Endpoint Protection

Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

  • 1.  Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 08:49 AM
    We have an OnBase application that automatically creates PDF files and SAV 10.1.6.6000 is installed on the server. SAV began quarantining the documents this morning. We've never had this issue before today.

    Ray


  • 2.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 09:54 AM
    Same here - and the files are those generated by our OWN application in-house. However, the same test this AM showed that the problem must be solved as it didn't do it today, but was repeatable on several computers yesterday.
    SEP 11 (the latest) was the product, defs from yesterday, but I was gone so am not sure of the exact defs release - but it was after noon, CDT.


  • 3.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 09:59 AM
    I'm betting it's the later defs. http://www.symantec.com/business/security_response/definitions.jsp shows SEP 11 has later defs than SAV 10.

    Ray


  • 4.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 02:18 PM
    New defs are not helping us and some PDF files are getting written to disk corrupted. When you look at them in Notepad, they are about the correct size but they are full of null characters only.

    I'm on hold with Support now.

    Ray


  • 5.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 02:44 PM



  • 6.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 02:55 PM
    Maybe no one has reported it, but I sure can if they want details!
    And PERHAPS the next defs came out SO QUICKLY that it only happened for a couple of hours??

    We have seen it here, and it was easily "repeatable" by our help desk - go to our OWN INTERNAL APPLICATION, request a report, voila! Bingo! SEP alert.
    It happened to 3 people yesterday in an hour's time.

    Today, it doesn't happen.


  • 7.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 03:03 PM
    We're trying them now. Rapid Release definitions of sequence number 93430 or later are supposed to fix this.

    Ray


  • 8.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 03:05 PM
    I submitted a PDF about an hour ago that was picked up in this manner. The file had existed since Jan 13, been scanned many times, and last night was quarantined along with 6 other PDFs. It doesn't make any sense that files one month old would suddenly turn up infected. They had not been modified, accessed or even copied/read in the prior 45 days, but they had been scanned by our SEP with daily current defs.


  • 9.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-27-2009 03:46 PM
    We have an application that scans documents and lets the employee see them on the screen. If they are OK they click a button and the app submits the document as a PDF file directly to an OnBase document repository. There is no disk file or temporary file at all. The PDF is written on the fly. OnBase can store any type of file and it happily stored them without any errors being displayed.

    Later on people are opening the PDF files from the document repository and they won't open because they are corrupted. Looking at one in Notepad shows it's full of nothing but null characters. And since OnBase creates the file names automatically in sequence, we can't just re-scan the originals and have them go in the correct place to replace the corrupted ones.

    And since SAV/SEP silently corrupted the PDFs being written on the fly, we really have no idea how many or which ones we need to fix without going through every one, and there are hundreds from just today.

    This is going to take days to straighten out. We've never had a virus outbreak that caused this much damage to productivity and operations.

    Ray

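A quick way to inventory the damage Ray describes, as an added example that is not code from the thread or from OnBase: walk a repository and flag every PDF that is empty, whose content is nothing but NUL bytes, or that lacks the `%PDF-` header. The sample files are constructed in a temporary directory; the sequential file names are an assumption, not OnBase's real naming scheme.

```python
import os
import tempfile
from pathlib import Path

PDF_MAGIC = b"%PDF-"  # every valid PDF starts with this signature


def classify_pdf(path):
    """Return 'ok', 'empty', 'nulls' or 'bad-header' for one file."""
    data = Path(path).read_bytes()
    if not data:
        return "empty"
    head = data[:1024]
    if head.count(0) == len(head):
        # Right size on disk, but the first kilobyte is only NUL bytes:
        # the symptom the thread describes for files written on the fly.
        return "nulls"
    if not data.startswith(PDF_MAGIC):
        return "bad-header"
    return "ok"


def find_damaged(root):
    """Map each damaged .pdf under root (relative path) to its verdict."""
    damaged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".pdf"):
                continue
            full = os.path.join(dirpath, name)
            verdict = classify_pdf(full)
            if verdict != "ok":
                damaged[os.path.relpath(full, root)] = verdict
    return damaged


def build_sample_repo():
    """Constructed sample repository (hypothetical names, not real data)."""
    root = tempfile.mkdtemp(prefix="pdf_repo_sample_")
    good = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    Path(root, "000001.pdf").write_bytes(good)                    # intact
    Path(root, "000002.pdf").write_bytes(b"\x00" * len(good))     # all NULs
    Path(root, "000003.pdf").write_bytes(b"")                     # zero bytes
    Path(root, "000004.pdf").write_bytes(b"JUNK" + good)          # no header
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, why in sorted(find_damaged(repo).items()):
        print(f"{rel}: {why}")
```

Run against the real repository root instead of the sample directory to get the list of documents that need to be re-scanned.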


  • 10.  RE: Getting false positives from Bloodhound.PDF.6 with 3/26/2009 rev. 7 defs with OnBase

    Posted 03-28-2009 10:34 AM
    Hi All,

    The Bloodhound.PDF.6 detection was recently re-worked to ensure the best possible coverage for the threat this issue presents to customers. After the detection was reworked it went through extensive testing against 1000s of PDFs to prevent false positives and ensure all PDFs that should be detected were detected. This is standard procedure.

    The issue mentioned here was caused by very specific conditions which did not arise during our pre-release testing. Once this issue was brought to our attention we discovered that the detection was being triggered by Auto-Protect as a result of the way PDFs were being stored on the system. As soon as this information was available the detection was reverted to its previous state before the re-work. This is why the reports above mention that this issue had been solved.

    I hope this helps to clear things up a bit.

    Patrick.