Detected as virus by Symantec

Advertisement

alik
Joined:
Posts:
3
Location:
Home

Detected as virus by Symantec

This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards

winscp2.PNG

winscp1.PNG

Reply with quote

Advertisement

Mr_Generic
Guest

Re: Detected as virus by Symantec

I also saw the same problem.

alik wrote:

This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards

Reply with quote

Guest

Re: Detected as virus by Symantec

5.7.5 also installs "WinSCP.com" but Symantec doesn't complain about it in that version. I'm downgrading to 5.7.5 until this issue is resolved or explained. I recommend everyone else do the same.

Mr_Generic wrote:

I also saw the same problem.

alik wrote:

This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards

Reply with quote

mascotmike
Guest

virus / trojan in winscp.com

With the latest update (this hour) Symantec still insisting it's a virus and quarantining the .com.
Reading the symantec page they claim that this virus targets (among other programs) winscp details. Looks like it's probably being a bit overzealous and detecting the target as the potential threat!

Reply with quote

Advertisement

Harold Bien
Guest

I can confirm this behavior with Symantec Endpoint Protection v12.1.5 build 5337, Virus and Spyware definitions updated 11/7/2015, sequence 151106021, finding "Infostealer.Limitail" in WinSCP.com. Sounds like a false positive and quarantined WinScp.com. However, I can also confirm that on Windows 7 x64 the program _still_works_ despite the quarantine.

Reply with quote

skynet
Guest

Trojan Infostealer.Limitail

Also Known As:
Troj/MSIL-AE [Sophos]
Type:
Trojan
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\Microsoft\SysAudio.exe

Next, it creates the following folder:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Backups

The Trojan then takes screen shots and saves them to the following location:
%UserProfile%\Application Data\Microsoft\Credentials\screen[NUMBER].png

Note: Where [NUMBER] starts at 0 and increments by 1 for each screen shot that is taken.

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Google Updater" = "%UserProfile%\Application Data\Microsoft\SysAudio.exe"

The Trojan also records the following information:
Keystrokes
Title bars of open windows
The stolen information is then sent to the following location in an email format:
limitlessmail.3owl.com/LimitlessEmail.php

Reply with quote

alik
Joined:
Posts:
3
Location:
Home

Thank you for your reply. I can confirm the installer I had was authentic:

PS C:\Users\ali> Get-FileHash C:\Users\ali\Downloads\winscp576setup.exe -Algorithm SHA256

Algorithm Hash Path
--------- ---- ----
SHA256 3607C84AFB9171497EFB2146B262F44274B2840E05EF74AB57F8D4F1B48A55EE C:\Users\ali\Downloads\winscp576setup.exe


I just reran the installer and I am also happy to confirm it is no longer detected as a threat so the issue seems to be fixed.

Others should be able to confirm as well.

Cheers

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
29,034
Location:
Prague, Czechia

The response from Symantec:

In relation to submission:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

07C97FEC5E51675F7957608674AA5EA2 - WinSCP.com


The updated detection(s) will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at https://www.symantec.com/security_response/definitions.jsp

Please note that whitelisting can take up to 24 hours to take effect.

Reply with quote

rardin
Guest

winscp-5.9.4-setup.exe flagged infected by SEP

This seems to have become a problem again with the release of version 5.9.4. Symantec Endpoint Protection 12.1.6 is quarantining winscp-5.9.4-setup.exe and marking it "Infected."

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
29,034
Location:
Prague, Czechia

Re: winscp-5.9.4-setup.exe flagged infected by SEP

rardin wrote:

This seems to have become a problem again with the release of version 5.9.4. Symantec Endpoint Protection 12.1.6 is quarantining winscp-5.9.4-setup.exe and marking it "Infected."
Thanks for your report. Did you report it as a false positive?
_________________
Martin Prikryl

Reply with quote

Advertisement

You can post new topics in this forum