Has anyone seen this:

Symantec Corporation Norton Internet Security
Version: 16.5.0.135

minirosetta_1.80_windows_intelx86.exe detected by SONAR

Risk Name:
minirosetta_1.80_windows_intelx86.exe

Risk Type:
File Based

Severity:
High

Component:
SONAR

Risk State:
Fully removed

Definitions Version:
2009.06.26.054

ERASER Version:
109.1.0.61

Reported by my antivirus this morning. I went to look to see if the file was there and a new .zip had been downloaded following detection and removal. The message digests for the newly downloaded executable are:

(MD5) 34F18CD07435ABD14098D79FE228F727
(SHA1) 02E9513E28CB2DCCF16B54B7C5F64F42CAF43C89

Clues anyone?

This is not a new issue. It happens every few months.

They will fix it. Thanks for reporting.

thanks for crunching.

---

Thx!

Paul

It looked like a false positive to me.

Was there a new build recently or do we believe this was Symantec definitions related?

I guess it's a good idea to have BIONC just download a new copy if an executable disappears like that (though I'm a bit uncomfortable with the idea).

It looked like a false positive to me.

Was there a new build recently or do we believe this was Symantec definitions related?

I guess it's a good idea to have BIONC just download a new copy if an executable disappears like that (though I'm a bit uncomfortable with the idea).

There was a big brew-ha-ha a few months ago and it was discovered that the anti-virus companies had decided that something that Boinc does was then a problem, sounds like the companies are at it again. Most people have set the anti-virus so it just doesn't scan the Boinc directories and then there are no more problems. Yes that can be a bit scary at first but you are just connecting to your favorite project with Boinc, not going to the whole internet with it.

---

I've added C:Documents and SettingsAll UsersApplication DataBOINCprojects to the Scan Exclusions settings. Since I run boinc as the daemon, I'm not too concerned about the security issues (IBM has done a fine job lending a hand at getting the containment model secured).

I'm more concerned about work stoppage or loss. There are already too many host related failures across all the various projects, mostly due to inattentive owners. I wonder what kind of statistics there are for replication efficiency over the millions of systems.

I've added C:Documents and SettingsAll UsersApplication DataBOINCprojects to the Scan Exclusions settings. Since I run Boinc as the daemon, I'm not too concerned about the security issues (IBM has done a fine job lending a hand at getting the containment model secured).

That's a good idea for those who repeatedly have this problem.

I'm more concerned about work stoppage or loss. There are already too many host related failures across all the various projects, mostly due to inattentive owners. I wonder what kind of statistics there are for replication efficiency over the millions of systems.

That may be true, but it's also harsh because it's not the complete story.

- Norton 360 (all versions that I've used) don't reject the minirosetta executable.
- Norton Antivirus doesn't reject the minirosetta executable either (that I'm aware).
- Norton Internet Security rejects the minirosetta executable every time there's a new minirosetta version.

So, to some extent, there's an inconsistency with Symantec themselves that they have to address.

Kaspersky has also had this problem in the past, as has ESET NOD32 if I recall correctly.

---

That may be true, but it's also harsh because it's not the complete story.

- Norton 360 (all versions that I've used) don't reject the minirosetta executable.
- Norton Antivirus doesn't reject the minirosetta executable either (that I'm aware).
- Norton Internet Security rejects the minirosetta executable every time there's a new minirosetta version.

So, to some extent, there's an inconsistency with Symantec themselves that they have to address.

Norton Internet Security 2009 seems to have fixed the problem the previous Norton programs had with slowly corrupting the database of the Windows Mail email/newsreader program that comes with Vista, but some its recent updates seem to have introduced new problems. Could we get some of the RALPH@home alpha testers to test for problems with running new minirosetta versions on computers that also have Norton Internet Security installed, and scan the BOINC folders whenever any new version of minirosetta is available?

I just created a custom Norton Internet Security scan on my x64 Vista computer to scan only the BOINC directories, ran it, and everything passed. The alpha testers could use such tests to report false positives. I remember a setting for including heuristic scanning, but don't remember whether it was for Norton Internet Security or for Microsoft Windows Defender, another program for which recent updates have added false positives.

At least for Microsoft Windows Defender, the changes needed to control the problem seen to include having every new version of minirosetta include the files needed to tell Windows Defender where that program came from, and a few more things needed to tell Windows Defender to treat the program better than a program downloaded from an unknown source.

That may be true, but it's also harsh because it's not the complete story.

- Norton 360 (all versions that I've used) don't reject the minirosetta executable.
- Norton Antivirus doesn't reject the minirosetta executable either (that I'm aware).
- Norton Internet Security rejects the minirosetta executable every time there's a new minirosetta version.

So, to some extent, there's an inconsistency with Symantec themselves that they have to address.

Norton Internet Security 2009 seems to have fixed the problem the previous Norton programs had with slowly corrupting the database of the Windows Mail email/newsreader program that comes with Vista, but some its recent updates seem to have introduced new problems.

Yes. sorry about that. A team-mate confirmed to me that Mini 1.80 was the first for a long time to get through NIS2009 without problems. Hopefully that continues now.

---

This only happened immediately following the 1.80 update, so it appears that NIS 2009 still has an issue. BIONC (and r@h), however, recovered gracefully and went right on about their business of crunching.

I added the exclusion rule, just in case, though I'm not all that comfortable with the idea. I've had no issues since.

With the new update to 1.82 (which got downloaded last night) I deleted the exclusion this morning, performed a manual scan on the main directory and all subs, and of over a thousand items scanned there were zero (0) detections.

I'm leaving the exclusion off for the time being to see if it happens again.