topic Re: Restoring Threat Fixing File - Bloodhound.Exploit.252 in Norton 360

Bloodhound.Exploit.252

Stecyk — Thu, 18 Jun 2009 23:26:37 GMT

On my desktop PC, I was running the older version of Norton 360 (version 2). My PC was always clean with never any viruses.

I recently reinstalled Vista, restored all my data, and upgraded to Norton 360 Version 3.

Norton 360 v3 has tagged a few Excel files with "Bloodhound.Exploit.252" and placed them in quarantine. This is a "heuristic virus," implying that it might be a virus.

According to Symantenc, these files should be submitted for review.

See: http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2009-061801-4302-99&tabid=2

Files that are detected as Bloodhound.Exploit.252 may be malicious. We suggest that you submit to Symantec Security Response any files that are detected as Bloodhound.Exploit.252.

Now that these files are in quarantine, how do I submit them to Symantec for review? There's no buttons that allow automatic submission.

I doubt strongly that these files are malicious. I suspect that I have false positives. If Symantec confirms that these files are NOT malicious, how do I get Norton 360 to ignore these files in the future?

In summary:

1) How do I submit files to Norton that in quarantine and have been tagged with "Bloodhound.Exploit.252?"

2) If Norton confirms that these files are NOT malicious (suspect strongly that the files are safe), how do I get Norton to ignore these files in the future?

Message Edited by Stecyk on 06-18-2009 05:26 PM

Re: Bloodhound.Exploit.252

delphinium — Fri, 19 Jun 2009 02:04:37 GMT

If you click on the list of files, does that allow you to see further details or bring up a choice of submit or restore?

Re: Bloodhound.Exploit.252

Stecyk — Fri, 19 Jun 2009 04:21:02 GMT

>>If you click on the list of files, does that allow you to see further details or bring up a choice of submit or restore?

View Quarantine:

I see four bloodhounds. I have the following choices: 1) More Details; 2) Add to Quarantine (even tho' it's already there); 3) Clear Entries.

If I now select a single bloodhound, and hit More Details, I get a window titled: Security History: Details.

I get various details with two possible action buttons: 1) Restore; and 2) Remove from History.

However, I can also click a link called "Risk Details". When I click Risk Details, it provides me with the Risk Impact and Details, which provides the prior file location.

---

So I could restore earlier in the process (when I hit "More Details"), but there is no Submit.

Earlier, I zapped a few bloodhounds, which I now think were "good" (false positives) files. So before deleting more good data, I'd like to get confirmation.

Thank you for your help so far.

Re: Bloodhound.Exploit.252

delphinium — Fri, 19 Jun 2009 06:56:33 GMT

This link could answer some questions. I wasn't able to test it because fortunately I don't have anything in quarantine. It may be helpful for you.

http://service1.symantec.com/support/nav.nsf/docid/2000031615501306?Open&src=tranus_con_br&seg=hm

Threat Expert can be found at this link

http://www.threatexpert.com/submit.aspx

You could check under Documents & Settings>All users>Application data/Symantec/SRTSP

to see if any of the quarantined files can be submitterd from there.

Message Edited by delphinium on 06-19-2009 06:56 PM

Re: Bloodhound.Exploit.252

Stecyk — Fri, 19 Jun 2009 15:15:51 GMT

The link you provided is to:

:::Submitting a file to Symantec Security Response using Scan and Deliver in Norton AntiVirus 2006 or earlier

I have Norton 360 v3, which has just been released. That article addresses a different product.

:::You could check under Documents & Settings>All users>Application data/Symantec/SRTSP to see if any of the quarantined files can be submitterd from there.

I didn't find an application data directory under all users. Instead, I found this directory:

:::C:\Users\All Users\Norton\{0C-blah-blah-blah-E7}\SRTSP\Quarantine

and it was empty.

Re: Bloodhound.Exploit.252

delphinium — Fri, 19 Jun 2009 16:16:20 GMT

Sorry Stecyk. Rather than Scan and deliver, I was hoping some of the information on the main page would help. It appears that Norton hasn't decided that it is enough of a threat to send directly to quarantine, and is holding onto it. I will see if a Symantec rep can point you in the right direction.

Re: Bloodhound.Exploit.252

Stecyk — Fri, 19 Jun 2009 17:01:05 GMT

I would be very grateful for a Norton representative to assit. I have already lost--I believe good--data because of this heuristic test. The Norton chat support people struggle with this issue too.

Thank you for directing a Symantec representative to my case.

Re: Bloodhound.Exploit.252

C8RLS — Fri, 19 Jun 2009 18:19:20 GMT

When I got into my office this morning Norton 360 V3.0.0.135 (Last Updated Definitions 19/06/2009) had completed a deep scan and identified over 140 Excel files as a Virus [Bloodhound.Exploit 252] and moved all of them to quarantine.

I am on a Vista machine and all the files were Excel files, and I use Microsoft Office 2003. All the excel files had been written over many years by myself and were kind of semi interactive with graphs made from data input myself within associated worksheets. I therefore was 100% sure that they did not contain any malicious coding.

I have managed to recover all the files back to their original location from Quarantine and then took a sample of them to our works office to check using Symantec (Enterprise) version I think. They were all confirmed as free of any virus.

I then returned home and contacted Symantec support and they were not able to assist, all they said was that I had a virus and if I paid they would assist me in removing it.

I then scanned my computer using the Symantec on line scanner and it confirmed my machine, and all the files on it, were virus free.

After a lot of research I think it must be the latest Virus definitions working along with the Advanced Heuristic Protection that has incorrectly identified these files as containing a virus and moved them to Quarantine.

The next problem is these files would not open as they were being scanned each time I tried to open them and moving to Quarantine. I have managed to stop this by turning off Microsoft Office Automatic Scan in Antivirus>Scans and Risks, however, this now makes me feel a little uncomfortable.

Advanced Heuristic Protection is currently set to Automatic, my concern is when the next deep scan runs all these files will be moved to quarantine again and I will have to spend a while recovering them.

Any assistance would therefore be appreciated in solving this problem.

Thanks in advance.

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

Stu — Fri, 19 Jun 2009 18:22:50 GMT

You might want to exclude them from scanning. Does that help?

Re: Bloodhound.Exploit.252

Stecyk — Fri, 19 Jun 2009 18:25:04 GMT

Thank you Carl for pitching in.

I have lost some data that I believe was healthy--not infected--because of Norton. I think this heuristic test is a little oversensitive. I hope that an official Symantec person comes to our rescue.

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

C8RLS — Fri, 19 Jun 2009 18:26:07 GMT

Well excluding them from scanning may help but not something that I think is a sensible option and if I did it it would take an age to locate each file and set this up I think?

What I would lke is for Symantec to fix the virus definitions file so they dont show as a problem when scanned - that would solve it!

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

Floating_Red — Fri, 19 Jun 2009 18:29:03 GMT

Like I already mentioned, please Submit all Files to symantec, via the Web Link I gave in my previous Message and, if you choose, to Submit them to ThreatExpert that Stu suggested. Since I am not familiar with Norton 360, I am not sure if you cac Add Files to Exclusions.

It is not the Advanced Protection part of Norton that is Detecting these Files; it is the Anti-Virus Scan since you say the Norton 360 Product just Completed a "Deep Scan", and Bloodhound.Exploit.252 is a Virus Definition and will also be use in Auto-Protect as well. Just keep in mind that you may a Virus/Trojan that is connected with these Legit. Files. How did you know Norton 360 had just Completed a Deep Scan?

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

C8RLS — Fri, 19 Jun 2009 19:10:11 GMT

I know it was the scan that found it as in the Norton 360 History it says Idle Full System Scan Results at 04:45am, this was when the machine reported it had found risks when completing the deep scan.

I have submitted some of the files and also submitted to other websites for checking, the other websites all reported that the files submitted were clean, as I suspect.

I cannot see Bloodhound.Expolit.252 as a Virus Definition within Norton 360 otherwise I could set it to be ignored for the interim period until Symantec sort this out.

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

gt1812a — Fri, 19 Jun 2009 21:08:54 GMT

Hey guys, like you I came in this morning with a freshly updated Norton Antivirus 2007 set of definitions, and through the scan, it starting quarantining Excel files that I am 99% sure are virus free. After reading into the "vulnerability" issues that this supposedly address - I verified that my Office 2007 updates were completely up-to-date, and they were. So I would also agree that it seems that, at present, two options are available: (1) Turn off "Office document" scanning - which seems kinda of dicey. (2) Symantec fixes this "false positive" situation. I've already lost data from my office with this today.

Doug

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

Stecyk — Fri, 19 Jun 2009 22:18:26 GMT

:::Like I already mentioned, please Submit all Files to symantec, via the Web Link I gave in my previous Message and, if you choose, to Submit them to ThreatExpert that Stu suggested. Since I am not familiar with Norton 360, I am not sure if you cac Add Files to Exclusions.:::

I am not sure what you have mentioned where.

I don't know where my Quarantine directory is located. For now, I am just leaving my files that are quarantined in quarantine. I have chatted with the Norton Technical support, and they are trigger happy.

Like Carl (C8RLS), I performed a full system scan and luckily don't have as many files as he does in quarantine.

I notice that the Excel files identified are prior to XL 2007. I use Office 2007, and I strongly suspect that this purported "Microsoft Excel Record Pointer Corruption Remote Code Execution Vulnerability" is no longer an issue with Office 2007, SP 3. In other words, even if the files were infected, they've likely been rendered inert.

If someone from Symantec can provide us with a solution on how to deal with these false positives, that would be helpful.

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

mikefnz — Sat, 20 Jun 2009 09:22:58 GMT

Just to add one more example of a possibly over-zealous Norton anti-virus. One of my critical Excel files that has happily been identified as 'Friend' for many years has suddenly been unceremoniously deleted by NIS, because of the 'Bloodhound.exploit.252'. Not quarantined, deleted.

I have tested the file (rescued from an off-site backup via another PC without NIS) and neither Panda nor ESET think it's a problem. However, NIS smacks it out of the system if I put it back!

It would be good if Symantec could at least provide an option instead of just deleting the file.

I have submitted the file but I'm not holding my breath!

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

C8RLS — Sat, 20 Jun 2009 09:57:07 GMT

To be honest jf Norton dont put out an update to stop this over this next week (I am going away on leave) then when I get back I will be sacking Norton and moving on, after a long period of being a very loyal Norton customer as well.

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

M20J — Sat, 20 Jun 2009 10:39:15 GMT

Is there any way of suspending this check while Norton get it fixed? I've turned off scanning for Microsoft Office documents and I've turned off all the Auto-protect options, but the core spreadsheet I use in my business still gets deleted every time I try to open it. I even tried disabling Norton totally, but it still wouldn't let me open the file. Incidentally, I submitted the file to ThreatExpert as recommended above and it found no problems. I also scanned it with a rival virus checker and that found no problems also. I also submitted that file and a couple of others to Norton, but I haven't even had an acknowledgement that they've received them, let alone heard anything back.

In case it's of use to others, I finally got the spreadsheet to open by using a borrowed computer to open the file and delete the macros I'd written, saving the macro scripts to a text document. Then I successfully opened the macro-less spreadsheet on my computer and pasted my macros back in. After saving that spreadsheet everything worked fine - I could save it and load it again without problem. Until this evening that is, when suddenly the virus checker decided it didn't like a couple of numbers I'd updated during the day and deleted the whole thing again.

I too hope Norton will be fixing this, because I'm happy with Norton, but can't have spreadsheets deleted randomly and then have no option to be able to override the virus checker without turning the whole thing off.

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

C8RLS — Sat, 20 Jun 2009 11:00:28 GMT

It may well do, however I have over 140 of them to exclude it would be easier if I could tell it to exclude all excel files for the time being, is there a way to do this?

To be honest though this is a Norton/Symantec issue and they should resolve it, we shouldnt have to make work arounds for thier mistakes with the virus definitions...

Re: Restoring Threat Fixing File - Bloodhound.Exploit.252

AndyP — Sat, 20 Jun 2009 16:10:05 GMT

I have 10 excel 97-2003 format files that were quarantined by Norton Full scan.

So I contacted norton support, even referred then to this thread (which is quite conclusive). The norton chat support board suggested I use the virus removal service. Then I was told I would need to pay £69 for the service - went ahead in the belief that if its a genuine virus then its a fair price to get my PC clean and files restored - on the other hand if its a norton fault then symantec would refund wouldn't they?

Any way after showing the technician this thread plus the fact that the symantec details on bloodhound.exploit.252 refers to Bloodhound.Exploit.252 as a heuristic detection for files that exploit the Microsoft Excel Record Pointer Corruption Remote Code Execution Vulnerability http://www.securityfocus.com/bid/35215 I started coming to the conclusion that this was a fault with Norton 360 virus definitions. Together we identified that opening a supposed infected file and saving to excel 2007 format cleared the problem. The technician recommended deleting the 97-2003 format. He said that the excel doc in 97-2003 format had a definition that looked like a virus. He concluded that my computer was free from viruses or spyware.

Interestingly running norton quick scan shows all clear. But doing a full scan or right clicking the excel files and doing a scan now shows the bloodhound.exploit.252 virus and sends it to quarantine. How strange.

So I have a solution if I convert files to 2007 format which I will do when N360 sends them to quarantine. However, I an concerned with comment above that norton deleted files without going to quarantine. Also, at work we use 97-2003 format.

I wait for the Customer Relationship Department to contact me a) with a refund and b) reassurance that this issue will be resolved properly.

Happy days

Andy