Topic "Detected as virus by Symantec"

alik

Joined: 2015-11-07
Posts: 3
Location: Home
This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards
Attachments: winscp2.PNG (16.84 KB), winscp1.PNG (34.84 KB)
Mr_Generic

Guest


I also saw the same problem.

alik wrote:
This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards
Guest




5.7.5 also installs "WinSCP.com" but Symantec doesn't complain about it in that version. I'm downgrading to 5.7.5 until this issue is resolved or explained. I recommend everyone else do the same.

Mr_Generic wrote:
I also saw the same problem.

alik wrote:
This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards
Waqar

Guest


I too have got the Symantec alert and have reverted to 5.7.5.
mascotmike

Guest


With the latest update (this hour) Symantec is still insisting it's a virus and quarantining the .com.
Reading the Symantec page, they claim that this virus targets (among other programs) WinSCP details. Looks like it's probably being a bit overzealous and detecting the target as the potential threat!
Harold Bien

Guest


I can confirm this behavior with Symantec Endpoint Protection v12.1.5 build 5337, Virus and Spyware definitions updated 11/7/2015, sequence 151106021, finding "Infostealer.Limitail" in WinSCP.com. Sounds like a false positive and quarantined WinSCP.com. However, I can also confirm that on Windows 7 x64 the program _still_works_ despite the quarantine.
skynet

Guest


Also Known As: Troj/MSIL-AE [Sophos]
Type: Trojan
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\Microsoft\SysAudio.exe

Next, it creates the following folder:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Backups

The Trojan then takes screen shots and saves them to the following location:
%UserProfile%\Application Data\Microsoft\Credentials\screen[NUMBER].png

Note: Where [NUMBER] starts at 0 and increments by 1 for each screen shot that is taken.

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Google Updater" = "%UserProfile%\Application Data\Microsoft\SysAudio.exe"

The Trojan also records the following information:
Keystrokes
Title bars of open windows
The stolen information is then sent to the following location in an email format:
limitlessmail.3owl.com/LimitlessEmail.php
martin
Site Admin
Joined: 2002-12-10
Posts: 24555
Location: Prague, Czechia
Thanks for your report. I have submitted a false positive report to Symantec.

Did you verify checksums of the downloaded file?
https://winscp.net/download/winscp576readme.txt

See also http://winscp.net/tracker/show_bug.cgi?id=530
alik

Joined: 2015-11-07
Posts: 3
Location: Home
Thank you for your reply. I can confirm the installer I had was authentic:

PS C:\Users\ali> Get-FileHash C:\Users\ali\Downloads\winscp576setup.exe -Algorithm SHA256

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          3607C84AFB9171497EFB2146B262F44274B2840E05EF74AB57F8D4F1B48A55EE       C:\Users\ali\Downloads\winscp576setup.exe


I just reran the installer and I am also happy to confirm it is no longer detected as a threat so the issue seems to be fixed.

Others should be able to confirm as well.

Cheers
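
The checksum check discussed above, written out as an added example (not part of the original posts and not WinSCP's own code): it compares the computed hash with the value published by the vendor and also reports the file's Authenticode signature status. The function name Test-DownloadIntegrity and the placeholder expected hash are assumptions for illustration.

```powershell
# Added example: triage a flagged download by comparing its hash with the
# vendor-published value and reporting its Authenticode signature status.
function Test-DownloadIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Checksum copied from the vendor's readme or download page.
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('SHA256', 'SHA1', 'MD5')] [string] $Algorithm = 'SHA256'
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Normalise the published value: drop spaces and dashes, ignore case.
    $expected = ($ExpectedHash -replace '[\s-]', '').ToUpperInvariant()
    $hexLength = @{ SHA256 = 64; SHA1 = 40; MD5 = 32 }[$Algorithm]
    if ($expected -notmatch "^[0-9A-F]{$hexLength}$") {
        throw "ExpectedHash is not a valid $Algorithm hex digest."
    }

    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm $Algorithm).Hash

    # The signature is a second, independent signal. An unsigned file is
    # reported as 'NotSigned' rather than treated as an error here.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path            = $file.FullName
        Algorithm       = $Algorithm
        ActualHash      = $actual
        HashMatches     = ($actual -eq $expected)
        SignatureStatus = $sig.Status
        Signer          = $signer
    }
}

# Usage with the installer path from the post above. The expected value is a
# placeholder: take it from the vendor's readme, not from the file itself.
# Test-DownloadIntegrity -Path C:\Users\ali\Downloads\winscp576setup.exe `
#     -ExpectedHash '<SHA-256 from winscp576readme.txt>'
```

A matching hash shows the file is the one the vendor published; it says nothing about why an antivirus engine flagged it, which is why the false positive report to the vendor is still needed.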
martin
Site Admin
Joined: 2002-12-10
Posts: 24555
Location: Prague, Czechia
The response from Symantec:

Quote:
In relation to submission:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

07C97FEC5E51675F7957608674AA5EA2 - WinSCP.com


The updated detection(s) will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at https://www.symantec.com/security_response/definitions.jsp

Please note that whitelisting can take up to 24 hours to take effect.