
Kudos 0

False positive, or... SAPE.Heur.b7a1

Starting at 10 today Norton outputs the following every hour or so

category: Quarantine
Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
12/17/2015 10:04:33,High,73hhw4ts.dll (SAPE.Heur.b7a1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\...\appdata\local\temp\73hhw4ts.dll

A full system scan by Norton detects nothing. I notice other posts on SAPE.Heur so wonder if real or a false positive. If real why didn't full scan find anything? Anyone else seeing? Thanks!

Tags: VirusDefs

Replies

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

For second opinion choose File and / or Search hash at VirusTotal or upload file to VirSCAN and/or Jotti and/or submit to Symantec for review analysis > see > How to report false positive

Try clear browser and system cache.    From Security History > Quarantine > More Options > Copy to Clipboard > search File Thumbprint at VirusTotal.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Thanks, went away so may not worry and keep an eye on it.  They want a copy of file, how do I get this if in quarantine?

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

JohnOzuk: Thanks, went away so may not worry and keep an eye on it.  They want a copy of file, how do I get this if in quarantine?

Auto-Protect detection suggests item was executed/launched and the dll was called.
You may restore from Quarantine or check if Norton reported SHA. 
You may search File Thumbprint-SHA: alpha-numeric at VirusTotal.   Depending on your Norton setting for Heuristics you may experience False Positive.   If you can Copy to Clipboard the record of this event.  You may find related information to help you scrutinize this event.  You may paste event information to the Community or attach text file (if you want).

Step 2) Tell us about the detection
Name of the software being detected:
Name of detection given by Symantec product: *
Important: Quarantine or product clipboard information:
https://submit.symantec.com/false_positive/standard/

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I had the same problem occurring today at 10.02 am, with the file MFMRSZK.DLL being the issue. On the next occurrence at just past noon today, YBNBDV16.dll was the issue.  Both times a full system scan showed no issues. Latest occurrence was at 1.00pm when 3ZKTTHMP.dll was indicated as the issue.

I had a license expired copy of Malware bytes on the machine, that I deleted after the third occurrence to see if this had any bearing on the problem.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Interesting you also see 10 Am.  I am CST, yourself?

Happened again a few minutes ago.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Security History > Quarantine > More Options > Copy to Clipboard > search File Thumbprint at VirusTotal and / or paste event information to the Community or attach text file (if you want).
Submit to Symantec for review analysis > see > How to report false positive

Try run LiveUpdate several times w restart/reboot.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I am having the same issue, but about every hour. It is always a different .dll file being quarantined. Any thoughts?

File names:

fu55bekt.dll

k8u4thw1.dll

to5wca2i.dll

j3nnirwk.dll

e0lpuygu.dll

sn7mm26m.dll

5lfdp0gg.dll

8y2_z6uy.dll

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Please advise Norton w version number.
Please advise operating system.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Same thing here, almost every hour at 16 minutes after the hour. I turned my computer on at exactly 16 minutes past the hour today. 

It detects two files, here, 

c:\users\rob\appdata\local\temp\ 

For example: nz6stkbf.dll and gl_ifghw.dll

After they are quarantined, I do a Full System scan and it shows no threats. How do we find the source? The NAV history shows nothing under Source but the file name. I've been unable to locate where the files are coming from, checked my system registry and combed thru Msconfig.exe and nothing out of place. The only thing running is Google Chrome. So I thought it was a bad chrome extension, so I removed them all but it happened again.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Hmm, so > Security History > Quarantine > More Options > Copy to Clipboard > offers nothing...?

Please advise Norton w version number.
Please advise operating system.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Here is one that just happened...

Filename: cepoyacm.dll
Threat name: SAPE.Heur.b7a1
Full Path: c:\users\rob\appdata\local\temp\cepoyacm.dll

____________________________

____________________________


On computers as of 
12/17/2015 at 6:14:36 PM

Last Used 
12/17/2015 at 6:16:37 PM

Startup Item 
No

Launched 
No

Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.


____________________________


cepoyacm.dll Threat name: SAPE.Heur.b7a1
Locate


Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

High
This file risk is high.


____________________________


Source: External Media

Source File:
cepoyacm.dll

____________________________

File Actions

File: c:\users\rob\appdata\local\temp\ cepoyacm.dll Removed
____________________________


File Thumbprint - SHA:
20c5755980ad83598e68bca76e06d3a3692c5adda584a89ba287de2c41864f1e
File Thumbprint - MD5:
Not available
 

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Windows 7.  The latest version of NAV version.

I just noticed this... It says Source: External Media? What would that be, a drive?

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Well, VirusTotal is File not found ....
Wonder, if you turn off Heuristics we'll see WS.Reputation.1

Let's hear from the Community

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I am windows 7,  22.5.5.15 Norton Anti virus.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

OS is Windows 7 Home Premium 64 bit with the latest set of Microsoft Windows patches.

Norton is Norton Security with backup version 22.5.5.15

Kudos 1

Re: False positive, or... SAPE.Heur.b7a1

Looks like Endpoint is detecting it today (December 17) too.

http://www.symantec.com/connect/forums/sapeheurb7a1-threat-warnings

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Thanks for reporting this issue. We have reported this issue to the team and will update once we have more info on this. 

Thanks,
Sunil G A
Norton Forums Administrator
Symantec Corporation

Sunil_GA | Norton Forums Administrator | Symantec Corporation
Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Just an update, did some experimenting over the last few hours, and when Google Chrome is not open it does not happen. And when I had Chrome open it was just sitting on Google.com's page in my tests. All extensions have been removed except one, RoboForm. When Chrome is open NAV detects the two .dll files every hour on the hour (well, for me 16 minutes past). Coincidentally an update to Chrome was applied last night just before I shut my PC off.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

We have had a similar report to the one copied below occur app 15 times today on two different computers at two different locations. One thing both these PCs share in common is a "Roll Back" to previous build after a failed Win 10 update.

Message copied below, the dll's are different in each message, but the message remains the same.

==================================================

A high-risk incident was detected on 201511SSCSUMDSK within the group SSC on 12/17/2015 6:54:14 PM.

Threat Name
SAPE.Heur.b7a1

Threat Type
Heuristic Virus

File Name
c:\users\ssc\appdata\local\temp\3myd8phf.dll

Action Required
Resolved - No Action Required

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I have had the same problem.  All files were in my c:\users\ME\appdata\local\temp\.  This morning I saw about 6 files quarantined and Removed them from the History.  Then again I see that additional files were quarantined throughout the day today.. 

Windows 10 64 bit - Norton Security 22.5.5.15

I keep my temp file cleaned up so I'm not sure where the files are coming from.  All .dll files... with SAPE.Heur.b7a1

Filename: pf73vztw.dll

File: c:\users\ME\appdata\local\temp\ pf73vztw.dll Removed

Would be nice to have matter cleared up...
 

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Hope update comes soon.  Based on posts suspect this is a bug.  However worried could be more.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Happened to me as well @ 2:30, 6:30 and 8:30 PM PST.

I use Chrome and IE - checked my history - nothing at those times.

So I ran a Norton Power Eraser - it found 1 item:

____________________________
Registry Key: HKEY_USERS\S-1-5-21-1714103665-1234856076-1163071814-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideIcons"
____________________________

File Thumbprint - SHA:
Not Available
____________________________


So I said fix now and got:

"An error has occurred
System Restore point cannot be created. Close page and continue without creating a restore point.
Error Code: 0x80043003,3

Upon reboot - it said it "failed"

Kudos 1

Re: False positive, or... SAPE.Heur.b7a1

Heretic Wild:

Happened to me as well @ 2:30, 6:30 and 8:30 PM PST.

I use Chrome and IE - checked my history - nothing at those times.

So I ran a Norton Power Eraser - it found 1 item:

____________________________
Registry Key: HKEY_USERS\S-1-5-21-1714103665-1234856076-1163071814-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideIcons"

Please review > https://community.norton.com/en/comment/3725943 (broken links are from old community)
Regarding NPE.....best to ask before you react.  And never act on one NPE scan. 
_______________________________________________________

Thanks for reporting this issue. We have reported this issue to the team and will update once we have more info on this. 

Thanks,
Sunil G A
Norton Forums Administrator
Symantec Corporation

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I haven't read this whole thread yet but I had the same trojan warning come up today when I got home from work!

Source File: itze2txr.dll

c:\users\whodat\appdata\local\temp\ itze2txr.dll Removed

What's interesting to me is when I came home for lunch to check my email I noticed malware bytes was running a complete scan after I took the computer out of sleep. I didn't think anything of that but when I got home from work and saw this message above come up as soon as I took it out of sleep I was a little perplexed on what this could be.

Anyway, I believe this could possibly be related to malwarebytes and will keep an eye on this thread. I'm about to run a full scan now. I have a full paid for version of malware bytes. I've seen malwarebytes slip up before so I'm suspect.

I let norton remove it and then I restored it so I could scan this on different websites. Here's what some website virus scan sites showed>

I'm going to quarantine the file again and run my full scan now. Thanks for any other ideas. It's also interesting to note that M$ pushed their crappy KB3035583 windows 10 virus again. I guess they don't understand the no means no slogan.

enough-already-microsoft-pushes-windows-nagware-patch-kb-3035583-for-sixth-time.html

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I am also experiencing the same problem since approx. 10am 17/12 GMT - UK Time.

I logged a support call and my PC was fully checked by a NORTON support person - they believed now ok but the problem seems to have now occurred again.

System details - Windows 10 - up to date; Chrome not installed; use IE as browser

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Same problem starting late yesterday evening (GMT).

Using Procmon.exe it would appear that on my system the alleged suspect dll files are being created in temp by C:\Program Files (x86)\HP\HPLJUT\HPLJUTSCH.exe and C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe with the command line "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\hrg\AppData\Local\Temp\db2lwwab.cmdline".

Norton Details

Filename: db2lwwab.dll
Threat name: SAPE.Heur.b7a1
Full Path: c:\users\hrg\appdata\local\temp\db2lwwab.dll

____________________________

____________________________


On computers as of
18/12/2015 at 10:06:03

Last Used
18/12/2015 at 10:08:04

Startup Item
No

Launched
No

Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.


____________________________


db2lwwab.dll Threat name: SAPE.Heur.b7a1
Locate


Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

High
This file risk is high.


____________________________


Source: External Media

Source File:
db2lwwab.dll

____________________________

File Actions

File: c:\users\hrg\appdata\local\temp\ db2lwwab.dll Removed
____________________________


File Thumbprint - SHA:
4f8c71745a67168aa43615efeb140c44b8de7846f370351cb66dfce848fe25b1
File Thumbprint - MD5:
Not available

Kudos 1

Re: False positive, or... SAPE.Heur.b7a1

Hi Everyone,

This issue has been resolved with the latest virus definitions release. If you are still seeing "SAPE.Heur.b7a1" detection please run Live Updates and restart the computer. 

Thanks,
Sunil G A
Norton Forums Administrator
Symantec Corporation

Sunil_GA | Norton Forums Administrator | Symantec Corporation
Kudos 1

Re: False positive, or... SAPE.Heur.b7a1

Bit late now since Norton say that they have fixed the virus definitions.

However, HPLJUTSCH.exe is run once an hour as part of "Start->All Apps->HP->HP Laserjet customer Participation Program"

Using Task Scheduler to disable the associated task entry or running "Start->All Apps->HP->HP Laserjet customer Participation Program" and pressing the decline button should stop it permanently.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I have used live update to bring all definitions totally up to date and I am still experiencing the same issue.

Following the post from hrg above, I ran "HP Laserjet customer Participation Program" and instantly I received a series of these errors.

It doesn't look as though this issue is yet resolved

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I have the same problem since yesterday morning 8AM GMT +1

No infected file.

Nome file: y4fkkcz5.dll
Nome della minaccia: SAPE.Heur.b7a1
Percorso completo: c:\users\mai\appdata\local\temp\y4fkkcz5.dll

____________________________

____________________________


Sui computer a partire dal 
18/12/2015 alle 13:53:57

Ultimo utilizzo 
18/12/2015 alle 13:55:57

Elemento di avvio 
No

Avviato 
No

Tipo di minaccia: Virus euristico. Rilevazione delle minacce basata su euristica malware. 

____________________________


y4fkkcz5.dll Nome della minaccia: SAPE.Heur.b7a1
Trova


Pochissimi utenti
Il file è stato utilizzato da meno di 5 utenti della Norton Community.

Nuovissimo
Questo file è stato rilasciato da meno di 1 settimana 

Alto
Il livello di rischio per questo file è alto.


____________________________


Origine: Supporti esterni

File di origine:
y4fkkcz5.dll

____________________________

Azioni del file

File: c:\users\mai\appdata\local\temp\ y4fkkcz5.dll Rimosso
____________________________


Identificazione personale file - SHA:
298be3de683b84b29edec414fb8ed243869c28a514d3d7c9db0e3970e6aee05b
Identificazione personale file - MD5:
Non disponibile
 

Kudos 1

Re: False positive, or... SAPE.Heur.b7a1

@hrg, @RTurner0034 & @KaISBC,

Please try updating the Norton product virus definitions using Intelligent Updater and restart your computer to get new virus definitions to resolve this issue. Please see below Norton support article for instructions:

How to update the virus definition files using Intelligent Updater

Sunil_GA | Norton Forums Administrator | Symantec Corporation
Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Hello Sunil_GA,
So, detection by resident defs will not query the cloud ....?

I image Local definitions / signatures as a base of detections.
Anything rapidly evolving, newly spotted behaviors or first sight code - those are the Cloud's responsibilities.    Comment..?

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Still Occurring after updates, Power Eraser Scan, and Power Eraser Scan from USB Boot.

Category: Resolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
12/18/2015 8:14:42 AM,High,sa4maxkj.dll (SAPE.Heur.b7a1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\XXXX\appdata\local\temp\sa4maxkj.dll
 

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

So far, so good.  How do I view my quarantined items?  I want to decide if I want to restore or delete.  The below document from Norton seems out of date.  I cleared my history to make viewing new history easier.  Please do not tell me I no longer am able to see quarantined items.   Thanks everyone!

https://support.norton.com/sp/en/us/home/current/solutions/v54276523_nis...

As side note I too also have an HP laser printer.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

JohnOzuk:  So far, so good.  How do I view my quarantined items?

main view > Security > History > Quarantine
More Options e.g., Copy to Clipboard or Restore or Options
you may search File Thumbprint at VirusTotal

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Thanks, bad eyes.  Though they say I have nothing in quarantine????  I suspect they just scan log file to build list.  Yet another bug for another day.  Since they were all in %temp% probably ok.

After latest issue now have one item in quarantine.  Building list off of history...not a good idea.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Sorry,

I replied too soon...

Category: Resolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
12/18/2015 12:04:24,High,f3zvqln2.dll (SAPE.Heur.b7a1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\john ozuk\appdata\local\temp\f3zvqln2.dll

You did reduce two logs to one.

I also have an HP laser printer

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

JohnOzuk:

Sorry,

I replied too soon...

Category: Resolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
12/18/2015 12:04:24,High,f3zvqln2.dll (SAPE.Heur.b7a1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\john ozuk\appdata\local\temp\f3zvqln2.dll

I also have an HP laser printer

so, besides running LiveUpdate several times with restart/reboot. 
You also ran Intelligent Updater...?

Posted: 18-Dec-2015 | 9:32AM

@hrg, @RTurner0034 & @KaISBC,

Please try updating the Norton product virus definitions using Intelligent Updater and restart your computer to get new virus definitions to resolve this issue. Please see below Norton support article for instructions:

How to update the virus definition files using Intelligent Updater

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I have now updated the definitions with "Intelligent Updater" and rebooted the PC.

So far no issues but the issue seems to happen at a certain number of minutes past the hour - I may have an update in 20 minutes

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

The latest NAV update did not fix the issue for me.  After hours of trying to figure it out, I've just confirmed it's the HP Laser Jet software.  HPLJUTSCH.exe running under the Windows Task Scheduler.  I can recreate the issue by starting that program.

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Although I have updated the definitions as instructed, the issue persists.

However, there is certainly some link to the HP software as it occurred again when the HP participation software ran

I have done a quick check and the HP program has not changed / been updated recently

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I have been following this thread since yesterday and like others I have followed the instructions for Intelligent Updater and ran NPE which didn't identify SAPE.Heur.b7a1.  The problem continues to persist.  Every hour on the hour at the top of the hour plus 45 seconds.

According to my Norton log, it first occurred at 6:00:53 AM (CST) yesterday (12/17) when I know I was not at my computer.  Not sure what the connection could be but I might mention I also have a HP Laser Jet printer connected.

Any other suggestions?

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Have done so, will see

Kudos 3

Re: False positive, or... SAPE.Heur.b7a1

Go to start menu and search for the Windows "Task Scheduler", open it and click Task Scheduler Library to see a list of tasks that Windows will be doing. Look for "HPLJCustParticipation", right click it and click disable. It's unnecessary HP software, should not affect printing. I haven't gotten any SAPE.Heur.b7a1 warnings since I shut that off.
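
The hourly cadence that several posters noticed can be checked directly from a Security History export. The following is an added example, not part of any post in this thread: it parses rows in the export format quoted earlier and reports whether a detection recurs at a fixed offset past the hour with a new temp file name each time, which is the pattern a scheduled task produces. The rows, the file names and the second detection name `Constructed.Other.1` are constructed for the demonstration.

```python
import csv, io, math, re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the export format shown in the thread (header + rows).
# File names, user name and "Constructed.Other.1" are made up for illustration.
SAMPLE = r"""Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
12/17/2015 10:04:33,High,aaaa1111.dll (SAPE.Heur.b7a1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\demo\appdata\local\temp\aaaa1111.dll
12/17/2015 11:04:35,High,bbbb2222.dll (SAPE.Heur.b7a1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\demo\appdata\local\temp\bbbb2222.dll
12/17/2015 12:04:31 PM,High,cccc3333.dll (SAPE.Heur.b7a1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\demo\appdata\local\temp\cccc3333.dll
12/17/2015 1:04:34 PM,High,dddd4444.dll (SAPE.Heur.b7a1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\demo\appdata\local\temp\dddd4444.dll
12/17/2015 10:17:02,High,setup_demo.exe (Constructed.Other.1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\demo\downloads\setup_demo.exe
12/17/2015 2:41:50 PM,High,setup_demo.exe (Constructed.Other.1) detected by Auto-Protect,Quarantined,Resolved - No Action Required,c:\users\demo\downloads\setup_demo.exe
"""

ACTIVITY = re.compile(r"^(?P<file>\S+) \((?P<name>[^)]+)\) detected by .+$")
FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%Y %I:%M:%S %p")  # both appear in the thread
TEMP_DIR = "\\appdata\\local\\temp\\"

def parse_time(text):
    """Parse a 24-hour or AM/PM timestamp as pasted from the history log."""
    for fmt in FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")

def parse_history(text):
    """Return one dict per detection row; rows that are not detections are skipped."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        m = ACTIVITY.match(rec["Activity"])
        if m:
            rows.append({"when": parse_time(rec["Date & Time"]),
                         "file": m["file"].lower(), "name": m["name"],
                         "path": rec["Path - Filename"].lower()})
    return rows

def hourly_offset(times, tolerance_s=120):
    """Circular mean of seconds-past-the-hour, and whether all events sit near it."""
    scale = 2 * math.pi / 3600
    angles = [(t.minute * 60 + t.second) * scale for t in times]
    mean = math.atan2(sum(map(math.sin, angles)), sum(map(math.cos, angles))) % (2 * math.pi)
    worst = max(min(abs(a - mean), 2 * math.pi - abs(a - mean)) for a in angles)
    return round(mean / scale), worst / scale <= tolerance_s

def summarise(text):
    """Group detections by threat name and flag the scheduled-task pattern."""
    groups = defaultdict(list)
    for row in parse_history(text):
        groups[row["name"]].append(row)
    report = {}
    for name, rows in groups.items():
        offset, steady = hourly_offset([r["when"] for r in rows])
        report[name] = {
            "events": len(rows),
            "distinct_files": len({r["file"] for r in rows}),
            "all_in_temp": all(TEMP_DIR in r["path"] for r in rows),
            "periodic": steady and len(rows) >= 3,  # need a few hits to call it a cadence
            "offset_s": offset,
        }
    return report

if __name__ == "__main__":
    for name, info in summarise(SAMPLE).items():
        print(name, info)
```

A detection that is periodic, always under `%temp%` and never repeats a file name points to a recurring job generating the files, so Task Scheduler and a process monitor are the next places to look.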

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Thanks DJRob29 - I have now disabled this software.

I am hopeful that this will stop the problem from occurring but surely there is still an issue with how Norton is reporting the issue - the HP software has been in place for some time but has only just started to "cause" these alerts.

OR

are we saying that the HP software is in error and that Norton is correct in raising an alert?

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

@Djrob -- Thank you as well.  I am hopeful too and should find out in about 15 mins. 

Just a little more info on how to find "HPLJCustParticipation", highlight 'Task Scheduler Library' at the top of the tree on the left, HPLJCustParticipation is within the list that appears in the next window to the right. (I scrolled through the entire tree before I finally found it.)

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

Well, the hour passed.  So far so good.

Whoops.  Sorry.  I guess I wasn't paying attention.  The log shows it quarantined it again at 1:00:23 PM CST.

Ok Norton, any other suggestions?

Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

@DEEBOW, Could you please submit any .dll files getting detected as threat "SAPE.Heur.b7a1" at Norton.com/FP for further investigation? Also, please share the submission tracking numbers with us.

Sunil_GA | Norton Forums Administrator | Symantec Corporation
Kudos 0

Re: False positive, or... SAPE.Heur.b7a1

I apologize for my lack of knowledge with this but I cannot locate any of the dll files that are associated with SAPE.Heur.b7a1 in the Norton log. Looking through the log it appears that when it started, it associated with several different dll files then diminished each time down just one with the latest one being 0zw9sxaa.dll. I searched for that file (and one other) on my HD and it didn't show any results. Suggestions?

Kudos 1

Re: False positive, or... SAPE.Heur.b7a1

I submitted a sample .dll file to the false positive site for verification of SAPE.Heur.b7a1 alert. As others have mentioned, the .dll file is changing its name.

The tracking number for the submission is: 3891135

This thread is closed from further comment. Please visit the forum to start a new thread.