Norton Internet Security flagging odrive files as threats

I’m using odrive version 5049 on Windows 10.

A Full System Scan on Norton Internet Security is giving me two threats:

  1. odrive.exe flagged as “Suspicious.Cloud.9” threat
  2. odrive.cab flagged as “Compressed” threat.

Hopefully these are false positives, but do they need to be flagged somewhere to get them on a whitelist to stop this happening going forward?

I have screenshots from Norton with details of what was shown but only 1 image is allowed to be posted.

Any help and advice would be gratefully received. Hopefully these details will also help other users that come across this issue.

Thanks for the report. Their heuristic detection can be overly aggressive.

We do not have any malware in the product. I am going to try to submit a false positive report to Symantec for this. Can you give me the full path of each file it is reporting? I just want to make sure I have everything accounted for.

Thanks!

Hi Tony, Thanks for the response. Here is the path for “Suspicious.Cloud.9”:

And here is the path for “odrive.cab”:

Thanks! I have submitted to Norton’s false positive reporting service:
https://submit.symantec.com/false_positive/

Got a response back and odrive.exe should be in the clear now, although it will depend on when they roll out an update.

Thanks for following this up.

I will wait a few days and then remove it from the Exclude List. I will run the Full Scan again to see what happens.

Symantec is flagging “filodrive.exe” as a threat. Is this one of yours and should it be set to ignore?

Hi @Thomas_Buck

Is the error above what you are seeing? I submitted it for whitelisting to Symantec, so I am hoping it is rolled out soon.

That’s it all right.

The v5080 installer was flagged by our corporate Symantec Endpoint Protection (Windows) as a “suspicious file.” The business versions of Symantec products are less strict about deleting what they see as threats. Looking through the logs, it appears that Symantec got its knickers in a twist due to the combination of multiple internet accesses and Explorer shell injection.

Systems that upgraded directly to v5085, on the other hand, did not produce objections from Symantec Endpoint

I am trying to download odrivesync.6209.exe. Norton flags and removes the file immediately. Is the WS.Reputation.1 supposed to be in the download? Any suggestions will be appreciated. The path is c:\users\user1\downloads\odrivesyn.6209.exe, and a Norton screenshot is attached. I’m looking forward to using the product.

Hi @mesutton,
Annoying. Usually Norton is smarter than this, since our code signing certificate has been in use since early 2015. I guess because the file version is appended to the file, it somehow triggered this as a “brand new” application. I have submitted a false positive report to Symantec. You should be able to pull this out of quarantine and run it.

I also ran the file through VirusTotal, for good measure, and it came up clean:
https://www.virustotal.com/en/file/8d64e96593da8c426d9ab6fadc63f24f6af740b1226976e1871624cee0cc5b5e/analysis/

Thank you. I pulled the file out of quarantine, and everything worked fine.

Thanks for confirming. Norton has also whitelisted us.