Norton AV flagged Creo 3.0 M010 as high risk...

TomD.inPDX
17-Peridot

Heads up, and looking for others that have had this pop up recently...

 

I download all the releases for Creo to an archive folder. After a few days of being on my system, Norton antivirus flags the install zip file as a high risk.

 

I reported this to customer support. I will update with their response. Anyone else get this?

 

Norton_alert_Creo_3_m010.png


Accepted Solution
RichardJ
19-Tanzanite
(To:TomD.inPDX)

I just got this from Symantec:

In relation to submission [3688339].

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

53E35B99B59E10B3BA69A503A4919AF6 - portmap.exe

The updated detection(s) will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

If you are a software vendor, why not take part in our whitelisting program?

To participate in this program, please complete the following form: https://submit.symantec.com/whitelist

So it is definitely a false positive. PTC might want to think about that whitelisting program. I assume other AV software companies have similar programs.

Inoram
13-Aquamarine
(To:TomD.inPDX)

delete it!

hehe

TomD.inPDX
17-Peridot
(To:Inoram)

I cannot believe I am going round and round on this with CS including an escalation today.

I've excluded the error for now but am not moving forward until PTC has had a conversation with Norton.

I've had nothing but advice on how to avoid getting the warning... but that wasn't the point of reporting this!

I fully trust PTC in their efforts to avoid virus issues with their roll outs but if one could have snuck in there, I would expect them to give this the utmost priority considering the install base.

I don't know enough about Norton to dig deeper... and worse, this is the Comcast provided version which has limited support or options. It just works and that's good enough for me.

RichardJ
19-Tanzanite
(To:TomD.inPDX)

I don't normally watch the Creo forums at all, and just happened to catch this. I've used Norton for years, and am very familiar with it. Assuming Norton will let you, unzip all the files into a new folder. Simply unzipping the file can't harm you, just don't run anything in the new folder. Then right click on the folder and tell Norton to scan it. Tell me what threat(s) it found.

I cannot scan a single folder. Norton wants to do a full system scan only. Again... seriously limited version.

I did go back into the logs and found these:

norton_problem_with_creo3_II.PNG

norton_problem_with_creo3.PNG

RichardJ
19-Tanzanite
(To:TomD.inPDX)

Unfortunately I can't tell anything from those, except that there is something in the zip file it doesn't like. Is there somewhere I can get the zip file (either from the PTC website, bearing in mind I do not have Creo, or PM me with an ftp site, dropbox link, or similar)?

Edit: It's not quite true that it tells me nothing. I suspect Norton is picking up on the fact that the executable "portmap.exe" is being flagged just because it's new, and not known to them. I can't be sure of that without getting into the zip file contents though.

It is flagging PORTMAP.EXE in ptc268.cab, in the download of the Creo 3.0 M010 install zip file.

Which is funny because there are portmap.exe's in many of the PTC zip files.

PTC doesn't make these accessible without a current maintenance contract for that specific product.

I found an On-Demand scan option... it still reports this file as having a high threat problem.

Scan Information:
Virus Defs Version: 2014.12.15.002
Virus Defs Seq ID: 159764

Scan Statistics:
Scan Start:
Local: 12/15/2014 4:36 PM
UTC: 12/16/2014 12:36 AM
Scan Time: 579 seconds
Scan Targets: C:\Users\...etc...\PTC\Creo3.0_install_files\MED-100WIN-CD-400_M010_Win64.zip
Counts:
Total items scanned: 247,693
- Files & Directories: 247,693
- Registry Entries: 0
- Processes & Start-up Items: 0
- Network & Browser Items: 0
- Other: 0
- Trusted Files: 0
- Skipped Files: 0

Total security risks detected: 1
Total items resolved: 0
Total items that require attention: 1

Resolved Threats:
No risks have been resolved

Unresolved Threats:
Risks in compressed file "med-100win-cd-400_m010_win64.zip"
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Not Attempted
-----------
1 File
[portmap.exe] inside of [ptc268.cab] inside of [c:\users\...etc...\ptc\creo3.0_install_files\med-100win-cd-400_m010_win64.zip] - Not Attempted

...etc... my edition.

RichardJ
19-Tanzanite
(To:TomD.inPDX)

OK, I am 99% sure I know what the problem is. Here's how it works:

No AV software that only looks at a database of known threats can ever detect every real threat. It can only detect what's in the database. So any current AV software that's worth having employs heuristic algorithms to detect potential, or likely threats. The algorithms look at many factors, and I don't know what all of them are (and I'm sure if I asked Symantec, the producers of Norton, they would not tell me!), but Norton AV does look at the age of the file, how many people in the Norton community have installed it, and probably where it came from. Based on your post I suspect that it also does not like the fact that the executable file is buried in a zip file. The fact that portmap.exe is in other PTC zip files does not matter. Unless the file size is the same, to the byte, from Symantec's point of view they are not the same file.

The key piece of info in your new post is "Categories: Heuristic Virus". If I could scan portmap.exe I am almost certain it would flag it with a warning I have seen many times, because I often download new installers from a software developer I work with. Unzip the file (really, there's no danger in just unzipping it, just don't allow Windows to run anything afterwards) and scan portmap.exe. I think I know what it will report, but I would like to be sure.

RichardJ
19-Tanzanite
(To:TomD.inPDX)

I could edit my previous reply, but I think a new one is justified, to make sure you (and perhaps others) are notified. The risk is labelled as "High Stealth, High Removal, High Performance, High Privacy". Well, you can look up here what that means: http://www.symantec.com/security_response/antispyware_approach.jsp

What exactly does portmap.exe do? I scanned my PC and it's not there, so it's not installed with Mathcad. Thankfully! What is this very nasty looking animal?

I cannot open the .cab files. These unpack with the install process.

I uploaded the Norton result file to my support case.

I loved the graphic among all those words on the symantec page...

Pour in files...

Shake it up...

See what falls out!

This is the scan from Creo 2.0 M130 install files: no threats found!

Scan Statistics:
Scan Start:
Local: 12/15/2014 5:58 PM
UTC: 12/16/2014 1:58 AM
Scan Time: 1,026 seconds
Scan Targets: C:\Users\...ect...\PTC\Creo2.0_install_files\MED-100WIN-CD-390_M130_Win32-64.zip
Counts:
Total items scanned: 261,101
- Files & Directories: 261,101
- Registry Entries: 0
- Processes & Start-up Items: 0
- Network & Browser Items: 0
- Other: 0
- Trusted Files: 0
- Skipped Files: 0

Total security risks detected: 0
Total items resolved: 0
Total items that require attention: 0

Resolved Threats:
No risks have been resolved

Unresolved Threats:
No unresolved risks

RichardJ
19-Tanzanite
(To:TomD.inPDX)

What concerns me is that it scores a high risk as spyware in four out of four categories! Symantec is not some fly-by-night operation, they are a leading software security company. So I have to ask again, what exactly does portmap.exe do? Because a leading software security company certainly doesn't seem to like the answer to that question!

Me too. I will continue to ask until I get a satisfactory answer.

Inoram
13-Aquamarine
(To:TomD.inPDX)

Make a text file, rename it portmap.exe (or whatever it was) and see if it gives the same error.

RichardJ
19-Tanzanite
(To:Inoram)

Make a text file, rename it portmap.exe (or whatever it was) and see if it gives the same error.

Don't bother. It will not get the same error.

Inoram
13-Aquamarine
(To:RichardJ)

Richard Jackson wrote:

Make a text file, rename it portmap.exe (or whatever it was) and see if it gives the same error.

Don't bother. It will not get the same error.

I wouldn't be surprised if Norton flagged it on name alone.

RichardJ
19-Tanzanite
(To:Inoram)

I wouldn't be surprised if Norton flagged it on name alone.

Why? Why do you think a leading AV product would do that?

It didn't. I renamed a textfile to portmap.exe and it was safe.

Inoram
13-Aquamarine
(To:TomD.inPDX)

Cool! Norton stepped up their game some.

Inoram
13-Aquamarine
(To:RichardJ)

I've seen it in the past

Read http://processchecker.com/file/portmap.exe.html and http://www.file.net/process/portmap.exe.html

It looks like it's part of an Oracle system used in Creo.

I haven't trusted Norton since Norton left. Norton Ghost (not antivirus) screwed me over too many times and I have no respect for the company since. It's likely to be a false positive, so I'd check using other products. AVG has a free version that's been a good test.

My personal preference was a little job called SuperAntiSpyware (also free trial, which I used, and then bought when it was the ONLY one that worked) that cleared off a boot-sector virus, but the mainstream Kaspersky and McAfee are reasonably ok for regular file infections.

You should be able to extract the file with Winzip. This would allow you to compare it to previous versions of the same file that you may have and use something besides Norton to check it.

RichardJ
19-Tanzanite
(To:dschenken)

I agree that it's probably a false positive, but the second URL you posted sure shows why Norton flagged it! However, although the report says "Heuristic Virus", it's clear from the Norton website that it's not really flagging it as a virus, but as possible spyware. From what we now know about it, it's clear why it flagged it. So it will be interesting to hear from PTC what portmap actually does.

Any AV software with heuristics is going to get false positives sometimes, and AV software without heuristics leaves you vulnerable. Pick your poison!

Another very good free AV scanner is Malwarebytes. The free version does not give you real time protection, but it is very good at finding malware. They also have very good forums, with very knowledgeable people. In general you should be very wary about installing free AV software that's not from a known source. There is a lot of malware out there that masquerades as anti-malware software, and some of it is very nasty!

Not sure I follow where the second link says why it would be flagged.

Unless you are going by the masquerade notation. The problem is that every executable is prone to that, so it should not be a reason to flag.

RichardJ
19-Tanzanite
(To:dschenken)

That on its own wouldn't be a reason to flag it, but maybe Symantec knows the sizes of the legitimate versions, so if PTC changed it in this version that would raise the risk level. It's also known to use ports to connect to the internet, which is another thing that raises the risk level. It sometimes installs into the Windows/system32 folder, so up goes the risk level again. In addition to those factors, Symantec also apparently thinks it's installed without the user noticing (which is obviously true), it's hard to remove, it adversely impacts performance, and that it has a high privacy impact. The last one is perhaps because of the way it connects to the internet.

I don't know exactly how the heuristics in NAV work. I have never seen them flag a commercial software package. The only time I have seen them flag something is when I get an installation file from a software developer I work with, but in that case I'm the first person to have the file, and it's not downloaded from a known website (which I know also makes NAV raise the risk assessment).

Richard Jackson wrote:

That on its own wouldn't be a reason to flag it, but maybe Symantec knows the sizes of the legitimate versions, so if PTC changed it in this version that would raise the risk level. <snip>

I think you might have hit on something here. Tom's screen shot shows that PTC has "branded" the file as their own. That will certainly change the size and content.

TomU
23-Emerald IV
(To:TomD.inPDX)

I have a copy of the Creo 3.0 M010 downloads for Help, Win32, and Win64. I located the cabinet files and extracted the files and folders. Only Help and Win64 contained the portmap.exe file. From all appearances both copies seem to be identical. The AntiVirus software we are using (Kaspersky) did not detect any threats with either of them.

6.PNG

8.PNG

10.PNG

TomU
23-Emerald IV
(To:TomU)

Just for fun, I submitted it to an online scanning site. It was run through 42 different scanners and passed all of them. Interestingly enough, Norton wasn't included. Full results here:

https://www.metascan-online.com/en/scanresult/file/2eade8e11dfd4034a5fa19c1669bf709

12.PNG

RichardJ
19-Tanzanite
(To:TomU)

So it's a false positive. Norton flagged it not because it knew it was a threat, but because it has too many characteristics that make it look like it might be one.

Yawn!

TomU
23-Emerald IV
(To:TomU)

Here is a link to another online scanner. This one gives a lot more information about the contents of the file.

https://www.virustotal.com/en/file/59dc8b68031a509a1fd5d073a2a849d9f102d696aafeec9fb4cd48cf29a28bdf/analysis/1418735250/

RichardJ
19-Tanzanite
(To:TomU)

On the "additional information" tab it says "Symantec reputation Suspicious.Insight". This is what the Symantec site has to say about that: http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99. I've seen this happen several times when I get software from someone I work with, because I'm the first one to get the new installer. Once I flag it as OK, the warnings stop (for others as well, not just me). Once a few people with Norton AV have installed the new version of Creo this problem should go away on its own.
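Two points in this thread lend themselves to a concrete check: Richard's remark that, to the scanner, two files are only "the same" if they match byte for byte, and his note above that a reputation verdict like Suspicious.Insight mostly means "not seen before". The following is an added example, not code from the thread, from PTC or from Symantec. It hashes every member of an install zip and compares each one against a reference table keyed by file name; the only real reference value is the MD5 that Symantec quoted for portmap.exe in the accepted solution, and the zip used to exercise it is constructed in the block (its "portmap.exe" is a placeholder, not the real binary). Nested .cab members are reported for separate expansion, since the standard zipfile module cannot descend into them (on Windows, expand.exe can). A file with no reference entry is reported as "unknown", which is the first-seen situation Richard describes, not a verdict that it is malicious.

```python
"""Hash-based identity check for members of an installer archive.

Added example; assumes a reference table keyed by file name. The MD5 for
portmap.exe is the one quoted in the accepted solution of this thread.
"""
import hashlib
import io
import zipfile

# Reference MD5 quoted by Symantec when it removed the detection.
# Keys are lower-case file names as the scanner reports them.
THREAD_REFERENCE = {
    "portmap.exe": "53e35b99b59e10b3ba69a503a4919af6",
}


def digest_bytes(data):
    """Return (md5, sha256) hex digests for an in-memory file body."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def classify(name, md5, reference):
    """Classify one member: matches the reference, differs from it, or has none.

    'unknown' means the table has no entry for this name: the file is merely
    not seen before, which is exactly what a reputation heuristic reacts to.
    """
    key = name.rsplit("/", 1)[-1].lower()
    expected = reference.get(key)
    if expected is None:
        return "unknown"
    if expected.lower() == md5:
        return "matches-reference"
    return "differs-from-reference"


def audit_archive(zip_bytes, reference=THREAD_REFERENCE):
    """Hash every file in a zip and classify it against the reference table.

    .cab members are containers the AV descends into but zipfile cannot, so
    they are flagged for separate expansion rather than classified.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            md5, sha256 = digest_bytes(data)
            if info.filename.lower().endswith(".cab"):
                status = "container-expand-separately"
            else:
                status = classify(info.filename, md5, reference)
            results.append({"name": info.filename, "size": len(data),
                            "md5": md5, "sha256": sha256, "status": status})
    return results


def build_sample_archive():
    """Constructed sample zip (not a PTC download): a placeholder cab, a fake
    portmap.exe that is not the real binary, and a file with no reference."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ptc268.cab", b"MSCF constructed-cab-placeholder")
        zf.writestr("bin/portmap.exe", b"MZ constructed-not-the-real-file")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for row in audit_archive(build_sample_archive()):
        print(f"{row['status']:28} {row['md5']}  {row['name']}")
```

Run against a real download, the interesting lines are the "differs-from-reference" ones, since a name the vendor whitelisted with a different hash is exactly the case Richard raises (a rebuilt or rebranded copy that the scanner has never seen); "unknown" lines are only a list of what has no reference yet and would need a hash from the vendor or a multi-scanner result, as TomU did, before anyone draws a conclusion.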

TomD.inPDX
17-Peridot
(To:TomU)

Tom, can you attach the file to a post so I can scan it with my Norton installation?
