I can't submit them from work; the enterprise version quarantines them the
instant I try to install or unpack them.  I'm also not allowed to mark files
as safe or to move them out of quarantine.

I'm running a different version at home, so I need to know how to unpack
these files from the installer.  If I can pull them out of the installer, I
can submit them at home.


Metta,
Ivan


On Mon, Jun 6, 2011 at 10:38 AM, Glenn Fowler <g...@research.att.com> wrote:

>
> the "technical details" link at the url you cited has:
>
>  Discovered: April 29, 2010
>  Updated: April 29, 2010 9:31:22 PM
>  Type: Trojan, Virus
>
>  Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
>  Windows NT, Windows Server 2003, Windows Vista, Windows XP
>
>  Symantec antivirus products contain an highly sensitive detection
>  technology designed to detect entirely new malware threats without
>  traditional signatures. This technology is aimed at detecting malicious
>  software that has been intentionally mutated or morphed by attackers.
>
>  If one or more files on your computer have been classified as having a
>  Suspicious.Emit threat, this indicates that the files have suspicious
>  characteristics and therefore might contain a new or unknown threat.
>  However, given the sensitive nature of this detection technology, it
>  may occasionally identify non-malicious, legitimate software programs
>  that also share these behavioral characteristics.  Therefore, it is
>  recommended that users manually check all files detected as
>  Suspicious.Emit by Symantec antivirus products for potential
>  misidentification, and submit any suspect files to Symantec Security
>  Response for further analysis. For instructions on how to do this, read
>  Submit Virus Samples.
>
>  In rare cases where a legitimate file has been misidentified and
>  subsequently quarantined, your computer may behave abnormally or you
>  may find that one or more applications no longer function as expected.
>  In such rare situations, you should open the Quarantine in your
>  Symantec antivirus product.  From here, you may review the list of all
>  files detected as Suspicious.Emit and, if you identify a potential
>  misidentification, restore the file from quarantine and allow it to run
>  normally.
>
> we don't use symantec so I don't know if they would take a submission by us
> seriously
> could you submit { awk.exe bc.exe } via "Submit Virus Samples" with a note
> that they are mislabeled
>
> thanks
>
> On Mon, 6 Jun 2011 10:18:04 -0600 Ivan Van Laningham wrote:
> > I have four entries in my risk log for Symantec.  One each of Log Only and
> > Quarantine for bc.exe and awk.exe.  All four are classed as "Suspicious
> > Emit" as defined here:
>
> > http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-042920-5108-99&vid=42286
>
> > The Log Only warnings happened at 24 May 0218, and the Quarantine happened
> > the same day at 1205.
>
> > Thanks,
> > Ivan
>
> > On Thu, Jun 2, 2011 at 7:31 PM, Ivan Van Laningham <ivanl...@gmail.com> wrote:
>
> > > I did get messages telling me which executables were problematic when I
> > > logged in that day, but I didn't think to look in the logs.  I'll check
> > > tomorrow when I'm at work.
> > >
> > > Thanks.
> > >
> > > Metta,
> > > Ivan
> > >
> > >
> > > On Thu, Jun 2, 2011 at 5:38 PM, Glenn Fowler <g...@research.att.com> wrote:
> > >
> > >>
> > >> any symantec log messages corresponding to the quarantine?
> > >>
> > >> On Thu, 2 Jun 2011 17:29:03 -0600 Ivan Van Laningham wrote:
> > >> > Symantec enterprise suddenly started classifying these two executables,
> > >> > unchanged for months, as virus threats and quarantined them.  Scanning the
> > >> > Uwin installer exe does not yield results, but as soon as the installer is
> > >> > run, awk and bc are removed as threats.  telnet.exe is also missing, but I
> > >> > never received a notice that it was a threat.
> > >>
> > >> > This began happening on either Monday, 23 May or Tuesday, 24 May.  I believe
> > >> > there was a Symantec virus definition update around that time.
> > >>
> > >> > This is fairly irritating, as corporate security is unwilling to question
> > >> > the word of Symantec.  "Ticket: closed.  Resolution: Please find an
> > >> > alternate implementation."
> > >>
> > >> > I'm not the only one on the network to suffer this problem.  Are others out
> > >> > there experiencing this?  How about home users of Symantec AV?
> > >>
> > >>
> > >
> > >
> > > --
> > > Ivan Van Laningham
> > > God N Locomotive Works
> > > http://www.pauahtun.org/
> > > http://www.python.org/workshops/1998-11/proceedings/papers/laningham/laningham.html
> > > Army Signal Corps:  Cu Chi, Class of '70
> > > Author:  Teach Yourself Python in 24 Hours
> > >
>
> > --
> > Ivan Van Laningham
> > God N Locomotive Works
> > http://www.pauahtun.org/
> > http://www.python.org/workshops/1998-11/proceedings/papers/laningham/laningham.html
> > Army Signal Corps:  Cu Chi, Class of '70
> > Author:  Teach Yourself Python in 24 Hours
>
>


-- 
Ivan Van Laningham
God N Locomotive Works
http://www.pauahtun.org/
http://www.python.org/workshops/1998-11/proceedings/papers/laningham/laningham.html
Army Signal Corps:  Cu Chi, Class of '70
Author:  Teach Yourself Python in 24 Hours
_______________________________________________
uwin-users mailing list
uwin-users@research.att.com
https://mailman.research.att.com/mailman/listinfo/uwin-users
