Kudos0

Heur.AdvML.B detected-false positive or not?

Hello,

I am a user of Windows XP Professional SP3 as well as of Norton Security (Standard) 22.7.0.76... Recently, I had left my laptop idle for a couple of hours and when I was back, Norton alerted me that it had detected and fixed threats... I checked security history and there were 141 (yes, a hundred and forty-one) of them! All of them were named as Heur.AdvML.B, which I find a bit weird...

Of course, it is quite possible but these files that were quarantined were mostly driver installation files which I might need in the future, along with some files in the Windows directory...

Since these files may be critical and might be needed sometime or the other, and I believe that these files may be clean (some of the quarantined files include very common ones like wordpad.exe), I submitted one of them as a possible false positive (wordpad.exe), but Symantec says the detection cannot be revoked since the file is bad/infected...

I have uploaded one of the detected files to VirusTotal, and most other well-known security software, like Bitdefender, Kaspersky and Trend Micro, just to name a few, did not classify that file as a threat; only Norton and some other ones like AVG and Avast (which I do not trust much) did...

Yes, I do not challenge Symantec's statement and I am sure that the required analysis has been carried out well... However, since these files have been on my laptop since I installed Norton (in 2011) and they were not detected till today, plus they are critical (at least I believe so, and please tell me if they could be replaced) and all of them are classified as infected by the same threat, I believe this might be an error... Yes, there is the possibility that they were infected recently, but then any files downloaded are scanned by Download Insight, plus I run full system scans at least once a fortnight, so that is quite difficult to be true...

So, could this really be an error (false positive) or is it not? Moreover, what could be done, other than simply excluding these files?

Thanks

jabhay

Replies

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello jabhay

This sounds very unusual. I will try to get some help now. Dave, can you do anything to help this customer? 141 files quarantined for the same virus: drivers, system files.

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos2 Stats

Re: Heur.AdvML.B detected-false positive or not?

Hi jabhay,

Heur.AdvML.B is a new technology to detect malicious files.

Could you please submit all the files via https://submit.symantec.com/false_positive/ and send me back the ticket number? I can quickly look at what happened and resolve the problem if they're real false positives.

Thanks,

Qichao

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Same issue.

JohnOzuk:  The tracking number for your submission is: 3971077, please reference this tracking number in any further correspondence on this issue.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Personally, the new engine could cause your trouble here... Good luck... :0

PUP Hunter PRO: Just TRYING to save the world (U) from cyber threats, A single blog post, at a time, and ONCE & FOR ALL. (A fan of Nadia_Kovacs)
Kudos2 Stats

Re: Heur.AdvML.B detected-false positive or not?

Appears Norton agrees mine was a false positive

In relation to submission [3971077].

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

Filename: razoapi8.dll
MD5: B480EB15863635BBBAEE4C17DE8B2117
SHA256: 2080408B68634716424417F946B32FFF3563BE654B1C1D2FD0DFDEFC6D6C5372
Result: Whitelisting for above file is taking effect from now on.

Kudos0
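The whitelisting notice above identifies the cleared file by its MD5 and SHA-256 rather than by name, which is the right way to confirm that a file restored from quarantine is exactly the one Symantec reviewed and not a same-named variant. As an added example (not code from the thread or from Norton), the following Python script hashes a file and compares both digests against the values quoted in the notice; the sample file written in the `__main__` block is constructed here and will not match, which is the expected outcome for anything other than the reviewed DLL.

```python
import hashlib
import os
import tempfile

# Digests copied from the whitelisting notice in the thread above.
WHITELISTED = {
    "razoapi8.dll": {
        "md5": "B480EB15863635BBBAEE4C17DE8B2117",
        "sha256": "2080408B68634716424417F946B32FFF3563BE654B1C1D2FD0DFDEFC6D6C5372",
    },
}


def digest_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of an in-memory blob, upper-case hex like the notice."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through both hashes so large DLLs are not loaded whole."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest().upper(), "sha256": sha256.hexdigest().upper()}


def matches_whitelist(filename: str, digests: dict) -> bool:
    """True only if BOTH digests equal the whitelisted entry for this file name.

    Both are required: the filename alone proves nothing, and MD5 on its own is
    the weaker of the two, so a file whose SHA-256 differs is a different file.
    """
    entry = WHITELISTED.get(os.path.basename(filename).lower())
    if entry is None:
        return False
    return all(entry[k] == digests[k].upper() for k in ("md5", "sha256"))


def check_restored_file(path: str) -> tuple:
    """Hash a file on disk and report whether it matches the whitelisted digests."""
    digests = digest_file(path)
    return matches_whitelist(path, digests), digests


if __name__ == "__main__":
    # Constructed sample: a fake "razoapi8.dll" with made-up contents, so it
    # will NOT match the notice. Hypothetical data, not the real DLL.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "razoapi8.dll")
        with open(sample, "wb") as fh:
            fh.write(b"MZ constructed sample, not the real file\n")
        ok, d = check_restored_file(sample)
        print(f"{sample}: whitelisted={ok} md5={d['md5']} sha256={d['sha256']}")
```

Run it against the actual restored path instead of the temporary sample; a `False` result for a file that carries the whitelisted name means the copy on disk is not the one that was cleared and should go back through the submission form rather than be excluded.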

Re: Heur.AdvML.B detected-false positive or not?

@jabhay - We'd still like to get your files.  Could you submit them via https://submit.symantec.com/false_positive/ and reply back with the tracking number? 

@JohnOzuk - Thank you for your submission. 

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

@dave_coleman

Norton just silently restored erroneously quarantined DLLs (from this issue)... Was that as designed? Not necessarily what I might have wanted. What if I had replaced files?

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello,

First of all, please accept my apologies for replying so late. I had quite forgotten about this issue, but now that I have gone through the replies, I will certainly submit those files via the link provided by Dave_Coleman and let you know the tracking number...

However, please give me some time to do so. Since all the files are scattered, it will take me a bit of time to make a list of all of them and submit them (after archiving them so that I can simply upload the zip file)... Will try to do so as soon as possible...

Thanks to all for the quick replies!

jabhay

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

@jabhay - We appreciate it.  Cheers! 

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello,

Since I had restored the files from quarantine earlier, I have scanned my machine again (after making sure that I had cleared the exclusions) and this time, only 136 of them were detected as threats instead of the earlier 141... Have submitted them anyway in a '.zip' file...

Tracking number is: 3972444

Thanks

jabhay

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hi Jabhay, I've heard back from the team concerning 397244, and they said, "We have determined these files are True Positive, his files have been infected." That's all I know. I hope that answers your concern. If you need help cleaning your system, you can contact Norton Support. This site may be beneficial to you: Norton Virus Protection Promise.   --Dave

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

I'm running Windows 7 64 Professional. This supposed virus, Heur.AdvML.B, immediately deletes my applications when I compile my software. I don't write viruses. I write industrial software and I'm extremely tired of having to waste my time trying to convince my customers that Norton and Avast antivirus are dumb programs that lack the capability of actually detecting a virus, so they discriminate based on facts that have nothing to do with a virus. First it was the *LAME* Win32.evo-gen virus that deleted all of my applications from my computer. For the amount of money that Norton charges for the antivirus software, I would think that Norton would test the antivirus software before releasing it to needlessly delete the user's files. If you sense irritation then your perception is far better than your antivirus software.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello RFB

You may be interested in having your programs whitelisted by Norton. You can use this link.

https://submit.symantec.com/whitelist/isv/ 

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Once a week, or more often, Heur.AdvML.B gets quarantined on my Windows 10, 64b laptop. It usually happens when I am typing an email or in Word, or scrolling a web page. Now when these activities are interrupted or I lose the web page, or the page scrolls up and down by itself, I know it is the Heur virus. Then I get the Norton message that they are working on it, followed by the Quarantine message (about 24 this year). In my case, I know that anytime Heur is lurking around, I can hardly finish what I am doing. Once Heur is quarantined, it is easier to complete my tasks. Can an expert opine on this, please? I am not as experienced as others are, so I would not know enough to even question the false positive, since there is definitely a connection between Heur and laptop malfunctioning. Thanks for your help.

Kudos1 Stats

Re: Heur.AdvML.B detected-false positive or not?

If it keeps coming back, there must be something a little deeper than what is being removed by Norton.

I would suggest you sign up at one of the free Malware Removal sites below. Do not try to do anything on your own as it could make things harder for the Malware Removal expert at that site to help you. Choose one and stay there until your system is clean.

http://www.bleepingcomputer.com/
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://forums.whatthetech.com/
http://qmalwareremoval.freeforums.net/

Things happen. Export/Backup your Norton Password Manager data.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Thank you very much for the quick reply and options provided. I clicked on the first link and it took me to Myturbopc_ (Malware removal tool). While it found System issues; Privacy items, and numerous junk files, under "Malwares" it found nothing. I aborted the removal since the latter was the most important issue. Also, at that stage, Norton had popped up indicating it was working on Heur.AdvML.B... then quarantining it. This has happened each time before with other known programs that Norton pops up in the middle of the intended virus removal and then the anti-virus program finds nothing. Should I temporarily stop Norton to allow another program to possibly disinfect my laptop from HEUR...?
Kudos1 Stats

Re: Heur.AdvML.B detected-false positive or not?

Hi, Artistica. I would follow peterweb's suggestion and have one of the malware removal experts at one of the sites we recommend check your system out.

Don't attempt self fixing.

Windows 10 Home X 64
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

I clicked on the first link and it took me to Myturbopc_ (Malware removal tool).

If you clicked on the Bleeping Computer link in my post and it took you to Myturbopc, you definitely have some problem on your system. I would suggest using another computer to contact Bleeping and get help there.

Things happen. Export/Backup your Norton Password Manager data.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Thanks for the suggestions. I'll try going back to the Bleeping Computer link at my other laptop and see what happens. Since the HEUR virus, I tried a few times Superspyware and PCCleaners, but Norton always interrupts with a popup about Heur.AdvML.B's activity and then quarantines it. After the latter, when the other anti-virus programs finish checking, they no longer find any virus or malware, something that had not happened before. I wonder if I should temporarily turn off Norton while I try the companies recommended?

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello Artistica

1. Pick 1 site and register.

2. Follow the directions for new users of the recommended site. Describe the issues and tell them what you have tried and what security program you use.

3. They will work with you on a 1 on 1 basis. Tell them to go slow.

4. They will tell you what programs to run and how to get those programs to scan your computer to see what is on it. Have a pen drive with you and tell them the problem computer is a different one from the one you are currently using and that you have a pen drive so you can run the programs and then post back to them the results of the scans.

5. Follow their instructions and ask questions as needed.

6. Stay with them until your computer is clean.

7. Come back and let us know how you did. We can help you get your Norton product reinstalled if necessary.

Good Luck !

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello,

Similar problems here...

For a few months I have had many virus-free files disappearing because of false Heur.AdvML.B threats. I am a music producer and I have many VSTs (dll files) that I used for many years without any issue, but now Norton deletes many of them and then my music files do not work anymore. Every time again I have to restore the files, and what is worse, after restore I have to rename each file: Norton takes off all capitals after restore from Quarantine, but my music software is case-sensitive and so even after restore it still does not work...

In the beginning I contacted the suppliers of the files to warn them about a virus, but now when I see the Norton message I know it is again a false alarm, so it works totally counter-productively. I also sometimes make my own VSTs and then it is worse: anything I produce is immediately quarantined by Norton, so the only way out is to deactivate the anti-virus... I hope Symantec can correct this soon because I am seriously considering stopping use of Norton, whereas before it was very effective!!

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Lucas Paris: Hello, Similar problems here...

> Have you tried creating a work product folder and excluding that folder from Auto-Protect? Just asking.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

I have many folders containing VSTs, installation files and own-made programs that are all creating false virus alerts... of course I can exclude them all, I could even exclude my full PC, but is it then still beneficial to have an anti-virus program? Up to a few months ago there was no issue and no need to exclude any folders, today it is totally different and only because of this Heur.AdvML.B detection. Apparently the choice is now between either being protected and having a lot of false alarms and corrective actions, or disabling the protection which could result in worse annoyances...

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Lucas Paris: Apparently the choice is now between either being protected and having a lot of false alarms and corrective actions, or disabling the protection which could result in worse annoyances...

I hear ya'... confirm Heuristic Protection is Automatic. You may turn Heuristic Protection off. Just saying.
Norton is mass market, as you know.
Norton may not satisfy all users, all the time.
Exclude from Auto-Protect is, as you know, available for known safe files.
Heur.AdvML.B is a new technology to detect malicious files.
> Authors and vendors may request whitelisting at https://submit.symantec.com/whitelist/

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello

I've been getting them also. I had 3 emails from my son. I don't know how old they were, but they were in my email folder with my son's name on it. 2 of them from last night's scan and from a scan 2 weeks ago. He uses the same Norton program as I do, but he is on Windows 10 and I'm on 7. He doesn't send me that many emails, so I don't know.

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

@Lucas Paris, did you submit your files to https://submit.symantec.com/whitelist/? If so, can you please share the ticket ID with me? I'd love to help you resolve the problem permanently, not just with a folder exclusion.

Thanks,

Qichao

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

@Qichao, no I did not. Instead of asking your customers to report all files that are creating false alarms (which would be a continuous task because there are many), it would be much better to review the way Norton is detecting this virus and to avoid files without any issues being taken off. Anti-virus software should just do its job without the need of any feedback or intervention from the side of the user, and you clearly have an issue here, otherwise we would not be expressing our frustration here on this forum. To make it worse, my Windows crashed today (resulting in a BSOD) and this was caused by a file srtsp64.sys that appeared to be part of Norton... the only way out was to re-install Norton, but then all files that I had excluded from being incorrectly deleted were deleted once again, because the exclusion settings disappear when re-installing!!

I suggest instead that you consider the following improvements:

- disable the Heur.AdvML.B virus detection until you are able to detect only files that really are infected

- when a virus is found, let the user choose whether it should be deleted or not, instead of deleting the file automatically

- after restoring from quarantine give the restored file exactly its original name back without taking off the capitals

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello @qichao_lan

Please see this Permalink. The customer responded to you, but tried to use the @mentions which naturally didn't work.


Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

So is it fair to say that  Heur.AdvML.B is not the name of any detected malware file at all, it is instead the name of some algorithm or technology that is used to *detect* malware???

If so, then really you guys at Symantec/Norton need to change the way you report your scan/detection results. I guess that you're all very proud of your Heur.AdvML.B and you want us all to know about Heur.AdvML.B, and every time Heur.AdvML.B detects something you want to say "Look what Heur.AdvML.B did!! Isn't Heur.AdvML.B great? Buy our software."

BUT THAT IS STUPID AND CONFUSING!!! Your listing of detected threats has this big giant-font "Heur.AdvML.B" in it and then the name of the actual detected malware in much smaller print off in one corner of the entry, so everybody thinks "Heur.AdvML.B" is the name of the virus (it sure *sounds* like the name of a virus), and then when they research it to try and learn about this "Heur.AdvML.B" virus, the phrase "Heur.AdvML.B is a heuristic detection designed <yadda> <yadda>..." just goes over everybody's head as technobabble.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

What? It is AML technology, Advanced Machine Learning, an advanced heuristic technology for static detection. OK? That's all.

You show malicious behavior.  Just buy another antivirus.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

I think I may have a (hopefully similar false) positive on Windows 10 with Norton 22.8.1.14 with all the latest updates as of Feb 11 - detected in a file called vgagent.exe from software called VisualGDB from Sysprogs.com available for download here:

https://visualgdb.com/download/

If it is not a false positive, then I'm pretty disappointed in the fact that it was installed on my system not just once, but twice over the period of a month before Norton A/V actually noticed there was a problem. Odd, as this thread topic is several months old.

I posted this question on the sysprogs forum and documented it on my blog page:

http://gojimmypi.blogspot.com/2017/02/visualgdb-missing-vgagent.html

I have an expiring trial version of VisualGDB and I'd sure like to take it for a full test drive this weekend, so any input on whether their vgagent has an infection problem or not will be greatly appreciated. I could re-install on a VM and send the file to anyone interested in examining it, if desired. Thanks.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello gojimmypi

You can submit the file to VirusTotal. You can also submit it to Norton for further analysis.

www.virustotal.com

To report a false positive, please use this link

https://submit.symantec.com/false_positive/

Please see this KB

https://support.norton.com/sp/en/us/threat-removal-solutions/current/solutions/kb20100222230832EN_EndUserProfile_en_us

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hi there.

Today I also got this Heur.AdvML.B problem.

I'm downloading my new PC drivers from Lenovo's official site using IDM on limited download speed (I set it up at 100 KB/s).

And yes, it takes a little longer to complete the download.

While the file was downloading on IDM (not yet finished), an NS alert popped up.

Then I stopped the IDM download.

Tried to download again on IDM (created a new link) and a few minutes later I got the same NS pop-up warning.

So I tried downloading it manually using Firefox.

And NS popped up a "good file" result.

Then I did an On Demand Scan on drive C:\

The result:

So...

What's wrong with this "Heur.AdvML.B"??

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Hello

You got the original bad popups because the file was too new. You needed a few more tries at it and then it would come back as good. They can't tell that the same person tried let's say 10 times. To them it's 10 different users.

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

So..

Let's just say that "if" I download a big installer app (for example over 500 MB in size), that pop-up will come up and the unfinished download file parts will be automatically deleted or quarantined?

While the app itself is absolutely not a virus.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

I'm also seeing this. I'm trying to set up a simple C language environment on a Windows-7 PC using "MinGW" (minimal GCC Windows environment)

My repro is as follows:

I downloaded mingw-get-setup.exe from www.mingw.org and ran it. It fetched a GUI installer named mingw-get.exe, which gave me a list of modules to choose from. I selected only mingw32-base, and clicked "continue". I did not install the MSYS module, or any of the others. I then added c:\mingw\bin to my path, and wrote a "hello world" program.

When I compile the program ("gcc helloworld.c -o helloworld.exe"), the exe file is created but when I run the exe I get a popup warning about Heur and the exe file is deleted/quarantined.

Kudos2 Stats

Re: Heur.AdvML.B detected-false positive or not?

If you are developing your own apps, Norton has no knowledge of the app, and can often flag it as a problem.

What you need to do is create a folder that will contain all your projects. Then exclude that folder from both Items to Exclude from Scans, and Items to Exclude from Auto-Protect, SONAR, and Download Intelligence.

Things happen. Export/Backup your Norton Password Manager data.
Kudos0

Re: Heur.AdvML.B detected-false positive or not?

So no analysis of the code is done?  It just runs off of a safe list?  No wonder there are so many false positives. 

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Thanks PeterWeb I'll see if I can get that to work around the problem. Interesting that if my HelloWorld program does a simple return-0 it works. If it tries printf Hello World then return-0 to exit the failure occurs.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

And just to complete the path, PeterWeb's workaround worked for me.
Thanks for the screenshots, that helped a lot.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

Jim Uren:

I'm also seeing this. I'm trying to set up a simple C language environment on a Windows-7 PC using "MinGW" (minimal GCC Windows environment)

My repro is as follows:

I downloaded mingw-get-setup.exe from www.mingw.org and ran it.  It fetched a GUI installer named mingw-get.exe, which gave me a list of modules to choose from.  I selected only mingw32-base, and clicked "continue".  I did not install the MSYS module, or any of the others.  I then added c:\mingw\bin to my path, and wrote a "hello world" program.

When I compile the program ("gcc helloworld.c -o helloworld.exe"), the exe file is created but when I run the exe I get a popup warning about Heur and the exe file is deleted/quarantined.

With your style of work, Norton is wrong too often.

Just change the antivirus to a weaker one (but more accurate), Kaspersky(!), ESET, BitDefender(!).

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

JohnOzuk:

So no analysis of the code is done?  It just runs off of a safe list?  No wonder there are so many false positives. 

Not many (a medium amount): AV-TEST and AV-Comparatives labs confirm this.

Kudos0

Re: Heur.AdvML.B detected-false positive or not?

JohnOzuk:

So no analysis of the code is done?  It just runs off of a safe list?  No wonder there are so many false positives. 

Not so. There are also real time heuristic detections done, based on a file's behaviour.

Things happen. Export/Backup your Norton Password Manager data.