
SANS ISC: Symantec generating a False Positive on Flash Player installer - SANS Internet Storm Center

Symantec generating a False Positive on Flash Player installer

If you are running Symantec antivirus and trying to install Flash, and the installer is being flagged as a Trojan horse, now you know why. There appears to be a false positive in Symantec's host-based detection that flags the Adobe Flash installer as a Trojan horse.

This isn't a big slight; it happens from time to time. With the thousands and thousands of different detections an antivirus tool performs, it is actually fairly impressive that this type of thing doesn't happen more often. But it has happened before, and it will happen again. (Remember the Excel file fiasco that McAfee's AV caused?)

Symantec is encouraging people who are affected to call Symantec support. I am sure this will be resolved very soon.

Seems that the affected Revision is: 2010-01-27 rev 049.

I'll update this post when it's corrected.

-- Joel Esler


Jan 28th 2010
Had a couple of calls on this this morning. My machine isn't affected with Jan 27, 2010 r49.
We had 3 of these this morning. Thanks for the info.
I wonder if it's flagging the actual Adobe Flash Player installer, or the Adobe DLM program that most people are duped into downloading from the Adobe site in order to simply get the Flash Player. Of course the latter tries to install other unwanted 'goodies' such as Acrobat Reader, so I think it's only fair to flag it as spyware/malware...
Steven C.

We had the problem here for several machines. It looks like the older Adobe Flash installer version for Firefox is the one being detected as a Trojan Horse. I downloaded this older version from Adobe and it detected it with the 1/27/2010 r49 definitions. I uploaded the installer to Symantec's submission web site in response to a case I had opened and they said it was clean. Rapid Release for 1/28/2010 r7 still detects it. I suspect a definition update that comes out later today will correct it.
Steven C.
I also wanted to note that the current version of Adobe Flash player is
Steven C.
I'll take an occasional false positive, since it's blocking about 6-12 FakeAV install attempts a day in my environment.

I've confirmed that the Symantec definitions dated 1/28/2010 revision 25 or later correct this false positive detection.