False Positive- unresolved security risk warnings

I spent an agonizing 9 hours today with Symantec/Norton tech support without resolution to a program annoyance.

 

My frustration with Norton is that if a threat is manually removed, Norton is not smart enough to update the threat status during subsequent scans, and continues to warn about non-existent threats, apparently forever.

About 2 months ago, Norton located several viruses on an external drive connected to my computer.  As soon as the problems were identified, I disconnected the drive and formatted it. The drive has never been reconnected to the computer but Norton still sees the nonexistent files as a threat.  Ever since, Norton 2009 AV periodically pops up the "Unresolved Security Risk" window and informs me of a threat within a Drive\folder\file that does not exist!  Subsequent scans by Norton 2009 and even other 3rd party AV programs reveal zero threats, but Norton never updates the unresolved security risk table to reflect "no detected issues".

I explained this situation to technical support and they still insisted on performing an on-line scan which took about 4 hours to complete.  Zero issues were detected, but the "false-positive" unresolved security risk window was not corrected.  We then removed and reinstalled AV.  As soon as the program was installed, but before running a scan, we checked the unresolved security risk table and all the false-positive entries were still there.  Tech support insisted that I had a "nasty trojan" even after I pointed out that Norton had not yet performed a scan after the new installation.  This HAD to be left over from the previous installation!  Tech support insisted that the removal tool removed all traces of the old program and that this was clearly a new issue, even after I pointed out the date of the detection was July 21 (several months ago).   Tech support indicated my only recourse was to pay $99 to have priority support "remove the viruses" for me.

 

Shortly after that, my Chat session was terminated and although I monitored the remote "logmein remote" session for 45 minutes the technician never came back on-line. 

 

 

There must be a file location or registry setting that will eliminate this information so that a new installation will truly start fresh.

 

 

Has anyone run into this/fixed it?

  1. What was the Threat Name?
  2. What is its location?
  3. What component is detecting this Threat? Check Security History.

The threat name is trojan.nebular 

 

The pop-up is "unresolved Security risks". 

 

If I go to Security history and choose the "unresolved security risk view", it shows four files that could not be removed on July 1, 2008.  If I check the detail view, it shows:

 

Affected Area: 1 File

 

Details:[onone.software.setup.exe]inside of[scotch.zip]inside of[s:\backoffice\applications\media

 

The important thing to note here is that I have not had an "s:" drive for several months!

 

To clarify, in July I was connected to a network attached storage drive when Norton ran a scheduled scan of my computer.  Norton included the network drive in its scan but was unable to remove the threat as I did not have read/write privileges on the offending folder.  The network attached storage drive was subsequently formatted and never re-connected to my PC.

 

So, although the threat no longer exists to my PC, Norton keeps popping up a window to remind me that back in July it never resolved the threat.  Since the threats were seen as "high-risk", clicking ignore does not cancel the periodic pop-up reminders.

 

Norton simply does not update the unresolved threat status based on current scans.  For example, I scanned my PC last night:

 

Scan Stats:
  Scan Time: 25003 seconds
  Scan Options:
  Scan Targets: C:\, F:\
  Counts:
   Total items scanned: 1,675,353
   - Files & Directories: 1,675,353
   - Registry Entries: 0
   - Processes & Start-up Items: 0
   - Network & Browser Items: 0
   - Other: 0
   - Trusted Files: 113
   - Skipped Files: 1

   Total security risks detected: 0
   Total items resolved: 0
   Total items that require attention: 0

 

Everything looks clean, right?

 

However, Norton still shows 3 unresolved threats in securityhistory>unresolved security risks and will periodically nag me to correct.  Obviously, if I choose re-scan it fails since the offending drive\path is invalid.

 

 

 

 

An uninstall and reinstallation will clear your Security History and fix the issue. No point in going after the needle in the haystack; just nuke the whole thing.


Tech0utsider wrote:
An uninstall and reinstallation will clear your Security History and fix the issue. No point in going after the needle in the haystack; just nuke the whole thing.

Indeed. I would be curious to see what happens when you do a scan after a reinstall.


forwardthinker wrote:

...

Details:[onone.software.setup.exe]inside of[scotch.zip]inside of[s:\backoffice\applications\media

 

The important thing to note here is that I have not had an "s:" drive for several months!

 


That may not be the issue.  If I understand this correctly, the problem is a file inside of a zipped file and the structure tree is there in the zip file, so that might be what is being processed as the location.  Because that is the intended location.

Thanks for the suggestions, but that is part of my frustration: 

 

Yesterday, I used the Symantec software removal tool and uninstalled Norton AV 2009 and then reinstalled.  After installing all the updates, but before running a scan, I checked the security history>unresolved security risks and the old information was still there.

 

So, I ran a full system scan (attached previously) and it came back without finding any issues, but the unresolved threats remained in the history.  To reiterate, the scans always come back without any current threats being found, but hours later I receive a pop-up warning that we never resolved the threats found last July.

 

It's like Norton is stoned; "Dude, remember that virus I found back in July?  We gotta go find that sucker and fix it, man!" 

 

My sense is that there must be a way to manually purge the unresolved threat history (log file, registry item, etc.) since uninstalling and reinstalling 2009 did not accomplish that.

 

Having said all that; although the items remain in the history, I have not received the pop-up unresolved security risk warning yet today, which is unusual.  I can live with the history table being incorrect, it's the periodic pop-ups that drive me crazy.

Mijcar-

I used the zip file as an example. The other risks it found were in .exe files in the same s:\backoffice\applications\media folder.  As I mentioned, I did not have write privileges to the offending folder so Norton was unable to fix or remove the files.  I later formatted the entire external drive, and have not used it since.

 

Since I manually fixed the problem, my assumption is that Norton should be smart enough to update its unresolved security issues when I re-scan, but that is not the case.  When I run a scan, everything comes back A-OK, but then hours later I receive a reminder that Norton was unable to fix a problem months ago.  It's like having your car's oil pressure gauge tell you that your neighbor's car needs oil.   The offending file(s) do not represent a threat since the drive and files no longer exist, but Norton still wants to go and fix them.

Okay, I think I have a better picture of what is happening.

 

Is it possible that when you got the original warning and were unable to delete the file(s), you forced the program closed because it wouldn't allow you to close it normally?  I'm asking because once you made a decision, that decision should have been accepted without leaving the kind of artifact behavior you are describing.

 

I have a number of suggestions.

 

1.  (for data purposes):

     a.  Start>Search>For Files or Folders ...

     b.  Find your way to advanced mode and make sure you select "More Advanced Options" and check Search Subfolders, Search System Files, Search Hidden Files

     c.  In the main search field enter the key part of the name of the file that is identified as the problem file; and start the search.

     d.  Make notes of where the name shows up.

 

2.  (for data purposes):

     a.  Start>Run

     b.  type in:  regedit

     c.  Press <enter>

     warning note:  do not make any changes to the registry during the following; this is for info only.

     d.  Press control-F or use the menu bar and select Edit>Find

     e.  Enter the same name you used in 1. above. and press <enter> or okay.

     f.  Note the occurrence of the entry but don't waste your time writing down where it is.  The main thing is, make sure the entry you found wasn't merely a record of your search for that file in Step 1 (that will be obvious from the nature of the key containing the link).

     g.  Press F3 and wait.  This will make the program search for the next occurrence.  Note whether it occurs or not but don't write it down.

     h.  Continue this until you get the report that the search has gone as far as it can.

     i.  Exit from the registry editor.

 

Here's how the information is useful.

3.  If you found references to the original malware in any folder, then that is probably where Norton is finding these spurious entries.  You may consider uninstalling NIS, running the removal tool, then searching for and deleting to the recycler any folder designated as a Norton or Symantec folder or containing the file references you found in 1 above.  If this creates any problems, you can always restore a folder from the Recycler.

 

4.  You now have a choice.

     a.  The easy road and safe road:  Reinstall NIS and see if the problem is fixed.

     b.  (Only applicable if you found any references to the malware file in the Registry)  The tricky, dangerous, but more comprehensive road consists of

          1)  opening the registry

          2)  making a backup of the complete registry

          3)  finding and deleting the keys involved

          4)  closing the registry

          5)  reinstalling NIS

 

 If you are wondering which I would do, I would try 4a first.  I prefer work to danger.

forwardthinker - I feel your pain.  My Norton Internet Security is exhibiting the exact same behavior.  It found trojans in a copy zip files and continues to report them with a popup window even though they are long gone.

The date reported for them is old, the path to them no longer exists.  I can run a full scan of my computer and it comes up clean.  Scans of that particular folder reveal nothing.  I even tried turning off indexing on the disk to remove any traces of the filenames, but didn't work.

 

I didn't bother calling support on this as, based on past experience, I  knew I would spend many worthless hours waiting on the phone while they had me run a scan, uninstall & reinstall, etc.  This is confirmed by your previous posts.  

 

This list of  "Unresolved Security Risks" must be stored somewhere.  I would like to find a way to wipe it clean.

 

Hi,

 

I think it is stored in the following location:

 

For Windows XP: C:\Documents & Settings\All Users\Application Data\Norton

 

For Windows Vista: C:\Program Data\All Users\Application Data\Norton

 

Some of these folders are hidden by default; you may need to configure Windows to show all files/folders to find this. These are the steps:


1. Click the Start button, and then click My Computer or Computer.
2. Depending on your operating system, do one of the following:
    - For Windows Vista: On the Organize menu, click Folder and Search Options.
    - For Windows XP: On the Tools menu, click Folder Options.
3. Click the View tab.
4. Depending on your operating system, do one of the following:
    - For Windows Vista: Locate and click Show hidden files and folders.
    - For Windows XP: Under the Hidden files folder, locate and check Show hidden files and folders.
      If you see a warning message, click Yes.
5. Locate and uncheck Hide file extensions for known file types.
6. Click Apply > OK.

 

After running Norton removal tool, you may need to check whether this "Norton" folder is still present. If so, try deleting that folder and then reinstall Norton 2009 program.

 

Yogesh

Hi.

You don't need to reinstall! In safe mode, delete the contents of the folder QBACKUP (C:\Documents and Settings\All Users\Application data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup).

After a restart in "normal" mode, the unresolved security risk log is empty.

Hi Peter63,

 

To remove the QBACKUP folder, there is no need to boot in safe mode either. You just need to disable the Norton Product Tamper Protection under Miscellaneous Settings. The QBackup folder (Quarantine Backup) is used by the Norton AntiVirus component to store backup recoveries of repaired and removed threats when you fix/remove threats during the scan. It may also contain information about threats detected and retains the remediated data in your computer itself. It will be automatically recreated by the Norton program when you run a scan next time.

If the folder still remains after running the removal tool (uninstall), then it's an incomplete uninstall. That's why I suggested to uninstall, remove that folder and reinstall.

 

Yogesh

I think a reinstall is the last option to solve the problem.

Yogesh- Do you need to remove the QBackup folder in general or just if there is a problem?

NY1986,

 

You need to remove it only if you have any similar problem like unresolved threats still showing in history. Otherwise, no need to remove it.

 

Yogesh

Peter63/Yogesh-  Thanks for the great information.  Deleting the folder did indeed work for me.  Somehow, the Uninstall routine misses that folder, so the incorrect risk advice continues even after an uninstall.  In any event, per your great information, reinstalling is not needed.

 

Thanks again!

Just one note:

For Windows Vista path will be C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup

And hold shift button while deleting folder .... You don't need to boot in a safe mode (just disable tamper protection in miscellaneous settings as stated in other post).




To forwardthinker and Everybody,
Yes, I have the same issue with NIS2009. I only want to make my point about this, which is clearly a BUG in the "unresolved security risk: History" window. My "unresolved item" was found by NIS2009 on a CD-ROM (I understand everybody already knows that a file (virus/trojan) cannot be erased from a CD-ROM) and of course the suggested solution, pressing the "Remove" button, doesn't work, so it said "failed to remove". The next time I reboot Windows, the "action required" alert window pops up again. So it reminds me again that I have to remove or delete a risk from a CD-ROM. Why in the name of earth can't "rescan", "remove" or "get help" understand THAT IT IS IMPOSSIBLE to clean a CD-ROM???
By the way, my English is not so good, so the first time I read this thread I understood there was still an issue with this FIX (deleting the QBackup folder), so I misunderstood and went to Symantec support to get a better solution (my mistake). So I also spent 5 hours with Symantec/Norton tech support without resolution to this program annoyance. After they uninstalled and reinstalled my NIS2009 they just told me I have a virus and have to pay $99 (double what I paid for NIS2009 to do the work of keeping viruses out of my PC). When I asked what happens if I pay the $99 and no virus is found, they told me the $99 is for the priority assistance (even if they don't find anything). This is not fair play, SYMANTEC PEOPLE!!!!!!!!!!! So I told him again that my problem is not with a virus/trojan (since no virus has been found with AV, and no spyware has been found when I used a well-regarded third-party antispyware product), and that my problem is with this BUG in NIS2009. So I told the person to read this forum message, but then they told me I can contact support anytime when I have another problem. So they don't care about this FORUM; they don't even read it (I mean at least the chat person at Symantec support). So, as if these were parallel worlds, this will keep happening, since they will not add the knowledge and solutions that are found here every day. It's a SHAME. They make a protocol for solutions and they don't update it until a new version is released. WHAT a SHAME!!!
Please, people, encourage Symantec to solve this BUG in NIS2010 by asking them to resolve this issue in their forum's NIS2010 suggestion box; direct link here: NIS2010 suggestion BOX.
Thanks for reading this message.
THE FIX:
It is not necessary to erase the complete QBackup folder, nor do you need to boot in safe mode. The QBackup folder (Quarantine Backup) is used by the Norton AntiVirus component to store backup recoveries of repaired and removed threats when you fix/remove threats during the scan. It may also contain information about threats detected and retains the remediated data in your computer itself. It will be automatically recreated by the Norton program when you run a scan next time.
So to FIX this problem: open the NIS2009 history, go to "unresolved security risk", press "Remove" on the item that failed to be removed, and wait for the "failed to remove" status; this will update the "*.qbi" file which holds the history of the unresolved items. Then go to NIS2009 settings, go to "Miscellaneous Settings" and disable the Norton Product Tamper Protection. Then open Windows Explorer and go to
  "C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup"
and erase your most recently updated (newest) "*.QBI" file. The asterisk stands for a long number such as "{DDAB4332-ED04-4898-9C20-D231FDC4B0C5}.qbi"; it will be a small file, 1-10 KB. Delete only this file. Close Windows Explorer, go to NIS2009, re-enable the Norton Product Tamper Protection under Miscellaneous Settings, and when you open the HISTORY you will find it is empty (clear).
Hope this will help you avoid erasing the whole (complete) "QBackup" folder.
BEST REGARDS (SALU2 PARA LA RAZA)
TUFE (aka JC.WILCOX or SABROSO)
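
An added example, not part of any post in this thread and not Symantec's own tooling: a PowerShell sketch that inventories the `.qbi` files in the QBackup folders named above and moves the most recently written one to a backup folder instead of deleting it, so the change can be undone. The two folder paths and the 1-10 KB size figure come from the posts; the function names and backup location are assumptions, and Tamper Protection must already be disabled as the posts describe.

```powershell
# Added example. Folder paths are the ones quoted in this thread; the function
# names and the backup directory are hypothetical.
$QBackupCandidates = @(
    # Windows XP path given in the thread
    'C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup',
    # Windows Vista path given in the thread
    'C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup'
)

function Get-QbiInventory {
    # Read-only: list every .qbi file in the candidate folders, newest first.
    param([string[]]$Folders = $QBackupCandidates)
    foreach ($folder in $Folders) {
        # -LiteralPath keeps the braces in the GUID from being interpreted.
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }
        Get-ChildItem -LiteralPath $folder -Filter '*.qbi' -File -Force |
            Sort-Object LastWriteTime -Descending |
            Select-Object DirectoryName, Name, Length, LastWriteTime
    }
}

function Move-NewestQbi {
    # Moves (does not delete) the most recently written .qbi file.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        [string]$BackupDir = (Join-Path $env:TEMP 'qbi-backup')   # assumed location
    )
    $newest = Get-ChildItem -LiteralPath $Folder -Filter '*.qbi' -File -Force |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $newest) {
        Write-Warning "No .qbi files found in $Folder"
        return
    }
    # The post says the history file is small (1-10 KB). A larger newest file
    # is probably not the history record, so stop rather than guess.
    if ($newest.Length -gt 10KB) {
        Write-Warning "$($newest.Name) is $($newest.Length) bytes, larger than expected; nothing moved."
        return
    }
    if ($PSCmdlet.ShouldProcess($newest.FullName, "Move to $BackupDir")) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        Move-Item -LiteralPath $newest.FullName -Destination $BackupDir
        $newest.Name   # return the name of the file that was moved
    }
}

# Inventory first; this changes nothing on disk.
Get-QbiInventory | Format-Table -AutoSize

# Dry run of the move against the XP path; remove -WhatIf to perform it.
# Move-NewestQbi -Folder $QBackupCandidates[0] -WhatIf
```

Running the inventory before and after pressing "Remove" in the history view shows which `.qbi` file's timestamp changed, which is the file the fix above targets.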
 

Just format it.

 

[edit: Language per the Participation Guidelines and Terms of Service.]

Message Edited by shannons on 02-11-2009 08:14 PM