The Welkin Suite Forum

welkinsuite.autoupdater.exe detected as Heur.AdvML.B virus




#1

phil.spenceley

    Posted 17 Aug 2016

    Just to let you know, Norton AV this morning detected WelkinSuite auto-update as a High Risk virus and Quarantined it.



    9 replies to this topic

    #2

    oleksiy

      Posted 18 Aug 2016

      Had the same on my laptop this evening, with the exception that the file was deleted by Norton AV.



      #3

      vlgubanovich

        Posted 18 Aug 2016

        Hi Phil and Oleksiy,


        Thank you for letting us know about this issue!


        Can you please let us know when exactly Norton detected TWS as a virus? Was it when downloading it or installing or just using or anything else?

        Can you please also tell us what version of Norton AV you have?


        This info will help us contact Norton to resolve this situation.


        Thank you,

        Vladimir


        Vladimir Gubanovich
        Head of Product
         
        The Welkin Suite
        skype id: vladimir.gubanovich
        e-mail: vladimir.gubanovich@welkinsuite.com


        #4

        joe.briatico

          Posted 18 Aug 2016

          I received the same error.  It happened while I was installing



          #5

          oleksiy

            Posted 18 Aug 2016

            It happened with real-time protection - just a regular background monitoring. And also when I was trying to install the newest version until I added the file to the exceptions list. I'll be able to provide more details when I'm back home later in the evening.



            #6

            oleksiy

              Posted 19 Aug 2016

              Norton Security Suite v 22.7.0.76

              [attachment=148:norton.PNG]



              #7

              kate.dulko

                Posted 19 Aug 2016

                Hi guys,


                Thank you for the additional information.

                We will check this issue with other Antivirus programs.


                We are going to contact them to solve this issue.

                You don't need to worry; the TWS installer doesn't contain any danger to your system and it doesn't modify any system files.


                Best Regards,

                Kate


                Kate Dulko
                Customer Relations

                The Welkin Suite

                twitter: @KateDulko
                skype id: d_katerina
                e-mail: kate.dulko@welkinsuite.com

                 

                  


                #8

                joe.briatico

                  Posted 09 Nov 2016

                  Just tried to install Spire 3 and received the same error. I thought this was fixed





                  I attached a doc that shows the Norton Screen and the failed TWS screen



                  #9

                  dave

                    Posted 10 Nov 2016

                    Edit: oops - just realized that this was an old thread. I'll not delete this post though, in case the info from a recent install is still useful.



                    I've also seen this from Norton. It reports it as a SAPE virus, https://www.symantec.com/security_response/sape/ , which I think means that it didn't necessarily find some specific code signature that it can associate with a known virus but instead found some bits that look similar to what viruses use.





                    Heur.AdvML.B is a heuristic detection designed to generically detect malicious files using advanced machine learning technology. A file detected by this detection name is deemed by Symantec to pose a risk to users and is therefore blocked from accessing the computer.



                    The alert text on my machine was:





                    Filename: welkinsuite.autoupdater.exe
                    Threat name: Heur.AdvML.B
                    Full Path: c:\program files (x86)\the welkin suite\the welkin suite\updaterservice\welkinsuite.autoupdater.exe
                    ____________________________
                    On computers as of 9/7/2016 at 3:20:49 PM
                    Last Used 10/19/2016 at 10:09:22 AM
                    Startup Item: No
                    Launched: No
                    Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
                    ____________________________
                    welkinsuite.autoupdater.exe Threat name: Heur.AdvML.B
                    Very Few Users: Fewer than 5 users in the Norton Community have used this file.
                    Very New: This file was released 22 days ago.
                    High: This file risk is high.
                    ____________________________
                    Source: External Media
                    Source File: msiexec.exe
                    File Created: welkinsuite.autoupdater.exe
                    ____________________________
                    File Actions
                    File: c:\program files (x86)\the welkin suite\the welkin suite\updaterservice\welkinsuite.autoupdater.exe Removed
                    ____________________________
                    File Thumbprint - SHA: f40914ffcdacd061ed560b1565c5257ef624befcfce79968c1fb91c271ebd016
                    File Thumbprint - MD5: Not available



                    #10

                    kate.dulko

                      Posted 15 Nov 2016

                      Hi Joe, Dave,



                      Thank you for contacting us with this issue and for all the provided information.

                      The reason heuristic detection in the mentioned antiviruses reacts this way to TWS files is the auto-updater functionality in the IDE. The Welkin Suite is based on the Visual Studio Isolated Shell 2013, so its installation/update should be performed for all users, and using Administrator rights is necessary.

                      Antiviruses may detect this behavior as potential malware and, based on your settings, even delete such files immediately.

                      Another reason why this may happen is that we released a new installer and auto-updater just several weeks ago, and antivirus companies do not have much positive history for those files yet.

                      We kindly ask you to unblock the application in your virus scanners so that they won't delete the file and you will be able to install it.

                      We will contact the support of Norton Screen and Symantec to check the reason for this behavior and to add TWS installation files to the whitelists.



                      Best Regards,

                      Kate

                      Kate Dulko
                      Customer Relations

                      The Welkin Suite

                      twitter: @KateDulko
                      skype id: d_katerina
                      e-mail: kate.dulko@welkinsuite.com
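
Added example, not part of the thread and not The Welkin Suite's own tooling: checks to run on a restored `welkinsuite.autoupdater.exe` before unblocking it as requested above. The expected hash is a placeholder that has to come from the vendor over a separate channel, and the thread does not say whether the file is Authenticode-signed, so the signature result is reported rather than required.

```powershell
# Added example: verify a binary flagged by a heuristic AV detection before
# excluding it. $Path is the location shown in the alert quoted in this thread.
# $ExpectedSha256 is a PLACEHOLDER (assumption): use the value the vendor
# publishes for the exact installer build you downloaded.
param(
    [string]$Path = 'C:\Program Files (x86)\The Welkin Suite\The Welkin Suite\UpdaterService\welkinsuite.autoupdater.exe',
    [string]$ExpectedSha256 = '<SHA-256 published by the vendor>'
)

function Test-FlaggedBinary {
    param([string]$Path, [string]$ExpectedSha256)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found (still quarantined or removed?): $Path"
    }

    # Hash of the file actually on disk, compared case-insensitively.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Authenticode check: 'Valid' means signed, chain trusted, content unmodified.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        HashMatches     = ($hash -ieq $ExpectedSha256)
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
    }
}

$result = Test-FlaggedBinary -Path $Path -ExpectedSha256 $ExpectedSha256
$result | Format-List

if (-not $result.HashMatches) {
    Write-Warning 'Hash differs from the vendor value: do not add an exclusion for this file.'
}
elseif ($result.SignatureStatus -in 'HashMismatch', 'NotTrusted') {
    Write-Warning "Signature check failed ($($result.SignatureStatus)): do not add an exclusion."
}
elseif ($result.SignatureStatus -ne 'Valid') {
    Write-Warning "No valid signature ($($result.SignatureStatus)): the hash match is the only evidence."
}
```

The SHA value in the alert above identifies the file Norton removed, so it can confirm which build was flagged, but it is not evidence that the build is the vendor's.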

                       

                        




