SONAR detecting a false positive?

I'm currently running NIS 2010 on Windows XP. I downloaded a program which runs as an .exe file, listed here:

http://safeweb.norton.com/report/show?url=http://download.banhurt.com/DreamJournal.exe

But then SONAR detects it as a High Risk and automatically removes it because it detected suspicious behavior on the program. I've been using this program "Dream Journal" for a year, but, ever since I ran its update, it's been giving me a high risk detection.

Don't know what that's all about; the creator and other people who used this say it's a false positive, but I'm not totally sure.

Hi Slick,

Please do the following:

Submit the file to Symantec if you think that it is a false positive:

https://submit.symantec.com/dispute/false_positive/

If you are unsure and regard the file as infected, please go over here:

https://submit.symantec.com/websubmit/retail.cgi

If you want a faster (but non-human) analysis, then you can go to Threat Expert (which belongs to Symantec):

http://www.threatexpert.com/submit.aspx

Hey Slick,

If you are sure this is a false positive, you can restore it from quarantine. Instructions

We will look into what is causing this.

Barrett

I ran the program, no reaction whatsoever.

dremajourn.JPG

Thanks for the response guys.

To Barrett, I'll put that on hold for a while. I used the 2nd and 3rd link Yaso_Kuuhl provided me with, because I'm still not sure about it. But I hope to get more results and get around it soon, because I really want to continue to use this program without being at risk.

TomiRed wrote:

I ran the program, no reaction whatsoever.

dremajourn.JPG

So, is that determined False Positive then? What should I do?

Quote:

Submit the file to Symantec if you think that it is a false positive:

https://submit.symantec.com/dispute/false_positive/

Why is it necessary to be a company to submit a False Positive?

The field on the form requires a company name to proceed.

You can indicate in the slot that you are not a company :-)

OK, but it also asks for the web site address. Surely that field will require a genuine www address.

crisoco8722 wrote:

OK, but it also asks for the web site address. Surely that field will require a genuine www address.

You can probably indicate that there is no company URL available. It would be rather problematic if only companies could submit false positives while everybody could not use the form. The other method would be to submit the file via Norton's Quarantine, but I don't think you have the option to say specifically that you want it analysed because you suspect that it's a false positive.

Yaso_Kuuhl wrote:

You can probably indicate that there is no company URL available. It would be rather problematic if only companies could submit false positives while everybody could not use the form. The other method would be to submit the file via Norton's Quarantine, but I don't think you have the option to say specifically that you want it analysed because you suspect that it's a false positive.

It all sounds a bit hit and miss. I think it highly unlikely that you can submit the form without filling in the boxes correctly. I have already submitted a false positive via Quarantine but, like you say, it does not have anything to say what the problem is.

Can Symantec not adjudicate on the correct method of dealing with this?

Fill out the form and if any of the fields aren't applicable, simply indicate that in the field.

Thank you for clarifying that.

Earlier you gave instructions about restoring ..........

BarrettBaxter wrote:

If you are sure this is a false positive, you can restore it from quarantine. Instructions

When I tried to do this in NIS 2009 I did not get an option to exclude it when trying to restore it from quarantine.

What is the method of dealing with it in NIS 2009 so that it remains excluded?

I have manually added it to exclusions but Norton still blocks it. See my other post.

Unlocker 1.8.8.exe

BarrettBaxter wrote:

Fill out the form and if any of the fields aren't applicable, simply indicate that in the field.

I think the other problem here is this paragraph which I have just noticed ..........

Quote: 'Please use the form below if you believe your software has been identified as another program'.

Then it goes on to say .......

Quote: 'The software vendor making the claim must complete the form before Symantec will begin a review'.

Although the box further down does ask if you are a vendor or not.

It is all very confusing. However I am going to submit it anyway although I am not the vendor.

So...what should I do guys, is it safe to use now? How do I know when Norton will give me back results on this?

Also, what's the difference between False Positive Submission and Security Risk Dispute Submission?

And which one should I use for this program?

Hi Slick,

You can read more about how Symantec defines a "security risk" over here:

http://securityresponse.symantec.com/avcenter/security_risks/general_criteria.html

If you think that your program has been mistaken for a false positive then you can either use the false positive form or you can open NIS, go to Quarantine and submit the file to Symantec from there.

What did ThreatExpert say about the file, by the way?

Yaso_Kuuhl wrote:

Hi Slick,

You can read more about how Symantec defines a "security risk" over here:

http://securityresponse.symantec.com/avcenter/security_risks/general_criteria.html

If you think that your program has been mistaken for a false positive then you can either use the false positive form or you can open NIS, go to Quarantine and submit the file to Symantec from there.

What did ThreatExpert say about the file, by the way?

This is all it showed, not sure what it means though.

http://www.threatexpert.com/report.aspx?md5=1b30f569930a7d95f91dfc30cd27ab03
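The ThreatExpert link above identifies the sample only by its MD5. Before reading any vendor report as a verdict on the file you actually have, it is worth confirming that your local copy hashes to the same value; if the hashes differ, the report describes a different file (for instance an older build before the update that triggered SONAR). The script below is an added example for this thread, not code from the forum, from Symantec or from the Dream Journal author. It hashes a file incrementally, reproduces the `report.aspx?md5=` URL pattern visible in the post above (assumed to be the only parameter needed), and compares against the MD5 quoted there. The sample bytes are constructed so the script runs offline without the real executable.

```python
import hashlib
import os
import tempfile

# MD5 taken from the ThreatExpert report URL quoted in the thread.
REPORT_MD5 = "1b30f569930a7d95f91dfc30cd27ab03"


def digests_from_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_digests(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a large executable never has to fit in memory.

    SHA-256 is recorded alongside MD5 because MD5 collisions are practical;
    two different files can share an MD5, so a SHA-256 match is the stronger check.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def threatexpert_url(md5_hex: str) -> str:
    """Build a report lookup URL using the pattern seen in the thread (assumed format)."""
    return f"http://www.threatexpert.com/report.aspx?md5={md5_hex.strip().lower()}"


def matches_report(local_md5: str, report_md5: str) -> bool:
    """True only if the local file's MD5 equals the hash the report was generated for.

    Comparison is case-insensitive and ignores surrounding whitespace, since hashes
    copied from web pages often arrive in upper case or with stray spaces.
    """
    return local_md5.strip().lower() == report_md5.strip().lower()


if __name__ == "__main__":
    # Constructed stand-in for the downloaded executable; not the real DreamJournal.exe.
    sample = b"abc"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        local = file_digests(path)
        print("md5:   ", local["md5"])
        print("sha256:", local["sha256"])
        print("lookup:", threatexpert_url(local["md5"]))
        print("same file as the quoted report?",
              matches_report(local["md5"], REPORT_MD5))
    finally:
        os.unlink(path)
```

Run it against the quarantined file's path instead of the temporary sample to get the real hashes; if `matches_report` prints `False`, the ThreatExpert page is about a different build and a fresh submission is needed before its verdict means anything for your copy.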

Slick, I have the exact same NIS version, same definitions, only the OS is different, and I can run this exact same program without problems, and SONAR doesn't react.

It is possible that you have some other malware present on your system which this program is loading when it starts (some malicious dll?). I'm grasping with this assumption, but it is the only way I can explain this difference between your and my system.

I see, I'll try to run a full scan on my pc with Malwarebytes and Norton to see if I can find anything.