Norton Antivirus: “SF apps are Adware Threats”
csd214
07-10-2004, 03:07 AM
I have notified Symantec through online Product Feedback:
- - -
Due to the last week’s updates of Norton Antivirus the Full System Scan reported 19 items as “Adware threats”. All of these files are Setup Launchers created with Setup Factory 6.0 from Indigo Rose Corp (www.indigorose.com).
The scan did NOT report all of these files as adware threats. Example: I have 8 occurrences of the file RegRdPD.exe; all of them are built with Setup Factory v 6.0.1.2 but with three different file dates. Only the 3 files with date 05/05/2003 are reported as adware threats.
Several of my customers are running Norton Antivirus. I fear the consequences when NAV is deleting these files, especially the file mentioned (a necessary component of the working application).
The threat reporting is false. I kindly ask you to update your product ASAP. I should like to know WHY this “adware threat” is reported.
- - -
The Symantec Product Feedback site states: “Please note that no answers of any kind are provided in this area.” Obviously Symantec has stopped their online technical support.
Hi there,
Yes, I recently noticed these false positives on a Windows 98 machine with Norton Anti-Virus 2004. Just updated with recent signatures, it seems to detect Indigo Rose installs built with version 6.0.1.2 as adware.showbehind (signature added 1 July 2004). It didn't show before, or identify any other files; the same files on an XP machine with the Norton 2003 version of the product don't show this threat.
It appears to detect the file (program files\setup factory 6\data\w32wiz.da1 - the 6.0.1.2 version) as this threat, and I take it it's parts of this used to build the setup shields, which thus propagates the signature it's picking up.
Having recently updated to 6.0.1.4, re-compiling a shield and re-testing on the machine that was showing false positives no longer detected this threat, and the 6.0.1.4 version of program files\setup factory 6\data\w32wiz.da1 didn't show a threat either.
It might be an idea if someone from Indigo Rose contacts them to update the signature.
Symantec do at least log alterations to signatures in their updates, so if I notice it's re-issued I'll post back.
Regards,
Ceej
csd214
07-15-2004, 11:14 AM
Ceej,
Thanks. I’m happy for your confirmation (and I want to be prepared when any of my customers complains that I have distributed “Adware”). Like you I have noticed that a 6.0.1.4 build does not produce any warning.
I have reinstalled SF v6.0.1.2 and recompiled some projects. The new output is NOT reported to be “Adware threats”, but now I’m told: “The file D:\Program Files\Setup Factory 6.0\Data\w32wiz.da1 is a Adware threat.” [This is too hard for my brain! :eek: ]
I opened a support ticket yesterday, but I think it should be up to Adam to comment on this thread (if he wants to do so).
In the past when we had a false positive situation we were informed by the antivirus company that they would like the users to notify them of the issue through the system that is in place for that.
I will look into contacting Symantec but as you may know this is not always as easy as it sounds.
Does the issue exist with the newest definitions? I understand the concern from our users.
Thank you for your time and patience.
Adam Kapilik
csd214
07-16-2004, 06:01 AM
The problem still occurs with the virus definitions of 15th July 2004.
I encourage all SF users who experience this false positive situation to enter a notification on the Symantec Feedback site (if you are concerned about your customers; the NAV default action is to delete the file).
(The “threat” is not detected by Symantec Online Security Check.)
My advice if you want a chance of a resolution: the best thing to do to ensure the people who build the signatures become aware of this problem is to submit to Symantec via the quarantine mechanism in their product, submitting a copy of the file w32wiz.da1 (the 6.0.1.2 version, not the 6.0.1.4 version as that doesn't produce the false positive :rolleyes , copied to another directory) and explaining it's a false positive with this product. w32wiz.da1 (the 6.0.1.2 version) seems to be the parent file that causes the issue in 6.0.1.2 installs as it's used to construct them. Also include a link to this thread.
In my experience dealing with issues with people's software products, I doubt if you just post via the feedback section of the customer support pages on their site it will ever be seen by anyone who can see the issue and ensure the signature is updated (indeed it hints at this by saying you won't get a reply :wow ). Without the file also, they can't verify it's a false positive either and would probably ignore it.
So in Norton Anti-Virus you go to "View Reports", go into the quarantine section and add a copy (add item) of w32wiz.da1 from another directory (you don't want to quarantine the actual file as that will stop SF working). Then right click and submit to Symantec, where you enter details, etc. You might even get a response this way ;)
This kind of thing is obviously an irritant because people will believe what their PC is telling them, and will follow the default advice: delete. They won't think that "threats" are identified by signatures and it just so happens by chance this file has the same signature. The particular machines I replicated on were development boxes which are only connected to the Internet to download updates, etc, but next time I am on one of these machines I'll plug in and submit if they haven't fixed this issue.
Regards,
Ceej
I just noticed on the detections added page of the product's web site a note on new signatures for 16 July 2004 stating
"(This release contains modifications to existing detections, but no new detections.)"
Unfortunately it doesn't say which ones.
Note these are not available yet through LiveUpdate, but when the next post-16 July definitions are packaged as a LiveUpdate (usually once a week minimum, mid-week, more often depending on what's new, etc) it's worth checking again.
Regards,
Ceej
Intrigued
07-17-2004, 09:12 AM
Tip: Here is a link to the Intelligent Updater package which is updated before the Live Update feature of Norton Antivirus. I hope this helps to expedite a resolution to your quagmire:
Intelligent Update Package (just an .exe file, RUN when prompted or save for later) (http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html)
csd214
07-17-2004, 10:47 AM
I couldn’t wait. I downloaded the 07/16 signature through Intelligent Updater. Sorry to say: The IR products (6.0.1.2) are still recognized as Adware Threats.
Ceej, thanks for your instruction how to submit the file to Symantec (BTW, the Delete option does not work; should move the file to Quarantine\Backup Items but the activity log tells the truth: “Delete failed”.)
Adam has sent Symantec some information. Hopefully Symantec has SOME focus on their customers, but I don’t expect that they care about their customers in the Indigo Rose manner...
softcomp
08-11-2004, 03:42 AM
I'm having the same problem with Panda antivirus :huh
Chris.
Panda may use the virus definitions from Symantec. I have been in the process of contacting them (Symantec) about this issue. In the end I was told to call their corporate headquarters at: (408) 517-8000. I was told to tell the operator that:
"I am a software developer and I need to speak to a developer about a false positive reported by Norton antivirus 2004"
I was then put through to a voicemail of the vice president of consumer relations. It may help if some other people phone them as well.
Adam Kapilik
csd214
08-17-2004, 10:39 AM
I have submitted two files to Symantec, but at last I understood that the submit function is a totally automated process. After a few minutes I receive a “Closing Message” that tells me that “w32wiz.da1 is an adware” (the file from IR), and that “the currently published LiveUpdate definitions are capable of detecting these threats”.
I have opened a support ticket at IR, but it is now closed (without a solution).
I have phoned Symantec, Norway. The technician understood my frustration, but “could not do anything”. “It’s not me that develop our apps. I’m just allowed to send you a link to a document.” (A general definition document on the Web.) “Due to legal regulations we can not remove the adware”.
Still the scenario is:
My customers have bought apps that Symantec declares to be “Adware: Programs that secretly gather information through the Internet and relay it back to another computer, generally for advertising purposes.”
I have not programmed something like that.
And IR has delivered me a system with this un-nice “feature”.
Not pleasant at all!
I take it for granted that IR never has incorporated spyware/adware in their products (?). I’m unsure about the next move.
csd214,
Our software does not contain any adware. This is a false positive on the part of Norton Antivirus.
They have been absolutely no help so far in this matter. I will continue to press them on this issue.
Adam Kapilik
Corey
08-17-2004, 02:26 PM
This is one thing which irks me. I like Symantec, but they are selling false security and giving out inaccurate info to millions of people daily. This same problem is felt by many other software companies. Symantec doesn't care. They sold us a tool which doesn't work properly and now our clients get caught in the middle. It's a genuine shame.
I use Norton AV and it's a good product, the problems lie 100% in their corporate dogma, not the product. Take it from us, if you want to make something happen for your clients, it's not that hard once you've resigned yourself to the task. Like Nike says, just do it.
These guys are just simply not making it a priority. Because *if* Symantec ever accidentally added a trojan app to their white list (this is an oversimplification) not only would the media have a field day, but they would also be legally liable. (regardless of their sketchy disclaimers) Optics are the key, Symantec has nothing to lose by over-excluding applications but much to lose by over-including titles. Or at least that's the perception.
And we all know what most corporate managers do when faced with this sort of risk, they err on the side of caution and protect optics *above all else*. That's their job, to avoid change. It costs money to improve. Bottom line is their active priorities. Symantec simply doesn't feel they have enough left at the end of the day, after all those gigantic profits have been divided up, to improve their product accuracy. To hear them tell it from a cost availability standpoint those guys can barely cobble together a hot meal between them, while meanwhile on the showroom floor, their slick-suited brokers boast of bursting coffers.
I've always wondered what happens if you get one of the back end guys and one of the front end guys together in a room. The raw factual inversion it generates might cause a fold in time. :yes
Corey Milner
Creative Director, Indigo Rose Software (http://www.indigorose.com)
csd214
08-17-2004, 02:33 PM
I am furious with Symantec (I have been a Symantec customer for 25 years; personal and enterprise systems). Next move might be to contact the national IDG Magazine. I have never before used the press when I am dissatisfied with a supplier, but it looks like Symantec has grown too big for their customers. They don't care at all...
Intrigued
08-17-2004, 03:56 PM
This is a problem at our 'shop' too.
We have a software application that many customers will use at some point. It is used by several companies of our type and by some 'big name' players at that.
Without fail, each and every time a customer goes to download and install our software for them the Norton Alert dialog box comes up.
Our solution has been to explain to each and every customer how to handle this. "Sir, ma'am... please choose 'Allow this script to run in its entirety one time'".
It's time consuming, phone bills can go up if they '800' number call in, and it can actually lose sales for us! If I was making the call I would find another way to handle such.
Uhg...
Sandy
08-17-2004, 04:27 PM
Not to mention the fact that it is this kind of 'support' that causes people to lose trust in other companies' support systems! No wonder no one believes us when we talk about how great our support is. I'm constantly baffled that some people are so unwilling to even TRY our free ticketed support system...trust me, folks, here at Indigo Rose we do our very best to answer all support tickets within 48 hours if not sooner.
Intrigued
08-17-2004, 04:49 PM
Not to mention the fact that it is this kind of 'support' that causes people to lose trust in other companies' support systems! No wonder no one believes us when we talk about how great our support is. I'm constantly baffled that some people are so unwilling to even TRY our free ticketed support system...trust me, folks, here at Indigo Rose we do our very best to answer all support tickets within 48 hours if not sooner.
As a customer I am very happy, proud to back your comment Sandy, for what it's worth! I.R. gives A+ support via the Ticket Support System. Two times I have used such and very quickly a workable solution was found and then I implemented such. I am skeptical by nature and I do not say these things nonchalantly. I believe in the Ticket Submit System and you I.R. folks in general, so much so, that I am treating AutoPlay Media Studio as my money maker, bedrock application!
Let me give you an example, a nationwide company that works in our market, well, a customer of theirs called our 'shop' and asked about our services and support. Nothing out of the ordinary. What struck me dumbfounded is that the reason they wanted to look into using our services. Well, it was because they support Outlook Express questions by telephone but not Outlook!
These were basic questions that both software applications need to function properly. So, support of both products is needed and should not even be an issue!
I try to work with our customers as best I can. Customers, I am flat out sure, do not believe me when I explain our support and how it differs from other companies'.
So, Sandy... I know exactly what you are saying.
Very Sincerely,
csd214
11-17-2004, 05:30 AM
Country Manager, Symantec Norway has informed me:
Symantec US has removed the false positive with their signature update of November 12th (with respect to Setup Factory 6 v.6.0.1.2 and 6.0.1.3).
The US lab has contacted/are going to contact Indigo Rose to ask for a confirmation. Adam, please post a note in this forum.
I can't test this anymore because I have uninstalled Norton Anti Virus (and I don't want to reinstall the app).
This case seems to be closed. What about the next one? I think we have to accept that security software sometimes gives a false positive alert. That's why it is so important that we are able to contact the provider. I have asked Symantec either to revive "Ask Symantec" or, as a minimum, create a web service "Submit False Positive" (like the 'Submit suspicious file' service).