« Quicktime 7.1.6.200 | Main | WiFiEnum »

SAV false positive in blindman.exe

Symantec Antivirus (SAV) is detecting a component of Spybot Search and Destroy as a Trojan Horse. This detection seems to have occurred in the latest AV definition updates (5/30). The file in blindman.exe.

According to the Safer Networking site, this file does nothing. It is used to prevent boot delay caused by their method of disabling unwanted autorrun items.

**update** - Symantec has announced that they will be releasing an update to fix this false positive this evening. Its already available in Rapid Release if you need that now.

Posted by Roger on May 30, 2007 6:42 PM |

TrackBack

TrackBack URL for this entry:
http://www.infosecblog.org/mt-tb20070714.pl/528

Comments

Hey, it would be nice if you linked to the Symantec accouncement. You are the only place I can find this information on the web. I can find no reference to this @ symantec at all. I sure WANT to believe you but can you attribute your sources?

Posted by Robert on May 31, 2007

Symantec's announcement came in an email. Not sure which subscription this is, it looks like a release notification email:

-----Original Message-----
From: symalert@symantec.com [mailto:symalert@symantec.com]
Sent: Wednesday, May 30, 2007 9:12 PM
To: xxxxxx@xxxxxxxxxx
Subject: Symantec Security Response will post LiveUpdate virus definitions today, May 30, 2007 PDT

This posting is in response to a false positive detection on the file
blindman.exe, part of the Spybot Search & Destroy application. This FP was
first released in the 5/30/2007 rev.20 Intelligent Updater and LiveUpdate
definitions, and was corrected from Rapid Release definitions #69173. An
additional message will be sent approximately 30 minutes before the
LiveUpdate virus definitions are available for download.

----------
For additional information, visit our website at
http://securityresponse.symantec.com

The SANS Internet Storm Center has now posted about this issue as well.
http://isc.sans.org/diary.html?storyid=2897

Posted by Roger on May 31, 2007

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)