Norton finds trojan in version 2.6.0's mplayer.exe

[cmonster]

As I said, this version of SEP (symantec endpoint protection) doesn't have a "right-click scan this file". Kinda lame imo.
As for disabling SEP and access the file, even though I disable all SEP services it seems that it is still running because when I try to access the file it still pops up saying it found a threat.
I just can't seem to stop SEP completely...
Cheers

I didn't you specifically mention SEP, but you're right; you're out of luck with any attempt to manually control it.

[jdecape]

John-


1-are we really-really sure it is a false positive?

Josh>Yes I am sure, I was sure it was a FP based on it being noted as a heuristic quarantine. You should google heuristic. Symantec then examined the file properties submitted and exonerated the file. Symantec is using a cloud based reputational technology that takes many many attributes into play for whitelisting/blacklisting executable behavior. The fact it was a new file and seen by a small # of persons, and had some behavior attributes I cant guess at, caused it to be a FP on the client side before hash based sigantures were created and distributed.

2-why did the AV catch mplayer.exe that comes with UMS but then it didn't catch the stock mplayer.exe that can be downloaded on mplayerhq.hu website?

Josh>I am not Symantec. See my response to #1. Google heuristic. Google Norton Insight. As well mplayerhq has latest rev 1.1 and UMS is older.

3-am I missing anything by running the stock mplayer.exe instead of the mplayer.exe that comes with UMS?

Josh>Dont know. Mplayer.exe is 0.9 in UMS 2.6.0 I think, and 1.1 on the latest. Again 'heursitcs' re anti malware software is examining attributes and behavior, this is not the hash based AV. But the hash would be different from .9 to 1.1.

John youu appear to be using a corporate licensed version "SEP" Symante Enterprise Protection not Norton (all by Symantec just home use or corprate), you need to take up with your admin your lack of ability to control the anti malware application UI options for SEP. You are running UMS on an enteprise managed device with a corporate license for Symante malware in SEP i take it, not Norton you can control totally, and then wondering why you cannot control all your settings? Um, okay. Got it.

-->Note in my SEP UI I can see greyed out excepting files/folders as an end user for SEP.Is yours greyed out? You state that you dont see this option at all, I do.
-->Note in my SEP UI I do see right click scan file, which has been a part of every SEP release, and every anti malware app I can think of for years. It does single file, or folder. Its been an option in anti malware from time begat which means 1980s.I see this option. You say you do not.
-->NOte I can submit manually, and automatically. admin controlled. SEP UI
-->Note I can restore from quarantine.admin controlled SEP UI

So here are your choices in re SEP:

1) take up this fact of corporate licensed anti malware being controlled by your company, and you desiring to run UMS and a FP on mplayer.exe, and you do not have in your SEP UI the ability to restore or submit the file.

2)Maybe you should source a home system, even used, to run UMS and other freeware on instead of company owned and controlled devices thus allowing you complete control of your anti malware apps.

3) Run VMWare workstation running in bridged mode if you want to be sneaky on your company device, but thats not newbie techie level, but not very difficult. And can be frowned upon.


What you are stating for SEP is just not true for me. I can indeed see, all the items you say are not visible or availible. Some are greyed out for me, like excepting files and folders. When greyed out I still see the options. Being a SEP admin I tested and confirmed all the above on 12.1.2.

And I run Norton as well at home. I did the exceptions for Norton easily by the way for mplayer.exe and was running in about 3 mouse clicks 2.60 UMS easily.

I just have to take to task what you are stating as fact-it's not the same for me.


(SEP admin since day 0)


(Edit-its a moot point, the latest def set exonartes the UMS mplayer.exe)

[john3voltas]

Hi jdecape, thanks for your reply.
I will try to address all your comments.
My main test machine is very old and currently has a broken power supply.
So I have to use the company's laptop to test UMS.
Yes, I have been thinking about installing another Arch Linux VM on virtualbox to test it but I have lots of stuff on my to-do list and my daughter has been monopolizing my free time .
Ultimately I would like to run UMS on a tiny plug computer running Arch Linux (Seagate Dockstar) but this hardware is limited and UMS seems to need loads of RAM (more than 400MB on my windows install).
As for SEP, the version I am running is SEP Small Business Edition 12.0. Maybe the small business edition doesn't have the "scan on right click". The IT guys say they contacted our Symantec representatives that told them this is normal behavior.
Hope I didn't miss anything .
Cheers

[jdecape]

It is an option in Small Business, in 12.1.2 client. Goohttp://www.symantec.com/business/support/index ... id=DOC6147 (page 21 availible in 32 and 64 bit)

Looks like in other google located KB articles it was removed from SEP 11 x64 bit systems, since basically its a moot feature. Files when accessed get scanned. So its an old UI feature for users, that was deleted until people complained and it was brought back for 12.1 big boy edition all OS, but not 11 version x64. Maybe it was not in the small biz product 12.1 release orginally I don't know. It is in the latest small biz product version 12.1.2 unless they eitehr made a mistake in the docs, or you running an older version. Go ask your admin to upgrade to the latest.

No offense, but everything you state is not possible is possible for me...

Again moot-the latest defs have the hashed file value exonorated and will auto take care of this minor annoyance for those unable to figure out how to except a False Positive convicted file.

[john3voltas]

No offense taken.
Since I'm not in the IT team I don't have to worry about how the product works. So yes, you may be right on everything you said.
But as for the "right click to scan" feature, we even opened a ticket with Symantec...
Now, I sure would like to know how I can temporarily and completely disable all SEP's features.
This is a very common question on Symantec's KB/Forum/etc.
They say you just right click the systray shield icon and click "disable symantec endpoint protection".
Actually this seems to disable "virus and spyware protection", "proactive threat protection" and "network threat protection".
But the truth is, even with all the above disabled, if I click a suspect file SEP still pops up a window stating that.
Which means it's not completely disabled.
Cheers

[cmg]

Hi,

I'm using Norton 360 and also got a warning.
However, it looks like Symantec have updated there virus definition files since I do not get the warning anymore.
So I think we can be sure it was an FP.

I noticed that the Mplayer in version 2.6.0 is smaller (17 363 470). The earlier version was 22 418 958.

[SubJunk]

Hi guys, sorry for your troubles with this, but blame Symantec It's not the first time we've had them detect a false-positive with our binaries. At one stage they were blocking the whole UMS program.
I compile our mplayer.exe and mencoder.exe myself and I can assure you there is nothing wrong with it. It's smaller because I removed some libraries that UMS wasn't using.
Thanks for submitting the report to Symantec and getting it fixed

[cmonster]

Yep, everything looks like it's back to normal (Norton, that is).