NAV 2010 False Positive Corel Paintshop Photo Pro X3 file bwout.vfx
02-08-2010 03:42 PM
I have had the new Paintshop photo Pro X3 installed on my PC for several days with no warnings from NAV 2010 that any of its files were infected. Then this evening it suddenly alerted to one of the files being an infostealer Gampass. The file was bwout.vfx in the folder C:\Program Files\Corel\MLE\Vfx_plug.
I restored the file and checked with Norton Insight, which simply reported it as unknown (which I changed to user trusted).
I checked the restored file against a copy I had in an image of my hard drive made immediately after installing PSPP X3, and it has the same MD5 hash, so I'm sure it has not been modified or infected since the install. I conclude that it is a false positive.
I have also submitted the file to Symantec.
Since NAV did not alert over several days, I must assume that the FP is the result of one or other recent update to virus definitions.
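The check described in the post above (hashing the restored file against a copy taken from a post-install disk image), extended to a whole plug-in folder, as an added example that is not part of the original thread. It uses SHA-256 by default instead of MD5, and the directory and file names created in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_to_baseline(live_dir, baseline_dir, algo="sha256"):
    """Map each relative path to match / modified / missing / new."""
    live_dir, baseline_dir = Path(live_dir), Path(baseline_dir)
    live = {p.relative_to(live_dir): p for p in live_dir.rglob("*") if p.is_file()}
    base = {p.relative_to(baseline_dir): p for p in baseline_dir.rglob("*") if p.is_file()}
    report = {}
    for rel in sorted(set(live) | set(base)):
        if rel not in live:
            report[rel.as_posix()] = "missing"    # e.g. still in quarantine
        elif rel not in base:
            report[rel.as_posix()] = "new"        # not present in the baseline image
        elif file_digest(live[rel], algo) == file_digest(base[rel], algo):
            report[rel.as_posix()] = "match"      # unchanged since the baseline
        else:
            report[rel.as_posix()] = "modified"   # content differs from the baseline
    return report


def demo():
    """Constructed trees standing in for the live folder and the mounted image."""
    with tempfile.TemporaryDirectory() as tmp:
        live, base = Path(tmp, "live"), Path(tmp, "image")
        live.mkdir()
        base.mkdir()
        (base / "bwout.vfx").write_bytes(b"constructed plugin bytes A")
        (live / "bwout.vfx").write_bytes(b"constructed plugin bytes A")   # restored, unchanged
        (base / "other.vfx").write_bytes(b"constructed plugin bytes B")
        (live / "other.vfx").write_bytes(b"constructed plugin bytes B!")  # altered after install
        (base / "gone.vfx").write_bytes(b"constructed plugin bytes C")    # never restored
        (live / "extra.vfx").write_bytes(b"constructed plugin bytes D")   # appeared later
        return compare_to_baseline(live, base)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A `match` shows only that the file is byte-identical to the baseline copy; it says nothing about whether the baseline itself was clean.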
Re: NAV 2010 False Positive Corel Paintshop Photo Pro X3 file bwout.vfx
02-08-2010 11:09 PM
I can confirm that I had exactly this issue with bwout.vfx within vfx_plug in the mle subdirectory. I have not yet restored the file.
Later that day another vfx was found in the restore point.
I think you are right that it was the result of a virus update because similarly my Corel was installed without issue for several days.
I was thinking that this might be because my Corel was downloaded and not taken from original cd/dvd.
I am not convinced that Symantec is taking note of this although I also submitted same.
Re: NAV 2010 False Positive Corel Paintshop Photo Pro X3 file bwout.vfx
02-11-2010 11:30 AM
Hi JRosenfeld,
Sorry for the delayed response to your post. Do you have any tracking number for the submission so that I can follow up with our team internally? Besides, just wanted to check real quick if you used the following URL for submitting the FP.
https://submit.symantec.com/dispute/false_positive
Thank you.
TomV
Norton Forums Moderator
Symantec Corporation
Re: NAV 2010 False Positive Corel Paintshop Photo Pro X3 file bwout.vfx
02-11-2010 04:27 PM - last edited on 02-11-2010 04:32 PM
The way I submitted to Symantec was:
View Quarantine: highlight the entry, click options. One of those options was 'submit to Symantec', which I clicked. I got a message that the submission was done.
If that is not the correct way to submit a file, please give me the proper instructions (for future use), and explain when that option can be used.
Meantime checking today I note that Norton file insight now marks bwout.vfx as 'Norton Trusted' (the other *.vfx files are now marked as good).
So I guess someone must have looked at the file and the problem is solved.
Thank you for your interest.
I am marking my own post as solved, only because that is where the resolution is reported, not because I think I solved it :-)
Re: NAV 2010 False Positive Corel Paintshop Photo Pro X3 file bwout.vfx
02-11-2010 07:29 PM
Hi JRosenfeld,
Thank you very much for letting us know that the problem is now resolved.
TomV
Norton Forums Moderator
Symantec Corporation
Re: NAV 2010 False Positive Corel Paintshop Photo Pro X3 file bwout.vfx
02-11-2010 11:36 PM
TomV wrote: Hi JRosenfeld,
Thank you very much for letting us know that the problem is now resolved.
I can't say quite the same. When an item is restored from quarantine one gets a quarantine restore pop up. The box has two columns: File and status. The file window is not scrolled and therefore the detail provided is truncated and the user cannot see what entries have actually been restored.
I have always said this but let me say it again here. What I think happens in these circumstances is that Norton considers the computer was infected with Infostealer. Now for infostealer Norton knows from its database what registry entries are likely to be affected, so in this case it is actually restoring entries into the registry which were NOT there in the first place. That is, when Norton made this false positive detection it removed the bwout.vfx but the registry was NOT infected. Now on recovery from quarantine it is placing entries in the registry.
Re: NAV 2010 False Positive Corel Paintshop Photo Pro X3 file bwout.vfx
02-12-2010 01:22 AM
cgoldman,
I haven't been through a real world FP situation and so I've never thought along these lines. I'm going to Kudo you for this.
Going by your rank and your posts, you should be more knowledgeable about the products and here is a question. I was thinking that the product restores from the quarantine just as much as a file restore operation. For instance, if infostealer.gampass is detected, it will only quarantine those many files that are in the system and put it in the quarantine folder in the following location.
C:\Documents and Settings\All Users\Application Data\Norton\{XXXX-YYYY-ZZZZ}\SRTSP
A restore would effectively imply that the files stored in the quarantine folder based on the detections, will be put back in the same place. I didn't think of it this way though.
-MbR
