Detected as virus by Symantec

This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards

I also saw the same problem.

alik wrote:

This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards

5.7.5 also installs "WinSCP.com" but Symantec doesn't complain about it in that version. I'm downgrading to 5.7.5 until this issue is resolved or explained. I recommend everyone else do the same.

Mr_Generic wrote:

I also saw the same problem.

alik wrote:

This is more of an FYI as I am not sure if there is anything that can be done besides contacting Symantec...

Detected as: Infostealer.Limitail
OS: Win 10 PRO 64bit
Anti virus: Symantec Endpoint Protection Small Business Edition

Please see 2 screenshots attached.

This was after updating to 5.7.6 last night. Detected as virus today.

Thank you for the great software.

Kind regards

I too have got the Symantec alert and have reverted to 5.7.5

With the latest update (this hour) Symantec still insisting it's a virus and quarantining the .com.
Reading the symantec page they claim that this virus targets (among other programs) winscp details. Looks like it's probably being a bit overzealous and detecting the target as the potential threat!

I can confirm this behavior with Symantec Endpoint Protection v12.1.5 build 5337, Virus and Spyware definitions updated 11/7/2015, sequence 151106021, finding "Infostealer.Limitail" in WinSCP.com. Sounds like a false positive and quarantined WinScp.com. However, I can also confirm that on Windows 7 x64 the program _still_works_ despite the quarantine.

Also Known As:
Troj/MSIL-AE [Sophos]
Type:
Trojan
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\Microsoft\SysAudio.exe

Next, it creates the following folder:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Backups

The Trojan then takes screen shots and saves them to the following location:
%UserProfile%\Application Data\Microsoft\Credentials\screen[NUMBER].png

Note: Where [NUMBER] starts at 0 and increments by 1 for each screen shot that is taken.

Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Google Updater" = "%UserProfile%\Application Data\Microsoft\SysAudio.exe"

The Trojan also records the following information:
Keystrokes
Title bars of open windows
The stolen information is then sent to the following location in an email format:
limitlessmail.3owl.com/LimitlessEmail.php

Thanks for your report. I have submitted a false positive report to Symantec.

Did you verify checksums of the downloaded file?
https://winscp.net/download/winscp576readme.txt

See also https://winscp.net/tracker/530

Thank you for your reply. I can confirm the installer I had was authentic:

PS C:\Users\ali> Get-FileHash C:\Users\ali\Downloads\winscp576setup.exe -Algorithm SHA256

Algorithm Hash Path
--------- ---- ----
SHA256 3607C84AFB9171497EFB2146B262F44274B2840E05EF74AB57F8D4F1B48A55EE C:\Users\ali\Downloads\winscp576setup.exe


I just reran the installer and I am also happy to confirm it is no longer detected as a threat so the issue seems to be fixed.

Others should be able to confirm as well.

Cheers

The response from Symantec:

In relation to submission:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

07C97FEC5E51675F7957608674AA5EA2 - WinSCP.com


The updated detection(s) will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at https://www.broadcom.com/support/security-center/definitions

Please note that whitelisting can take up to 24 hours to take effect.

This seems to have become a problem again with the release of version 5.9.4. Symantec Endpoint Protection 12.1.6 is quarantining winscp-5.9.4-setup.exe and marking it "Infected."

rardin wrote:

This seems to have become a problem again with the release of version 5.9.4. Symantec Endpoint Protection 12.1.6 is quarantining winscp-5.9.4-setup.exe and marking it "Infected."

Thanks for your report. Did you report it as a false positive?