“HTTP Acrobat PDF Suspicious File Download” – False Positives?
December 10, 2008 | 10:02 am
Note: There is now a potential solution for this – see the bottom of the post.
Today when browsing the web, I started to get notifications from Norton Antivirus telling me a malicious worm was blocked. I get these occasionally, so thought nothing of it the first time, but they kept coming up, and I realised I was only browsing sites I trusted (eBay, Wikipedia etc). I clicked on “More Details” to look at what was going on.
The Risk being reported (and blocked) was “HTTP Acrobat PDF Suspicious File Download”. The sites supposedly making these intrusion attempts include:
- eBay (My Ebay)
- Wikipedia (Only when I’m logged in – I have Popups installed on my profile)
- My WordPress “Write Post” page (I had to disable the antivirus to let me write this!)
Symantec blocks the JavaScript, which makes certain things not function correctly (the Popups on Wikipedia, the WYSIWYG editor on WordPress).
I can fairly confidently say that these three sites aren’t trying to attack my computer! I think Symantec need to adjust their definitions pretty urgently – I can’t be the only one getting these false positives!
[Update]: I’ve found it also affects Google Maps!
[Update 2]: This seems to be affecting loads of sites, and this post is getting hundreds of hits now it’s appearing on Google. Scott Clark has posted a screenshot of the problem on Flickr.
[Update 3]: JasonC has posted a possible solution. I have a slightly different version of NAV, and this is how I fixed it:
- Opened Norton Antivirus (double clicked on the icon in the system tray)
- Clicked “Settings” on the internet section
- Clicked “Configure [+]” next to “Intrusion Exclusions”
- Scrolled down to “HTTP Acrobat PDF Suspicious File Download”, and unchecked it
- Clicked “OK” on all open screens.
Note: this may leave you open to this particular worm; do so at your own risk. (See update below – this shouldn’t be required any more.)
[Update 4]: Symantec claim to be working on a fix for this.
[Update 5 (2008-12-11)]: This now appears to be fixed in the latest Live Update. If you have applied the fix suggested above, I suggest you undo this (after running Live Update) to ensure your computer is fully protected.








Graham Jones - Internet Psychologist | December 10, 2008 | 12:13 pm
I’m getting the same trouble – for several trusted sites including Google News. Looks like it all started after Symantec issued an update earlier this morning.
Rob | December 10, 2008 | 12:18 pm
@ Graham: Interestingly I get the same when I visit your site! Looks like it’s the open social application in this case.
I think it’s pretty widespread, given the number of visits I’m getting to this post, and it’s not even on Google yet! Hopefully they’ll notice and fix it – I can’t see a “Report False Positive” feature.
Graham Jones - Internet Psychologist | December 10, 2008 | 12:19 pm
Just been on a support session with Symantec and told them they must be getting other reports about this. The response was “I accept that”. So hopefully they will sort it soon.
ocean90 | December 10, 2008 | 2:42 pm
Hello,
I was surprised as I got the same message and. I hope they will fix it fast.
Greeting ocean
Judah | December 10, 2008 | 2:48 pm
I got it on gmail today too
anon | December 10, 2008 | 2:55 pm
Found this by doing a web search. I’m getting them left and right myself all of a sudden today. Do notice it references admunch.exe (from Ad Muncher) when doing most blocks, too.
Can’t believe I’m legitimately getting attacked from all these places. Must be a problem on Symantec’s end.
Simon K | December 10, 2008 | 3:09 pm
I am getting the same message when I create a post on all my blogs
Ambarita | December 10, 2008 | 3:10 pm
Nice post! Just googled this term and came up with your article.
Yes, NAV stuffed it up again this time. All javascripts go awry on my browser after I receive the notification.
Marcus | December 10, 2008 | 3:12 pm
We have a problem with several sites as well. Does anyone know what is triggering this “false positive”?
Rob | December 10, 2008 | 3:15 pm
@Marcus: I think it’s a problem with a recent Norton update falsely identifying lots of different code as an intrusion. It doesn’t seem to be any specific JS library – I’ve seen it block both jQuery and Prototype (although not all versions of either).
Scott Clark | December 10, 2008 | 3:15 pm
Ditto for me. All machines on my corporate network showing same issue. http://is.gd/aZHE … screen shot
Stuckinit | December 10, 2008 | 3:25 pm
I am getting the same problem. Is it a virus on our computers?
Rob | December 10, 2008 | 3:28 pm
@Stuckinit: I’m no virus expert, but looking at the list of sites causing it, I think it’s unlikely this is being caused by a virus on your computer.
JasonC | December 10, 2008 | 3:30 pm
I just disabled the Internet Worm Protection temporarily.
Norton screen->Norton Antivirus tab->Settings->Web Browsing->Internet Worm Protection
Don’t think it’s an actual virus… unless I’m unconsciously writing a virus on my own web application… hohoho…
Rob | December 10, 2008 | 3:35 pm
@JasonC: I don’t seem to have the same settings as you, but I’ve found another way to fix it – without fully turning off worm protection. I’ll add it to the main post.
Foo() | December 10, 2008 | 3:38 pm
Rob,
I just wanted to say thanks for posting this. It’s good to know I’m not the only one experiencing the problem, although I suspected it was a false positive as well. I’ll call Symantec and tell them to send you a cheque for your fantastic support / customer communications efforts!
Julie | December 10, 2008 | 3:48 pm
Me too, just got it for the Google sandbox application I’ve been working on. It said Google was attacking me from cf-in-f104.google.com
Ty | December 10, 2008 | 3:51 pm
Hi,
It all started for me after a visit to an eBay store this morning. I even had tried Live help with an eBay representative to tell em they should check that sellers pages, because it triggered alerts from Norton. I even disabled the warnings from Norton, thankfully not disabled the blocking, as that would have been a stupid reaction.
Thank god, it’s almost surely only a false positive.
Paul Dixon | December 10, 2008 | 3:55 pm
Thanks for posting, fix worked for me.
JasonC | December 10, 2008 | 3:55 pm
ahh… not sure what version I’m using..
After reading your solution, I dug deeper in the configuration of my Norton and found a similar solution to yours.
(they’ve hidden the settings screen nicely in my version)
Norton screen->Norton Antivirus tab->Settings->Web Browsing->Internet Worm Protection->Configure:
Real-time Protection->Internet Worm Protection->Configure->uncheck “HTTP Acrobat PDF Suspicious File Download”
SeCo | December 10, 2008 | 3:57 pm
I’m getting the same message from Norton. I ran the update last night and this just started this morning. Every time I visit CNN.com, Norton blocks an attack from an HTTP Acrobat PDF Suspicious File Download. This is crazy.
Update | December 10, 2008 | 4:01 pm
Run Live Update again. I was having the same problems. It appears they have now put out a fix and I am no longer having problems.
Update | December 10, 2008 | 4:04 pm
Looks like I might have spoken too soon.
Bryan | December 10, 2008 | 4:09 pm
I got a hold of someone at Norton. They said “yes, it is a common issue”. He gave me the following to correct it. I do not know if it works. I will be trying it, but thought you might like it as well.
Step 1: You can download the Norton Anti virus 2009 from the web link http://www.norton.com/nav09. You need to remove your old Norton before installing the new one. You can use the Norton removal tool to remove your old Norton files; you can use the web link http://www.symantec.com/nrt to download the Norton removal tool.
Step 2: After completing both downloads (Norton anti virus 2009, removal tool) you need to run the removal tool first to remove the old Norton files. After removal it will ask you to restart your computer; restart your computer.
Step 3: After the restart you can start installing the Norton anti virus 2009, and activate the product using your product key.
Mike | December 10, 2008 | 4:16 pm
Hmmmmmmmmm – I am already running 2009 and I have had the problem all day even after rerunning Live Update !!!????
Bryan | December 10, 2008 | 4:17 pm
Which by the way, I think is ridiculous to have us reinstall a product, in which they have a liveupdate program that is used for just that reason.
Rob | December 10, 2008 | 4:20 pm
Mine is 2009 too (v16.1.0.33). I doubt the above will work. I’m not trying it anyway.
Incidentally, my other machine (which has 2008 on it) has no problems, but I don’t think it has the latest definitions (they aren’t released as quickly for 2008).
Bryan | December 10, 2008 | 4:23 pm
I don’t blame you, I had second thoughts about reinstalling my NAV 2009 as well.
Juicetan | December 10, 2008 | 4:38 pm
I get the same error. I think the new live update screwed me over. I’m unable to get to several real estate web sites. Looks like the Google Maps portion using JavaScript. I hope Symantec or Norton fixes this quick. It’s like releasing a new car with square wheels.
sammy | December 10, 2008 | 4:58 pm
this could be bad
Rob | December 10, 2008 | 5:07 pm
Symantec now claim to be working on a fix for this.
Stuckinit | December 10, 2008 | 5:10 pm
I ran the update and it did not fix the problem
Talerno | December 10, 2008 | 5:12 pm
After the next update I would turn the option back on and see if the problem has been resolved. Symantec wanted 175$ to troubleshoot the problem further.
Patrick | December 10, 2008 | 5:12 pm
Thanks for writing this post. :)
Patrick
BodoHL | December 10, 2008 | 5:14 pm
Hello,
Thank you for your posting and your tips. Norton leaves the user out in the rain.
Rob | December 10, 2008 | 5:14 pm
@Talerno: Ouch – That’s quite a fee for fixing a cock-up they caused!
Emma | December 10, 2008 | 5:19 pm
Just lovely! I am having the same problem – and sent a “customer satisfaction” note to Symantec. Absent information about known viruses, a hypersensitive block is just *irritating*. I can do with a little less “big brother”. :-/
Rob | December 10, 2008 | 5:31 pm
This even happens on Symantec’s own site!!
jestan | December 10, 2008 | 5:38 pm
I wanted to check on my order with http://www.skechers.com/ and Norton blocked it
jestan | December 10, 2008 | 5:47 pm
Even CNN is being blocked
http://www.cnn.com/
Nick | December 10, 2008 | 5:47 pm
This is strange, I went to CNN and it gives me that error. And the funny thing is when I view the source code of that page and search for .pdf, it doesn’t find anything.
Jestan | December 10, 2008 | 5:56 pm
http://www.pcworld.com/
Justin | December 10, 2008 | 5:58 pm
I’m using a JavaScript library named MooTools.js. Symantec blocks my site when I have it. When I comment out MooTools Symantec lets it pass.
So, Symantec is blocking my JavaScript library.
Thanks for the blog.
Jestan | December 10, 2008 | 5:59 pm
http://www.anandtech.com/
Jestan | December 10, 2008 | 6:00 pm
http://www.losi.com/
Rob | December 10, 2008 | 6:01 pm
@Jestan: If you are listing every site that has problems, you could be some time – a huge number of sites have this issue, including a lot of the ones that use the popular jQuery, Prototype or Mootools libraries. I don’t think we need to list every one here – thanks for the input though.
Nick59 | December 10, 2008 | 6:03 pm
I got this problem too. But not with my second computer without Norton on it (I use McAfee).
Very strange!
Blog do Vitor - Problem: Norton blocks access to sites, reporting “HTTP Acrobat PDF Suspicious File Download” | December 10, 2008 | 6:04 pm
[...] blogs have already reported the problem, confirmed by the Norton development team. If you don’t want to [...]
Lisa | December 10, 2008 | 6:10 pm
Had this problem this morning. Spoke with tech support.
They are working on it according to the rep in India
The workaround seems to be for now
JasonC has posted a possible solution. I have a slightly different version of NAV, and this is how I fixed it:
Opened Norton Antivirus (double clicked on the icon in the system tray)
Clicked “Settings” on the internet section
Clicked “Configure [+]” next to “Intrusion Exclusions”
Scrolled down to “HTTP Acrobat PDF Suspicious File Download”, and unchecked it
Clicked “OK” on all open screens.
It worked and I started getting this on things like CNN, MSN, Dailyrecord.com and most media places.
Jestan | December 10, 2008 | 6:16 pm
Just trying to help Rob… How long do you think it’s gonna take for a fix?
JasonC | December 10, 2008 | 6:34 pm
it’s fixed.
run liveupdate.
and undo all the steps listed on this page to undo the not-checking.
Bruce | December 10, 2008 | 6:50 pm
I was getting this problem on CNN this morning after getting a LiveUpdate yesterday. Downloaded the new update today and it appears to have gone away, at least for now.
Peach | December 10, 2008 | 7:09 pm
I just ran liveupdate and it’s still happening… anyone else still having trouble?
Jayson Bynx | December 10, 2008 | 7:19 pm
I’m also having difficulty with accessing many popular websites due to this flakey rule in Norton Internet Security 2009.
Symantec needs to fix this soon…
Scott Clark | December 10, 2008 | 7:28 pm
New liveupdate worked for me. Whew!
Charlie Russell | December 10, 2008 | 7:59 pm
Norton tech support said to run Live Update to fix it, and that took care of things. So they were responsive (although their chat support person took 15 minutes to come up with that answer).
Oddly, one of the web sites I visited that had the problem was able to fix it before I did the update, for their web site. Not sure what they did.
Thank you, Rob, for posting this in your blog. It helped to know that it wasn’t just the one web site I was working with…
Jestan | December 10, 2008 | 8:23 pm
It also worked for me!
Taylor | December 10, 2008 | 8:23 pm
I got it on this site…
Alon Cohen | December 10, 2008 | 8:26 pm
I ran across the same problem this morning when accessing my blog admin area (thought my site was hacked).
Ran the live update a few minutes ago and that fixed it.
-Alon
CelticLady | December 10, 2008 | 8:29 pm
I’ve been getting this all day too on various Ning sites (chat) and mySpace (3rd apps) – I checked out Norton and it said it wasn’t a false positive – but – hopefully whether it is or is not a threat they will remedy it. I’ve done the Norton LiveUpdate and it continues to happen. Very strange doings today
Craigmed | December 10, 2008 | 10:05 pm
This is apparently affecting all computers with Norton AV (any version) with worm protection enabled. Live update does not solve the problem as of 12/10 2:00 PM Pacific time. Temporary fix is to go to AV settings, Worm protection, configure, find the entry “HTTP Acrobat PDF” and uncheck the box. This will eliminate the warning messages until Norton can provide a fix through live update. This problem was caused by the last Norton AV update issued within the last 12 hours. We do not believe it is related to any other source (example: last Microsoft security updates).
Gotan | December 11, 2008 | 12:32 am
Hello boys and girls
Just update it to Norton Internet Security 2009 and the problem is fixed! Look under product updates…
http://www.symantec.com/norton/downloads/index.jsp
Mike | December 11, 2008 | 8:46 am
Looks like today’s update has fixed it !!! At least Symantec fixed it within 24 hours. Mind you, I think someone in their shop should check why a rep. tried to charge one of your bloggers $175 to troubleshoot !!!???
Rob | December 11, 2008 | 8:48 am
Yep, got in to the office this morning and it’s all working ok.
If anyone is still getting the problem after doing a live update, let us know.
Stuckinit | December 11, 2008 | 1:39 pm
Well done Rob with the post. I think you helped create action. Hope you got lots of hits.
Gunnar | December 12, 2008 | 11:45 am
Hi all,
My name is Gunnar and I am working for an external European Symantec-Support-Team. I am sorry to hear that you have experienced some problems caused by the False Positive condition. As Mike mentioned in his post above, the new update has corrected it, but I would still like to present you with the official statement from Symantec:
On December 10, Symantec posted a modification to an IPS signature that caused a False Positive condition with our customers. Customers may have experienced a virus warning or in some cases, partial loading of Web pages. The signature was released to all consumer products. On the enterprise side, only Symantec Client Security was impacted.
The specific signature at fault was the “HTTP Acrobat PDF Suspicious File Download” signature. This signature was triggered by generic JavaScript, which is used on certain Web sites. The signature was released around 1 a.m. PT on Wednesday, December 10. The signature was corrected and made available to Symantec customers at approximately 10 a.m. PT, 9 hours after the initial release.
Because the majority of our consumers receive updates automatically, they will already have been updated with the corrected signature. Any consumer customer that does not automatically download signatures, is unlikely to have experienced the False Positive. If they have, manually running Live Update will resolve the issue.
Symantec would like to apologise to any customers affected by this false positive for any inconvenience it may have caused.
Best Regards,
Gunnar
Norton Forum Assist Team
Rob Ferrer’s Thoughts and Writings » Famous for a day… | December 18, 2008 | 12:00 pm
[...] quite a lot of reputable websites. Deciding these sites were almost certainly not all compromised, I wrote a post about it, suggesting that it was a [...]
kathy | May 23, 2010 | 7:54 am
Hello, Do you mind if I link to your site? Thanks.