SAV Corporate Edition detected as PWS.Bancos.A Password Stealer

Guest

I just downloaded the latest MS Antispyware definitions : Version: 5805
(2006-02-10 07:15:54)

A quick scan subsequently detected 614 Symantec AntiVirus Corporate Edition
10.0.2.2001 registry keys as a severe threat : PWS.Bancos.A Password Stealer
!!!

All keys and values under
HKEY_LOCAL_MACHINE\Software\Intel\Landesk\VirusProtect6 were detected as
being the password stealer.

Is this a marketing ploy to eliminate a future competitor after the announcement
of a future Microsoft antivirus product? ;-)
 
Guest

Advised by Symantec to remove Microsoft spyware as it is the problem. If
using version 10 corporate edition so disabling Microsoft until I hear
otherwise
 
Guest

I think it is enough to set MS Antispyware to ignore the litigious SAV CE 10
registry keys.

I hope MS will correct this false recognition soon.
 
Guest

I've got exactly the same thing as I'm using SAV Corp Edition 9. Is this a
false positive of MSAS??

jlt50z
 
Guest

I've got exactly the same thing using SAV Corp Edition 9. Is this a false
positive of MSAS?? Will someone please let us know??

Thanks,
jlt50z
 
Guest

Same problem here. Using SAVCE. Detected PWS.Bancos.A. One other thing now
is: After this detection by MSAS our SAVCE no longer works, even after
removing MSAS. Any suggestions?
 
Bill Sanderson

This is a false positive. It is corrected in Version 5807 definitions,
available now.
 
Guest

If you "removed" the entries using MSAS you just wiped out the registry for
SAVCE. You will have to reinstall SAVCE to fix.

I hope MS fixes this false positive soon.
 
Guest

Thanks, Bill. I had to re-install NAV. So trusting and silly to let MSASW
remove it and bugger up our PCs!

I've downloaded the 5807 defs.

I'm glad I took the time to search through the dg's for this issue - after
the fact of course... NEXT TIME, I may just wait and see...

Thanks!
 
Bill Sanderson

I'm afraid that this kind of issue has come up before in the beta, and will
likely continue to arise, beta or released product.

The problem is one that every antispyware vendor faces--and a good measure
for such vendors is how well they do at dealing with such issues once
they've been alerted to them. Microsoft has done well, I think.--this is
the quickest re-release I've seen, but there have been several 24 hour
re-release cycles, and a number of cases where comparatively minor
false-positives (in terms of numbers of users impacted) have been fixed in
the next definition cycle.

And there was one that took 3 weeks, perhaps partly because I promised to
help bring it to Microsoft's attention and failed to do that!

--
 
Bill Sanderson

If you still see the detection after apparently downloading 5807:

1) choose the Ignore action, as AthenaT has advised.

2) go to Help, about, in Microsoft Antispyware and press the diagnostics
button. Check for two numbers separated by a / in the output.

These two numbers should be equal--162/162, for example. If they are not,
the definition update has not fully completed correctly, and you should
re-try until this comes out right.

If you are on 5807, and see equal numbers, and are still seeing this
detection, I would either suppose that the fix has not eliminated the false
positive for every case--so I'd like to see complete details of what is
detected, and full versioning information for the Symantec product
involved--if that's what is being detected. Or--perhaps this is a real
detection of PWS.Banco.a.

--
 
Guest

The only "/" separated numbers I saw were in Definitions Increment Version.
Mine says 160/158 even after running the update again. I closed MSAS then
opened it again. Now I see Definitions Increment Version: 158/158

I ran a "quick scan" and PWS.Bancos.A came up again. I had to select
"ignore" again. Am I supposed to click "ignore always"? I have to leave IE
as it wants to close the program in order to complete....

Thanks, Bill.
 
Guest

Athena,
Mine was exactly the same as yours 160/158 when I checked the Def Increment
Version as Bill asked us to. What I did was clear my Temp Internet Files then
tried to download the new defs again and this is where it gets weird. It
posted that I had the latest defs installed!! So I checked the Def. Increm.
Vers. again and it was now showing 160/160! I then ran a scan and mine didn't
show the false positive anymore.

I'm sorry you're still having issues. What I was going to do if mine "still"
showed the false positive was do like we used to do and do a "manual"
installation of the new 5807 defs. Even though the numbers were equal that by
forcing the 5807defs to be overwritten by doing a manual install of them
again I was hoping that it would ensure that I had ALL of the update info
entered even though the numbers were showing 160/160. Would this work Bill??

BTW, once again Bill I wish to say a VERY big THANK YOU to YOU for sticking
with us all trying to get this issue resolved. I for one really appreciate
all your efforts! Thanks again very much, jlt50z
 
Bill Sanderson

Go to Help, about, and hit the diagnostics button.

Compare what you see to this list and let me know how it compares:
---
Definitions Increment Version: 160/160
Definitions ThreatAuditThreatData: 1355029
Definitions ThreatAuditScanData: 3098970
Definitions DeterminationData: 806390
--
 
Bill Sanderson

158/158 is definitely not 5807--that should be 5805, which we know shows the
false positive.

Please go back to File, check for updates and see if you can get fully
updated to 5807.

When you are, these are among the lines you should see:
---
Definitions Increment Version: 160/160
Definitions ThreatAuditThreatData: 1355029
Definitions ThreatAuditScanData: 3098970
Definitions DeterminationData: 806390
--
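
Added example, not part of any post in this thread and not Microsoft's code: a small Python check of pasted diagnostics text that separates the three states seen above (160/158 incomplete, 158/158 complete but still 5805, 160/160 on 5807). The reference values are the ones posted in the thread; the function names and the state labels are assumptions made for this sketch.

```python
import re

# Values for definitions version 5807, copied from the diagnostics lines in the thread.
REFERENCE_5807 = {
    "Definitions Increment Version": "160/160",
    "Definitions ThreatAuditThreatData": "1355029",
    "Definitions ThreatAuditScanData": "3098970",
    "Definitions DeterminationData": "806390",
}
FIELD_RE = re.compile(r"^\s*(Definitions [A-Za-z ]+?)\s*:\s*(\S+)\s*$")

# Constructed sample: the 5807 lines as they would be pasted from the dialog.
SAMPLE_5807 = "\n".join(f"{k}: {v}" for k, v in REFERENCE_5807.items())

def parse_diagnostics(text):
    """Return {field name: value} for every 'Definitions ...: value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(text):
    """Return (state, mismatched_fields) for pasted diagnostics output.

    incomplete: the two increment numbers differ (update did not finish)
    stale:      numbers are equal but a pasted field differs from 5807
    current:    every pasted field matches the 5807 reference
    unknown:    no usable increment line was found
    """
    fields = parse_diagnostics(text)
    inc = fields.get("Definitions Increment Version", "")
    if not re.fullmatch(r"\d+/\d+", inc):
        return "unknown", []
    left, right = inc.split("/")
    if left != right:
        return "incomplete", ["Definitions Increment Version"]
    # Only compare fields present in the paste; absent ones are not judged.
    bad = [k for k, v in REFERENCE_5807.items() if k in fields and fields[k] != v]
    return ("stale" if bad else "current"), bad

if __name__ == "__main__":
    for paste in ("Definitions Increment Version: 160/158",
                  "Definitions Increment Version: 158/158", SAMPLE_5807):
        print(classify(paste))
```

Equal numbers alone are not sufficient: 158/158 passes the equality check but is reported as stale because it does not match the 5807 reference.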
 
Bill Sanderson

Thanks, jlt50z--I'm glad to be able to help--sorry the issue has come up in
the first place!
--
 
Bill Sanderson

I'd suggest using System Restore to return to a restore point before
midnight of last night. That should get SAV functional again.

--
 
