The other day I started noticing that our SEP clients were saying that install_flash_player.exe was a Trojan Horse. I got a lot of alerts like the below;

 At least one security risk found: 

Risk name: Trojan Horse
File path: C:\Documents and Settings\username\My Documents\Downloads\install_flash_player.exe
Event time: 2010-01-28 09:35:13 GMT
Database insert time: 2010-01-28 15:25:05 GMT
User: SYSTEM
Computer: XXXXXXXXXX
IP Address: 0.0.0.0
Domain: system
Server: XXXXXXXXXX
Client Group: My Company\XXXX
Action taken on risk: Quarantined

 We found this thread on Symantec’s forum;
And this on Internet Storm Center;
 To eliminate this issue you need to update your virus definitions to 1/28/2010 rev. 20 and above and it will take care of the False Postive detection.
Unfortunately today I started seeing Spotify.exe get captured on our UK machines. Spotify is a music service in the UK. The file name and location, and that 3 machines sent an alert all at once make me think that this might be another false positive so now we need to open a ticket with Symantec and work with our UK folks to find out. For anyone running SEP I strongly encourage you to enable Single Risk Event emails and read them. That’s how I caught the Flash issue and now the Spotify possible issue.
Advertisements