Problem description:
After the last update of LibreOffice, the file unopkg.bin has been marked as a threat by Symantec Endpoint Protection and quarantined (moved). The threat type is marked as Suspicious.MLApp: http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-012023-3422-99&vid=24052
The SEP version is 12.1.2015.2015. The virusdef file is Nov 3, 2013 r21.
It can easily be a false positive, thus a bug in the Symantec product. The question is if they would care?

Steps to reproduce:
1. Have the SEP resident shield installed and active.
2. Install LibreOffice.
3. File unopkg.bin gets marked as a threat.

Current behavior: File unopkg.bin gets marked as a threat and moved from its original location.

Expected behavior: File unopkg.bin doesn't alert the SEP resident shield.

Operating System: Windows 7
Version: 4.1.3.2 rc
Last worked in: 4.1.3.1 rc
From http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-012023-3422-99&tabid=2:

"In rare cases where a legitimate file is misidentified and subsequently quarantined, your computer may behave abnormally or you may find that one or more applications no longer function as expected. In such rare situations, you should open the Quarantine in your Symantec antivirus product and review the list of files detected as suspicious. If you identify a potential misidentification, restore the file from Quarantine and allow it to run normally in order to regain the functionality of your computer or application. Suspected false-positive detections can be reported to Symantec using our false-positive detection reporting page to contribute to the effectiveness of our product."

Could you report the false positive using https://submit.symantec.com/false_positive/? Thanks!
So I submitted a false positive for the unopkg.bin in the Symantec system. The tracking number is 3358768 (even though I'm not sure if the tracking system is accessible somewhere).
Thanks. Hope Symantec will update their definitions soon. I will mark this report as NOTOURBUG.
I just got a response from Symantec:

> In relation to submission [3358768].
>
> Upon further analysis and investigation we have verified your submission and as
> such this detection will be removed from our products.
>
> The updated detection will be distributed in the next set of virus definitions,
> available via LiveUpdate or from our website at
> http://securityresponse.symantec.com/avcenter/defs.download.html
> Decisions made by Symantec are subject to change if alterations to the Software
> are made over time or as classification criteria and/or the policy employed by
> Symantec changes over time to address the evolving landscape.
>
> If you are a software vendor, why not take part in our whitelisting program?
> To participate in this program, please complete the following form:
> https://submit.symantec.com/whitelist
>
> Sincerely,
> Symantec Security Response
> http://securityresponse.symantec.com

So if I understand correctly they fixed their definitions to not raise an alert on unopkg.bin. I will check it later today.
(In reply to comment #4)
> I just got response from Symantec:
[...]
> So if I understand correctly they fixed their definitions to not raise alert
> on unopkg.bin. I will check it later today.

Thanks again for your submission. Please do not hesitate to do it in the future.

Adding Joel, to evaluate submitting Symantec Software White-Listing Request for LibreOffice - would it be possible to submit such requests for all major AV vendors?
What a pain - but I suppose we have to do it. Bfoman - you mind emailing me a list of AV programs that you think I should contact that we know are causing problems?
Migrating Whiteboard tags to Keywords: (possibleRegression) [NinjaEdit]