ALARM Group ALERT - ALARM, The Computing Alert System
Alert Number: 053107-01
Alert Date: 05/31/07
Alert Title: Symantec AntiVirus false positive for SpyBot file
Update-to: None
OS/Platform/Application: Systems running Symantec AntiVirus and SpyBot - Search & Destroy
Category: ALERT
Severity: LOW
Attention: System Administrators/Users, Desktop Support Personnel
Summary: The Symantec AntiVirus definitions update released on May 30 2007 is apparently misidentifying blindman.exe (a harmless file installed by default on systems running the popular anti-spyware program SpyBot - Search & Destroy) as a 'trojan horse' virus file. As a result of this false positive, users running both Symantec AntiVirus and SpyBot - Search & Destroy may see a notification message on their screens similar to the one below:
Scan type: Scheduled Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\Program Files\Spybot - Search & Destroy\blindman.exe
Location: Quarantine
Computer: XXXX-XXXXXX
User: XXXXXX
Action taken: Clean failed : Quarantine succeeded :
Date found: Thu May 31 01:07:14 2007
Recommended Actions: According to various Internet Security agencies, this false positive can be safely ignored. Symantec has announced that it will provide a hotfix for this issue shortly. Users with auto-update should receive the fix automatically when Symantec makes it available; users who load definitions manually are encouraged to check for updates frequently.
ITS Actions: N/A
Resources:
Infosecblog entry on SAV false positive:
http://www.infosecblog.org/2007/05/sav_false_positive_in_blindman.html