topic Re: Full system scan suddenly goes nuts identifying "threats" in Norton Internet Security / Norton AntiVirus

Full system scan suddenly goes nuts identifying "threats"

rocketscientist — Thu, 19 Jan 2012 16:57:45 GMT

OK, this is strange. Last night my NIS 2012 ran it's monthly full system scan. Imagine my surprise this morning when I found that it had detected 66 high-risk "threats". The strange thing is, these were all payware software exe files from big-name companies that I have bought and downloaded over the years. Many have been on my hard drive for 4 or 5 years, and never been flagged until now. Some were downloaded with NIS 2010-2011-2012 running, and were verified at the time to be safe.

A few examples are: several versions of Acronis True Image; an old version of Nero DVD writing software; an HP printer driver; Google Earth, and several others. Most of these were on a non-system HD that I use for storing payware, but a few were in my c:windows\installer and c:program files (x86) folders. BTW, I'm running Windows 7 64-bit.

Re: Full system scan suddenly goes nuts identifying "threats"

lmacri — Thu, 19 Jan 2012 17:27:00 GMT

HI rocketscientist:

Were the detections all compressed files (e.g., .exe, .cab, .msi)? If so, turn off the compressed file scanning (in my NIS 2011, it's Settings | Computer Settings | Computer Scans | Compressed File Scans) and see if these files are still detected during a system scan.

Other users have found that compressed files can be mistakenly detected as "suspicious" files if NIS or NAV is corrupted during installation or even during a product update via LiveUpdate (see Rogerror's thread here titled 90 Heuristic Threats Identified on a Full Scan for one example). Fortunately, a clean re-install of your NIS 2012 using the instructions posted here should solve the problem.

Although this doesn't apply to you, this type of problem can also occur if manual scans are run in Safe Mode with 2012 Norton products (see ProTruckDriver's thread here titled Is There a Bug in Safe Mode Scan?).

--------

Windows Vista Home Premium 32-bit SP2 * NIS 2011 v. 18.6.0.29 * IE 9.0 * Firefox 9.0.1
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Re: Full system scan suddenly goes nuts identifying "threats"

rocketscientist — Thu, 19 Jan 2012 20:01:17 GMT

lmacri wrote:
HI rocketscientist:

Were the detections all compressed files (e.g., .exe, .cab, .msi)? If so, turn off the compressed file scanning (in my NIS 2011, it's Settings | Computer Settings | Computer Scans | Compressed File Scans) and see if these files are still detected during a system scan.

Other users have found that compressed files can be mistakenly detected as "suspicious" files if NIS or NAV is corrupted during installation or even during a product update via LiveUpdate (see Rogerror's thread here titled 90 Heuristic Threats Identified on a Full Scan for one example). Fortunately, a clean re-install of your NIS 2012 using the instructions posted here should solve the problem.

Although this doesn't apply to you, this type of problem can also occur if manual scans are run in Safe Mode with 2012 Norton products (see ProTruckDriver's thread here titled Is There a Bug in Safe Mode Scan?).
--------
Windows Vista Home Premium 32-bit SP2 * NIS 2011 v. 18.6.0.29 * IE 9.0 * Firefox 9.0.1
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Yes, they were compressed, mostly .exe and .msi software installers. I suspect it's false positives though since these files have been sitting on the HD for months, sometimes years and NIS has never flagged them before. I just ran a MBAM scan and it didn't find anything, but I'm not sure if it scans compressed files.

I was just looking through my history and I can't find a quick way to find the last heuristic engine update, without looking at each liveupdate event individually.

Re: Full system scan suddenly goes nuts identifying "threats"

lmacri — Fri, 20 Jan 2012 01:39:30 GMT

Hi rocketscientist:

I've never been able to figure out exactly why these false positives can suddenly appear for compressed files, but there's another example here titled Many False Positives Reported by NIS 2011 where a clean re-install using the instructions posted here solved this problem in NIS 2012.

Since your full system scan only runs monthly, it's difficult to tell if Symantec tweaked their heuristic detection algorithm in the last month, but if this were the cause I suspect more users in the forum would be posting with the same problem. It's more likely that a LiveUpdate delivered a product or engine update in the past month that just didn't install correctly on your machine.

For future reference, the support page here shows the latest version number and release date for NIS 2012 virus definitions and security updates. Unfortunately the release date for the latest Behavior and Security Heuristics update isn't listed separately so that isn't much help to you in this particular case.

-----------

Windows Vista Home Premium 32-bit SP2 * NIS 2011 v. 18.6.0.29 * IE 9.0 * Firefox 9.0.1
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Re: Full system scan suddenly goes nuts identifying "threats"

rocketscientist — Sat, 21 Jan 2012 17:31:18 GMT

Thanks Imacri. I've downloaded the NIS 2012 full offline installer, and the Norton removal tool and will try reinstalling later today. Just downloading those two files from the Symantec site gave me some more odd behavior -- I got a warning that both files had "no reputation information". See attached screen capture. This seems to indicate that something has gone amiss in my installation. I'll report results of the reinstall when I get time to finish.

Re: Full system scan suddenly goes nuts identifying "threats"

rocketscientist — Mon, 23 Jan 2012 19:46:13 GMT

It looks like the full uninstall/reinstall fixed it. Just ran a full scan, and no problems. As I got to looking around it was obvious this was a compressed file false positive since I had previously decompressed most of the .zip files that were flagged as threats, and the decompressed folders were not flagged. Also I re-downloaded the NIS2012 installer, and this time it was verified as safe, unlike a couple days ago.