challBOE asked:
NAV Symantec DetNat pwsteal false positives ??

O.S. is NT server (don't laugh), Norton/Symantec Corporate AntiVirus 8.01
I have been getting numerous W32.DetNat alerts, all over my NT servers. It's not hitting  2003 servers, but it has hit one Win2000 workstation.
The alerts have been preceded by alerts for PWSTEAL lineage.
However, when I run AVG or TrendMicro on-line scan, they find nothing. I searched for a couple of days on the net, but could find no reports of false positives until I came across Sophos's site saying Symantec may have a false positive (See http://www.sophos.com/virusinfo/hoaxes/pwsteal.html).

Has anyone else been seeing what might be "false positives" from Symantec on W32.DetNat ?
Also, NAV's write-up of DetNat does not quite match what I am seeing, for example they tell you to look for a HKLM\Software\Microsoft\Windows\Current Version\Run\Delphi key - I haven't seen that anywhere on the servers that report themselves infected.

To my chagrin, I have had NAV deleting infections as the primary option for the last 3 years. I thought it was better to kill something immediately. Since it has deleted (apparently) uninfected files I have to go to backups.
I set NAV to clean, and if it can't, leave the file alone. I finally stopped NAV and am running AVG temporarily.
Oh, and my NAV corporate server was one of the infected servers.

Anyway, anyone else seeing W32.DetNat's out there that other AntiVirus products don't see ?
Thanks in advance,
Christina
ASKER CERTIFIED SOLUTION
rpggamergirl (Australia)
This solution is only available to members.

challBOE (asker):
Thanks Rpggamergirl,
Yes, I checked the registry for all control sets and for CurrentVersion\Run, CurrentVersion\RunOnce and RunOnceEx. No Delphi... Hijack analysis is at https://www.experts-exchange.com/questions/21834067/NAV-Symantec-DetNat-pwsteal-false-positives.html#16581971 but I looked at it and I think I recognize everything. It's an HP server so it has HP software, arcserve and it's an Exchange server with NAV for Exchange 5.5, so there are NAVMSE entries.
BlackLight isn't available for NT servers, but I downloaded their AntiVirus software and am running it (v5.52) now.
Thanks,
Christina
Oops, the log is at http://www.hijackthis.de/logfiles/8c2c988aabe9e3e5c165eb431b895785.html not, as I posted, this page.
I put the quarantine console up on NAV. It sends copies of infected files to NAV for analysis. When I looked, all the files had been submitted and Symantec indicated that they were not infected and it was a false positive. This just leaves me a bit uneasy, since other than Sophos I don't see anyone else having the same problem. Oh well, thanks for your help Rpggamergirl.
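The autorun check the asker describes, written up as an added example that is not part of this thread: it enumerates the Run, RunOnce and RunOnceEx keys under HKLM and every loaded user hive and reports any value whose name or data matches an indicator, so a vendor write-up's claim (here the "Delphi" Run value from the Symantec DetNat write-up quoted in the question) can be confirmed or ruled out before trusting a delete action. It assumes a modern Windows host with PowerShell (not available on NT 4); the pattern parameter and output layout are this example's own choices.

```powershell
# Added example (not from the thread): verify an AV write-up's autorun
# indicator against the keys actually present on the host.
param(
    # Indicator to look for; "Delphi" is the Run value named in the
    # Symantec write-up the question refers to.
    [string]$Pattern = 'Delphi'
)

# The autorun subkeys the asker checked.
$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

# Machine hive plus every loaded user hive, since a per-user Run value
# would be missed by checking HKLM alone.
$roots = @('Registry::HKEY_LOCAL_MACHINE') +
         (Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object { $_.PSPath })

$hits = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $path = "$root\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own PSPath/PSParentPath/... metadata properties.
            if ($p.Name -like 'PS*') { continue }
            if ($p.Name -match $Pattern -or "$($p.Value)" -match $Pattern) {
                [pscustomobject]@{ Key = $path; Name = $p.Name; Data = $p.Value }
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    "No autorun value matching '$Pattern' under Run/RunOnce/RunOnceEx in HKLM or any loaded user hive."
}
```

Run it from an elevated prompt so every loaded user hive is readable; a match is a reason to quarantine and investigate, an empty result is one data point that the alert may not fit the write-up, not proof the host is clean.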
Glad to hear you sorted it out and that it was just a false positive.

Oh thank you very much for the points, that's so generous of you. If you like, you can get a refund for your points, just post at Community Support and ask for a refund.
https://www.experts-exchange.com/Community_Support/

Best wishes!

No problem, you're welcome to it, you were willing to help. Attitude counts too :-) Thanks again !