Security Response
https://www.symantec.com/security-center
If somebody still:
* Can prove that something is wrong with the download after all, then add it here in the replies and notify F@H of course.
* Encounters that Symantec detects it as WS.Reputation.1 Insight Network Threat malware, then notify Symantec via link above.
Greetz,
Walter.
Re: V7.6.13 detected as malware by Symantec Endpoint Protect
Eagles wrote: ...First I hesitated to notify Symantec, because: how can I tell it's a false positive, or a possible infection by someone malicious who penetrated the server where the file resides for downloading... Just being thorough again
But then I considered that upon such heuristic detection, it's the responsibility of Symantec to judge upon an indicated false positive by an end-user. It should also better be called "supposedly false positive" and hence I indeed decided to enter it for investigation by them...
You can always ask for a second opinion... or in this case several opinions with a click away: https://www.virustotal.com/gui/file/761 ... /detection
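The question raised in this thread (is the local download the same file that Symantec cleared?) can be checked locally. The following PowerShell is an added example, not posted by any participant: it hashes a local copy of the installer, compares the result with the MD5 and SHA256 values quoted in Symantec's reply, and reports the Authenticode status. The download path is an assumption.

```powershell
# Added example: compare a downloaded installer against the hashes quoted in
# Symantec's reply in this thread. The default download path is an assumption.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\fah-installer_7.6.13_x86.exe"
)

# Values copied from the Symantec Security Response reply quoted in the thread.
$expected = @{
    MD5    = '814C540CF0413F3B405E1854EC3368C3'
    SHA256 = '7618F1D98E1283442767F9735AE5F6C35A0C86B03C3AE62F45EE7BE59509EC3E'
}

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Error "File not found: $Path"
    exit 2
}

$allMatch = $true
foreach ($alg in 'SHA256', 'MD5') {
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
    $match  = $actual -eq $expected[$alg]   # -eq on strings is case-insensitive
    if (-not $match) { $allMatch = $false }
    '{0,-7} {1}  {2}' -f $alg, $actual, $(if ($match) { 'match' } else { 'MISMATCH' })
}

# Authenticode status is reported for information only: the thread does not
# say whether the installer is signed, so the verdict below ignores it.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
'Signature status: {0}' -f $sig.Status
if ($sig.SignerCertificate) {
    'Signer: {0}' -f $sig.SignerCertificate.Subject
}

if ($allMatch) {
    'Same file that Symantec analysed in submission 204918.'
    exit 0
}
'Different file: the Symantec verdict does not cover this download.'
exit 1
```

A match shows only that the local copy is byte-identical to the file Symantec reviewed; a mismatch means their removal of the detection says nothing about that download.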