SANS ISC InfoSec Forums
Symantec generating a False Positive on Flash Player installer

If you are running Symantec antivirus and the Adobe Flash installer is being flagged as a Trojan Horse when you try to install Flash, now you know why: there appears to be a false positive in Symantec's host-based detection that flags the Adobe Flash Installer as a Trojan Horse.

This isn't a big slight; it happens from time to time. With the thousands and thousands of different detections an antivirus tool performs, it's actually fairly impressive that this type of thing doesn't happen more often. But it has happened before, and it will happen again. (Remember the Excel file fiasco that McAfee's AV caused?)

Symantec is encouraging people that are affected to call Symantec support.  I am sure this will be resolved very soon.

Seems that the affected Revision is: 2010-01-27 rev 049.

I'll update this post when it's corrected.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Joel

454 Posts
ISC Handler
Had a couple of calls on this, this morning. My machine isn't affected with Jan 27, 2010 r49.
Anonymous
We had 3 of these this morning. Thanks for the info.
Anonymous
I wonder if it's flagging the actual Adobe Flash Player installer, or the Adobe DLM program that most people are duped into downloading from the Adobe site in order to simply get the Flash Player. Of course the latter tries to install other unwanted 'goodies' such as Acrobat Reader, so I think it's only fair to flag it as spyware/malware...
Steven C.

171 Posts
We had the problem here for several machines. It looks like the older Adobe Flash installer version 10.0.22.87 for Firefox is the one being detected as a Trojan Horse. I downloaded this older version from Adobe and it detected it with the 1/27/2010 r49 definitions. I uploaded the installer to Symantec's submission web site in response to a case I had opened and they said it was clean. Rapid Release for 1/28/2010 r7 still detects it. I suspect a definition update that comes out later today will correct it.
Steven C.
3 Posts
I also wanted to note that the current version of Adobe Flash player is 10.0.42.34.
Steven C.
3 Posts
I'll take an occasional false positive, since it's blocking about 6-12 FakeAV install attempts a day in my environment.
Shawn

29 Posts
I've confirmed that the Symantec definitions dated 1/28/2010 revision 25 or later correct this false positive detection.
Shawn
3 Posts