
Kudos0

On1 RAW 2019.6 update - possible false positive

On1 RAW 2019 told me there was an update available, so I downloaded the file, Norton Security scanned it and didn't highlight a problem. I checked the digital certificate which was issued by DigiCert EV code signing CA (SHA2), before I attempted to install it, but the installation was stopped by Norton Security as it found a "SONAR.Heuristic.170" problem.

Unfortunately, the file is too large to upload to Symantec, so how can I test to see if this is a true threat or a false positive?

Filename: on1_photo_raw_2019.exe
Threat name: SONAR.Heuristic.170

Full Path: Not Available

____________________________

____________________________


On computers as of
Not Available

Last Used
 at 

Startup Item
No

Launched
Yes

SONAR Protection monitors for suspicious program activity on your computer.


____________________________


on1_photo_raw_2019.exe Threat name: SONAR.Heuristic.170
Locate


Unknown
It is unknown how many users in the Norton Community have used this file.

Unknown
This file release is currently not known.

High
This file risk is high.


____________________________


Source: External Media


____________________________

File Actions

File: c:\users\rick\appdata\local\temp\{050c53e8-1e70-4a21-8a86-ddc0b6235abd}\ on1_photo_raw_2019.exe No Action Required
File: c:\Users\Rick\AppData\Local\Temp\{050c53e8-1e70-4a21-8a86-ddc0b6235abd}\ 0x0409.ini Threat Removed
____________________________

System Settings Actions

Event: Process start (Performed by c:\users\rick\appdata\local\temp\{050c53e8-1e70-4a21-8a86-ddc0b6235abd}\on1_photo_raw_2019.exe, PID:17696) No action taken
Event: PE file creation: c:\users\rick\appdata\local\temp\{050c53e8-1e70-4a21-8a86-ddc0b6235abd}\ issetup.dll (Performed by c:\users\rick\appdata\local\temp\{050c53e8-1e70-4a21-8a86-ddc0b6235abd}\on1_photo_raw_2019.exe, PID:17696) No action taken
Event: Process start: c:\users\rick\appdata\local\temp\{050c53e8-1e70-4a21-8a86-ddc0b6235abd}\ on1_photo_raw_2019.exe, PID:17696 (Performed by c:\users\rick\appdata\local\temp\{050c53e8-1e70-4a21-8a86-ddc0b6235abd}\on1_photo_raw_2019.exe, PID:17696) No action taken
____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
 

Replies

Kudos1 Stats

Re: On1 RAW 2019.6 update - possible false positive

Maybe, there is another History event related to > on1_photo_raw_2019.exe

Um, maybe you can use the direct download URL....

...for example

http://ononesoft.cachefly.net/photoraw2019/win/gm_7353/ON1_Photo_RAW_2019.exe

Edit: don't know if this is related to your > on1_photo_raw_2019.exe

Filename: ON1_Photo_RAW_2019.exe
Full Path: c:\bjm\Chrome\user\current\Desktop\ON1_Photo_RAW_2019.exe

Developers 
ON1, Inc

Version 
Not Available

Identified 
8/1/2019 at 4:01:32 PM

Last Used 
Not Available

Startup Item 
No

Few Users
Fewer than 50 users in the Norton Community have used this file.

Very New
This file was released less than 1 week ago.

Trusted
Norton has given this file a trusted rating.

http://ononesoft.cachefly.net/photoraw2019/win/gm_7353/ON1_Photo_RAW_2019.exe
Downloaded File ON1_Photo_RAW_2019.exe from cachefly.net

ON1_Photo_RAW_2019.exe

File Thumbprint - SHA:
5bcfe1a645a53e1549053363cc0d3e6afe7f66367bda373da8e28f0cc99a12d5
File Thumbprint - MD5:
4ffb028f84e064c8c24b6236a0150561

Kudos0

Re: On1 RAW 2019.6 update - possible false positive

Hello Therick. The problem file is the file "0x0409.ini". If you can extract that single file using something like 7zip, you can submit it to Symantec for review for a possible false positive. The author of the package is using this file to create calls to the Windows Installer environment, which in turn is being detected as a Trojan per this Symantec article. You can submit the file here when ready.

When I see this it also raises red flags regarding the authenticity of the file you are downloading.

File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

Cheers

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows Server 2016 Essentials / Windows 10 Professional x 64 version 1903 / build 18362.356 / N360 Deluxe 22.19.8.65 / Norton Core v.282 on Android 2.00
Kudos0

Re: On1 RAW 2019.6 update - possible false positive

Edit:

File: ON1_Photo_RAW_2019.exe
File size: 1.27 GB (1,361,902,944 bytes)
MD5 checksum: 4FFB028F84E064C8C24B6236A0150561
SHA1 checksum: 1E793395FC45CC9E497021FAA3A9FC6955042635
SHA256 checksum: 5BCFE1A645A53E1549053363CC0D3E6AFE7F66367BDA373DA8E28F0CC99A12D5

File: 0x0409.ini
File size: 22.0 KB (22,480 bytes)
MD5 checksum: A108F0030A2CDA00405281014F897241
SHA1 checksum: D112325FA45664272B08EF5E8FF8C85382EBB991
SHA256 checksum: 8B76DF0FFC9A226B532B60936765B852B89780C6E475C152F7C320E085E43948


Filename: on1_photo_raw_2019.exe
Threat name: SONAR.Heuristic.170
Full Path: Not Available

On computers as of 
Not Available

Last Used 
 at 

Startup Item 
No

Launched 
Yes

SONAR Protection monitors for suspicious program activity on your computer.

on1_photo_raw_2019.exe Threat name: SONAR.Heuristic.170
Locate


Unknown
It is unknown how many users in the Norton Community have used this file.

Unknown
This file release is currently not known.

High
This file risk is high.

Source: External Media

File Actions

File: c:\users\bjm\appdata\local\temp\{9518f240-cb1f-40eb-957a-5cd88860980c}\ on1_photo_raw_2019.exe No Action Required
File: c:\Users\bjm\AppData\Local\Temp\{9518f240-cb1f-40eb-957a-5cd88860980c}\ 0x0409.ini Threat Removed

System Settings Actions

Event: Process start (Performed by c:\users\bjm\appdata\local\temp\{9518f240-cb1f-40eb-957a-5cd88860980c}\on1_photo_raw_2019.exe, PID:9472) No action taken
Event: PE file creation: c:\users\bjm\appdata\local\temp\{9518f240-cb1f-40eb-957a-5cd88860980c}\ issetup.dll (Performed by c:\users\bjm\appdata\local\temp\{9518f240-cb1f-40eb-957a-5cd88860980c}\on1_photo_raw_2019.exe, PID:9472) No action taken
Event: Process start: c:\users\bjm\appdata\local\temp\{9518f240-cb1f-40eb-957a-5cd88860980c}\ on1_photo_raw_2019.exe, PID:9472 (Performed by c:\users\bjm\appdata\local\temp\{9518f240-cb1f-40eb-957a-5cd88860980c}\on1_photo_raw_2019.exe, PID:9472) No action taken

File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
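The checks described in this thread (compare the download's hashes against published values, then confirm the Authenticode signature and signer) can be scripted so they run before the installer is ever launched. The following PowerShell is an added example, not code from the thread, from ON1 or from Symantec. It assumes the installer sits in the current user's Downloads folder; the expected hashes are the values for ON1_Photo_RAW_2019.exe posted above, and the signer check uses the "ON1" developer name shown in the Norton file insight.

```powershell
# Added example: verify a downloaded installer before running it.
# Compares file hashes against published values and checks the Authenticode
# signature. The file location and the expected signer name are assumptions.

param(
    # Assumed location of the download; adjust as needed.
    [string]$Path = "$env:USERPROFILE\Downloads\ON1_Photo_RAW_2019.exe"
)

# Expected hashes for ON1_Photo_RAW_2019.exe as posted in the thread.
$Expected = @{
    MD5    = '4FFB028F84E064C8C24B6236A0150561'
    SHA1   = '1E793395FC45CC9E497021FAA3A9FC6955042635'
    SHA256 = '5BCFE1A645A53E1549053363CC0D3E6AFE7F66367BDA373DA8E28F0CC99A12D5'
}

function Test-DownloadedInstaller {
    param(
        [string]$FilePath,
        [hashtable]$ExpectedHashes,
        # Substring expected in the signing certificate subject (assumed: "ON1").
        [string]$ExpectedSigner = 'ON1'
    )

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    $ok = $true

    # 1. Hash comparison. Get-FileHash returns upper-case hex; compare case-insensitively
    #    so the mixed-case values seen in the thread still match.
    foreach ($alg in $ExpectedHashes.Keys) {
        $actual = (Get-FileHash -LiteralPath $FilePath -Algorithm $alg).Hash
        if ($actual -ieq $ExpectedHashes[$alg]) {
            Write-Output "[OK]   $alg matches"
        } else {
            Write-Output "[FAIL] $alg mismatch: got $actual"
            $ok = $false
        }
    }

    # 2. Authenticode signature. 'Valid' means the chain builds to a trusted root and
    #    the file has not been modified since signing; anything else (NotSigned,
    #    HashMismatch, UnknownError) is a reason not to run the file.
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    if ($sig.Status -eq 'Valid') {
        Write-Output "[OK]   Signature valid, signer: $($sig.SignerCertificate.Subject)"
    } else {
        Write-Output "[FAIL] Signature status: $($sig.Status) - $($sig.StatusMessage)"
        $ok = $false
    }

    # 3. Signer identity. A valid signature from the wrong publisher is still wrong,
    #    so the certificate subject must name the vendor we expect.
    if ($sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
        Write-Output "[FAIL] Signer subject does not mention '$ExpectedSigner': $($sig.SignerCertificate.Subject)"
        $ok = $false
    }

    return $ok
}

if (Test-DownloadedInstaller -FilePath $Path -ExpectedHashes $Expected) {
    Write-Output 'All checks passed: hashes match the published values and the file is signed by the expected publisher.'
} else {
    Write-Output 'One or more checks failed: do not run the installer; submit it for analysis instead.'
}
```

Run it from a PowerShell prompt with `.\Verify-Installer.ps1 -Path <file>`. A hash mismatch with a valid signature usually means a different build of the installer than the one the hashes were published for; a hash match with an invalid signature means the file was altered after signing or the signing chain is no longer trusted, and either case is worth a submission before installing.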

Accepted Solution
Kudos2 Stats

Re: On1 RAW 2019.6 update - possible false positive

In relation to submission 162334.

Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.

The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at https://www.symantec.com/security_response/definitions.jsp

Please note that whitelisting can take up to 24 hours to take effect.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

For more information on best practices to reduce false positives:
https://www.symantec.com/content/en/us/enterprise/white_papers/b-to_increase_downloads-instill_trust_first_WP.en-us.pdf

Sincerely,
Symantec Security Response
https://www.symantec.com/security-center

In relation to submission 162335.

Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.

The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at https://www.symantec.com/security_response/definitions.jsp

Please note that whitelisting can take up to 24 hours to take effect.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

For more information on best practices to reduce false positives:
https://www.symantec.com/content/en/us/enterprise/white_papers/b-to_increase_downloads-instill_trust_first_WP.en-us.pdf

Sincerely,
Symantec Security Response
https://www.symantec.com/security-center

@Therick

Hope this helps.  

Kudos0

Re: On1 RAW 2019.6 update - possible false positive

Thank you for your advice, I didn't realise that I could send a URL link, I guess I was in too much of a rush or panic to look for alternative ways to get the information to Symantec.

As you can see, further down the page, this situation has been resolved.

 Thank you again for your help.

Kudos0

Re: On1 RAW 2019.6 update - possible false positive

Thank you for your suggestion of extracting the "problem" file, I have tried using Winzip, WinRAR and 7zip, but none of them recognised the ".exe" file as a zip file.

But as you can see my problem has been resolved.

Once again thank you for your help.

Kudos0

Re: On1 RAW 2019.6 update - possible false positive

Thank you for looking into this for me, I'm glad that this is a "false" positive, but before I download the update again, I will leave it a few days, just to allow the "virus definitions" to be updated.

Thank you once again for your help.

Kudos0

Re: On1 RAW 2019.6 update - possible false positive

Therick:

Thank you for your suggestion of extracting the "problem" file, I have tried using Winzip, WinRAR and 7zip, but none of them recognised the ".exe" file as a zip file.

Note: I did not find 0x0409.ini within the archive.

0x0409.ini was created during the install.

Kudos0

Re: On1 RAW 2019.6 update - possible false positive

Therick:

Thank you for your advice, I didn't realize that I could send a URL link, I guess I was in too much of a rush or panic to look for alternative ways to get the information to Symantec.

I made two submissions. 
1) with direct download URL
2) with the 0x0409.ini 

Kudos0

Re: On1 RAW 2019.6 update - possible false positive

Therick:

Thank you for looking into this for me, I'm glad that this is a "false" positive, but before I download the update again, I will leave it a few days, just to allow the "virus definitions" to be updated.

0x0409.ini was detected during the install.


The name "INI file" comes from the commonly used filename extension .INI, which stands for "initialization". Other common initialization file extensions are .CFG, .conf, and .TXT, especially CONFIG.SYS and 'config.txt' occurrences.

https://en.wikipedia.org/wiki/INI_file

Let us know how your install goes. 
Thanks
