Windows Defender flags Symantec as "invalid" publisher

Can anybody comment on this report by Windows Defender that came up shortly after rebooting my machine this morning:

 

Summary:

Services and Drivers change occurred.

This agent monitors services and drivers acting as part of Windows, often running with high security privileges. It ensures that no services are being interfered with or added without proper consent.

Path:

C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11312.sys

Detected changes:

regkey:

HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EraserUtilDrv11312

file:

C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11312.sys

Advice:

Permit this detected item only if you trust the program or the software publisher.

Publisher:

INVALID:Symantec Corporation

Digitally Signed By:

INVALID:Symantec Corporation

Product name:

ERASER ENGINE

Description:

Symantec Eraser Utility Driver

Original name:

eraser64.sys

Creation date:

3/2/2014 3:03 AM

Size:

137648 bytes

Version:

113.1.2.11

Type:

application

Checkpoint:

Drivers

Category:

Not Yet Classified

 

N360 v21.1.0.18, Vista Home Premium x64.

 

What I’m wondering about is possible reasons why Defender would flag this file as having an “invalid” publisher and an “invalid” digital signer.

 

Some background: last night I experienced the dreaded “3038,104” error and could not perform a Norton scan, even after doing a manual definitions update via Intelligent Updater. N360 hadn’t been able to update the defs on its own for four days. So this morning I followed other steps outlined in other threads here that deal with this error: run a Full System Scan in Safe Mode, run CHKDSK. Everything checked out – no bad stuff on my PC, hard drive is fine. But then shortly after rebooting into Windows, Defender gives me a pop-up that leads to the report quoted above.

 

Is the flagged file legit, or has my PC been attacked? What could lead Defender to flag Symantec as an invalid publisher and invalid digital signer?

 

BTW, my Windows Defender is the original, anti-malware version and not the rebranded, full-fledged AV formerly known as MS Security Essentials. It has coexisted peacefully with various iterations of N360 for five years (since the beginning), and not only does it ask me to approve of certain changes to the registry but it has also caught a few things that N360 missed, so I prefer to keep it running.

 

 

Hi F4E, Can it be said with confidence that the “Symantec” file that Windows Defender flagged is actually OK? What rattles me is the combination of N360 ceasing to update for several days, and then this “INVALID” flag showing up next to a supposedly Symantec file when I rebooted. It makes me wonder if N360 has been compromised. If it HAS been compromised by malware that it didn’t detect, then of course it would return a result that everything’s fine.

 

 

Hi. If you think that your product may be not working properly, then a fresh install might be in order.

 

You may wish to try the Norton Remove and Reinstall Tool, which will replace your current copy with a fresh one.

 

Run Live Updates after, until no more are found. The link is here: http://www.norton.com/nrnr

I found the likely cause for Windows Defender's flagging that Symantec file (EraserUtilDrv11312.sys).

 

According to VirusTotal, none of 50 scanners considered it malware. HOWEVER, the "File Detail" tab has a line, "Signature verification," which gives the following report in red: "Certificate out of its validity period." No doubt that's the reason Defender asked me if I wanted to allow the registry change.

 

A review of the Eraser file's Certificate Information (Properties --> Digital Signatures tab --> highlight "Symantec Corp." --> Details button --> General tab --> View Certificate button --> General tab) indicates that, "This certificate has expired or is not yet valid," and indeed in the lower half of the box it says that the certificate is "Valid from 9/7/2010 to 11/23/2013." Nor is there a signing time provided when you go to that first Digital Signatures tab.

  

 

I'm using version 20 on XP and the driver for 32-bit Windows appears to be "EraserUtilRebootDrv.sys".

It also has an expired certificate with the exact same dates.

 

Although it is an older version, and 32-bit Windows is not as picky about signed drivers as Windows 7 64-bit, it seems a little odd for Symantec considering that they own VeriSign.

 

Your file creation date shows today, so I assume it came in with a live update. I would think they could use an unexpired certificate on new drivers.

 

Dave

The post at the top of this section announcing version 21.1.0.18 is dated 10-30-2013, so that was during the time the certificate was valid.

 

Can you look at the file dates and see if it is dated more recent than the others?

That may show if it came in as an update or if it really was there all along and somehow got detected as being changed or new.

 

I don't have a vista or windows 7 64bit system here at the moment to confirm that, I loaned it to a friend.

 

Dave

Huh, I didn't know that Symantec owns Verisign. It is odd, then.

 

There are just two other files in the same EENGINE folder as EraserUtilDrv11312.sys: EPERSIST.DAT and eeCtrl64.sys.

 

eeCtrl64.sys has a creation date of November 26, 2013. The signature timestamp is October 9, 2013, and the certificate is valid from 9/7/2010 to 11/23/2013 (this one is the same as for EraserUtilDrv11312.sys). The Properties for EPERSIST.DAT don't give certificate information, but the date created is 3/2/2014.

 

Just to recap, the file creation date for EraserUtilDrv11312.sys is 3/2/2014, the certificate is valid for that same period, and there is no signature timestamp.

 

Let me know if you'd like to see the creation dates for any other files.
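As an added illustration (not code from this thread, from Symantec or from Microsoft), the following Python models the signature-verification rule behind the two findings above: a signature carrying a trusted timestamp is judged against the certificate's validity at the signing time, while a signature without a timestamp is judged at verification time, so the timestamped eeCtrl64.sys still verifies after 11/23/2013 whereas the untimestamped EraserUtilDrv11312.sys is reported as out of its validity period. The file names, certificate dates and timestamp are taken from the posts; the records themselves are constructed for the example.

```python
from datetime import datetime
from typing import Optional

# Validity window of the Symantec code-signing certificate quoted in the thread
CERT_NOT_BEFORE = datetime(2010, 9, 7)
CERT_NOT_AFTER = datetime(2013, 11, 23)

# Constructed records built from the dates posted in the thread:
# file name -> signing timestamp (countersignature), or None when the file has none
SIGNED_FILES = {
    "eeCtrl64.sys": datetime(2013, 10, 9),
    "EraserUtilDrv11312.sys": None,
}


def signature_status(signing_timestamp: Optional[datetime], verify_time: datetime,
                     not_before: datetime = CERT_NOT_BEFORE,
                     not_after: datetime = CERT_NOT_AFTER) -> str:
    """Return 'valid', or the reason a verifier would reject the signature.

    Rule modelled here: with a trusted timestamp the signing certificate only
    has to have been valid at the timestamped signing time; without one it
    must still be valid at the moment the signature is verified.
    """
    check_time = signing_timestamp if signing_timestamp is not None else verify_time
    if not_before <= check_time <= not_after:
        return "valid"
    if signing_timestamp is None:
        return "certificate out of its validity period (no timestamp, checked at verification time)"
    return "certificate was not valid at the timestamped signing time"


def status_for(name: str, verify_date: str) -> str:
    """Status of one constructed record when verified on a YYYY-MM-DD date."""
    return signature_status(SIGNED_FILES[name], datetime.strptime(verify_date, "%Y-%m-%d"))


def report(verify_date: str) -> dict:
    """Status of every constructed record when verified on verify_date."""
    return {name: status_for(name, verify_date) for name in SIGNED_FILES}


if __name__ == "__main__":
    # 2014-03-02 is the creation date Defender reported for the flagged driver
    for name, status in report("2014-03-02").items():
        print(f"{name}: {status}")
```

A real check reads these dates from the binary itself (for example with Get-AuthenticodeSignature in PowerShell), and the timestamp only counts when it comes from a trusted time-stamping authority.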