false positive for Heur.AdvML.C

On one out of 4 Windows 10 PCs NS went crazy and started removing numerous files (mostly old items, but a few currently used programs too) declaring them to be infected with the Heur.AdvML.C Heuristic virus. I ran a scan on another PC of one of the exe files it removed and NS said the file was fine.

I had just used the Remove and Reinstall program yesterday because NS was acting "weird" (running all the time).

I'm currently on hold on the phone waiting for tech support.

Labels: Windows 10

Replies

Re: false positive for Heur.AdvML.C

Posting the details from the detection log can sometimes be helpful. (there is usually a copy to clipboard option)

I may be able to get some details with those logs or with a way to download the program that Norton objected to.


Re: false positive for Heur.AdvML.C

Tech support was a waste of time. They say my PC must have a super secret infection that I downloaded and I need to pay them to fix it. They ran NPE and it didn't find anything.

I suspect this problem may be related to this thread: https://community.norton.com/en/comment/7534361#comment-7534361

 


Re: false positive for Heur.AdvML.C

Where do I find that log?


Re: false positive for Heur.AdvML.C

Um, Official Norton Support advised you'd need to pay them to fix it ?


Re: false positive for Heur.AdvML.C

sewing1243:

Where do I find that log?

Right click on Norton and pick "View Recent History". On the new window there is a drop down menu go from "Recent History" to "Resolved .." (you also may check "Unresolved .." or "Quarantine .." for any that are not duplicates)

Once you find the item in question double click on it and there should be a "Copy to Clipboard" option. Click that and paste it in your next post.

sewing1243:

Tech support was a waste of time. They say my PC must have a super secret infection that I downloaded and I need to pay them to fix it. They ran NPE and it didn't find anything.

That makes no sense for tech support (in multiple ways). Post exactly how you got in contact with them. (phone number, web link, anything you have). Something was abnormal there.

I suspect this problem may be related to this thread: https://community.norton.com/en/comment/7534361#comment-7534361

That is a thread about slowness of a computer running Norton; you are reporting an incorrect detection. I don't see the relation.


Re: false positive for Heur.AdvML.C

I am having the same issue.

Filename: swglegends.exe
Threat name: Heur.AdvML.CFull Path: d:\star wars galaxies\swg legends\swglegends(dot)exe

____________________________

____________________________


On computers as of
7/29/2017 at 3:18:32 PM

Last Used
7/29/2017 at 3:18:37 PM

Startup Item
No

Launched
No

Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.


____________________________


swglegends.exe Threat name: Heur.AdvML.C
Locate


Few Users
Hundreds of users in the Norton Community have used this file.

Mature
This file was released 8 months ago.

High
This file risk is high.


____________________________


http:// www . swglegends . com/launcher/SWGLegends(dot)zip
Downloaded File  from swglegends.com
Source: External Media

explorer.exe
 

File Created:
swglegends.exe

____________________________

File Actions

File: d:\star wars galaxies\swg legends\ swglegends(dot)exe Removed
____________________________


File Thumbprint - SHA:
55ba62fdf5ec7a1e289106c034302440edae4a0d63f4c732f64054f4d3feeafe
File Thumbprint - MD5:
cd5ad98c7a59db96dcda832b17861529


Re: false positive for Heur.AdvML.C

>> How to report false positives


File name: SWGLegends.exe
Detection ratio: 1 / 65
Analysis date: 2017-07-28


Re: false positive for Heur.AdvML.C

Yesterday I had the sluggishness described in the thread I posted so I used the Remove and Reinstall tool to see if it would resolve the problem. Today (about the same time as the sluggish problem yesterday) Norton started using resources like crazy again and then it started removing files saying they were all infected with the Heur.AdvML.C virus, probably about 50 files.

There are multiple items: Here is an example of what the 50+ files all say in the quarantine folder:

Filename: midownload.exe
Threat name: Heur.AdvML.CFull Path: c:\users\steve\documents\bedroomtoo documents\bedroomtoo documents\windows crash files\program files\common files\arcsoft\media browser\midownload.exe

____________________________

____________________________


On computers as of
7/29/2017 at 11:33:06 AM

Last Used
7/29/2017 at 11:35:06 AM

Startup Item
No

Launched
No

Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.


____________________________


midownload.exe Threat name: Heur.AdvML.C
Locate


Many Users
Tens of thousands of users in the Norton Community have used this file.

Mature
This file was released 7 years 10 months ago.

High
This file risk is high.

I contacted Tech support through the normal channels using the 800 number supplied on the support website.


Re: false positive for Heur.AdvML.C

I contacted Tech support through the normal channels using the 800 number supplied on the support website.

Norton Support Phone Numbers  1-800-745-6034

Um, are product Settings at Default.   And since running R&R tool.  You've run LiveUpdate several times until no updates found with machine Restart (not Shut down).  Repeat. 

There are multiple items: Here is an example of what the 50+ files all say in the quarantine folder:

 Sounds like bad definition update.   Def needs tweaking?   FWIW


Re: false positive for Heur.AdvML.C

I run live update everyday (manually) on all PCs until it says there are no updates just to make sure they are updated. After new or reinstall of NS I always manually run liveupdate until it says no more updates available.

If it is a bad definition I'm wondering why it's acting up on that PC only? The only thing I can think of that is happening on the PC in question and not on my other 3 PCs is I ran Windows Live Mail on that PC about the same time as the problems and I'm assuming the email scanner was active. So there may be a glitch in the email scanner of the latest version of NS (I have 22.10.0.85 running on all my PCs).


Re: false positive for Heur.AdvML.C

Hmm, head scratch for sure.   Thanks

and head scratch re:

Tech support was a waste of time. They say my PC must have a super secret infection that I downloaded and I need to pay them to fix it.

Would you consider trying Norton Official Support, again.  
What are you doing about 50+ quarantine events?

Lets hear from Community


Re: false positive for Heur.AdvML.C

"Would you consider trying Norton Official Support, again." No, that appears to be a waste of my time. 
"What are you doing about 50+ quarantine events?" I'm going to restore them one at a time and manually scan them...in my "spare" time since I see no way to do it automatically.  Fortunately most of them are old and probably should be tossed anyway.

I just ran a scan across the network from another PC of the folders most of those files came from and NS found no threats.


Re: false positive for Heur.AdvML.C

Fwiw, only contact Norton Support from an official link, never via a Google Search.

http://norton.com/chat

Top right on each forum page.

Windows 10 Home X 64

Re: false positive for Heur.AdvML.C

"Fwiw, only contact Norton Support from an official link, never via a Google Search."

I'm not sure if this is a general statement or intended for me, but in my recent interaction with support I contacted Norton from the support page (https://support.norton.com/sp/en/us/norton-security/current/contact-phon...) and was even given a code to give the representative when they finally answered the phone.


Re: false positive for Heur.AdvML.C

I went to restore all the erroneously deleted files today and they are all gone from the quarantine folder (but older files are still there). So what did NS do with them?


Re: false positive for Heur.AdvML.C

Maybe, erroneous detections were reversed...?  
Maybe, convicted items were exonerated...? 


Re: false positive for Heur.AdvML.C

"Maybe, erroneous detection's were reversed...?  
Maybe, convicted items were exonerated...? "

That appears to be the case but I've yet to find anywhere that fact is the normal/expected operation of Norton Security. It would be nice to have known that is how it works and I wouldn't have had to call tech support (and the person I was dealing with apparently also doesn't know that either).


Re: false positive for Heur.AdvML.C

sewing1243:

"Maybe, erroneous detection's were reversed...?  
Maybe, convicted items were exonerated...? "

That appears to be the case but I've yet to find anywhere that fact is the normal/expected operation of Norton Security. It would be nice to have known that is how it works and I wouldn't have had to call tech support (and the person I was dealing with apparently also doesn't know that either).

Well, FWIW
Symantec reserves the right to ______________________________.   &

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.


Re: false positive for Heur.AdvML.C

I'm having the same problems with this same false positive. I've downloaded files from a reputable website that I am certain is not infected but Norton is removing it and quarantining it. I downloaded the same file on a different PC running the same version of Norton and it reports the file is okay. Then when I transfer that claim file from the other PC to my main PC, Norton is rejecting it and quarantining.


Re: false positive for Heur.AdvML.C

I downloaded the same file on a different PC running the same version of Norton and it reports the file is okay.

Curious, are Norton settings at default or the same on both machines?

>> How to report false positives

For second opinion choose File &/or Search hash at VirusTotal


For more information > from Norton pop-up > More Details > Copy to Clipboard and/or from Norton history > More Options > Copy to Clipboard > paste.


Restore an item from Quarantine
https://support.norton.com/sp/en/us/home/current/solutions/v6200368

My Norton product alerts that the file I downloaded is not safe, and deletes it
https://support.norton.com/sp/en/us/home/current/solutions/v80629965

My Norton product incorrectly alerts that a file is infected, or a program or website is suspicious
https://support.norton.com/sp/en/us/home/current/solutions/kb20100222230832

Add items to the Signature Exclusions
https://support.norton.com/sp/en/us/home/current/solutions/v54298598

Turn off or turn on Download Intelligence
https://support.norton.com/sp/en/us/norton-security/current/solutions/v23920640

Thanks

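An added example, not part of the original thread and not Norton's code: Python that parses detection details pasted in the layout shown in the posts above and checks whether a local copy of a file has the same thumbprint, so that a second-opinion hash lookup concerns the same bytes that were flagged. The field labels come from the pasted logs; treating the 64-digit "SHA" value as SHA-256 is an assumption, and the sample log and file are constructed.

```python
import hashlib
import os
import re
import tempfile

PATTERNS = {
    "filename": r"Filename:\s*(.+)",
    # "Threat name" and "Full Path" are fused on one line in the pasted text.
    "threat": r"Threat name:\s*(.+?)\s*(?:Full Path:|$)",
    "path": r"Full Path:\s*(.+)",
    "sha256": r"File Thumbprint - SHA:\s*([0-9a-fA-F]{64})",  # assumed SHA-256
}

def parse_detection(text):
    """Return the fields found in pasted detection details (missing -> None)."""
    record = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        # Posters defang names as "example(dot)exe"; undo that (no-op elsewhere).
        record[key] = m.group(1).strip().replace("(dot)", ".") if m else None
    return record

def sha256_of(path):
    """Hash a file in chunks so large executables are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare(path, record):
    """'match', 'mismatch' or 'no-thumbprint' for a local copy vs. the log."""
    if not record.get("sha256"):
        return "no-thumbprint"
    return "match" if sha256_of(path) == record["sha256"].lower() else "mismatch"

def demo():
    """Constructed sample: a temp file and a log built in the thread's layout."""
    data = b"constructed sample bytes, not a real executable"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    log = ("Filename: example(dot)exe\n"
           "Threat name: Heur.AdvML.CFull Path: c:\\temp\\example(dot)exe\n"
           "File Thumbprint - SHA:\n" + hashlib.sha256(data).hexdigest() + "\n")
    record = parse_detection(log)
    same = compare(tmp.name, record)
    with open(tmp.name, "ab") as fh:
        fh.write(b"!")  # one changed byte makes it a different file
    changed = compare(tmp.name, record)
    os.unlink(tmp.name)
    return record, same, changed

if __name__ == "__main__":
    print(demo())
```

A "mismatch" means the copy being checked is not the file the detection refers to, so a clean result for it says nothing about the flagged one.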

Re: false positive for Heur.AdvML.C

@sewing1243, I wonder if those false positives happened automatically while the software was being removed and reinstalled, or if you ran a manual or scheduled scan after the reinstalling was finished.  

Thanks,

Qichao


Re: false positive for Heur.AdvML.C

BTW, if someone asks you to pay money to fix an issue, this guy must be a FAKE Norton tech support.   


Re: false positive for Heur.AdvML.C

The same issue happens for the application "Internet Download Manager". I have tried many antivirus programs, but only Norton says it is infected and removes it. It says that Adware "Heur.AdvML.C" is found and removes the file. I have contacted IDM and they said that they are having issues regarding Norton as it identifies the program as an infection.

This is a false positive and I highly recommend that Norton fixes this issue or checks these applications. I have contacted Tech support and others have mentioned they asked me to pay around 200$.

I have attached the screenshot of the message. Finally I have to exclude the file from scan.

NOTE : This started After I reinstalled the application. The setup is not infected as I used the same setup to install in another system running "Norton Internet Security"


Re: false positive for Heur.AdvML.C

Arean82:  This is a false positive and I highly recommend that Norton fixes this issue or checks these applications. I have contacted Tech support and others have mentioned they asked me to pay around 200$.

Please review >> How to report false positives 

Please post contact information / link for the Tech support that you contacted.
Thanks



Is this the Item that Norton flagged.

File name: idman628build17.exe
Detection ratio: 0 / 64
Analysis date: 2017-08-06

For more information re this event > from Norton pop-up > More Details > Copy to Clipboard and/or from Norton history > More Options > Copy to Clipboard > paste here.

For second opinion choose File &/or Search hash at VirusTotal

Thanks


Re: false positive for Heur.AdvML.C

Clarification on Paying for removal:

Unless the Norton website had been hacked I was talking to Norton Tech support on a number provided by that website. The customer service rep, after not being able to find the problem, told me I would have to contact "Premium Services" (which is a fee based service: https://us.norton.com/ultimate-help-desk-monthly) for help removing the unknown virus that had "obviously" infected my PC.


Re: false positive for Heur.AdvML.C

Chat with Official Norton Support  ask for VPP team > Support will work with you to diagnose and remove malware. What is Norton Virus Protection Promise

Note1: Enroll in Automatic Renewal before reaching out to Official Norton Support.
Norton requires user is enrolled in Automatic Renewal for VPP team to provide free malware remediation under Virus Protection Promise.  
Note2: User may enroll or cancel Automatic Renewal & remove payment info at anytime.

Update Norton account settings > https://support.norton.com/current/solutions/v52531049


Re: false positive for Heur.AdvML.C

sewing1243:

Clarification on Paying for removal:

Unless the Norton website had been hacked I was talking to Norton Tech support on a number provided by that website. The customer service rep, after not being able to find the problem, told me I would have to contact "Premium Services" (which is a fee based service: https://us.norton.com/ultimate-help-desk-monthly) for help removing the unknown virus that had "obviously" infected my PC.

Thanks.   I suspected that's what happened even though Norton staff Reply to my query:  "Does Official Norton Support solicit payment for "fix".

Hi @bjm_ - absolutely not. The Virus Protection promise covers all NS or legacy products with the exception of NAV lite, so the customer would not have been asked for payment. The conversation details sound like a support imposter to me.

from my recent Support session inquiry: 

User:  Every user with current subscription should have access to free simple & free advanced malware removal help.
Support:  Yes you do have access on it, User name.
Support:  We call this Norton Power Eraser, this is free simple & free advanced malware removal help.
[...]
Support:  I understand your concern, User name. If Norton Power Eraser cannot remove a threat on your computer, it will advise you to contact us and you can for the meantime, enable automatic renewal on your Norton so we can transfer you to our VPP Department for free and once done, you can disable it on your Norton Account again.

Since, the Norton Community has a history of dissuading use of NPE.  IDK


Re: false positive for Heur.AdvML.C

T&C's for VPP: https://us.norton.com/nortonservices/guarantee/protection-promise

I'm doing some additional research on whether you actually need to be enrolled in AR to receive the benefit, as I have seen contradictory information on that point, as well as researching some of the templates on VPP that our agents use. 

Matt


Re: false positive for Heur.AdvML.C

matt_phillips:

I'm doing some additional research on whether you actually need to be enrolled in AR to receive the benefit, as I have seen contradictory information on that point, as well as researching some of the templates on VPP that our agents use.
Matt

what progress ? 


Re: false positive for Heur.AdvML.C

Just in case anybody is still worried that it's actually their files that are infected, they're not, trust me!

I just had risingstorm2.exe removed for being infected with Heur.AdvML.C! 

Filename: risingstorm2.exe
Threat name: Heur.AdvML.CFull Path: c:\program files (x86)\steam\steamapps\common\rising storm 2\binaries\win64\risingstorm2.exe

Ya, you read that right this is from Steam, unless some 20 hacking masterminds managed to hack Steam, then you can sleep easy knowing you're not infected


Re: false positive for Heur.AdvML.C

Just in case anybody is still worried that it's actually their files that are infected, they're not, trust me!

I just had risingstorm2.exe removed for being infected with Heur.AdvML.C! 

Filename: risingstorm2.exe
Threat name: Heur.AdvML.CFull Path: c:\program files (x86)\steam\steamapps\common\rising storm 2\binaries\win64\risingstorm2.exe

Ya, you read that right this is from Steam, unless some 20 hacking masterminds managed to hack Steam, then you can sleep easy knowing you're not infected

User with no account and no name...

If you have a detection posting the details from "copy to clipboard" will contain the file identifier and allow some other forum users to investigate the file on their own.

This thread is closed from further comment. Please visit the forum to start a new thread.