Comments on: “HTTP Acrobat PDF Suspicious File Download” – False Positives?

By: kathy

kathy — Sun, 23 May 2010 07:54:40 +0000

Hello, Do you mind if I link to your site? Thanks.

By: Rob Ferrer’s Thoughts and Writings » Famous for a day…

Rob Ferrer’s Thoughts and Writings » Famous for a day… — Thu, 18 Dec 2008 12:00:49 +0000

[...] quite a lot of reputable websites. Deciding these sites were almost certainly not all compromised, I wrote a post about it, suggesting that it was a [...]

By: Gunnar

Gunnar — Fri, 12 Dec 2008 11:45:06 +0000

Hi all,

My name is Gunnar and I am working for an external European Symantec-Support-Team. I am sorry to hear that you have experienced some problems caused by the False Positive condition. As Mike mentioned in his post above, the new update has corrected it, but I would still like to present you with the official statement from Symantec:

On December 10, Symantec posted a modification to an IPS signature that caused a False Positive condition with our customers. Customers may have experienced a virus warning or in some cases, partial loading of Web pages. The signature was released to all consumer products. On the enterprise side, only Symantec Client Security was impacted.

The specific signature at fault was the “HTTP Acrobat PDF Suspicious File Download” signature. This signature was triggered by generic JavaScript, which is used on certain Web sites. The signature was released around 1 a.m. PT on Wednesday, December 10. The signature was corrected and made available to Symantec customers at approximately 10 a.m. PT, 9 hours after the initial release.

Because the majority of our consumers receive updates automatically, they will already have been updated with the corrected signature. Any consumer customer that does not automatically download signatures, is unlikely to have experienced the False Positive. If they have, manually running Live Update will resolve the issue.

Symantec would like to apologise to any customers affected by this false positive for any inconvenience it may have caused.

Best Regards,
Gunnar
Norton Forum Assist Team

By: Stuckinit

Stuckinit — Thu, 11 Dec 2008 13:39:06 +0000

Well done rob with the post I think you helped create action hope you got lots of hits

By: Rob

Rob — Thu, 11 Dec 2008 08:48:56 +0000

Yep, got in to the office this morning and it’s all working ok.

If anyone is stil;l getting the problem after doing a live update, let us know.

By: Mike

Mike — Thu, 11 Dec 2008 08:46:13 +0000

Looks like today’s update had fixed it !!! At least Symantec fixed it within 24 hours. Mind you, I think someone in their shop should check why a rep. tried to charge one of your bloggers $175 to troublehsoot !!!???

By: Gotan

Gotan — Thu, 11 Dec 2008 00:32:35 +0000

Hallo Boys and girls

Just update it to Norton internet security 2009 and the problem is fixed! Look under product updates…

http://www.symantec.com/norton/downloads/index.jsp

By: Craigmed

Craigmed — Wed, 10 Dec 2008 22:05:53 +0000

This is apparently affecting all computers with Norton AV (any version) with worm protection enabled. Live update does not solve the problem as of 12/10 2:00 PM Pacific time, Temporary fix is to go to AV settings, Worm protection, configure, find the entry “HTTP Acrobat PDF and uncheck the box. This will eliminate the warning messages until Norton can provide a fix through live update. This problem was caused by the last Norton AV update issued within the last 12 hours. We do not believe it is related to any other source ( example: last Microsoft security updates)

By: CelticLady

CelticLady — Wed, 10 Dec 2008 20:29:33 +0000

I’ve been getting this all day too on various Ning sites (chat) and mySpace (3rd apps) – I checked out Norton and it said it wasn’t a false positive – but – hopefully whether it is or is not a threat they will remedy it. I’ve done the Norton LiveUpdate and it continues to happen. Very strang doings today

By: Alon Cohen

Alon Cohen — Wed, 10 Dec 2008 20:26:28 +0000

I ran across the same problem this morning when accessing my blog admin area (thought my site was hacked).

Ran the live update a few minutes ago and that fixed it.

-Alon