Topic: OT : Symantec AV Defs 12/17/03 Rev 4 have False Positive.

AdmiralFrey_XC

  • Guest
OT : Symantec AV Defs 12/17/03 Rev 4 have False Positive.
« on: December 18, 2003, 08:13:58 pm »
Heyya, all, just to let you know.

I found today that the AV defs Symantec released for their AV dated 12/17/03 Rev 4 have a false positive for the backdoor.trojan.

They have released a quickfix def 12/18/03 Rev 19 that addresses this issue.

The problem is that if you have your AV Client / Server set to DELETE, files that are NOT infected will be deleted if a scan is run.

I spoke with Symantec, and identified the issue today after we received a large number of alerts once the new defs loaded.

I tested it with Symantec on the phone by utilizing the previous defs and performing a scan on the same files after restoring them from quarantine. They checked out virus free. To detect the backdoor.trojan virus, the virus defs must be older than 1998, so we felt like that was a pretty clear indicator. When the new AV defs were ready, I downloaded them to the specific servers, and re-scanned the files. Again, no infections found.

Thought I'd let my virtual reality family know.

Regards,


E_Look

  • Guest
Re: OT : Symantec AV Defs 12/17/03 Rev 4 have False Positive.
« Reply #1 on: December 18, 2003, 09:50:26 pm »
Why, thank you very much.  My Symantec firewall has been giving me a ton of these alerts now for MONTHS!  You think that there may be other similar errors still uncaught?

AdmiralFrey_XC

  • Guest
Re: OT : Symantec AV Defs 12/17/03 Rev 4 have False Positive.
« Reply #2 on: December 18, 2003, 10:05:34 pm »
Actually, while looking through some related articles on the Symantec website I browsed through a few things that might help you.

Try searching for the backdoor.trojan, then search the description for information regarding that virus and Symantec's firewall software.

It's also possible that the alerts you're receiving are from getting port probed at the particular port that trojan is known for utilizing. That's a good thing, as your firewall is doing what's intended.

Regards,

Warden

  • Guest
Re: OT : Symantec AV Defs 12/17/03 Rev 4 have False Positive.
« Reply #3 on: December 19, 2003, 05:00:41 am »
Thanks for the notice, Admiral Frey.
