5805 & 5807 Definitions disable Symantec NAV

Guest

Version 5805 definitions from 2/10/2006 display a false positive threat
"PWS.Bancos.A Password Stealer". If you choose to fix the problem, many
Symantec AntiVirus registry entries are deleted and the Symantec AV becomes
non-operable. It must then be manually removed and re-installed.

This has been observed to happen on multiple PCs with Symantec AntiVirus
Corporate Edition v8.x installed. With Windows XP, if you have a recent
system restore point, you can roll back to that and the problem is fixed.

I just finished a scan with the 5807 version and it has the same false
positive.

Beware!
 
Bill Sanderson

David--any chance you can go to Help, about, and hit the diagnostics button,
and report the line ending in a pair of numbers separated by a /?

162/162 for example.

Are these numbers equal?

If not, please try File, check for update, and repeat the above process--see
if you can get the two numbers equal, and then recheck the false positive.

I'm looking for a clear report of the FP persisting even when these two
numbers--whatever they are--are equal--i.e. clearly 5807 is in place.
 
Guest

Bill,

Here's what it says ...
Definitions Increment Version: 158/160

I've tried re-updating multiple times, and although it seems to keep
re-applying the update, the numbers still stay at 158/160
 
Guest

Ok, the diagnostics indicate 160/160 now (signature file 5807). After
re-booting, I ran a quick scan, and it still detects a High Level "threat".
However, the threat no longer has the name of "PWS.Bancos.A". It just
displays as "()". It still has detected the same Symantec registry entries.
The recommended action is set to "Ignore", though.

Looks like the defs need some more work.
 
Bill Sanderson

Thanks, David--that's useful info, I think. Can you say what version of
Symantec Corporate is involved? And am I correct in thinking that you've
not done any cleaning--i.e. all is still working correctly--so this is a
detection of a normal install of the Symantec Corporate version on your
machine?

--
 
Bill Sanderson

David--here's a Diagnostics print from a user who has found that 5807 has
fixed this issue for him.
There are four lines relating to Definitions with sizes and the
160/160--can you confirm whether or not all four of those match what you are
seeing on your system?

--------
Bill is correct. It looks like it is truly fixed. There must have been some
glitch in the update mechanism.

I just forced one last update and then ran a deep scan. My Symantec v
10.0.1.100 is still in place this time and was not disrupted.
Here is a portion of the Diagnostics screen.

AutoUpdater Enabled: 1
AutoUpdater AutoApply Enabled: 0
Definitions Increment Version: 160/160
Definitions ThreatAuditThreatData: 1355029
Definitions ThreatAuditScanData: 3098970
Definitions DeterminationData: 806390
Software Update Check Date: 2/9/2006 4:49:58 PM
AutoUpdater Software Enabled: 1
TotalThreatsDetected: 0
TotalScansRun: 13
LastScanDate: 2/10/2006 4:57:48 PM
 
Bill Sanderson

Thanks. That result means that 5807 is not in place on that machine.

I'm gonna have to quit and go cook dinner for my sick teenager and the rest
of my family, I'm afraid.

If you have a web cache on your network, see if you can get the cache
flushed. ISA Server, for example, which may be part of Small Business
Server--has such a cache. Some ISP's also may run such a cache.

Aside from getting caches flushed if possible,

repeating File, check for update until you see 160/160, and ideally
matching this list in Diagnostics--is all I can suggest:
------

Definitions Increment Version: 160/160
Definitions ThreatAuditThreatData: 1355029
Definitions ThreatAuditScanData: 3098970
Definitions DeterminationData: 806390
--
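The check Bill is asking for above (are the two Increment Version numbers equal, and do the four Definitions lines match the known-good 5807 set) is easy to get wrong by eye across many machines. The following Python script is an added example, not code from the thread or from Microsoft: it parses a pasted Diagnostics screen into fields, reports a partial update (a/b with a < b, as in the 158/160 case), and then compares the four definition lines against the reference values quoted in the thread. The reference values come from the posts above; the sample dumps are constructed here (the 160/160 dump is the one quoted, the 158/160 and stale-file dumps are made up to exercise the other verdicts).

```python
import re

# Reference Diagnostics lines for definitions 5807, as quoted in the thread.
REFERENCE_5807 = {
    "Definitions Increment Version": "160/160",
    "Definitions ThreatAuditThreatData": "1355029",
    "Definitions ThreatAuditScanData": "3098970",
    "Definitions DeterminationData": "806390",
}

# One "Key: value" line; the value may itself contain colons (dates and times).
LINE_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_diagnostics(text):
    """Turn a pasted Diagnostics screen into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def increment_version(fields):
    """Return (applied, expected) from 'Definitions Increment Version: a/b', or None."""
    value = fields.get("Definitions Increment Version", "")
    m = re.fullmatch(r"(\d+)/(\d+)", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(text, reference=REFERENCE_5807):
    """Classify a Diagnostics dump against the reference definition set.

    Returns (verdict, details):
      'partial'  - a/b with a < b: the update has not fully applied (e.g. 158/160)
      'mismatch' - counters are equal but a definition line differs from the reference
      'complete' - all four reference lines match
      'unknown'  - no parsable Increment Version line
    """
    fields = parse_diagnostics(text)
    iv = increment_version(fields)
    if iv is None:
        return "unknown", ["Definitions Increment Version missing or unparsable"]
    applied, expected = iv
    if applied < expected:
        return "partial", [f"Definitions Increment Version: {applied}/{expected}"]
    mismatches = [
        f"{key}: got {fields.get(key, '<absent>')}, want {want}"
        for key, want in reference.items()
        if fields.get(key) != want
    ]
    if mismatches:
        return "mismatch", mismatches
    return "complete", []


# Sample dumps. FULL_DUMP is the screen quoted in the thread. PARTIAL_DUMP is
# constructed from the 158/160 figure reported earlier. STALE_DUMP is constructed
# (the 000000 size is a placeholder) to show counters that read 160/160 while a
# definition file still differs from the reference.
FULL_DUMP = """\
AutoUpdater Enabled: 1
AutoUpdater AutoApply Enabled: 0
Definitions Increment Version: 160/160
Definitions ThreatAuditThreatData: 1355029
Definitions ThreatAuditScanData: 3098970
Definitions DeterminationData: 806390
Software Update Check Date: 2/9/2006 4:49:58 PM
AutoUpdater Software Enabled: 1
TotalThreatsDetected: 0
TotalScansRun: 13
LastScanDate: 2/10/2006 4:57:48 PM
"""

PARTIAL_DUMP = "Definitions Increment Version: 158/160\n"

STALE_DUMP = """\
Definitions Increment Version: 160/160
Definitions ThreatAuditThreatData: 1355029
Definitions ThreatAuditScanData: 3098970
Definitions DeterminationData: 000000
"""

if __name__ == "__main__":
    for name, dump in [("full", FULL_DUMP), ("partial", PARTIAL_DUMP), ("stale", STALE_DUMP)]:
        verdict, details = assess(dump)
        print(f"{name}: {verdict} {details}")
```

Paste a machine's Diagnostics text into `assess()`; anything other than `complete` means the machine should keep repeating File, check for update (and have any web cache flushed) before its scan results are trusted.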
 
Guest

David and Bill,

Thanks for your information. I just want to let you know I have been
suffering from this problem all day. I have my university tech support over
in my office trying to help me. I will now let them know the AntiSpyware
interferes with the SAVirus software. I would love to know how you know it's
a false positive on the Spyware. I am not a programmer so I will ask the
obvious. How does the MS AntiSpyware software get fixed? Thanks Rob

Portland State University
 
Bill Sanderson

The detected items are all legitimate registry entries belonging to Symantec
Corporate antivirus, as I understand it--I have not seen this first hand.
Microsoft has acknowledged the false positive, and has provided a fix--the
false positive first appeared in definitions 5805, which came out very early
this morning--perhaps between 2 and 3 AM Eastern US time, as far as I can
see. It is fixed by updating to definitions 5807 which were available
before 3 PM Eastern US time.

So--this is an issue with a specific set of antispyware definitions--not an
inherent conflict between the software products involved, and it is fixed by
updating to the newer definitions--which you can do within the Microsoft
Antispyware, --File, check for updates.

However, there is a catch--such is the nature of beta products. The
definition update is not always perfectly successful--so for some users,
repeated tries are needed before the update takes effect properly.

If you've allowed Microsoft Antispyware to remove the affected registry
entries, my understanding is that affected users have had some trouble
uninstalling Symantec Corporate Antivirus, in order to reinstall it and
correct the situation--a repair install, or an uninstall and reinstall, is
the correct way to fix the problem. One user who was unable to perform
these steps via add or remove programs, reported that he was able to do so
using the setup program on the Symantec CD.

So--that's what I know--and it is all at arms length--via communications in
these groups--not a perfect medium.

--
 
Bill Sanderson

Robert--I'd be happy to have email from you or your tech support staff. I
may be able to offer further help via that route:

(e-mail address removed)

--
 
Guest

Bill:

I'd also gotten the false positive on the earlier signature, then the "is
clean" report on a later scan today (with definition 5807, definitions
increment Version 160/160)

Product here was Symantec AV Corporate Edition, ver. 10.0.1.1000 (with
Symantec Client Security).

Alli
 
Guest

Bill, sorry for the delayed response -- weekend and all.

We're running Symantec Corporate edition version 8. The issue was
encountered on two different machines, one running Win2000 and the other
WinXP. On the WinXP system, the user manually clicked to "clean" the threat.
At that point, Symantec AV was disabled because MSAS deleted the SAV
registry entries. Fortunately, WinXP's System Restore fixed everything.

With the Win2000 machine, the "threat" was automatically cleaned, so we had
to go through a tedious process of manually uninstalling Symantec Antivirus,
and then re-installing it.
 
Guest

Bill,

Yes, those four lines match mine exactly. However, we're running SAV
version 8.00.9374.
 
Bill Sanderson

I'd like to be sure that you feel as though this is all squared away.

Is there still any sign of the false positive, with the 5807 definitions
firmly in place--i.e. 160/160?

I'd love to see the \program files\microsoft antispyware\cleaner.log
files from either or both machines, via email:

(e-mail address removed)



--
 
Guest

I've been reading about this for a couple of days now and I am confused about
a couple of things. I first saw this in a site with 35 computers, all of them
XP Pro with SP2 and all updates installed and all of them using MS
Anti-Spyware all up to date as well, yet only one system was found with this
signature. I uninstalled Symantec, restarted, ran the MS Anti-Spyware again,
restarted again, re-installed the Symantec Anti-virus, updated its
definitions and ran the MS Anti-Spyware again and this time found no
signature, it was clean. I also had a second site with 8 systems all
identical, all up to date and only two had the problem. After doing the above
mentioned tasks the result was a clear system.

My question is if this is a flaw in the MS Anti-Spyware defs. then why did
it only show up on 3 out of 43 computers and why does it not show up after
reinstalling the Anti Virus on subsequent anti spyware scans?

Pete
 
Bill Sanderson

One interpretation of the data would be that only that one machine happened
to run a scan with the bad definitions in place. 5805 was apparently
available for download at about 11:30 PM Pacific Standard time, on Thursday.
It was replaced by 5807 at about noon, Pacific standard time, on Friday.

The definition update mechanism is imperfect, and when a given machine is
updated depends on scheduling settings on the individual machine--I think
the default may be 2 AM?

So--there are three timing issues--the availability of the definitions
(which should be equal for all machines)--the setting of the individual
machine for definition update, and the setting on the individual machine for
a scheduled scan.

Additionally--there's whether the update to 5805 was successful. We saw the
difficulty in getting to 5807 that some users experienced--this same level
of difficulty probably happens with other more routine definition
updates--so--it is quite possible that among the "up to date" machines you
looked at that showed 5805 superficially in place--some of those were not
fully updated.

Interesting question--and I can't give a perfect answer--but those are some
of the variables I see as involved.


--
 
Guest

Since Defender came out today, I uninstalled MSAS and installed Defender. No
problems running a scan under Defender.

So as far as I'm concerned, the new beta fixed the problem.
 
Bill Sanderson

The definition update process is considerably changed with the new
version--but not perfect, yet--as you can see from posts in these groups.

Glad you updated--that's my recommendation for everyone.
--
 
