Alerts From Norton -- False Positive, Whatcha Think?

Hey folks, while I'm working with Norton to try and figure out what's going on, I wouldn't mind getting some independent opinions here as well as to my risk.

As background, I'm running Vista Ultimate 64 with NIS2009 (latest versions and updates with both. The only major setting change I made was to turn Advanced Heuristics (Bloodhound) to Agressive (as SONAR doesn't work with Vista 64). I decided to turn on backups using the Microsoft Backup and Restore Center, the built-in backup you get with Business and Ultimate.

I've decided to clear out my backup drive, and create a clean backup. As the backup started, I received the following alert:

Bloodhound.Boot detected by Auto-Protect

In the alert, it says the attempt to move to quarantine failed. The default next action is rescan, at which point you get an all-clear that it can't detect the file. I tried this three times while running the backup, and it continues to find this error. Here is the advanced details:

Component: Auto-Protect
Defintions Version: 2009.01.18.003
Risk Name: Bloodhound.Boot
Risk Category: Heuristic Virus
Risk Type: Boot Record
Risk Level: High
Risk State: Fully removed
Risk Items: Drive \Device\HarddiskVolumeShadowCopy# (each time I try a new backup, the # increments one in the alert from Norton)

If backup is not running, Norton detects nothing. I've also run a full scan in Safe Mode, and it found nothing. Also, if I turn Advanced Heuristics to Automatic (the default setting), it detects nothing when the backup is running.

I'm leaning towards a false positive, but as I can backup files via scripts I'm leaning towards keeping Agressive on and just not using Microsoft Backup. The question is -- Would you all agree I'm most likely safe? I've deleted all shadow copies by turning off System Restore, and I'm running a fixmbr just to be safe.

I'm also wondering about going back to KIS 2009, which I have a license for, as there's some new posts on the Norton forums about Self-Protect being easy to turn off.

Definitely looking for opinions on if I've found a false positive. I'd be more confident, except Symantec hasn't been able to reproduce the alert.

Thanks in advance!

Edit: The version above was from when I first posted the issue -- I always run a full LiveUpdate when I log in.

 

You can always scan suspicious files on virustotal , virscan or jotti and get a second opinion.

 

When using NAV 2009 I have picked up the same alert ONLY when the heuristics are set to aggressive. Subsequent scans with other malware scanners detect nothing.

If you check out the Norton forums, which I know you do, you will see that Bloodhound.Boot has only be seen when the heuristics are on the highest settings.

So I would lean towards a false positive.

 

That's the trick -- Its not really a "file" but the latest Shadow Copy that's hidden (\Device\HarddiskVolumeShadowCopy#); Nothing to submit.

 

Whew, thank you! A couple people have responded in PMs saying something similar -- At least I'm not the only one! I can live with a False Positive, but it was alarming that I didn't see anyone else with it. Now that others have experienced it, I'm a little more at ease.

I just don't see how it could be a "real" threat as it only appears when backup is running, yet no other time during operation. It also doesn't appear in a safe mode scan. If a boot sector virus bypasses Norton, seems odd it would all of a sudden appear for a backup....

 

How bad is this problem? I was really thinking of getting a license but I dont want a product with poor self-protection. Is there any light you can throw on this country guy?

 

Here's the thread from the Norton boards:
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=31116

Essentially, the service can be stopped via the Services menu or a net stop command. As the poster points out, if you can do it, so can a virus. With Vista, I'd have to OK UAC rights, but its still concerning. Its being evaluated by Norton per the thread.

As for my problem, its a little disconcerting, but I do truly believe its a false positive. I think NIS 2009 is the lightest suite I've ever used, and its detection rates have been stellar.... But as I mention above, given I cannot use SONAR (doesn't work with Vista 64), I really want to keep Bloodhound heuristics turned up.