07-30-2008 10:29 PM
Adding the associated files and locations to the exclusions list should work to allow whatever you want to run. You obviously will need to add ALL associated files. Specifically, make sure that the file it keeps detecting is added to the exclusions list. If you believe there is a legitimate file, that could not be used maliciously, being detected then please submit it through the following link. You will get a submission tracking number in an email response. Please PM me that tracking number and I can look into the matter to have an engineer manually re-evaluate the file to see if we are falsely detecting it.
07-31-2008 02:30 AM
First of all I'll try to tackle the issue of the risk classification. "Infostealer" is a broad malware detection for threats which attempt to steal personal information. As this is a malware detection, it will be treated as a high risk threat. However within the threat category there are 5 classifications - Infostealer is classed as a Category 1 threat (very low risk).
The second issue here is whether this is a valid detection or not. In order to do this we will need a copy of the file itself. I've searched our database but have been unable to locate any files with the name "kbdmonitor.ocx" or "kbdmonitor.dll". Do you perhaps know the md5 hashes of these files as this would make my search easier? If not, could you provide us with a location where we download the file in questions or alternatively submit the file to https://submit.symantec.com/retail? You will receive an email with a tracking number for the submission. Please let us know this tracking number once you receive it.
Once we have a copy of the file we determine whether it is a valid detection. If valid, we will provide an explanation why. If it turns out to be a misdetection, we will make sure to remove the detection and push out corrected definitions ASAP.
Thanks and regards
Symantec Security Response
07-31-2008 11:55 AM
07-31-2008 12:18 PM
I'm now confused if I may be doing something different than eveyrone else. Can I get exact configuration and steps to reproduce? I just installed SuperKeys 5.8 and tested with N360 v126.96.36.199 with protection updates from 7/31/08. I was able to use SuperKeys without any detections or any issues. Is it possible something has already been addressed in the current version of SuperKeys?
08-01-2008 10:29 PM
I am running Norton Security Online (provided by Yahoo! Online Protection), version 10.2.0.30 . The latest update dated 8/1/08 has not changed anything: kbdmonitor.ocx still gets deleted in spite of the exception and NSO wants to immediately reboot the computer. A new thing I discovered today is that NSO also says that it discovered Infostealer in file c://WINDOWS/system32/is-NCB97.tmp , which it Blocked.
I can not see this file in the system32 directory. Not after the blocking, and not after reinstalling SuperKeys. (The reinstallation of SuperKeys only possible after suspending Auto-Protect).
Have you been running SuperKeys for a long time? In my case it can take up to maybe 10 minutes after a reinstalaltion before NSO finds it and deletes the crucial kbdmonitor.ocx file. I have excluded that file as well as the SuperKeys program directory from scans, but that does not work/help. Every time a deletion occurs NSO also says that a Browser Cache file was affected, but it does not identify that file. I have tried deleting Browser cache file both using Internet Options and the RUN-> % % procedure Symantec outlines. No change in behavior...
08-01-2008 10:49 PM
Superkeys can be downloaded from http://www.vellosoft.com/SuperKeys/sk1.html . It is small, free and guaranteed harmless (been using it for over 5 years so. Have corresponded with the author).
KBDMonitor description: http://spywaredlls.prevx.com/RRFGIH1760481/KBDMONI
The file itself says it was created May 8, 2000 by Konstantin Tretyakov. This is version 188.8.131.52 . It used to be freely available from a web site that no longer exists (smartsite.cjb.net), but you can see old versions of it at the Internet Archive: http://web.archive.org/web/*/http://smartsite.cjb.
08-07-2008 06:55 AM
After several rounds with Yahoo! and Norton "support", after submitting the file for analysis to Orla, now waiting for a manager of support to call me and start "understanding" the case all over again, still NOTHING FIXED!!
Will somebody please address the status of the kbdmonitor.ocx unpreventable deletion, please? Thanks for nothing so far.
08-07-2008 09:01 AM
We've confirmed that this was indeed a false positive and have removed the detection. This change will be included in a LiveUpdate build scheduled to be released later today. While we do our utmost to avoid false positives, there are times when our analysis systems may have difficulties in differentiating commercial/legitimate keyloggers from those used for malicious purposes. We are constantly making changes to avoid these situations but unfortunately this slipped through the cracks. We've now added this software to our clean file set so that all future definition builds will be checked against it to avoid any further false positives.
Our sincere apologies for any inconvenience this has caused you. Do let us know if you have any further problems.
Thanks and regards
Symantec Security Response