It’s going to be a long day for sysadmins who use AutoIT on their production Lan as symantec has detected the product as MSN.flooder in their dat files – the last time this happened was Jan 2006. Fortunately I only have it on a couple of pc’s but it is going to be a real pain for someone who uses it on every desktop or in login scripts. This follows about a week after they crippled thousands of chinese pc’s by detecting windows files as virus’s. I sure wouldn’t want to be a chinese sysadmin running autoit! Home users can log a report at the symantec false positive report site but enterprise gold or platinum users need to contact support or submit a false positive report after updating the dats. To report using the antivirus application – right click the file in quarantine and choose submit to symantec security response. Unfortunately on my work pc I don’t have rights to do this!
Update Downloading the latest updates to May 31st defs, releasing the files from quarantine and then scanning did not quarantine the files again.
Update 2 It looks like the same definition patterns also got a false positive in Search & Destroy according to SANS.
Update 3 Html corrected to ensure the updates appear properly.
Comments
All of the projects I was working on got deleted… not quarantined… deleted. I have backups, but still. At lest they rewrote the virus defs over night.
There is only one file in Spybot S&D that is recognized as a virus and all it is, ( I beleive blindman.exe ) is a blank reference file so when you enable/disable a startup item, this takes its place, as to not slow startup times.