Symantec vs the LastPass Update

A new version of the LastPass toolbar was released late this week, and I dutifully installed it on my systems. During the installation, Symantec warned me that fewer than 5 computers had been seen with this file, so I should install it only if I was sure it was safe. I clicked Allow and continued the install. After the install, winbiostandalone.exe was detected as Suspicious.Cloud.5.

According to Symantec:

Suspicious.Cloud.5 is a detection technology designed to detect entirely new
malware threats without traditional signatures. This technology is aimed at
detecting malicious software that has been intentionally mutated or morphed by
attackers.

So Symantec has become much more aggressive at tagging unknown files as suspicious, and it also uses aggressive heuristics to block files that exhibit “bad” behavior. Symantec suggests that software developers submit their applications and new versions to https://submit.symantec.com/whitelist/isv/. Unfortunately, it looks about as responsive and communicative as submitting to the app store. The form says it will take “a number of weeks” to whitelist software, and you won’t hear back if your request is denied. If your application development includes a Release to Manufacturing period, then you might have time for this delay. When you’re just releasing an update, I can’t imagine waiting on Symantec to whitelist your app. I can’t imagine a true application whitelisting product like Bit9 taking so long.

The file winbiostandalone.exe, according to the LastPass forum thread discussing this issue, is used with the fingerprint reader. So if you don’t use a fingerprint reader with LastPass, you can just ignore this. I submitted the file detection as a false positive, but according to the Symantec forum it is now a 72-hour turnaround for that report.

So what do you do? As an individual, you probably just ignore it. It is not an actual virus. An enterprise SEP admin could add exceptions for the files involved and for the download site. What about other applications? As I roll out SEP 12.1 to more employees, I figure I’ll be seeing a lot more issues like this.
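Before an admin adds an exception for a file that SEP has flagged purely on reputation, it is worth recording exactly which binary is being excused: who signed it, whether the signature is intact, and its SHA-256. The script below is an added example, not code from the original post or from LastPass or Symantec; the install path is an assumption, and the signer check only reports what Windows says about the file so you can decide for yourself.

```powershell
# Added example (not from the original post): before whitelisting a file SEP has
# flagged as Suspicious.Cloud, record who signed it and its SHA-256 so the
# exception or false-positive submission is tied to one exact binary.
# The default path below is an assumption; point it at wherever LastPass put the file.
param(
    [string]$Path = "$env:ProgramFiles\LastPass\winbiostandalone.exe"
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    exit 1
}

# Authenticode status tells you whether the vendor signed the file and whether
# it has been altered since; the hash is what you put in the exception or report.
$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

[pscustomobject]@{
    Path      = $Path
    SHA256    = $hash.Hash
    Status    = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
} | Format-List

# A file that is unsigned or whose signature no longer matches deserves the
# scrutiny Symantec is giving it; only a Valid signature from the vendor you
# expect is a reasonable basis for an exception.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is $($sig.Status); do not whitelist on reputation alone."
}
```

Run it on the flagged file and keep the output with the false-positive submission; if the signer is not the vendor you expect, the reputation warning was doing its job.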

One Comment

  1. It’s good to see them being more aggressive in detection, but it is a pain for organisations with a large number of 3rd-party apps, resulting in mass quarantines! I submitted a ticket for whitelist and after 48 hours I had it resolved; mind you, they asked for more detail, stating they didn’t pick up anything, so I just sent them a copy of the report from the console with an explanation of the product’s job.

    Now I just set the SONAR component to log only until I am sure none of the important apps are being binned (I usually leave it for 1-2 working days). Bit of a pain, but it’s better than the alternative.
