Endpoint Protection

Hello,

We are experiencing a large amount of detections this morning for AntiVirus 2009 Security Risk with the file C:/WINDOWS/system32/SSInstDll.dll

I can not find any additional information on the SSInstDll.dll.

Anybody have more information on this file or this detection?

Thank you.

Mike

We've been seeing this too.  At this point, we're not sure whether we have a real problem, or just bad definitions.

The file in question has a created timestamp of March 30, 2005, though that may or may not mean anything.

The problem started with a virus definition update that happened over the weekend.  The virus definitions released Friday ignore this file.

This is Spyware.CometCursor,  please check the link posted,

http://www.symantec.com/security_response/writeup.jsp?docid=2004-091615-0103-99&tabid=1

The exact same issue, same file, and same date on the file..    So far, about 60 of our 1200 clients are reporting "Antivirus2009".  Also started this weekend for this during a Saturday 2 AM administrator scan.

Hi,

I suggest you to open the risk log, get the exact virus name and search it in the Symantec web site for the removal procedure.

Regards,

Can you manually update 1 client and try to run a scan again?

This is not Spyware.CometCursor. Most all computers on our network have the file ssinstdll.dll dated from 2004. Around 50-60 out of around 400+ computers are showing up with this "infection" that is called either Antivirus 2009 or SafeStrip. The problem started as others noted, after definition updates this past weekend.

Now C:/WINDOWS/system32/SSInstDll.dll is being detected as "safe strip security risk".  We also now have newer definitions than this weekend.

Anyone else seeing this as well?

We are seeing this same problem with the file SSInstDll.dll since the update that I forced this morning. (It seems LiveUpdate did not run this weekend automatically like it should have.) I scanned my PC after getting reports from my users and seeing the file on my computer. SEP11 detected it as AntiVirus 2009 and quarantined it, then it detected it as SafeStrip and deleted it. Trying to determine if this is cause for concern or not.

Giuseppe,

Any idea if definition files updated this past weekend touch C:/WINDOWS/system32/SSInstDll.dll ?

Several people seem to have the same problem.

Thanks.

Mike


Hi,

I suggest you to open the risk log, get the exact virus name and search it in the Symantec web site for the removal procedure.

Regards,

I think that if the definitions are corrupted the ssinstdll.dll should be detected in all machines not olny in some of them... Compare bit-by-bit the ssinstdll.dll from a suspected machine with the one from a safe machine.
Eventually send both to the security response and open a case to ask a deeper analysis of the samples to understand if they are really infected or just a false positive (really rare).

Hi mhanson,

this is what I collected:

SafeStrip:
Latest Daily Certified version December 30, 2008 revision 004

Antivirus2009:
Latest Daily Certified version April 4, 2009 revision 020
Latest Rapid Release version April 6, 2009 revision 008

If you search SSINSTDLL.DLL in Google it is clear that it is not a windows system files, do you still think that it is a false positive?

Regards,

The workstations that are showing Risk have this file ssinstdll.dll.
The workstations that are not showing this do not have it.
Cannot compare the files.

Also, we have an image that we just brought up with that file.
the definition date on it is from Feb 2009.
To test, this workstation is not on the network.
As soon as we updated with April-05-2009 rev.3 from a USB key, its finding that file as a Risk (AntiVirus2009)
Same results for the latest definition file. April 6 2009 rev.21
I have been on the phone  with symantec research department and they are searching through the Definition files above.

I hope it is a bad def file and not a true risk.

J L

Another detail: I don't have SSINSTDLL.DLL in my Windows XP SP3 system.

To be honest I think it is a true risk, this file is not related to any well known application and I don't read here any evidence for a false positive unless all of the people posted here have the same rare application, used only in a part of the clients, that puts this file in the crucial system32 folder.
I cannot know why it is detect now and not before, if I guessed what you are thinking.

Giuseppe,

A user who has this file in quarantine tried to restore it to no avail. I have scanned several computers that have the file  SSINSTDLL.DLL  located in C:\WINDOWS\system32 including my own computer and the scan comes back negative with no risks found. As of now  87% of our computers are at definiton 2009-04-06 Rev. 003 and new alerts of infected computers on our network have stopped coming in.

This morning most computers were at either 2009-04-05 rev 03 or 2009--04-03 rev 04

I had a user try to restore SSINSTDLL.DLL from their quarantine but was unsuccessful.

So it looks like their was a modification of the detection for Antivirus2009 between April 4th and April 6th? Is that common?

Thanks for your help.

Mike



Hi mhanson,

this is what I collected:

SafeStrip:
Latest Daily Certified version December 30, 2008 revision 004

Antivirus2009:
Latest Daily Certified version April 4, 2009 revision 020
Latest Rapid Release version April 6, 2009 revision 008

If you search SSINSTDLL.DLL in Google it is clear that it is not a windows system files, do you still think that it is a false positive?

Regards,

That is probably a very new threat if google doesn't have any info for the dll.
I don't see a reason why you should not be submitting.
Can you confirm that the name is SSINSTDLL.dll, Some writers mix letters and numbers to make it being read like all alphabets.

Well I can tell I have had them on every workstation and server. But according to Symantec Endpoint they have been quaranteed. No idea how this get into servers where noone uses the IE or browse Internet and no shares are access to clients. Will be glad for any advise or confirmation what exactly is this threat.

 

 

I just submitted a file from an "infected" machine.

Yes I can confirm the file being quarantined is ssinstdll.dll

Mike

That is probably a very new threat if google doesn't have any info for the dll.
I don't see a reason why you should not be submitting.
Can you confirm that the name is SSINSTDLL.dll, Some writers mix letters and numbers to make it being read like all alphabets.

In our case, it appears that the SSInstDll.dll appears to be a part of Mike Lischke's Theme Manager for Borland/Delphi C++.  In reviewing the file, we suspect it is leftover baggage from Webroot Spysweeper.  We have not confirmed this with absolute certainty, but this appears to be the case. 

I wonder if this toolkit was also used in creating the Antispyware 2009 malware.

Are you guys running Spysweeper?  Within the DLL there are numerous references to it.

We did use Spysweeper on our network but it has been removed several months ago but  I did find one machine that still had Spysweeper installed and Symantec had quarantined the SSInstDll.dll file as well.

The naming convention of the file does point to Spysweeper?

Anyone else?

Are you guys running Spysweeper?  Within the DLL there are numerous references to it.

Jerry

Did you guys or do you use Spysweeper?


Well I can tell I have had them on every workstation and server. But according to Symantec Endpoint they have been quaranteed. No idea how this get into servers where noone uses the IE or browse Internet and no shares are access to clients. Will be glad for any advise or confirmation what exactly is this threat.

 

 

@mhanson: it is rare that the definitions detect a false positive and if it is confirmend of course we fix them asap.The sample submission is the best option in case of doubts.
Generally, two security products in the same machines could trigger false positive.
I hope the Security Response will answer us asap.

Search the file on the ThreatExpert website.

I also wanted to post that we used to run Webroot Spysweeper on our PCs.  We uninstalled the product about 6 months ago.  Some PCs on our network have this SSinstdll.dll and some don't.  Those that do have the file, did pop the alert about Antivirus2009.

its not webroot spysweeper, it's cometcursor or adware.comet. is it possible also that since you've used webroot spysweeper before, it detected the file and created a backup.

I do not believe this is comet cursor.  The comet cursor file is SSSInstdll.dll.  This file is SSInstDll.dll.

The data contents of this dll have several references to Webroot Spysweeper.

I believe, in this case, that this is a false positive.  I think it likely that this tool could have been used in malware applications such as Antivirus 2009 and SafeStrip, which would explain why it is now being tripped over by Symantec.

Use a hex editor or open it in a strong text editor (not notepad) and you'll see if it's a legit file or not.
A legit DLL will have SOME human-readable text in it, they almost all have messages, etc. that are used.

Submit it.
Use a hex editor to look inside it.
Scan it with other free/online systems.

Jerry

Did you guys or do you use Spysweeper?

Well I can tell I have had them on every workstation and server. But according to Symantec Endpoint they have been quaranteed. No idea how this get into servers where noone uses the IE or browse Internet and no shares are access to clients. Will be glad for any advise or confirmation what exactly is this threat.

 

 Yes Webroot Spysweeper is on workstations but not on the servers. I have only one server where the management console is installed.

About 40% of our workstations reported same issue all of a sudden

I opened a case with Symantec (through web support) about this issue yesterday morning.  Normally, I would have received a response by now, but have heard nothing.  Would be nice to know if nothing to worry about...

Dear XXXXXX,

We have analyzed your submission. The following is a report of our

findings for each file you have submitted:

filename: SSInstDll.dll

machine: Machine

result: NAV is falsely identifying this file as a virus

Customer notes:

We think this file is NOT infected and Symantec quarantines it as Antivirus 2009

　

Developer notes:

SSInstDll.dll is falsely identified as malicious. To fix this problem, please follow the instruction at the end of this email message to install the latest available definitions. Then, restore this file from NAV Quarantine.

 

The sample(s) that you provided are not infected with a virus, worm, or Trojan, and do not contain malicious code. It appears to be a false identification. To solve the false identification problem, please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.

Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.

Downloading and Installing RapidRelease Definitions:

1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/

2. Copy and paste the address ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence/ into the address bar of your Web browser and then press Enter.(this could take a minute or so if you have a slow connection)

3. Now select 93933 folder or a higher. Open the folder.

4. Select the file symrapidreleasedefsx86.exe

5. When a download dialog box appears, save the file to the Windows desktop.

6. Double-click the downloaded file and follow the prompts.

Virus definition detail:

Sequence Number: 93933

Defs Version: 110407q

Extended Version: 04/07/2009 rev.17

Should you have any questions about your submission, please contact

your regional technical support from the Symantec website and give them

the tracking number in the subject of this message.

-----------------------------------------------------------------------

This message was generated by Symantec Security Response automation.

For USA:

For electronic support options, Symantec provides On-Line Services at

http://www.symantec.com/techsupp/

Yo Yo's

To ViR...... BRAVO! Good job.
submitting that got new defs built that will fix it.

Cool........ following this thread - that was my first thought. False positive.

I think we had false positives yesterday from about 3:30 to about 9:30 on the ping of death, they started suddenly, then a few hours later, stopped suddenly. Updates of the defs are the only things I can think of......... bad defs gave a false positive on ping of death, then defs we got at about 9:40 fixed it.

I guess if I had to build definitions for a hundred trillion bazillion threats of all sorts, I'd make a mistake now and then, too.......

So Virtual736 posted his response from Symantec Security Response but there has been nothing from Symantec acknowledging this problem. Why not?

Many of us spent the whole day yesterday trying to track down this problem while being assured that it was highly unlikely that Symantec made a mistake with their definition files.

We all understand and appreciate how much effort goes into the anti-malware work and that mistakes are going to be made but Symantec should acknowledge those mistakes if and when they happen and publicize the fix.

Mike

Has anyone else seen their Start menu shortcuts disappear?  Specifically Outlook.  This started happening when Symantec detected and quarantined "SSINSTDLL.dll"

I added it back to the Start menu and it is gone when I restart.

Results or Suggestions?

Is it located on all users Start Menu? this could be a profile problem. is it occuring on all workstations?

Yeah.  Every workstation that I seen had Symantec detect SSINSTDLL.dll and then the Outlook shortcut disappears.  I can re-pin it, but after a restart, it's gone.

I also noticed it detected "A0057498.dll" as Antivirus2009.

Are you seeing the same thing?

No sir, haven't encountered this file. "A0057498.dll" usually means it is in the System Restore. You can disable system restore to remove this file. Can you re-pin the shortcut on all users profile?

Thanks Paul Mapacpac.  I've been re-pinning it to the users profile.  I was just wondering if it's been happening to anyone else.

I just did another search this morning, Apr/8/09 and still find only this thread as relevant to this issue.

We've had several customers affected by this problem, and it is disapointing to see no further clarification from Symantec.  In all cases, these sites were running the Symantec Corporate A/V v10.7.7.  Not all machines at each site were afected, only some.  In all cases, the same file was originally quarantined (c:\windows\system32\SSInstDll.dll).  SAV reported several instances of it.  Another file was subsequently quarantined from the System Restore and which has a random number starting with an A, as reported above.  SAV reports a message stating that it requires a reboot to complete the remediation, but then reports a couple of times being unable to complete the remediation process.

Suspecting that this was a false positive, we've attempted to first update the virus definitions, then restorint the SSInstDll.dll file from the quarantine.  In all cases, the file is restored back to the system32 folder as above, and always with the same date stamp of 3/30/2005 03:03 PM and size of 437,760 bytes.  However, SAV reports a status of only a "partially restored" and keeps the file still in the quarantine as well.  A subsequest manual scan of th entire windows folder reports no problems found.  The file properties shows no author, version number, or any other info.

The questions remain as to whether this file is in fact legitimate or not, whether SAV in fact restores it correctly, and what it is used for?  Could it in fact be a required component of some other application or driver which is not imediately apparent and will cause problems later?  We had one user who quarantined the file and took the actions that SAV recommended, and ended up with a BSOD dead machine with a Windows Stop error of 0x00000035, which was then remedied through a MicroSoft recommended Registry change, manual stripping of SAV, then subsequent clean re-install of SAV.

While errors can naturally happen, it is clearly seen that this was a problem with a direct correlation to the Symante cproduct, and many users have been affected.  Some of the reprecussions may not be seen until some time in the future.  It is therefore important that Symantec address this issue.

Symantec?

mjs2

Do or did the computers affected by this have Spysweeper installed? We had Spysweeper on our machines but removed it network wide this past summer. We found the ssinstdll.dll file to be a remnent of Spysweeper so no apparent damage has been caused by the quarantine of these files.

I am glad Symantec fixed the definition files in a timely manor but their lack of help in regards to this matter on the forum is shameful.

Have you opened a case with tech support?

Mike

Hi mhanson,

Thanks for the feedback.  I think the afected PCs all have or have had SpySweeper corporate installed.  I tried examining the file properties for the SSInstDll.dll file (after being restored by SAV), but could find no clues as to its author.  It is possible that the restored version was incomplete, since SAV reported a partial restore.  If the file was a remnant of SpySweeper, then it must have been an old file that uninstalled inconsistently, because in one intance, only 2 of some 50 systems of the same vintage on the same network reported the error.

Before posting, I searched several times through the Symantec knowledgebase and site search, but found only this thread.  It is not new for one virus scanner product to identify another manufacturer's product as a false positive.  Errors, of course happen also.  However, Symantec should have posted something on their site to alert of the error and the correct action to take.  I thought they may monitor these forums also, as other vendors do, but perhaps not, since there is still no response.  I did not bother to open a support ticket, as we had to deal with the issue rather quickly.

 

Just an update I tried creating a ticket with them regarding this issue and here's their reply,

Reply from Webroot Support:

 

Hello,
 
This has been confirmed as a false positive from Symantec.  We have received the following information from Symantec for correcting this issue:
 

------------------------------

SSInstDll.dll is falsely identified as malicious. To fix this problem, please follow the instruction at the end of this email message to install the latest available definitions. Then, restore this file from NAV Quarantine.

 Downloading and Installing RapidRelease Definitions:

1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/

2. Copy and paste the address ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence/

 into the address bar of your Web browser and then press Enter.(this could take a minute or so if you have a slow connection)

3. Now select 93933 folder or a higher. Open the folder.

4. Select the file symrapidreleasedefsx86.exe

5. When a download dialog box appears, save the file to the Windows desktop.

6. Double-click the downloaded file and follow the prompts.

Should you have any questions, please contact

your regional technical support from the Symantec website.

 

Jason A. | Enterprise Support
____________________________

Webroot Software, Inc.
2560 55th Street
Boulder, CO 80301 USA

Phone: 800-870-8102 Option 2
Fax: 303-442-3846
Web: www.webroot.com