Symantec False Positive

If you’ve got Symantec Antivirus and you’ve got Webroot Spysweeper, then you have probably seen a Backdoor.Graybird detection today. This is a false positive. The files typically detected are in the temp directory and named mc21.tmp or mc22.tmp in my experience.
I have called Symantec support; the next set of virus defs released should solve this problem. The current set of Rapid Release defs does fix this, but I’d rather wait for “certified” definitions.


  1. Interesting read, and my symptoms match all of the above – Symantec Anti-Virus (Corp Ed. v9.0.3), Webroot Spysweeper, and detections of the mc21.tmp file.
    Do you have any other documentation to support this claim?

  2. My information was from a thread at dslreports (aka as well as a conversation with Symantec support.
    Symantec also later sent an email at 4:50 pm on Friday. I am not aware if that is only to platinum customers or not. They stated “Symantec Security Response will post LiveUpdate virus definitions today, September 16, 2005. This posting is to correct a false positive with Backdoor.Graybird”

  3. Would you mind forwarding that e-mail to me?
    I would like to show the boss to put his mind at ease.
    Thanks a bunch.

  4. I had a problem with my Symantec Antivirus v9 detecting and then deleting mc22.tmp. I had this happen several times a few months ago and then it was no longer detected. I was not able to find the listed registry changes. I updated to v10 recently. While I updated a couple of months ago, the new version keeps detecting and then deleting the file identified as Backdoor.Graybird. Is this a false positive?

  5. I just bought Symantec Norton Antivirus 2006 right after Christmas 2005 and I’m getting that backdoor.graybird FP. First I racked my brain trying to find the files to remove the virus according to Symantec’s website. If it’s a fp why don’t they say so instead of sending people on a wild goose chase? I emailed them and they sent me back an email that said “we don’t offer email support to remove viruses but for a nominal fee of $69.95 we will help you to remove the virus with no guarantees”! What a SCAM!
    I just bought this copy of Norton Antivirus a week ago for $40 and now they want more money?
    So here it is months since these initial posts of the problem and they still haven’t fixed this problem on their latest release? What is the deal with them?

  6. Sorry about the late posting of this comment. It was placed in the junk file by an overzealous spam filter. I am posting Shawn’s comment today.
    Webroot released the following information:
    Symantec False Positive:
    The definition files released by Symantec (rev 7) on January 1, 2006 are incorrectly detecting MC***.tmp files created by the Spy Sweeper Enterprise client as Backdoor.Graybird. Symantec was notified of this False Positive and they created Rapid Release definitions to resolve this issue. If you are seeing this behavior, you can download the Definition File (rev 18) that corrects this from Symantec’s public FTP site.
    The certified definitions that Symantec will release on January 3, 2006 will also contain this fix.
