
Spotify is detected as a Trojan Horse?

Created: 28 Jan 2010 • Updated: 21 May 2010 | 30 comments
This issue has been solved. See solution.

Does anyone know anything about “Spotify” being detected as a Trojan Horse?

I’m running Symantec Endpoint Protection version 11.0.5002.333
Definitions: 27 January 2010 r49


reedmohn:

Just started happening here, too.
Messages about Spotify are pouring in.

Not that I am sad about it, it's not exactly a business critical application, but it is causing users some grief.

Is this deliberate from Symantec?

Martin_H:

Same problem here. All my clients using Spotify suddenly receive this warning.

Magnus_Sweden:

A Spotify employee writes this in their support forum: "We've made no changes to Spotify and there is nothing infecting it. It's possible that it's a false positive which we've seen before from anti-virus programs. " http://getsatisfaction.com/spotify/topics/spotify_defined_as_a_trojan_by_symantec#reply_1837534

kjellie:

Same problem here.
Need ASAP confirmation that verifies whether the threat is real or a false positive.

P_K_:

Please submit the file to https://submit.symantec.com/websubmit/gold.cgi.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Ola Svessson:

Hi, the file is submitted already and there are several open cases with this.
Case: 411-147-522 - False Positive - spotify.exe detected as trojan - Tracking #14666799

Seems that the testing of the defs is limited; according to Spotify they have 100 000 000 installations of the application.

/Stickan

AravindKM:

False Positive Submission

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Ola Svessson:

Sorry, 100 000 000 downloads, 7 000 000 installations. Not yet released in the US. Probably why it is not tested.

/Stickan

Mark Pugh:

It is business critical! Means I don't need to listen to the crap my boss says all day. Keeps me sane. I keep the network sane.

Seeing this annoying false positive here too. When can we expect the updated defs, Symantec?

Aniket Amdekar:

Hi,

We are aware of this false positive and working on it.

The definitions for Spotify will be published very soon.

This post will be updated as soon as the definitions are published.

Best,
Aniket Amdekar

Paul Murgatroyd:

Hi All,

Security Response have confirmed this is a false positive and have fixed the issue.

If you are running SEP or SAV, then Rapid Release definitions have just been released dated 28/01/2010 rev. 2.

They will be included in the next full release for both SEP and SAV.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Aniket Amdekar:

Hi,

Please refer to the link below:

http://www.symantec.com/business/security_response...

The sequence number of the definition is: 106370

So, if you download the rapid-release definitions, the issue should be resolved.

Please post a comment in this thread if you have applied the Rapid-Release definition mentioned above, and let us know if the issue has been taken care of.

Cheers,
Aniket

SOLUTION
mikeymike64:

Re the 'solution' posted by Aniket Amdekar;

Please bear in mind that most users, like myself, have no idea what to do with the information you supplied! You may as well have written in Ancient Egyptian hieroglyphs.

"So, if you download the rapid-release definitions, the issue should be resolved."

Well I found definition 106370 on the link you supplied but there must be over 50 downloads there!!

Come on Symantec, you have to do better than this . . .

Aniket Amdekar:

Hi,

Thanks for pointing out the missing simplification of the technical details.

Here is the info you should have received in the first post itself:

How to update definitions for Symantec Endpoint Protection Manager using a JDB file

http://service1.symantec.com/support/ent-security....

Applying rapid release definitions to a Symantec Endpoint Protection (SEP) client.

http://service1.symantec.com/support/ent-security....

You need to download the JDB file provided in my original link and then use the articles mentioned above.

Cheers,
Aniket

reedmohn:

At the same time, we started seeing blocks of "install_flash_player.exe" as well. Don't think I've seen that before.

Related problem?

Pekka:

We have started to see install_flash_player.exe as infected with a Trojan.
Is this fixed with the latest rapid release as well?
I'm pretty sure that this is a false positive as well.

knightstorm:

It would be helpful if the properties window for the quarantine showed the original file properties. That might help us determine the original source of the quarantined items.

rjouin:

Hi all,
Must be a bit silly but I can't find out how to download rapid-release definitions.
Anyone can help?

This patch doesn't seem to work on Windows 7...
=> symrapidreleasedefsv5i32.exe

Thx

cpeterm:

Thanks Aniket Amdekar,
Your latest response solved the problem.
I installed the rapid-release definition and the problem is gone.

I see this problem as resolved.
Thanks again for the rapid response Aniket.

Paul J:

We are also seeing huge amounts of alerts on install_flash_player.exe being quarantined as a Trojan Horse.

Please advise on this ASAP

MightyTor:

@ rjouin

That's not a silly question at all. I can't find it either.
Please refer to a link.

LensIT:

Well I'm REALLY stupid!
- sorry what do you mean 'refer to a link'?
Anyone know how to force Symantec Endpoint Protection to retrieve these latest defs?
Maybe not business critical, but people ringing up the helpdesk to advise of a virus found is getting annoying.

MightyTor:

I find it very complicated. I don't understand why Symantec can't do this automatically through LiveUpdate. We are paying for this! And now it's up to US to fix a problem that THEY have caused?

Hmmffph...

Well, enough complaining.

Yes davrog, I was thinking about that link, but I'm not sure which one to download.
Because there are several downloads there. I have Win 7 ultimate 64bit. And my Symantec product is Norton Internet Security Online 2009 or 2010. So which one to download and install?
I just need to fix this Spotify problem, nothing else....

If the nice technician named Aniket would be so kind as to explain this step by step for me, I would appreciate it enormously, because the explanation in the links he posted is quite difficult to follow.

regards
MightyTor

cable mite:

See more here on sans.org

http://isc.sans.org/diary.html?storyid=8104

First SEP does not like 2010 and now it doesn't like Spotify & Flash.

------------------------------------------------------------
MR99 will fix it all.

Mark Gregory:

I see others are also seeing detections on install_flash_player.exe. Has this issue also been confirmed with install_flash_player.exe? If so, will the rapid release correct that problem?

Mark

Aniket Amdekar:

Hi Mark,

The Rapid Release sequence 106382 will be able to solve this issue. If you use the rapid release definitions and use the articles I have mentioned in my previous post, the issue will be taken care of.

Cheers,
Aniket

LensIT:

I don't really care too much about Spotify, unlike my 100-odd users who lost it and don't think too highly of Norton, but after trying various methods of updating SEPM with rapid release versions, and waiting instead for LiveUpdate to update it yesterday (why can't LiveUpdate do it straight away!), I now have the problem of my system showing 120 PCs infected with a bogus virus!

Can anyone please tell me how I'm meant to clear this status from SEPM without having to go to each individual PC and mark it as cleaned? And where do I send my bill to, Mr Norton?
:)

(By the way, I found a document for the supposed rapid definitions update, for future reference: http://service1.symantec.com/support/ent-security.nsf/docid/2007100820002048?Open&seg=ent ...)

Aniket Amdekar:

Hi,

Have you tried this document?

http://service1.symantec.com/support/ent-security....

-- Click on Advanced Settings
-- Click on Compliance Options
-- Check the box for "Infected Only"
-- Save the filter as "Infected computers"
-- Click on View Logs; it should show all the computers in Infected status
-- In the drop-down menu where the default selection is "Selected", make sure that you select "All"
-- Click on Clear Infected Status
-- Log out and log back into SEPM and wait for 10 minutes
-- After 10 minutes, on the SEPM home page, none of the computers should be shown as still infected

Cheers,
Aniket