Yesterday, apparently following an automatic virus definition update, NIS2009 suddenly began identifying a file in one of our commercial products as being infected with the W32.IRCBot trojan. Your web site indicates that the definition for this virus was changed yesterday. Previously, this file had repeatedly passed virus scans by Norton, McAfee and Kaspersky over several months without any indication of problems, and we are confident that the file is not infected.
The file in question is encrypted for license management purposes. Our theory is that a random byte pattern in the encrypted version is triggering detection with the updated virus definitions. The unencrypted file shows no sign of being infected, and the encryption is performed by a reputable commercial product which is also malware-free.
How can we get in touch with someone in your virus definition group to diagnose and correct this problem? Existing users who have Norton protection will otherwise have their main executable files for the application deleted.
I can provide more details via a private channel if one is available. Obviously, this is a sensitive issue for us.
Terry R.
Enventra, Inc.
Terry,
Would it be possible to submit this false positive? That is, the file while it is compressed? I do realise it could be sensitive info though. Furthermore, could you provide any details as to the process of encryption, as this may prove important if your theory is correct?
If you could possibly answer these questions and provide any further information that you deem not too sensitive, that would be great, so that when a moderator does come along, your info is here already and they can get straight to the heart of the problem.
Regards
Matt
Thanks for the guidance. The product used for license management and encryption is Software Passport, version 5.4.2.542. Armadillo is used as the underlying DRM technology.
The file can be downloaded from
[edit: removed link to executable per the Participation Guidelines and Terms of Service. The information is still available to Moderation team if further review is necessary.]
Message Edited by Tony_Weiss on 08-04-2009 02:06 PM
Hi trochford,
For all possible false positives, the software vendor will need to complete the form on the following page:
https://submit.symantec.com/false_positive/index.html
Thanks!
Tony,
Thanks for the link. I just completed and submitted the form.
Terry