SAV false positive in blindman.exe

Symantec Antivirus (SAV) is detecting a component of Spybot Search and Destroy as a Trojan Horse. This detection seems to have occurred in the latest AV definition updates (5/30). The file in blindman.exe.
According to the Safer Networking site, this file does nothing. It is used to prevent boot delay caused by their method of disabling unwanted autorrun items.
**update** – Symantec has announced that they will be releasing an update to fix this false positive this evening. Its already available in Rapid Release if you need that now.


  1. Hey, it would be nice if you linked to the Symantec accouncement. You are the only place I can find this information on the web. I can find no reference to this @ symantec at all. I sure WANT to believe you but can you attribute your sources?

  2. Symantec’s announcement came in an email. Not sure which subscription this is, it looks like a release notification email:
    —–Original Message—–
    From: [email protected] [mailto:[email protected]]
    Sent: Wednesday, May 30, 2007 9:12 PM
    To: [email protected]
    Subject: Symantec Security Response will post LiveUpdate virus definitions today, May 30, 2007 PDT
    This posting is in response to a false positive detection on the file
    blindman.exe, part of the Spybot Search & Destroy application. This FP was
    first released in the 5/30/2007 rev.20 Intelligent Updater and LiveUpdate
    definitions, and was corrected from Rapid Release definitions #69173. An
    additional message will be sent approximately 30 minutes before the
    LiveUpdate virus definitions are available for download.
    For additional information, visit our website at
    The SANS Internet Storm Center has now posted about this issue as well.

Comments are closed.