06-19-2009 11:26 AM
Well excluding them from scanning may help but not something that I think is a sensible option and if I did it it would take an age to locate each file and set this up I think?
What I would lke is for Symantec to fix the virus definitions file so they dont show as a problem when scanned - that would solve it!
06-19-2009 11:29 AM
Like I already mentioned, please Submit all Files to symantec, via the Web Link I gave in my previous Message and, if you choose, to Submit them to ThreatExpert that Stu suggested. Since I am not familiar with Norton 360, I am not sure if you cac Add Files to Exclusions.
It is not the Advanced Protection part of Norton that is Detecting these Files; it is the Anti-Virus Scan since you say the Norton 360 Product just Completed a "Deep Scan", and Bloodhound.Exploit.252 is a Virus Definition and will also be use in Auto-Protect as well. Just keep in mind that you may a Virus/Trojan that is connected with these Legit. Files. How did you know Norton 360 had just Completed a Deep Scan?
06-19-2009 12:10 PM
I know it was the scan that found it as in the Norton 360 History it says Idle Full System Scan Results at 04:45am, this was when the machine reported it had found risks when completing the deep scan.
I have submitted some of the files and also submitted to other websites for checking, the other websites all reported that the files submitted were clean, as I suspect.
I cannot see Bloodhound.Expolit.252 as a Virus Definition within Norton 360 otherwise I could set it to be ignored for the interim period until Symantec sort this out.
06-19-2009 02:08 PM
Hey guys, like you I came in this morning with a freshly updated Norton Antivirus 2007 set of definitions, and through the scan, it starting quarantining Excel files that I am 99% sure are virus free. After reading into the "vulnerability" issues that this supposedly address - I verified that my Office 2007 updates were completely up-to-date, and they were. So I would also agree that it seems that, at present, two options are available: (1) Turn off "Office document" scanning - which seems kinda of dicey. (2) Symantec fixes this "false positive" situation. I've already lost data from my office with this today.
06-19-2009 03:18 PM
:::Like I already mentioned, please Submit all Files to symantec, via the Web Link I gave in my previous Message and, if you choose, to Submit them to ThreatExpert that Stu suggested. Since I am not familiar with Norton 360, I am not sure if you cac Add Files to Exclusions.:::
I am not sure what you have mentioned where.
I don't know where my Quarantine directory is located. For now, I am just leaving my files that are quarantined in quarantine. I have chatted with the Norton Technical support, and they are trigger happy.
Like Carl (C8RLS), I performed a full system scan and luckily don't have as many files as he does in quarantine.
I notice that the Excel files identified are prior to XL 2007. I use Office 2007, and I strongly suspect that this purported "Microsoft Excel Record Pointer Corruption Remote Code Execution Vulnerability" is no longer an issue with Office 2007, SP 3. In other words, even if the files were infected, they've likely been rendered inert.
If someone from Symantec can provide us with a solution on how to deal with these false positives, that would be helpful.
06-20-2009 02:22 AM
Just to add one more example of a possibly over-zealous Norton anti-virus. One of my critical Excel files that has happily been identified as 'Friend' for many years has suddenly been unceremoniously deleted by NIS, because of the 'Bloodhound.exploit.252'. Not quarantined, deleted.
I have tested the file (rescued from an off-site backup via another PC without NIS) and neither Panda nor ESET think it's a problem. However, NIS smacks it out of the system if I put it back!
It would be good if Symantec could at least provide an option instead of just deleting the file.
I have submitted the file but I'm not holding my breath!
06-20-2009 02:57 AM
06-20-2009 03:39 AM
Is there any way of suspending this check while Norton get it fixed? I've turned off scanning for Microsoft Office documents and I've turned off all the Auto-protect options, but the core spreadsheet I use in my business still gets deleted every time I try to open it. I even tried disabling Norton totally, but it still wouldn't let me open the file. Incidentally, I submitted the file to ThreatExpert as recommended above and it found no problems. I also scanned it with a rival virus checker and that found no problems also. I also submitted that file and a couple of others to Norton, but I haven't even had an acknowledgement that they've received them, let alone heard anything back.
In case it's of use to others, I finally got the spreadsheet to open by using a borrowed computer to open the file and delete the macros I'd written, saving the macro scripts to a text document. Then I successfully opened the macro-less spreadsheet on my computer and pasted my macros back in. After saving that spreadsheet everything worked fine - I could save it and load it again without problem. Until this evening that is, when suddenly the virus checker decided it didn't like a couple of numbers I'd updated during the day and deleted the whole thing again.
I too hope Norton will be fixing this, because I'm happy with Norton, but can't have spreadsheets deleted randomly and then have no option to be able to override the virus checker without turning the whole thing off.
06-20-2009 04:00 AM
It may well do, however I have over 140 of them to exclude it would be easier if I could tell it to exclude all excel files for the time being, is there a way to do this?
To be honest though this is a Norton/Symantec issue and they should resolve it, we shouldnt have to make work arounds for thier mistakes with the virus definitions...
06-20-2009 09:10 AM
I have 10 excel 97-2003 format files that were quarantined by Norton Full scan.
So I contacted norton support, even referred then to this thread (which is quite conclusive). The norton chat support board suggested I use the virus removal service. Then I was told I would need to pay £69 for the service - went ahead in the belief that if its a genuine virus then its a fair price to get my PC clean and files restored - on the other hand if its a norton fault then symantec would refund wouldn't they?
Any way after showing the technician this thread plus the fact that the symantec details on bloodhound.exploit.252 refers to Bloodhound.Exploit.252 as a heuristic detection for files that exploit the Microsoft Excel Record Pointer Corruption Remote Code Execution Vulnerability http://www.securityfocus.com/bid/35215 I started coming to the conclusion that this was a fault with Norton 360 virus definitions. Together we identified that opening a supposed infected file and saving to excel 2007 format cleared the problem. The technician recommended deleting the 97-2003 format. He said that the excel doc in 97-2003 format had a definition that looked like a virus. He concluded that my computer was free from viruses or spyware.
Interestingly running norton quick scan shows all clear. But doing a full scan or right clicking the excel files and doing a scan now shows the bloodhound.exploit.252 virus and sends it to quarantine. How strange.
So I have a solution if I convert files to 2007 format which I will do when N360 sends them to quarantine. However, I an concerned with comment above that norton deleted files without going to quarantine. Also, at work we use 97-2003 format.
I wait for the Customer Relationship Department to contact me a) with a refund and b) reassurance that this issue will be resolved properly.