
Kudos0

exiftool.exe false positive?

Opened Geosetter, which advised me that a new version of exiftool was available (ver 10.21). Clicking ok to install, Norton Security with Backup popped up and quarantined the said tool. It also prompted for a reboot. Since new versions appear almost every other week, I was wondering if this was a false positive. This is the report created:

Filename: exiftool.exe
Threat name: SONAR.Heuristic.142
Full Path: Not Available

____________________________

On computers as of: 30/06/2016 at 7:53:48 PM
Last Used: 30/06/2016 at 7:53:48 PM
Startup Item: No
Launched: Yes

SONAR Protection monitors for suspicious program activity on your computer.

____________________________

exiftool.exe Threat name: SONAR.Heuristic.142

Very Few Users: Fewer than 5 users in the Norton Community have used this file.
Very New: This file was released less than 1 week ago.
High: This file risk is high.

____________________________

Source: External Media
Source File: exiftool.exe

____________________________

File Actions

File: c:\Users\admin\AppData\Roaming\geosetter\tools\exiftool.exe Threat Removed
File: c:\users\admin\appdata\local\temp\par-61646d696e\cache-exiftool-10.21\exiftool.exe No Action Required
Directory: c:\users\admin\appdata\local\temp\par-61646d696e Removed
Directory: c:\users\admin\appdata\local\temp\par-61646d696e\cache-exiftool-10.21 Threat Removed

____________________________

System Settings Actions

Event: Process start (Performed by c:\users\admin\appdata\roaming\geosetter\tools\exiftool.exe, PID:5684) No action taken
Event: PE file creation: c:\users\admin\appdata\local\temp\par-61646d696e\cache-exiftool-10.21\exiftool.exe (Performed by c:\users\admin\appdata\roaming\geosetter\tools\exiftool.exe, PID:5684) No action taken
Event: Process start: c:\Users\admin\AppData\Roaming\geosetter\tools\exiftool.exe, PID:5684 (Performed by c:\users\admin\appdata\roaming\geosetter\tools\exiftool.exe, PID:5684) No action taken
Event: Process start (Performed by c:\users\admin\appdata\roaming\geosetter\tools\exiftool.exe, PID:3808) No action taken
Event: Process start: c:\Users\admin\AppData\Roaming\geosetter\tools\exiftool.exe, PID:3808 (Performed by c:\users\admin\appdata\roaming\geosetter\tools\exiftool.exe, PID:3808) No action taken
Event: Process start (Performed by c:\users\admin\appdata\roaming\geosetter\tools\exiftool.exe, PID:9852) No action taken
Event: Process start: c:\Users\admin\AppData\Roaming\geosetter\tools\exiftool.exe, PID:9852 (Performed by c:\users\admin\appdata\roaming\geosetter\tools\exiftool.exe, PID:9852) No action taken

____________________________

File Thumbprint - SHA: Not available
File Thumbprint - MD5: Not available

Replies

Kudos0

Re: exiftool.exe false positive?

Hi vienna10

Report it here https://submit.symantec.com/false_positive/

I have used it a few times; they are very fast when investigating it and will email you the results (usually in less than a day).

Kudos0

Re: exiftool.exe false positive?

Thank you very much for the reply and link. The only problem is, the file in question has to be uploaded, so it would have to be restored from quarantine. Restoring it would also restore all other changes Norton made.

Might try the update on another PC first.

Kudos0

Re: exiftool.exe false positive?

vienna10: Thank you very much for the reply and link. The only problem is, the file in question has to be uploaded, so it would have to be restored from quarantine. Restoring it would also restore all other changes Norton made. Might try the update on another PC first.

You may also (try to) submit a URL from which the file may be pulled:
https://submit.symantec.com/false_positive/standard/

Step 1) Help us locate the software
A copy of the software/file being detected is required in order to resolve false positives.
Upload a file | Provide a direct download URL | Provide blocked URL (IPS)  


and/or look in Quarantine for the (sometimes offered) option > Submit to Symantec.
FWIW ~ just pulled geosetter_setup.exe; Norton has given this file a good rating.


Um, I'm not familiar with exiftool > do you pull it (https://en.wikipedia.org/wiki/ExifTool) from http://www.sno.phy.queensu.ca/~phil/exiftool/ or elsewhere, and which version?
http://owl.phy.queensu.ca/~phil/exiftool/checksums.txt

Kudos1

Re: exiftool.exe false positive?

@vienna10: I am using NS v22.7.0.76, and I was trying to reproduce your issue above.

Downloaded, installed and ran GeoSetter 3.4.16 with no problem.

Downloaded the Beta version of GeoSetter; I got the following report:

Directly ran the Beta exe. Nothing happened to the new install of Geo.

Scanned the said exiftool.exe, nothing...

Or, it just works for me. Or, you update your Norton product? LUCK!

PUP Hunter PRO: Just TRYING to save the world (U) from cyber threats, A single blog post, at a time, and ONCE & FOR ALL. (A fan of Nadia_Kovacs)
Kudos0

Re: exiftool.exe false positive?

OK, it wasn't Geosetter Beta itself, but the ExifTool update within the program, as mentioned in my original post. Geosetter, if so configured, will check for ExifTool updates and present you with the option to update to the next version. It was during this update that Norton stopped the install of ExifTool.

Went to the ExifTool website and downloaded the latest compressed file, which I then submitted to Symantec a couple of hours ago. This was the best I could do, as I don't actually know how Geosetter handles the update.

Also opened my notebook, which has a similar install to my PC, and ran Geosetter, which then updated ExifTool to version 10.21 without any interference from Norton. Both notebook and PC have the updated Norton.

Kudos0

Re: exiftool.exe false positive?

vienna10: Went to ExifTool website and downloaded the latest compressed file, which I then submitted to Symantec a couple of hours ago.

this file > ?

SHA1(exiftool-10.21.zip)= 93604c07e9686209d0ff85da1629417227990b8d

http://owl.phy.queensu.ca/~phil/exiftool/checksums.txt 


SHA256: 010c9346457514d7bf9cb61bb5ca18c7fe73f7a043243264edd446a2307d32ba
File name: exiftool-10.21.zip
Detection ratio: 2 / 36
Analysis date: 2016-07-01

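The check implied by the checksums.txt link above, as an added example that is not from this thread or from the ExifTool project: it parses the OpenSSL-style `ALG(filename)= hex` lines that file uses and compares the strongest published digest against the local download. The zip bytes and the checksum lines are constructed stand-ins; the genuine digests exist only in the published list.

```python
import hashlib
import re

# Matches the OpenSSL-style lines used by ExifTool's checksums.txt, e.g.
#   SHA1(exiftool-10.21.zip)= 93604c07e9686209d0ff85da1629417227990b8d
CHECKSUM_LINE = re.compile(
    r"^(?P<alg>[A-Za-z0-9]+)\((?P<name>[^)]+)\)=\s*(?P<hex>[0-9a-fA-F]+)\s*$"
)

def parse_checksums(text):
    """Return {filename: {algorithm: hexdigest}}; lines that don't match are skipped."""
    table = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            table.setdefault(m["name"], {})[m["alg"].lower()] = m["hex"].lower()
    return table

def verify_download(data, filename, checksums_text, preferred=("sha256", "sha1", "md5")):
    """Compare the digest of `data` with the published value for `filename`.
    Returns (ok, algorithm_used); the strongest published algorithm wins, and a
    file missing from the list fails instead of passing by default."""
    entries = parse_checksums(checksums_text).get(filename)
    if not entries:
        return False, None
    for alg in preferred:
        if alg in entries:
            return hashlib.new(alg, data).hexdigest() == entries[alg], alg
    return False, None

# Constructed sample: a stand-in for the zip, plus checksum lines derived from it
# (the genuine digests live only in the published checksums.txt).
SAMPLE_ZIP = b"PK\x03\x04 constructed stand-in for exiftool-10.21.zip"
SAMPLE_CHECKSUMS = "\n".join([
    "# constructed sample in the same line format as checksums.txt",
    "SHA1(exiftool-10.21.zip)= " + hashlib.sha1(SAMPLE_ZIP).hexdigest(),
    "SHA256(exiftool-10.21.zip)= " + hashlib.sha256(SAMPLE_ZIP).hexdigest(),
])

def demo():
    """Good file, a tampered file, and a filename absent from the list."""
    good, alg = verify_download(SAMPLE_ZIP, "exiftool-10.21.zip", SAMPLE_CHECKSUMS)
    tampered, _ = verify_download(SAMPLE_ZIP + b"\x00", "exiftool-10.21.zip", SAMPLE_CHECKSUMS)
    unlisted, _ = verify_download(SAMPLE_ZIP, "exiftool-10.22.zip", SAMPLE_CHECKSUMS)
    return good, alg, tampered, unlisted  # (True, 'sha256', False, False)
```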
Kudos0

Re: exiftool.exe false positive?

Went to this website: http://www.sno.phy.queensu.ca/~phil/exiftool/ and downloaded the file exiftool-10.21.zip.

Kudos0

Re: exiftool.exe false positive?

vienna10: Went to this website: http://www.sno.phy.queensu.ca/~phil/exiftool/ and downloaded the file exiftool-10.21.zip.

extracted application ....> 
Very Few Users: Fewer than 5 users in the Norton Community have used this file.
Very New: This file was released less than 1 week ago.
Poor: There are some indications that this file is untrustworthy.
SHA256:
8d4d9f941fb0ce6c99b91e31d328b72ceb1cf67ed341f0ee25dd227a29fa8312
File name: exiftool(-k).exe
Detection ratio: 1 / 55
Analysis date: 2016-07-01

Kudos0

Re: exiftool.exe false positive?

Since an update is released every other week (on average), it will always have few users. So in theory, one should never trust it. However, I have been using Geosetter for many years, with the said ExifTool update periodically. It is strange that I could update ExifTool on my notebook the day after, without a prompt from Norton.

Also tried to restore the file from quarantine, which was unsuccessful. It kept on asking me where to restore it to, no matter which directory I chose.

Kudos0

Re: exiftool.exe false positive?

vienna10: Since an update is released every other week (on average), it will always have few users. So in theory, one should never trust it. However, I have been using Geosetter for many years, with the said ExifTool update periodically. It is strange that I could update ExifTool on my notebook the day after, without a prompt from Norton.

FWIW ~ I have a few favorite trusted programs -- that I run beta and/or update frequently -- that are reported Good for the Installer and Poor for the Installed. I'll Exclude from Auto-Protect the program (folder).
Yes, the Wisdom of Crowds seems focused on number of users and how new.
Since you trust Geosetter/ExifTool, and since you're aware of the Wisdom of Crowds (for better or worse), maybe try Exclude from Auto-Protect and/or check Norton Insight > Untrusted Files and Trust Now the items you trust that were deemed Poor.

Also tried to restore the file from quarantine, which was unsuccessful. It kept on asking me where to restore it to, no matter which directory I chose.

maybe, the extracted file is not in the original zip download location....?
maybe, file corruption ... ?
Does Geosetter/ExifTool update via internal updater and then Exif gets quarantined...?
Sorry, I'm not familiar with Geosetter/ExifTool. 

Kudos0

Re: exiftool.exe false positive?

Geosetter updates ExifTool internally. If this was a temporary directory, it would have been deleted by Norton File Cleanup. This doesn't worry me, but as with the last false positive, it also changed part of the registry Shell Folders to read C:Users\admin....

Kudos0

Re: exiftool.exe false positive?

Geosetter, if so configured, will check for ExifTool updates and present you with the option to update to the next version. It was during this update, that Norton stopped the install of ExifTool.

Now, I am trying to reproduce your comment above:

  • Updated NS to its latest build
  • Installed, ran Geosetter through its express install options
  • Met the same (?) "ExifTool Update Information" alert
  • Download exiftool-10.21.zip (4.9 MB), unpacked that file; NS warned...

Personally, the cmd-like behaviour is the reason (trouble)... Contact the coder @ http://u88.n24.queensu.ca/exiftool/forum/ ?

rename to "exiftool.exe" for command-line use.

Kudos0

Re: exiftool.exe false positive?

It looks like different Norton installs give you different results. As mentioned, had no problems updating my notebook, with updated Norton.

Also decided to rerun Geosetter ExifTool update, where there was no response from Norton this time. This is now 2 days later, so I assume that something was changed within Norton.

Have just run the update on my second PC; also no response from Norton.

Kudos1

Re: exiftool.exe false positive?

Hello Vienna

What may have happened is that the file isn't as new any more. More Norton Customers have installed the program. Can the updater be changed so that you can choose when to update it? It might work out better if you could update it a little later after the version has come out.

If my idea is incorrect, please just ignore it.

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NSBU 22.17.0.183 Core Firmware 282 I E 11 Chrome latest version.
Kudos1

Re: exiftool.exe false positive?

File name: exiftool-10.21.zip
Detection ratio: 1 / 52
Analysis date: 2016-07-03

File name: exiftool(-k).exe
Detection ratio: 1 / 55
Analysis date: 2016-07-01

Kudos0

Re: exiftool.exe false positive?

Yes, of course it is possible to ignore the update until Geosetter is opened next time. This may be a day, or a week later.

It would also mean that we should ignore all updates that programs offer, as they could be infected. However, someone has to be first!

Accepted Solution
Kudos1

Re: exiftool.exe false positive?

Thanks for the scan info. So is HW32.Packed.780A a virus, or not? Scanned the local file itself by right click and got the OK from Norton. This is getting very confusing. Pity I don't have the previous version available any more. Have only an old one from June 2014, which scanned OK.

Have just received a reply from my submission to "falsepositives@symantec.com", which reads:

Quote:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    Filename: 8D4D9F941FB0CE6C99B91E31D328B72CEB1CF67ED341F0EE25DD227A29FA8312
    MD5: 156BCF25B7A08DBBB1FD262D6CB190B6
    SHA256: 8D4D9F941FB0CE6C99B91E31D328B72CEB1CF67ED341F0EE25DD227A29FA8312
    Result: Whitelisting for above file is under process. It may take up to 72 hours to take effect.

Unquote

Kudos0

Re: exiftool.exe false positive?

Hello Vienna

So by Friday, it should be ok. Make sure you run Live Update. If you put the file folder into do not scan, you should be able to take it out of there by Friday night.

Thanks.

Kudos0

Re: exiftool.exe false positive?

Thanks. Had already done so, without marking it do not scan; you never know......

Kudos0

Re: exiftool.exe false positive?

Useful information to me, thank you for sharing.
