WS.Trojan.H Exonerated and Others Exonerated

WS.Trojan.H Exonerated

 

setting32.exe Exonerated

 

mkunicode.dll Exonerated

 

installedcodec.exe Exonerated

 

All 4 of these files say pending under Security History and 1 of them is a trojan, shouldn't it be removed? And what about the other 3 files? Are they safe?

Hi xflash27,

 

I think what you are seeing are Statistical Submissions that are sent to Symantec via Norton Community Watch.  These help Symantec refine the detection signatures that are used to recognize different malware in order to make them more efficient and to help eliminate false positives.  Had the program discovered files that were actually infected, those files would have been instantly removed from your system.  As with almost all other Norton History entries, no user action is required.

WS.Trojan.H Exonerated

 

setting32.exe Exonerated

 

mkunicode.dll Exonerated

 

installedcodec.exe Exonerated

 

All 4 of these files say pending under Security History and 1 of them is a trojan, shouldn't it be removed? And what about the other 3 files? Are they safe?

At this stage, I'd like to know how the following two files that xflash27 reported above, arrived on xflash27's computer:

 

setting32.exe Exonerated

installedcodec.exe Exonerated

 

At face value, and without Norton's help, both of these files would be considered suspicious, for obvious reasons...

 

If both of these files arrived via email, then the presence of Statistical Submission 'exonerated' entries for these two files in the Security History log indicates that Norton's SONAR feature is the only thing left that might protect xflash27 if xflash27 chooses to execute either of these two files...

 

To illustrate with a recent real life example, 'FedEx_Invoice_Copy.exe' arrived inside a zip archive via email and initially triggered an exonerated submission as shown in the first record below:

 

Date & Time | Risk | Activity | Submission Details
04/04/2012 20:17 | Info | Statistical Submission: FedEx_Invoice_Copy.exe Exonerated | fedex_invoice_copy.exe [...]
05/04/2012 12:15 | High | Trojan.FakeAV detected by Virus scanner |
05/04/2012 12:15 | Info | Statistical Submission: Trojan.FakeAV | fedex_invoice_copy.exe [...]

 

 A later re-scan, as shown above, indicates that 'FedEx_Invoice_Copy.exe' now contains 'Trojan.FakeAV', despite the previously exonerated status.

 

As per my recommendation here, Norton should remove the word 'Exonerated' from the Statistical Submission text because it can mislead users into thinking that a file marked as 'exonerated' is considered safe to run...


setting32.exe Exonerated

installedcodec.exe Exonerated

 

I scan my computer every night and I recently did a factory data reset, so I don't think those 2 files are on my computer anymore, but if the files are a virus and still on my computer, would Norton remove it?

 

I think those 2 files came from a codec pack I downloaded from Shark007.net

 

Btw, WS.Trojan.H Exonerated keeps popping up in my scan results even though I recently did a factory data reset to my computer. Should I be worried or not? If you look under Category: Norton Community Watch you will see it.

 

Category: Scan Results
Date & Time,Risk,Activity,Status,Scan Time (d:h:m:s),Total items scanned,Files & Directories,Registry Entries,Processes & Start-Up Items,Network & Browser Items,Other,Trusted Files,Skipped Files,Total Security Risks Detected,Total Security Risks Resolved,Total Security Risks Requiring Attention,Task Name
2012-04-20 20:27:06,Info,Full System Scan results,Completed,0:00:27:00,"412,486","406,018",567,"5,215",678,8,"9,281","21,824",0,0,0,
2012-04-20 19:57:26,Info,Quick Scan results,Completed,0:00:02:19,"10,610","3,583",567,"5,774",678,8,"1,270",0,0,0,0,
2012-04-20 19:53:28,Info,On-Demand scan results,Completed,0:00:00:01,14,14,0,0,0,0,0,0,0,0,0,On-Demand scan
2012-04-20 19:53:08,Info,On-Demand scan results,Canceled,0:00:01:00,"4,927","4,927",0,0,0,0,0,0,0,0,0,On-Demand scan


Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category,Program Name,Program Path,Default Action,Action Taken,Local Computer,Traffic Description
2012-04-20 20:32:20,Info,"An instance of \"C:\Users\Owner-HP\AppData\Local\Google\Chrome\Application\chrome.exe\" is preparing to access the Internet.",Detected,No Action Required,Firewall - Activities,,,,,,
2012-04-20 20:31:17,Info,"An instance of \"C:\Users\Owner-HP\AppData\Local\Google\Chrome\Application\chrome.exe\" is preparing to access the Internet.",Detected,No Action Required,Firewall - Activities,,,,,,
2012-04-20 20:16:59,Info,Firewall configuration updated: 142 rules.,Detected,No Action Required,Firewall - Activities,,,,,,
2012-04-20 20:16:59,Info,Firewall rules were automatically created for Spooler SubSystem App.,Protected,No Action Required,,Spooler SubSystem App,C:\Windows\System32\spoolsv.exe,No Action Required,Automatically create rules,"HP (192.168.1.16), 50854","Outbound TCP, Port 3910"
2012-04-20 20:08:51,Info,"An instance of \"C:\Users\Owner-HP\AppData\Local\Google\Chrome\Application\chrome.exe\" is preparing to access the Internet.",Detected,No Action Required,Firewall - Activities,,,,,,
2012-04-20 20:00:35,Info,"An instance of \"C:\Users\Owner-HP\AppData\Local\Google\Chrome\Application\chrome.exe\" is preparing to access the Internet.",Detected,No Action Required,Firewall - Activities,,,,,,
2012-04-20 20:00:10,Info,Firewall configuration updated: 140 rules.,Detected,No Action Required,Firewall - Activities,,,,,,
2012-04-20 19:53:45,Info,You created firewall rules to manage how Device Display Object Function Discovery Provider accesses your network resources.,Custom,No Action Required,,Device Display Object Function Discovery Provider,C:\Windows\System32\DeviceDisplayObjectProvider.exe,No Action Required,User configured rules,"HP (192.168.1.16), 50357","Outbound TCP, www-http"
2012-04-20 19:53:45,Info,"An instance of \"C:\Windows\System32\DeviceDisplayObjectProvider.exe\" is preparing to access the Internet.",Detected,No Action Required,Firewall - Activities,,,,,,


Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,Category,Default Action,Action Taken
2012-04-20 19:58:03,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required
2012-04-20 19:58:03,Info,Intrusion Prevention Engine version: 4.9.0.6 Definitions Set version: 20120420.001,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required
2012-04-20 19:58:03,Info,Intrusion Prevention is monitoring 2015 signatures. Driver version: 10.1.0.68,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required


Category: Identity
Date & Time,Risk,Activity,Status,Recommended Action
2012-04-20 20:00:06,Info,Antiphishing definitions version 20120420.013 downloaded,Detected,No Action Required
2012-04-20 20:00:03,Info,Using Antiphishing definitions version 20120420.013,Detected,No Action Required
2012-04-20 19:57:57,Info,Antiphishing definitions version 20120420.012 downloaded,Detected,No Action Required
2012-04-20 19:57:54,Info,Using Antiphishing definitions version 20120420.012,Detected,No Action Required


Category: Norton Community Watch
Date & Time,Risk,Activity,Status,Recommended Action,Date Updated,Submitted By,Description,Submission Details
2012-04-20 20:09:40,Info,Statistical Submission: WS.Trojan.H Exonerated,Pending,No Action Required,2012-04-20 20:09:40,Norton 360,Statistical Submission: WS.Trojan.H Exonerated,"_dc046d237c5b44049bdaf842541c0913 <br>Detection Digest: <br>03 00 EA AF 0F 01 00 03 00 F0 19 00 00 BD 03 43 ...............C <br>32 63 42 A1 7B 00 00 00 00 79 F8 B4 AF 01 03 00 2cB.{....y...... <br>01 A9 00 04 03 00 00 32 19 03 05 00 01 02 03 00 .......2........ <br>00 . <br>"


Category: File Cleanup
Date & Time,Risk,Activity,Status,Recommended Action,Category,Result,Space Cleaned
2012-04-20 20:27:08,Info,Windows Temporary Files,Succeeded,No Action Required,Tuneup,Fixed: 7,12 KB
2012-04-20 20:27:07,Info,Internet Explorer Temporary Files,Succeeded,No Action Required,Tuneup,Fixed: 8,37 KB


Category: Disk Optimization
Date & Time,Risk,Activity,Status,Recommended Action,Category,Result,Details
2012-04-20 20:27:40,Info,Disk Optimization,Succeeded,No Action Required,Tuneup,No problems detected.,"System Reserved Drive: Optimization not required, current disk fragmentation is 3%., Drive C: Optimization not required, current disk fragmentation is 0%., Drive D: Optimization not required, current disk fragmentation is 0%."


Category: LiveUpdate
Date & Time,Risk,Activity,Status,Recommended Action,Type of Update,Result,Date & Time,Total Updates Applied,Norton 2012 Web Protection Definitions,Norton Pulse Updates,Reboot Required,Risk,Norton 2012 Smart Virus Definitions X64,Norton 2012 IPS Definitions,Norton 2012 Whitelist,Norton Activity Map Data,Norton 2012 Reputation Revocation List
2012-04-20 20:00:06,Info,LiveUpdate Session,Completed,No Action Required,Interactive,Norton LiveUpdate has successfully completed. Your Norton product now has the latest protection updates.,2012-04-20 20:00:06,2,Success,Success,No,Info,,,,,
2012-04-20 19:58:05,Info,LiveUpdate Session,Completed,No Action Required,Automatic,Norton LiveUpdate has successfully completed. Your Norton product now has the latest protection updates.,2012-04-20 19:58:05,7,Success,Success,No,Info,Success,Success,Success,Success,Success


xflash27 wrote:

[...]

 

Btw, WS.Trojan.H Exonerated keeps popping up in my scan results even though I recently did a factory data reset to my computer. Should I be worried or not? If you look under Category: Norton Community Watch you will see it.

 

[...]


Category: Norton Community Watch
Date & Time,Risk,Activity,Status,Recommended Action,Date Updated,Submitted By,Description,Submission Details
2012-04-20 20:09:40,Info,Statistical Submission: WS.Trojan.H Exonerated,Pending,No Action Required,2012-04-20 20:09:40,Norton 360,Statistical Submission: WS.Trojan.H Exonerated,"_dc046d237c5b44049bdaf842541c0913 <br>Detection Digest: <br>03 00 EA AF 0F 01 00 03 00 F0 19 00 00 BD 03 43 ...............C <br>32 63 42 A1 7B 00 00 00 00 79 F8 B4 AF 01 03 00 2cB.{....y...... <br>01 A9 00 04 03 00 00 32 19 03 05 00 01 02 03 00 .......2........ <br>00 . <br>"


[...]


It's potentially a false positive but we need to take a closer look at what Norton is detecting here. Search your computer for files with the same name as the one highlighted in blue above. If you find a match, then please right-click on the file and copy and paste the 'Norton File Insight' report for that file into your next post.

 

If no matches are found, then please run a Full system Scan in SAFE mode based on the instructions provided here. Please note that the opportunity provided by that thread may be lost now.

I copied and pasted what was in blue but no file was found with _dc046d237c5b44049bdaf842541c0913 

 

I also did a full system scan in SAFE MODE but nothing came up, so is it safe to say it's a false positive?

I am not seeing these in your scan results.  I see them only in your Norton Community Watch submissions, but those are files of interest that Norton submits for analysis - they are not malware detections.  NCW is not one of the protection components; it is strictly a data-collection tool.  That is why it is listed in the Norton History logs in the "Submissions and Errors" category, rather than under "Protection and Performance," where security risks are logged.

 

Certainly, if a file that is submitted is determined to be malicious, then a signature for its detection will be added to the virus definitions and Norton will remove that file when it is scanned with the updated signature.  But inclusion in the submissions queue is not an indicator that a file is malicious and a user should never take pre-emptive action based on anything having to do with the NCW submissions list.  You can't really call your submissions false positives, because they were never erroneously alerted to as "positives."


SendOfJive wrote:

I am not seeing these in your scan results.  I see them only in your Norton Community Watch submissions, but those are files of interest that Norton submits for analysis - they are not malware detections.  NCW is not one of the protection components; it is strictly a data-collection tool.  That is why it is listed in the Norton History logs in the "Submissions and Errors" category, rather than under "Protection and Performance," where security risks are logged.

 

Certainly, if a file that is submitted is determined to be malicious, then a signature for its detection will be added to the virus definitions and Norton will remove that file when it is scanned with the updated signature.  But inclusion in the submissions queue is not an indicator that a file is malicious and a user should never take pre-emptive action based on anything having to do with the NCW submissions list.  You can't really call your submissions false positives, because they were never erroneously alerted to as "positives."


I had hoped that in the context of my earlier post here and its associated link, that the Safe Mode scan may have detected and named a 'false positive' file that xflash27 could then re-scan in Normal mode to see if it generated a 'WS.Trojan.H' Norton Community Watch submission. Alas, it wasn't to be, so now we have to find the 'WS.Trojan.H' trigger file manually.

 

The real problem here is that a Norton Protection component is delivering erroneous messages to the Norton Community Watch submission queue for processing.

 

Examples of the erroneous Norton Protection component messages that are delivered to Norton Community Watch submission queue for processing include:

 

(1)  Norton Protection component messages containing the word 'Exonerated': Fully explained earlier; this word should only be used when Norton can absolutely guarantee the safety of the file in question. At present it doesn't and the word exonerated is being attributed to files that later turn out to be malware;

 

(2) Norton Protection component messages containing file information that doesn't enable an end user to easily identify the suspicious file in question. To illustrate using a Microsoft WorldWide Telescope setup file (Windows Installer Package (.msi)), the File Insight attributes for this file are as follows:

 

[Image: WWTSetup.png]

 

Despite the trust shown above, this file will produce the following 'Suspicious.Cloud.2 Exonerated' submission when scanned under a 'Full Scan' Performance Profile:

 

[Image: NIS 2012 19-7-0-9 Suspicious Cloud 2 Advanced Details.png]

 

Note how the first line of the 'Submission Details' section shown above closely resembles the format of xflash27's original 'WS.Trojan.H' submission, '_dc046d237c5b44049bdaf842541c0913'? In my case, the first line above should have read something like: 'C:\Users\Public\Documents\Norton Issues\False Positives\WWTSetup.3.0.60.msi'. Instead, what is being reported is an individual file contained within this package file. From a user's perspective, it would be better if Norton reported the full name and path of the host package file instead. This would quickly allow the user to locate and establish the trust-worthiness of the submitted file in question.

 

(3) The pairing of these Norton Community Watch submissions with Scan results in the 'Recent History' section of the Norton Security History.

 

xflash27 wrote:

 

'Btw, WS.Trojan.H Exonerated keeps popping up in my scan results even though I recently did a factory data reset to my computer. Should I be worried or not? If you look under Category: Norton Community Watch you will see it.'

 

What xflash27 is seeing in the Recent History is the equivalent of this:

 

[Image: NIS 2012 19-7-0-9 Recent History Suspicious Cloud 2 Scan Results.png]



 

With every scan, the same 'Statistical Submission', paired with the equivalent scan results, will be shown over and over, as per the screenshot above. Scan results like this make users anxious and anxiety has no place in an Internet Security product. I'm sure that xflash27 can verify and confirm this behaviour.

 

Hi elsewhere,

 

I agree with your last point and would go even farther to suggest that statistical submissions perhaps ought to be excluded from the logs altogether.  They are not malware detections, and they are not logged for the purpose of alerting the user to anything that needs to be acted upon.  Since they are not, in fact, alerting the user to a threat, they are not false positives and the submissions are not erroneous (if Norton did warn about these, the number of false positives would be horrendous and never-ending).  These are simply files of interest that are being submitted for analysis for the purpose of making signatures more efficient and less likely to result in actual false positives.  You are no less secure if you opt out of Norton Community Watch participation and never see any of these sorts of submission records.

I think the false positive is bull crap.  Here's a link from Norton's website that says it "IS" a threat.  My computer still runs slow and locks up.  http://www.symantec.com/security_response/writeup.jsp?docid=2011-102713-4647-99

 

Hi cindysellshomes,

 

Yes, WS.Trojan.H is an actual threat, and if Norton Auto-Protect or a System Scan alerts to its presence, then you may indeed be infected.  But if it appears in a Norton Community Watch log as an exonerated statistical submission, then it is not a detection of that threat.
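
The two points argued in this thread (a Statistical Submission is not a detection, and an 'Exonerated' label can later be reversed) can be checked mechanically when triaging an exported Security History. The following is an added example, not Norton's code and not written by any poster here; the sample rows are constructed from the records quoted in the thread, and the second category name, the ISO timestamps and the function names are assumptions.

```python
import csv
import io

# Constructed sample in the export layout pasted in this thread: a
# "Category: <name>" line, a CSV header, then rows. Columns follow the
# FedEx_Invoice_Copy.exe table; the second category name is an assumption.
SAMPLE = """\
Category: Norton Community Watch
Date & Time,Risk,Activity,Submission Details
2012-04-04 20:17:00,Info,Statistical Submission: FedEx_Invoice_Copy.exe Exonerated,fedex_invoice_copy.exe
2012-04-05 12:15:00,Info,Statistical Submission: Trojan.FakeAV,fedex_invoice_copy.exe
2012-04-20 20:09:40,Info,Statistical Submission: WS.Trojan.H Exonerated,_dc046d237c5b44049bdaf842541c0913

Category: Resolved Security Risks
Date & Time,Risk,Activity,Submission Details
2012-04-05 12:15:00,High,Trojan.FakeAV detected by Virus scanner,
"""

PREFIX = "Statistical Submission: "

def parse_history(text):
    """Yield (category, row_dict) for every record in the export."""
    category, header = None, None
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            header = None                      # blank line ends a section
        elif len(fields) == 1 and fields[0].startswith("Category: "):
            category, header = fields[0][len("Category: "):], None
        elif header is None:
            header = fields                    # first line of a section
        else:
            yield category, dict(zip(header, fields))

def classify(text):
    """Separate data-collection submissions from actual detections."""
    submissions, detections = [], []
    for _category, row in parse_history(text):
        if row.get("Activity", "").startswith(PREFIX):
            submissions.append(row)            # informational only
        elif row.get("Risk") != "Info":
            detections.append(row)             # a protection component fired
    return submissions, detections

def exonerated_then_flagged(submissions):
    """Files with an 'Exonerated' submission followed by a named-threat one."""
    cleared, reversals = {}, []
    for row in sorted(submissions, key=lambda r: r["Date & Time"]):
        name = row["Submission Details"].lower()
        label = row["Activity"][len(PREFIX):]
        if label.endswith(" Exonerated"):
            cleared.setdefault(name, row["Date & Time"])
        elif name in cleared:
            reversals.append((name, cleared[name], row["Date & Time"], label))
    return reversals
```

On the sample, the WS.Trojan.H record lands only among the submissions, while fedex_invoice_copy.exe is reported as exonerated on 4 April and tied to Trojan.FakeAV the next day.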