Norton Security AV - Trojan Virus Heur.AdvML.B in PrimalScript 2017 files

Post by yamaha04 » Wed Aug 09, 2017 12:12 pm

Hello Sapien Team and Board Members,
I am receiving what appear to be false positives for the Trojan virus Heur.AdvML.B on the following files:

<primal script install path>\sapien powershell v5 host (windows application) win32.exe
<primal script install path>\sapien powershell v3 host (windows application) win32.exe
<primal script install path>\sapien powershell v2 host (windows application) win32.exe

Product: PrimalScript 2017 64-Bit
Product Version and build: Build 7.3.106
Operating system: Windows 10 Pro 64-Bit Version 10.0.15063

I saw a related article to this on the Forum here: viewtopic.php?f=7&t=11780

My reason for posting is to raise awareness, and to provide others using Norton AV with a way to restore their PrimalScript 2017 files. I'm also curious if the Sapien Team has seen false positives on these files with whatever AV scanning is used by your test teams.

To restore the PrimalScript 2017 files, and exclude them from future scans, take the following steps in Norton AV:
1. From the Security History dialog, select and open a file that has been quarantined.
2. This opens the File Insight dialog. Click the Restore link in the lower right.
3. This opens the Quarantine Restore dialog. Select the "Exclude this file ID from future scans..." option, and click Yes. This will restore the Sapien PrimalScript 2017 files to the original location.
4. Once this is completed, the files will no longer be quarantined on future scans.

I also submitted the files and details to Symantec to hopefully get these files logged as false positives in their AV definitions, or perhaps mentioned in a support article.

Thank You,
Paul (a.k.a yamaha04)

Re: Norton Security AV - Trojan Virus Heur.AdvML.B in PrimalScript 2017 files

Post by davidc » Wed Aug 09, 2017 1:16 pm

Thank you for submitting the files and providing the steps.
Virus definitions are constantly updated, so false positives will keep popping up every once in a while. Part of the issue could be that the executables are not signed, but that is a necessity because otherwise you would not be able to sign your own packaged scripts.
David
SAPIEN Technologies, Inc.
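
A check that can be run after restoring the files and before relying on the scan exclusion, as an added example that is not part of the original thread or SAPIEN's own code: because the reply says the host executables are unsigned, a signature check cannot vouch for them, so this compares their SHA-256 hashes against a copy obtained from a trusted source. The function name `Compare-HostStub`, both path parameters and the reference folder are assumptions; the file name pattern comes from the three files listed in the first post.

```powershell
# Added example: compares the restored host executables with a known-good reference copy.
# $InstallPath and $ReferencePath are assumptions supplied by the caller; the name
# pattern is taken from the three quarantined files listed in the first post.
function Compare-HostStub {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallPath,    # folder holding the restored files
        [Parameter(Mandatory)] [string] $ReferencePath   # same files from a trusted source
    )
    $pattern = 'sapien powershell v* host (windows application) win32.exe'
    $files = Get-ChildItem -LiteralPath $InstallPath -Filter $pattern -File
    if (-not $files) { throw "No host executables matching '$pattern' in $InstallPath" }

    foreach ($file in $files) {
        $refFile = Join-Path -Path $ReferencePath -ChildPath $file.Name
        $hash    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        # The reply states these executables ship unsigned, so a NotSigned status is
        # expected here and the hash comparison is the only integrity evidence.
        $sig     = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status

        if (Test-Path -LiteralPath $refFile -PathType Leaf) {
            $refHash = (Get-FileHash -LiteralPath $refFile -Algorithm SHA256).Hash
            $verdict = if ($hash -eq $refHash) { 'Match' } else { 'MISMATCH' }
        } else {
            # No trusted copy to compare against: do not treat this as a pass.
            $refHash = $null
            $verdict = 'NoReference'
        }
        [pscustomobject]@{
            Name            = $file.Name
            Signature       = $sig
            SHA256          = $hash
            ReferenceSHA256 = $refHash
            Verdict         = $verdict
        }
    }
}

# Usage with placeholder paths (replace both before running):
# Compare-HostStub -InstallPath '<primal script install path>' -ReferencePath 'D:\reference-copy' |
#     Format-Table Name, Signature, Verdict -AutoSize
```

A `MISMATCH` or `NoReference` verdict means the exclusion would be covering a file whose contents have not been confirmed against the vendor's build.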