Symantec generating a False Positive on Flash Player installer

Published: 2010-01-28. Last Updated: 2010-01-28 19:47:09 UTC
by Joel Esler (Version: 2)
7 comment(s)

If you are running Symantec antivirus, and trying to install Flash, and the Installer is being flagged as a Trojan Horse, now you know why.  Seems there might be a false positive in Symantec's host based detection, flagging the Adobe Flash Installer as a Trojan Horse.

This isn't a big slight, this happens from time to time, with the thousands and thousands of different types of detection that is done with an antivirus tool, it's actually fairly impressive that this type of thing doesn't happen more often.  But it's happened before, and it will happen again.  (Remember the Excel file fiasco that McAfee's AV caused?)

Symantec is encouraging people that are affected to call Symantec support.  I am sure this will be resolved very soon.

Seems that the affected Revision is: 2010-01-27 rev 049.

I'll update this post when it's corrected.

UPDATE: This has been fixed: http://www.symantec.com/connect/forums/flash-player-false-positive#comment-3520451

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Keywords:
7 comment(s)

Comments

Had a couple of calls on this, this morning. My machine isn't effected with Jan 27, 2010 r49.
We had 3 of these this morning. Thanks for the info.
I wonder if it's flagging the actual Adobe Flash Player installer, or the Adobe DLM program that most people are duped into downloading from the Adobe site in order to simply get the Flash Player. Of course the latter tries to install other unwated 'goodies' such as Acrobat Reader, so I think it's only fair to flag it as spyware/malware...
We had the problem here for several machines. It looks like the older Adobe Flash installer version 10.0.22.87 for Firefox is the one being detected as a Trojan Horse. I downloaded this older version from Adobe and it detected it wit hthe 1/27/2010 r49 definitions. I uploaded the installer to Symantec's submission web site in response to a case I had opened and they said it was clean. Rapid Release for 1/28/2010 r7 still detects it. I suspect a definition update that comes out later today will correct it.
I also wanted to note that the current version of Adobe Flash player is 10.0.42.34.
I'll take an occasional false positive, since it's blocking about 6-12 FakeAV install attempts a day in my environment.
I've confirmed that the Symantec definitions dated 1/28/2010 revision 25 or later correct this false positive detection.

Diary Archives