Kudos0

SAPE.heur.9BDD4

There seems to be a problem with your heuristic signatures concerning the detection of - SAPE.heur.9BDD4. I've sent multiple files that NIS has flagged as this threat - every file is then confirmed by Symantec to be a false positive and deemed safe. Your white list never seems to update to reflect this needed correction. WILL YOU PLEASE ADDRESS THIS FALSE POSITIVE ISSUE? This has been an ongoing issue since Thursday of last week. In addition I've run MBAM and MSMRT and NEITHER detect any malware.

Replies

Kudos0

Re: SAPE.heur.9BDD4

I use the program "TIA-Portal V12" from Siemens. When opening the "Device configuration", Norton comes up with the message: "SAPE.Heur.9BDD4" File ....dll was deleted.

The TIA Portal is then closed with the message "An error has occurred......"

Kudos0

Re: SAPE.heur.9BDD4

For the past few days I too have had continual reports of sape.heur.9bdd4. Performing all the scans available to me, many listed by RDLee, have so far found nothing. I then noticed that the reports were generally coming every half an hour. Checking the Scheduled Task list, I found an HP "Registration" task which was executing every half an hour, times which coincided exactly with the virus reports. Disabling and now deleting this task has stopped the reports being generated. I'm not sure if this task, or the thing it executes has been hijacked, or maybe it's just the false positive issue, but at least the randomly named DLLs which were causing NIS to react have stopped being spawned?

Kudos0
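The correlation described in the post above, alert times lining up with a task that runs every half hour, as an added example that is not part of the original thread. The alert times, the two "Constructed" tasks and the 90-second tolerance are assumptions made for illustration; only the HP "Registration" task name comes from the post.

```python
from datetime import datetime, timedelta

TOLERANCE = timedelta(seconds=90)  # assumed lag between task start and AV alert

# Constructed sample data, not taken from the thread's logs.
DAY = datetime(2015, 9, 1)
ALERTS = [DAY.replace(hour=h, minute=m, second=s) for h, m, s in
          [(9, 0, 20), (9, 30, 15), (10, 0, 25), (10, 30, 18), (11, 0, 22)]]
TASKS = [  # (task name, first run, repeat interval)
    ("HP Registration", DAY.replace(hour=8), timedelta(minutes=30)),
    ("Constructed telemetry task", DAY.replace(hour=8), timedelta(minutes=5)),
    ("Constructed updater task", DAY.replace(hour=8, minute=10), timedelta(hours=1)),
]

def score_task(alerts, first_run, interval, tol=TOLERANCE):
    """Return (alerts_explained, runs_with_alert), both fractions in [0, 1]."""
    def follows(alert, run):
        return timedelta(0) <= alert - run <= tol

    # Enumerate the task's runs that fall inside the period covered by alerts.
    runs, run = [], first_run
    while run <= max(alerts):
        if run >= min(alerts) - tol:
            runs.append(run)
        run += interval
    if not runs:
        return 0.0, 0.0
    explained = sum(any(follows(a, r) for r in runs) for a in alerts)
    productive = sum(any(follows(a, r) for a in alerts) for r in runs)
    return explained / len(alerts), productive / len(runs)

def rank_tasks(alerts, tasks):
    """Sort tasks by the product of both fractions, best candidate first.

    Using both fractions keeps a very frequent task from ranking first just
    because one of its many runs always happens to precede an alert.
    """
    ranked = []
    for name, first_run, interval in tasks:
        explained, productive = score_task(alerts, first_run, interval)
        ranked.append((name, round(explained * productive, 2)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for name, score in rank_tasks(ALERTS, TASKS):
        print(f"{score:4.2f}  {name}")
```

A high score only identifies which task launches the process that writes the flagged file; whether that file is benign still has to be judged separately.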

Re: SAPE.heur.9BDD4

Our company has also been hit with this for the last 4 days. Please fix this as soon as possible.

Kudos0

Re: SAPE.heur.9BDD4

My company has also been getting the SAPE.heur.9BDD4 alerts. The alerts always reference a .dll in the /appdata/local/temp folder. Starting one program always triggers it: The AIA Contract Document software (software used by architects to create standardized contract documents.) The software issues its own error: "Access to the temp directory is denied. Identity 'Station\Damiro' under which XmlSerializer is running does not have sufficient permission to access the temp directory. CodeDom will use the user account the process is using to do the compilation, so if the user doesnt have access to system temp directory, you will not be able to compile. Use Path.GetTempPath() API to find out the temp directory location." The AIA software never opens up. I am guessing this is a false positive of some sort, because 3 scans from 3 different AV software bring up nothing.
Kudos0

Re: SAPE.heur.9BDD4

Hi Everyone,

Sorry for the inconvenience. Team has resolved the False Positive detections of "SAPE.HEUR.9BDD4" signature issue. If you are still experiencing the problem, please run the LiveUpdates, restart the computer and then check for the issue. 

Thanks,
Sunil G A
Norton Forums Administrator
Symantec Corporation

Sunil_GA | Norton Community Administrator | NortonLifeLock
Kudos0

Re: SAPE.heur.9BDD4

Really need an answer, does anyone know what the solution to this is?

Kudos0

Re: SAPE.heur.9BDD4

I'm still experiencing this. Every 2 minutes I get an alert and then an email. Is this really a virus? Is this a false positive? How can I make it stop???

Kudos0

Re: SAPE.heur.9BDD4

Thanks Sunil, but unfortunately, after updating, and restarting, I still have the issue. When I try and start our AIA Contract Document software, the sape.heur.9bdd4 flag comes up, and locks me out of the software. (The tech guy at AIA suggested excluding the %temp% folder, and that does work, but I'd rather not have that as a permanent solution.)
Kudos0

Re: SAPE.heur.9BDD4

For some days I have been getting the same sape.heur.9bdd4 messages..., when I try to start games from Steam

please fix this

e: I formatted my system and installed win10 again and still get this ****

Kudos1

Re: SAPE.heur.9BDD4

@Glassware, @Damiro & @hideouz,

Please try updating the Norton Virus definitions files using Intelligent Updater by following the Norton Support article and restart the computer. Let us know if this resolves the false positive detection alerts of SAPE.heur.9BDD4 signature.

Norton Support Article: How to update the virus definition files using Intelligent Updater

Sunil_GA | Norton Community Administrator | NortonLifeLock
Kudos0

Re: SAPE.heur.9BDD4

I'm using Symantec Endpoint, and I've already run Live Update successfully. Is this updater compatible?

Kudos0

Re: SAPE.heur.9BDD4

I had another update in Norton now, but I am downloading this Intelligent Updater now, then I will check to reproduce it

hope it is fixed then

thank you

Kudos0

Re: SAPE.heur.9BDD4

wow, I think it is fixed now - started the game like over 10 times and nothing

hope it will stay so - I'm thankful

but ++++, I formatted my disk, had to install win10 again and all the other things #wasted time

e: so nice, no more of these messages!

Kudos0

Re: SAPE.heur.9BDD4

Sunil,

Followed your directions to the letter and still getting the same issue. Have scanned the 6 computers having this issue with 4 different malware/virus scanners and have found no threats. This issue is tied to a program, Time Clock Plus. It places a .dll file in the users\username\Appdata\local\temp folder when it runs. This file has a different name each time the application runs making it impossible to exclude. I am quite certain it is a false positive. 

Kudos0

Re: SAPE.heur.9BDD4

This is pretty much what is happening to me, except I have no idea what program it's tied to. Tried 5 different AV and malware removal tools that found nothing.

Kudos0

Re: SAPE.heur.9BDD4

oh no, it came back..

I added my log from Intelligent Updater
Kudos0

Re: SAPE.heur.9BDD4

Still having same issue Sunil after doing as you recommended. Please advise.

Kudos0

Re: SAPE.heur.9BDD4

Still having the same problem, even after using the Intelligent Updater / restarting. The program that flags the virus quarantine tries to create DLLs in the %temp% folder, but they get flagged as viruses. Interesting note (?): these DLLs have a different name each time I start the software (I know this by looking at the name of the items that have been quarantined over the past 2 days). Thanks for your help on this though Sunil.
Kudos0

Re: SAPE.heur.9BDD4

@Damiro

How did you isolate the program that is tied to this?

Kudos0

Re: SAPE.heur.9BDD4

@Glassware,

Since you are using Symantec Endpoint Protection, I would recommend you to post the issue in Symantec Enterprise forums http://www.symantec.com/connect/. These Norton forums are specifically for consumer product discussion. I apologize for this inconvenience.

Sunil_GA | Norton Community Administrator | NortonLifeLock
Kudos0

Re: SAPE.heur.9BDD4

Cause and effect Glassware. Every time I tried to open that one program, the virus software would trigger a quarantine message, and the program would crash with an error from the program (AIA Contract Software). However, looking through my logs, I think it has happened once without opening the software. So some other software caused it? Who knows. I know reading from elsewhere, that if your problem is happening on a specific schedule, like every hour on the dot, then the program "might" be one that is under task manager, as a scheduled task. But it's clear from these posts, it's not just one program triggering it.
Kudos0

Re: SAPE.heur.9BDD4

@Sunil

Gee thanks.....

Kudos0

Re: SAPE.heur.9BDD4

There are no forums regarding this issue on that site. Sorry Sunil, I'm staying right here because you guys are the only ones talking about it.

Kudos0

Re: SAPE.heur.9BDD4

Update: around 3:05 pm (EST) I ran live update, and there was a new definition. After it installed, I restarted my computer. And now have successfully opened the problematic program 6 times without incident (no virus pop ups). Even restarted my computer a second time and started up the program 3 more times, again no incident. So as of right now the problem seems to be solved (for me at least). Thanks Sunil.
Kudos0

Re: SAPE.heur.9BDD4

@Damiro, Thanks for the Update. The new definitions contain the fix for the false positive detections for the SAPE.heur.9BDD4 signature.

@btarjick, @lwbonner & @hideouz, Please try updating the IU again and Liveupdates from the Norton product following the system restart. If you are still getting false positive threat alerts, I have sent you a private message via forums with steps to collect logs. Thanks.

Sunil_GA | Norton Community Administrator | NortonLifeLock
Kudos0

Re: SAPE.heur.9BDD4

just hope Damiro

I had that too and now it is back..

Kudos0

Re: SAPE.heur.9BDD4

Do these definitions also apply to the Cloud product?

Kudos0

Re: SAPE.heur.9BDD4

I downloaded the newer Intelligent Updater 1-2 hours ago, and let it run through, including restarting the PC

we will see what happens now, I started the game from Steam now over 10 times and no messages - I just hope that it will stay without alert messages

if not, I will be back here

thanks for the fast and good help

laterz (i hope not ;] )

Kudos0

Re: SAPE.heur.9BDD4

Nothing suspicious here - DLLs with random names detected in temp directory as SAPE.heur.9BDD4 are nowadays common for all .NET programs utilizing XML serializer classes (they emit dynamically generated code into temporary DLLs, which are loaded immediately after). Unfortunately, it is caught by the AV engine due to bad defs. Whitelisting a single file does not solve the problem, since every "DLL emit" produces a file with a different timestamp and thus with a different hash. Although Symantec stated that this false positive detection is already fixed, the distribution of new virdefs (non-pulse) to all LiveUpdate servers can take a few hours, so be patient. In the meantime, the problem can be worked around by adding SAPE.heur.9BDD4 on detection whitelist (in v20: Settings - Computer - Antivirus and SONAR Exclusions - Signatures to Exclude from All Detections).
Kudos0
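Why a per-file hash exclusion cannot keep up with these emitted DLLs, shown as an added example that is not part of the original post. The two "DLLs" are constructed minimal PE headers that differ only in the COFF `TimeDateStamp` field; real emitted assemblies may differ in other fields as well, so the timestamp-ignoring hash is a demonstration, not an allowlisting scheme.

```python
import hashlib
import struct

def timestamp_offset(pe: bytes) -> int:
    """File offset of the COFF TimeDateStamp field in a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)  # pointer to "PE\0\0"
    if len(pe) < e_lfanew + 24 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 8  # signature (4) + Machine (2) + NumberOfSections (2)

def read_timestamp(pe: bytes) -> int:
    """Link/emit time stored in the file header, as seconds since 1970."""
    return struct.unpack_from("<I", pe, timestamp_offset(pe))[0]

def sha256_file(pe: bytes) -> str:
    """The hash a per-file exclusion list would be keyed on."""
    return hashlib.sha256(pe).hexdigest()

def sha256_ignoring_timestamp(pe: bytes) -> str:
    """Hash with the 4 timestamp bytes zeroed, to isolate their effect."""
    off = timestamp_offset(pe)
    return hashlib.sha256(pe[:off] + b"\0\0\0\0" + pe[off + 4:]).hexdigest()

def build_sample_dll(timestamp: int) -> bytes:
    """Constructed stand-in for an emitted DLL: DOS stub, COFF header, filler."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x2102)
    return dos + b"PE\0\0" + coff + b"constructed section data" * 8

if __name__ == "__main__":
    first = build_sample_dll(1441152000)   # constructed emit time
    second = build_sample_dll(1441152120)  # same code, emitted 2 minutes later
    for dll in (first, second):
        print(read_timestamp(dll), sha256_file(dll)[:16],
              sha256_ignoring_timestamp(dll)[:16])
```

Each run yields a new file hash while the content outside the header field is unchanged, which is why the workaround in the post excludes the signature name rather than any individual file.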

Re: SAPE.heur.9BDD4

With virus definitions 20150902.002 the false positive detection of SAPE.heur.9BDD4 is gone.
Kudos0

Re: SAPE.heur.9BDD4

Very good - as of now let's consider this snafu resolved and closed. Thanks for the prompt follow through and resolution to this problem. Keep up the good work.
Kudos0

Re: SAPE.heur.9BDD4

I am now getting something similar since installing the definitions on 2 September

I have updated to the latest but the issue remains.  SAPE.Heur.804F3 giving false positive and preventing use of software.
