 redholm
join:2004-10-31 Sunnyvale, CA
| Symantec AV identifying Angry IP scanner as hacktool
Symantec AV is identifying it as a hacktool; see summary below:
Updated: June 26, 2007 1:14:02 PM
Also Known As: Hacktool.Angry [Symantec]
Type: Security Assessment Tool
Version: 2.12
Publisher: Angryziber Software
Risk Impact: Low
I can check the source code; the program is not running unless I start it. No hacker will be blocked by this. I cannot see any reason for the AV blocking this.
I know of no commercial tools that are blocked. All IP scanners should be treated the same; this is a double standard against open source. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
| From the write-up here: »www.symantec.com/security_respon···&tabid=1 I see that there have been updated protections released beginning today [ NOV 14th ]. I will find the link for you to use if you will post the version of your NAV or SAV product that is currently installed. This detection is listed as modified late the 13th and included in Rapid Release definitions after:
22:50:58 PST November 13 Beginning with versions: 91114a 11/14/2007 rev. 1
Scroll down this page: »www.symantec.com/avcenter/whats_new_RR/ to version info 22:50:58 FOR MORE. I'll need the product info and OS info to get you hotlinked to the proper version for download.
-amy-
 -- DSLR Phishtracker |
|
 redholm
join:2004-10-31 Sunnyvale, CA
| Amy, thank you for the links.
I read »www.symantec.com/avcenter/whats_new_RR/ I see that AngryIPScanner is listed as modified but what type of modification is not specified (or I can not read the table properly). Is there a way to know what type of modification before trying it?
I have Symantec AV Full version 10.1.4.400 and I am running Windows XP. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
| Any version released beginning Nov 14 includes the modifications.
Scroll down to the link to this executable: symrapidreleasedefsi32.exe | November 14, 2007 | November 14, 2007 | 19.97 MB
Go to: »www.symantec.com/avcenter/rapidr···oad.html
Current time-stamp is 8:21 pst [released 3 minutes ago]. The remediation added 10/13/ late evening is included in this release.
The DAILY updates release for later today will also include this remediation and it will be included in the weekly live update packages releasing today.
If you are afraid of the RR definition download, wait for today's daily and weekly releases via Live Update.
If the problem persists after the new definitions are installed, please report back.
-amy-
Supports the following versions of Symantec antivirus software:
Norton AntiVirus 2003 Professional Edition
Norton AntiVirus 2003 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2004 Professional Edition
Norton AntiVirus 2004 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2005 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
Norton AntiVirus for Microsoft Exchange (Intel)
Norton SystemWorks (all versions)
Norton Utilities for Windows 95/98 (all versions)
Symantec AntiVirus 3.0 for CacheFlow Security Gateway
Symantec AntiVirus 3.0 for Inktomi Traffic Edge
Symantec AntiVirus 3.0 for NetApp Filer/NetCache
Symantec AntiVirus 8.0 Corporate Edition Client
Symantec AntiVirus 8.1 Corporate Edition Client
Symantec AntiVirus 9.0 Corporate Edition Client
Symantec AntiVirus 10.0 Corporate Edition Client
Symantec AntiVirus 10.1 Corporate Edition Client
Symantec AntiVirus 10.2 Corporate Edition Client
Symantec Mail Security for Domino v 4.x/5.x
Symantec Mail Security for Microsoft Exchange v 4.x/5.x
-- DSLR Phishtracker |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
| reply to redholm From Sunbelt: A Potentially Dangerous Tool is an application that is not necessarily harmful if properly installed by the user or administrator of the PC, but which could be harmful or disruptive to the user, PC, or network if deployed by unauthorized parties for potentially malicious purposes.
Low risks should not harm your machine or compromise your privacy and security unless they have been installed without your knowledge and consent. A low risk may be a program, network tool, or system utility that you knowingly and deliberately installed and that you wish to keep.
»72.14.253.104/search?q=cache:d2b···=8&gl=us
There are several other vendor writeups about this 'risk'. All state that IF you DID NOT install this program, remove it. If you wish to use this program then ignore the detection. It's one of those programs that has been used maliciously when installed without the user's permission.
McAfee and CA E-trust also offer the same general info. If you wish to use it and installed it, then ignore the detection. If you did NOT install this program then simply remove it.
-amy-
 -- DSLR Phishtracker |
|
 redholm
join:2004-10-31 Sunnyvale, CA
| Amy, I now have an updated definition 11/16/2006 rev 9. I am still blocked from accessing the file and there is no undo action.
No change from prior definition file.
I would not complain if it was a warning and I had some easy way to decline the default block action. The Symantec AV message is an after-the-fact message and the only easy way to get access is to disable the AV program.
My original complaint stands: there are many IP scan tools that are not interfered with; why is Angry IP scanner treated differently? |
|
 Gavin_TH
join:2003-04-03 Australia
| Because they have it
Send them a hundred IP scanners, and they will soon all be detected as Hacktools. The hacktool detection is there so that such tools can be found!
There MUST be a way to exclude it; if not, then it's a design issue. |
|
 Mele20 Premium join:2001-06-05 Hilo, HI | reply to redholm I agree with Gavin. Surely Symantec still lets you exclude? |
|
 Max_War
join:2002-11-30 Scarborough, ON | reply to redholm I had this problem for a couple months now. I searched the net and managed to find another free IP scanner called netscan from softperfect.com.
SAV doesn't detect this program as a virus. |
|
 redholm
join:2004-10-31 Sunnyvale, CA | reply to Gavin_TH Gavin_TH, I am not sure Symantec AV is adding commercial IP scanners. There are risks of a lawsuit if they would treat a commercial entity like they have Angry IP scanner. |
|
 redholm
join:2004-10-31 Sunnyvale, CA | reply to Mele20 Mele20, I have managed to make some progress on excluding for the Auto-detect but the big scans will still block and remove. I am sure that it is theoretically possible to exclude but usability design issues definitely exist. |
|
 redholm
join:2004-10-31 Sunnyvale, CA
| reply to Max_War Max_War, Thanks for the netscan tip. Finding scanners is easy but it is nice to know they are not yet poorly treated by Symantec AV.
I also note that you found it easier to find a new tool than to get Symantec AV to not interfere. I am happy I am not the only one who finds Symantec exclusion design hard to use.
I am thinking on switching AV tool, we will see what happens when the contract is up for renewal.
// edit spelling |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to redholm So, you are saying Symantec basically no longer lets the user configure the AV? That is sad, if I am understanding you correctly. I have not tried Symantec (and that was Norton/NIS not the corporate product) since 2004 I think it was. I might have tried it again ...but not if the user can't configure exactly how they want everything. Exclusion, even with an AV that has a very low FP rate, is still very important and should not be difficult. -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire | You can exclude files and folders and disk with Symantec
Cudni |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| reply to redholm Not sure what you do in SAV but in NIS 2007 you can exclude the signature.
IN NIS
Click Autoprotect - Click Configure - Click Signature Exclusions - Select AngryIPscanner - Click Add
I would think SAV has something on the same order. -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. |
|
 redholm
join:2004-10-31 Sunnyvale, CA
| reply to Cudni Cudni,
Thank you, I knew of this capability but I was not using it.
I tried to exclude the signature and that became surprisingly complicated. You need to exclude the signature in both auto detect and scheduled scans, and signatures are grouped in different categories and a signature can be in more than one category, or I might misunderstand the behavior of Symantec AV. I never got it to work the way I wanted.
I just excluded a directory and put Angry IP scanner in the folder. I wish I had better file security control but this is a FAT32 machine but much better than turning AV off.
I kept banging my head on the exclude signature path but your suggestion was much easier and this works for me. |
|
  rosco Premium join:2003-11-10 USA
| reply to redholm I have Angry IP scanner on a USB drive I use at school (college).
I stuck the drive in today to work on some files, and Symantec quarantined the file off of my drive... I had to go unquarantine it to get my file back. But they have the tamper control on so I could not exclude it. pissed me right off. |
|
 redholm
join:2004-10-31 Sunnyvale, CA | I found a petition for AV vendors to handle Angry IP scanner better. It has over 2,000 signatures. Symantec users are heavily represented.
Please sign if you have issues http://www.petitiononline.com/angryip/petition.html |
|
  Kunja Knight
| reply to redholm When the "Auto Protect" notification jumped up at me announcing that it had quarantined AngryIPScanner.exe, it had a checkbox right there in the announcement labeled "exclude". I ticked the box, downloaded AngryIPScanner.exe again, and Symantec left it alone. I'm running SAV Full 10.1.5.5000. |
|
  Kunja Knight
| reply to redholm I have an addition to my last post. For those of you willing to risk it all and hack your registry (Win XP), I figured out how to exclude SAV from finding AngryIPScanner as a "risk". As usual, hacking your registry could result in the destruction of your PC, blah blah blah, so use at your own risk.
HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScanFileExceptions
In this location, create a new String Value. Name it "ThreatName" (no quotes). In the "Data" field, enter "AngryIPScanner" (no quotes). Reboot. I can now directly scan AngryIPScanner.exe, and Symantec politely ignores it.
Hope this helps. |
|
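A read-only audit of the exclusion key named in the post above, added here as an example; it is not part of any post in this thread and not Symantec's own tooling. It lists every value under the key and flags a threat-name exclusion that is not on an approved list. The key path and the "ThreatName" value name come from the post; the function name, the approved list and the status labels are assumptions of this example.

```powershell
# Added example (not from the thread): read-only audit of the SAV exclusion key.
# Key path and the "ThreatName" value name are taken from the post above.
$KeyPath = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScanFileExceptions'

# Assumption: threat names the administrator has agreed to exclude.
$ApprovedThreatNames = @('AngryIPScanner')

function Get-SavExceptionAudit {
    param(
        [string]$Path = $KeyPath,
        [string[]]$Approved = $ApprovedThreatNames
    )

    # A missing key simply means no exceptions were ever configured here.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Exclusion key not present: $Path"
        return
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)

        # Only the value name described in the post is classified;
        # everything else is reported for manual review.
        if ($name -ne 'ThreatName') {
            $status = 'other setting (review manually)'
        } elseif ($Approved -contains $data) {
            $status = 'approved threat exclusion'
        } else {
            $status = 'UNAPPROVED threat exclusion'
        }

        [pscustomobject]@{
            ValueName = $name
            Kind      = $key.GetValueKind($name)
            Data      = $data
            Status    = $status
        }
    }
}

Get-SavExceptionAudit | Format-Table -AutoSize
```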