NAV Symantec DetNat pwsteal false positives?

Posted on 2006-05-01
Last Modified: 2010-08-05
O.S. is NT server (don't laugh), Norton/Symantec Corporate AntiVirus 8.01
I have been getting numerous W32.DetNat alerts, all over my NT servers. It's not hitting  2003 servers, but it has hit one Win2000 workstation.
The alerts have been preceded by alerts for PWSTEAL lineage.
However, when I run AVG or TrendMicro on-line scan, they find nothing. I searched for a couple of days on the net, but could find no reports of false positives until I came across Sophos' site saying Symantec may have a false positive (See

Has anyone else been seeing what might be "false positives" from Symantec on W32.DetNat ?
Also, NAV's write-up of DetNat does not quite match what I am seeing; for example they tell you to look for a HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Delphi key. I haven't seen that anywhere on the servers that report themselves infected.

To my chagrin, I have had NAV deleting infections as the primary option for the last 3 years. I thought it was better to kill something immediately. Since it has deleted (apparently) uninfected files, I have to go to backups.
I set NAV to clean, and if it can't, leave the file alone. I finally stopped NAV and am running AVG temporarily.
Oh, and my NAV corporate server was one of the infected servers.

Anyway, anyone else seeing W32.DetNat's out there that other AntiVirus products don't see ?
Thanks in advance,
Question by:challBOE

    Accepted Solution

    Hi Christina,

    Did you check in this part of the registry?

    It supposedly uses rootkit technology to hide from the user.
    Maybe Blacklight may show something:
    Download and save blacklight to your desktop.
    Double-click blbeta.exe, accept the agreement, click Scan > Next.

    You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

    Also, let us look at your Hijackthis log:
    Please download HijackThis 1.99.1
    Open HijackThis, click "Do a system scan and save a logfile" (don't fix anything yet),
    copy and paste the log at;
    and click "Analyse", then click "Save". Post the link to the saved list here.

    Author Comment

    Thanks Rpggamergirl,
    Yes, I checked the registry for all control sets and for CurrentVersion\Run, CurrentVersion\RunOnce and RunOnceEx. No Delphi... Hijack analysis is at  but I looked at it and I think I recognize everything. It's an HP server so it has HP software, ARCserve, and it's an Exchange server with NAV for Exchange 5.5, so there are NAVMSE entries.
    BlackLight isn't available for NT servers, but I downloaded their AntiVirus software and am running it (v5.52) now.
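The registry check the thread describes (looking for a Delphi value under the Run, RunOnce and RunOnceEx keys), as an added example that is not part of the original thread and not Symantec's or the author's code: a small Python script that parses a REGEDIT4-style .reg export taken from the server with regedit, lists every autorun entry so it can be reviewed by hand, and flags any entry whose value name matches the indicator from the Symantec write-up quoted in the question. The two embedded exports are constructed sample data, not from the author's servers, and the Delphi path in the second one is a placeholder.

```python
"""Offline triage of Run/RunOnce/RunOnceEx entries from a .reg export.

Added example (not from the thread). Assumes the export was produced with
`regedit /e` and already decoded to text (REGEDIT4 exports are ANSI; the
"Windows Registry Editor Version 5.00" format from Windows 2000+ is UTF-16).
"""
import re
from typing import Dict, List, Tuple

# The autorun keys the thread checked (registry paths are case-insensitive).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
)

# Value name cited by the Symantec W32.DetNat write-up quoted in the question.
SUSPECT_VALUE_NAMES = {"delphi"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# `"name"=data` or `@=data` (default value); names may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed sample: a clean export, like the servers in the thread.
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAVTray"="C:\\PROGRA~1\\EXAMPL~1\\avtray.exe"
"ExampleAgent"="C:\\WINNT\\system32\\agent.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
"""

# Constructed sample with the indicator present (path is a placeholder).
SUSPECT_EXPORT = CLEAN_EXPORT.replace(
    '"ExampleAgent"', '"Delphi"="C:\\\\PLACEHOLDER\\\\example.exe"\n"ExampleAgent"'
)


def _unescape(data: str) -> str:
    """Undo .reg string escaping; dword:/hex: data is returned verbatim."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} for every key in the export."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name = "@" if value.group(1) is None else value.group(1).replace('\\"', '"')
            entries[current][name] = _unescape(value.group(2))
    return entries


def list_autoruns(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """All (key, name, data) triples under the autorun keys, for manual review."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    return [(key, name, data)
            for key, values in entries.items() if key.lower() in wanted
            for name, data in values.items()]


def find_suspect_autoruns(entries: Dict[str, Dict[str, str]],
                          suspect_names=SUSPECT_VALUE_NAMES) -> List[Tuple[str, str, str]]:
    """Autorun entries whose value name matches an indicator (case-insensitive)."""
    suspects = {s.lower() for s in suspect_names}
    return [hit for hit in list_autoruns(entries) if hit[1].lower() in suspects]


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("suspect", SUSPECT_EXPORT)):
        parsed = parse_reg_export(export)
        print(f"--- {label} export: {len(list_autoruns(parsed))} autorun entries")
        for key, name, data in list_autoruns(parsed):
            print(f"  {key.rsplit(chr(92), 1)[-1]:9} {name!r} -> {data}")
        for key, name, data in find_suspect_autoruns(parsed):
            print(f"  FLAG: {name!r} in {key}")
```

Usage: export the three keys on the server with regedit, read the file with the right encoding (plain `open()` for a REGEDIT4 file, `open(path, encoding="utf-16")` for a version 5.00 file), and pass the text to `parse_reg_export`. An empty result from `find_suspect_autoruns` is consistent with what the thread reports; the full `list_autoruns` output is still worth reading, since the author's conclusion rested on recognizing every entry, not only on the absence of one name.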

    Author Comment

    Oops, the log is at   not, as I posted, this page.

    Author Comment

    I put the quarantine console up on NAV. It sends copies of infected files to NAV for analysis. When I looked, all the files had been submitted and Symantec indicated that they were not infected and it was a false positive. This just leaves me a bit uneasy, since other than Sophos I don't see anyone else having the same problem. Oh well, thanks for your help Rpggamergirl.

    Expert Comment

    Glad to hear you sorted it out and that it was just a false positive.

    Oh thank you very much for the points that's so generous of you. If you like, you can get a refund for your points, just post at Community Support and ask for a refund.

    Best wishes!


    Author Comment

    No problem, you're welcome to it, you were willing to help. Attitude counts too :-) Thanks again !
