Alerts From Norton -- False Positive, Whatcha Think?

Discussion in 'other anti-virus software' started by CountryGuy, Jan 21, 2009.

Thread Status:
Not open for further replies.
  1. CountryGuy

    CountryGuy Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    139
    Hey folks, while I'm working with Norton to try and figure out what's going on, I wouldn't mind getting some independent opinions here as well as to my risk.

    As background, I'm running Vista Ultimate 64 with NIS2009 (latest versions and updates with both). The only major setting change I made was to turn Advanced Heuristics (Bloodhound) to Aggressive (as SONAR doesn't work with Vista 64). I decided to turn on backups using the Microsoft Backup and Restore Center, the built-in backup you get with Business and Ultimate.

    I've decided to clear out my backup drive, and create a clean backup. As the backup started, I received the following alert:

    Bloodhound.Boot detected by Auto-Protect

    In the alert, it says the attempt to move to quarantine failed. The default next action is rescan, at which point you get an all-clear that it can't detect the file. I tried this three times while running the backup, and it continues to find this error. Here are the advanced details:

    Component: Auto-Protect
    Definitions Version: 2009.01.18.003
    Risk Name: Bloodhound.Boot
    Risk Category: Heuristic Virus
    Risk Type: Boot Record
    Risk Level: High
    Risk State: Fully removed
    Risk Items: Drive \Device\HarddiskVolumeShadowCopy# (each time I try a new backup, the # increments one in the alert from Norton)

    If backup is not running, Norton detects nothing. I've also run a full scan in Safe Mode, and it found nothing. Also, if I turn Advanced Heuristics to Automatic (the default setting), it detects nothing when the backup is running.

    I'm leaning towards a false positive, but as I can back up files via scripts I'm leaning towards keeping Aggressive on and just not using Microsoft Backup. The question is -- Would you all agree I'm most likely safe? I've deleted all shadow copies by turning off System Restore, and I'm running a fixmbr just to be safe.

    I'm also wondering about going back to KIS 2009, which I have a license for, as there are some new posts on the Norton forums about Self-Protect being easy to turn off.

    Definitely looking for opinions on if I've found a false positive. I'd be more confident, except Symantec hasn't been able to reproduce the alert.

    Thanks in advance!

    Edit: The version above was from when I first posted the issue -- I always run a full LiveUpdate when I log in.
     
  2. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    You can always scan suspicious files on virustotal, virscan or jotti and get a second opinion.
     
  3. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    When using NAV 2009 I have picked up the same alert ONLY when the heuristics are set to aggressive. Subsequent scans with other malware scanners detect nothing.

    If you check out the Norton forums, which I know you do, you will see that Bloodhound.Boot has only been seen when the heuristics are on the highest settings.

    So I would lean towards a false positive.
     
  4. CountryGuy

    CountryGuy Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    139
    That's the trick -- It's not really a "file" but the latest Shadow Copy that's hidden (\Device\HarddiskVolumeShadowCopy#); nothing to submit.
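As an added example (not from this thread or from Norton), here is a PowerShell check that maps the device path shown in a Norton "Risk Items" line to the VSS snapshot behind it, so you can see what created it and when, instead of having a "file" you cannot submit. It assumes an elevated PowerShell session on a Vista/Windows 7-era host with WMI available; the function name and the sample device number are mine.

```powershell
# Added example: resolve a Norton alert's "\Device\HarddiskVolumeShadowCopy#" risk item
# to the Volume Shadow Copy snapshot it refers to. Requires an elevated session.
function Resolve-ShadowCopyAlert {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RiskItem   # e.g. "\Device\HarddiskVolumeShadowCopy3", copied from the alert
    )

    $device = $RiskItem.Trim()
    if ($device -notmatch '^\\Device\\HarddiskVolumeShadowCopy\d+$') {
        throw "Not a shadow-copy device path: $RiskItem"
    }
    # WMI reports the same device with a \\?\GLOBALROOT prefix that the alert omits.
    $fullDevice = '\\?\GLOBALROOT' + $device

    $shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.DeviceObject -eq $fullDevice }
    if (-not $shadow) {
        # Snapshots taken for a backup run are usually non-persistent: once the backup
        # finishes the device disappears, which matches "rescan finds nothing" behaviour.
        return New-Object PSObject -Property @{
            RiskItem = $device
            Exists   = $false
            Note     = 'Snapshot no longer present (transient backup snapshot?)'
        }
    }

    $provider = Get-WmiObject Win32_ShadowProvider | Where-Object { $_.ID -eq $shadow.ProviderID }
    $volume   = Get-WmiObject Win32_Volume | Where-Object { $_.DeviceID -eq $shadow.VolumeName }

    New-Object PSObject -Property @{
        RiskItem    = $device
        Exists      = $true
        Created     = $shadow.ConvertToDateTime($shadow.InstallDate)
        SourceDrive = $volume.DriveLetter
        Provider    = $provider.Name
        Persistent  = $shadow.Persistent    # $false: transient snapshot, typical for a backup job
        # The snapshot exposes the source volume's contents (boot record included) as they were
        # at snapshot time, so a scan of the live drive letter covers the same bytes.
        Note        = 'Compare with a scan of SourceDrive; nothing separate to submit.'
    }
}

# Usage while a backup is running and the alert is on screen:
Resolve-ShadowCopyAlert -RiskItem '\Device\HarddiskVolumeShadowCopy3' | Format-List
```

If the snapshot's creation time lines up with the backup start and the provider is the built-in Microsoft software provider, the "risk item" is the backup's own point-in-time copy of a volume that your other scans already cleared.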
     
  5. CountryGuy

    CountryGuy Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    139
    Whew, thank you! A couple people have responded in PMs saying something similar -- At least I'm not the only one! I can live with a False Positive, but it was alarming that I didn't see anyone else with it. Now that others have experienced it, I'm a little more at ease.

    I just don't see how it could be a "real" threat as it only appears when backup is running, yet no other time during operation. It also doesn't appear in a safe mode scan. If a boot sector virus bypasses Norton, seems odd it would all of a sudden appear for a backup....
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    How bad is this problem? I was really thinking of getting a license but I don't want a product with poor self-protection. Is there any light you can throw on this, CountryGuy?
     
  7. CountryGuy

    CountryGuy Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    139
    Here's the thread from the Norton boards:
    http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=31116

    Essentially, the service can be stopped via the Services menu or a net stop command. As the poster points out, if you can do it, so can a virus. With Vista, I'd have to OK UAC rights, but it's still concerning. It's being evaluated by Norton per the thread.

    As for my problem, it's a little disconcerting, but I do truly believe it's a false positive. I think NIS 2009 is the lightest suite I've ever used, and its detection rates have been stellar.... But as I mention above, given I cannot use SONAR (doesn't work with Vista 64), I really want to keep Bloodhound heuristics turned up.
     