Bug 71316 - Other: unopkg.bin marked as threat by Symantec Endpoint Protection and quarantined.
Status: RESOLVED NOTOURBUG
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice
Version: 4.1.3.2 release (earliest affected)
Hardware: Other Windows (All)
Importance: medium normal
Assignee: Not Assigned
URL:
Whiteboard: BSA
Keywords: possibleRegression
Depends on:
Blocks:
 
Reported: 2013-11-06 17:15 UTC by roman149
Modified: 2015-12-15 10:53 UTC (History)

See Also:
Crash report or crash signature:


Description roman149 2013-11-06 17:15:18 UTC
Problem description: 
After the last update of LibreOffice, the file unopkg.bin has been marked as a threat by Symantec Endpoint Protection and quarantined (moved).

The threat type is marked as Suspicious.MLApp:
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-012023-3422-99&vid=24052

The SEP version is 12.1.2015.2015. The virusdef file is Nov 3, 2013 r21.

It can easily be a false positive, thus a bug in the Symantec product. The question is if they would care?

Steps to reproduce:
1. Have the SEP resident shield installed and active.
2. Install LibreOffice.
3. File unopkg.bin gets marked as a threat.

Current behavior:
File unopkg.bin gets marked as a threat and moved from its original location.

Expected behavior:
File unopkg.bin doesn't alert the SEP resident shield.
              
Operating System: Windows 7
Version: 4.1.3.2 rc
Last worked in: 4.1.3.1 rc
Comment 1 bfoman (inactive) 2013-11-06 21:44:31 UTC
From http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-012023-3422-99&tabid=2:

"In rare cases where a legitimate file is misidentified and subsequently quarantined, your computer may behave abnormally or you may find that one or more applications no longer function as expected. In such rare situations, you should open the Quarantine in your Symantec antivirus product and review the list of files detected as suspicious. If you identify a potential misidentification, restore the file from Quarantine and allow it to run normally in order to regain the functionality of your computer or application.

Suspected false-positive detections can be reported to Symantec using our false-positive detection reporting page to contribute to the effectiveness of our product."

Could you report the false positive using https://submit.symantec.com/false_positive/?
Thanks!
Comment 2 roman149 2013-11-07 22:53:54 UTC
So I submitted a false positive for unopkg.bin in the Symantec system.

The tracking number is 3358768 (even though I'm not sure if the tracking system is accessible somewhere).
Comment 3 bfoman (inactive) 2013-11-08 15:50:41 UTC
Thanks. Hope Symantec will update their definitions soon. I will mark this report as NOTOURBUG.
Comment 4 roman149 2013-11-08 20:57:30 UTC
I just got a response from Symantec:

> In relation to submission [3358768].
> 
> Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.
> 
> The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at
> http://securityresponse.symantec.com/avcenter/defs.download.html
> 
> Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.
> 
> If you are a software vendor, why not take part in our whitelisting program?
> To participate in this program, please complete the following form: 
> https://submit.symantec.com/whitelist
> 
> Sincerely,
> Symantec Security Response
> http://securityresponse.symantec.com

So if I understand correctly, they fixed their definitions to not raise an alert on unopkg.bin. I will check it later today.
Comment 5 bfoman (inactive) 2013-11-09 09:52:24 UTC
(In reply to comment #4)
> I just got a response from Symantec:
[...]
> So if I understand correctly, they fixed their definitions to not raise an alert
> on unopkg.bin. I will check it later today.

Thanks again for your submission. Please do not hesitate to do it in the future.
Adding Joel to evaluate submitting a Symantec Software White-Listing Request for LibreOffice - would it be possible to submit such requests for all major AV vendors?
Comment 6 Joel Madero 2013-11-09 17:17:04 UTC
What a pain - but I suppose we have to do it. Bfoman - you mind emailing me a list of AV programs that you think I should contact that we know are causing problems?
Comment 7 Robinson Tryon (qubit) 2015-12-15 10:53:33 UTC
Migrating Whiteboard tags to Keywords: (possibleRegression)
[NinjaEdit]