Endpoint Protection


Flash Player - False Positive

Will Wally, Jan 28, 2010 11:43 AM

  • 1.  Flash Player - False Positive

    Posted Jan 28, 2010 09:39 AM
    "Paul J" brought this up in another thread, but to give it more visibility, I'm starting a new one. 

    We're getting inundated with "install_flash_player.exe" being detected as a Trojan.Horse.

    Come on Symantec!  Is there a rapid release for this?


  • 2.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 10:08 AM
    Same here, "install_flash_player.exe" being detected as a Trojan.Horse.
    And "notes6assoc.exe" being detected as Trojan Horse as well.
    Which we know is a False Positive...
    Agreed, need an update from Symantec SOON...!!


  • 3.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 10:26 AM
    500+ newly infected in SEPM. All are "install_flash_player.exe" detected as a Trojan Horse. I opened a case with Symantec support and have been on hold for 87 minutes!


  • 4.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 10:30 AM
    Greetings,

    What is the date of your virus definitions? 

    Also, where are you getting the install_flash_player.exe file?

    I just went to adobe.com and downloaded AdobeFlash with definitions dated January 27th, 2010 r49 and I am not getting any detections.

    I tried on Win 2k8 and got a file called install_flash_player_ax.exe, and I tried on WinXP and got the install_flash_player.exe file.

    Install_flash_player_ax.exe
    Version: 10.0.42.34
    1.86Mb

    Install_flash_player.exe
    Version: 10.0.42.34
    1.83Mb


  • 5.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 10:37 AM
     Seeing the same thing here, only a handful though.  Looks like it started after we got 01-27-2010 rev. 049 defs early this morning.

    @Will 
    We all feel your pain.  Hope the hold music is good!


  • 6.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 10:38 AM
    In my case, I have the same definitions (January 27th, 2010 r49) and I also went to adobe and downloaded the file and it wasn't detected.  I haven't been able to get my hands on one of the files being detected.  One of the users said this was a file that had been on his machine for a while, so it could be an older version that's being detected vs the latest version being downloaded from Adobe.


  • 7.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 10:38 AM

    SEPM reports definitions are 2010-01-27 rev. 049



  • 8.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 10:43 AM
    Greetings Will Wally,

    Could you or any of you other people that are getting this detection go to the install file, right click it and go to details so I can see the version?


  • 9.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 10:52 AM
    Hi All,

    I have seen a bunch of computers report back to have the "Install_Flash_Player.exe" as a trojan.

    The weird thing is... we do deploy Flash Player to all the computers in the office. We are deploying version 10.0.42.34; however, this has been set up as a GPO and I've been deploying this version since the day it came out, about 1 month ago, maybe longer. Today is the first time we are receiving virus alerts about "Install_Flash_Player".

    Attached is a screen shot.





  • 10.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 11:02 AM
    John,

    The file being detected is in c:\users\%username%\downloads. As soon as I click on the downloads folder, the file deletes automatically. The date on the file is 6-3-2009. The file size is 1,835kb. Can't right click because it deletes too fast. Some computers show the file as 0 bytes. The 0 byte file allows me to right click but it does not show any version data, only that the file was modified today. Weird.


  • 11.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 11:04 AM
    Identical issue:
    Definition version 2010-01-27 rev 049

    Virus Def: 2010-01-27 rev. 049
    TruScan Def: 2010-01-19 rev. 00


  • 12.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 11:07 AM
    I am seeing the same results on about 10 out of 300 PCs.  All of the files show as 0 bytes, and date back to somewhere between April and May. 

    Same defs as everyone else - 2010-01-27 rev 049



  • 13.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 11:08 AM
    Please submit the file to https://submit.symantec.com/websubmit/gold.cgi


    Title: 'Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe'
    Document ID: 2010010319585948
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2010010319585948?Open&seg=ent


  • 14.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 11:10 AM
    I went to http://kb2.adobe.com/cps/142/tn_14266.html which contains older versions of Flash.
    I downloaded the flash 10 zip and extracted it.  
    The file in this archive getting detected is named flashplayer10r22_87_win.exe.

    I submitted to Symantec, so hopefully this will get taken care of soon.


  • 15.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 11:14 AM
    We are getting the same thing.  A few but not a lot.  install_flash_player.exe is being detected as a "Trojan Horse".  Pretty generic and it is quarantining the file.


  • 16.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 11:17 AM
    On 7 of our computers.
    install_flash_player(3).exe Trojan Horse Cleaned File     SYSTEM Cleaned C:\Documents and Settings\user\Desktop\ Clean security risk Quarantine Auto-Protect scan The file was repaired successfully. 1/28/2010 3:05
    install_flash_player(3).exe Trojan Horse Quarantined File     SYSTEM Infected Quarantine Clean security risk Quarantine Auto-Protect scan The file was quarantined successfully. 1/28/2010 3:05
    install_flash_player(2).exe Trojan Horse Log only File     SYSTEM Log only C:\Documents and Settings\user\Desktop\ Clean security risk Quarantine Auto-Protect scan The file was left unchanged. 1/28/2010 3:05
    install_flash_player(2).exe Trojan Horse Quarantined File     SYSTEM Infected Quarantine Clean security risk Quarantine Auto-Protect scan The file was quarantined successfully. 1/28/2010 3:05
    install_flash_player(3).exe Trojan Horse Quarantined File     SYSTEM Infected Quarantine Clean security risk Quarantine Auto-Protect scan The file was quarantined successfully. 1/28/2010 9:08



  • 17.  RE: Flash Player - False Positive

    Posted Jan 28, 2010 11:17 AM
    Please submit the file and call support and log a case, it may be a false positive.


  • 18.  RE: Flash Player - False Positive