Endpoint Protection

TSizepro.exe = Backdoor.Graybird
Happening across all our installs of TreeSize

Anyone else getting this?

Nick

Yep, got an alert this morning too.  Checking with the TSP vendor now to confirm....

The actual Tree Size executable is TreeSIze.exe  Our alerts have been for TSizepro.exe so I am a little leery on this one...

If it is truely a false positive, then please make a submission to Symantec ASAP.

https://submit.symantec.com/dispute/false_positive/

Best,
Thomas

A little later in the day and it no longer flags as being infected....

I'm guessing it was a falsie....

I have a slightly older version and teh executable is tsizepro.exe

It has not been detected on any of our systems.

Greetings,

There was a report of the Tsizepro.exe being detected as Backdoor.Greybird. I cannot confirm whether the above reports match as I don't have a copy of the file though definitions have been put into place to correct it.

You can try the most recent Rapid Release Defs found here:
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

I just downloaded and installed the latest Rapid release defs 12/4 rev 33.  These also see Tsizepro.exe as a virus (Backdoor.Greybird).  The new definitions also make you reboot afterwards, while the 12/4 rev 6 definitions do not.  Seems like a step backwards to me.  
I have run this file through ThreatExpert and VirusTotal with mixed results.  We have had TreeSize Pro on systems for a couple of years now and have not run into this issue until we upgraded to SEP 11.0.5 (MU5) this past week.  Prior to the upgrade, some systems were on SEP 11.0.4 (MR4) with a majority still on SAV 10.x.  Only the MU5 clients see this as a virus.

Tsizepro.exe is part of the original installation of Tree Size Pro.  For all my tests I copied the TsizePro.exe file from a fresh installation on a fresh image.

I have submitted a false positive request form via the link provided by Cycletech.  I also sent an inquiry to JAM software.

I'll post my results.

I have also had several detections of Greybird between the 4th and 6th of December on clients running sav 10.1.8.  I restored a backup copy of Tsizepro.exe this morning and there was no detection, which suggests a false positive now that defs have updated again overnight.

However...on a few clients I've also had partial removal of the 'trojan' reported.  On these clients not only has tsizepro.exe been deleted but some registry changes have supposedly been corrected and c:\windows\system32\comsa32.sys has also been deleted.  On these clients neither comsa32.sys or tsizepro.exe are in the backed up items area. 

An Iexplore.exe process was also terminated.  So on the one hand it looks like a FP, and on the other it doesn't.

I recieved confirmation from JAM software that Tsizepro.exe is not viral.  I have not heard back from Symantec in reference to my false positive submission.  The folks at JAM noted that Tsizepro.exe is only necessary for backwards compatibility for Tree Size 4.x.
They also noted that Tree Size Pro 5.3 no longer includes this file.