Bloodhound.Exploit.459 - false positive

  • 1.  Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:26 AM

    Hi all,

     

    Does anyone else experience an increase in Bloodhound.Exploit.459 reporting throughout your networks?

    As of today, those errors start to pop up when the client computers open .xls files. It seems that some sort of exploit in a program is triggered when the file is read. Unfortunately there is no further explanation on the Symantec websites regarding this exploit, so I do not know what exploit is triggered. I hope someone here can point me to a solution :-)

    Regards

    Stephan

     



  • 2.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:44 AM

    Yes, we also see these FPs, .xls files coming from mails.

    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Security risk detected: Bloodhound.Exploit.459
    File: XxXxX.xls
    Location: Mail System
    Computer: XxXxX
    User: XxXxXX
    Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
    Date found: 8. maj 2012  14:09:42



  • 3.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:46 AM

    Yep, same here



  • 4.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:49 AM

    Confirmed.  We are having the same issue.  It does seem to be affecting XLS files only at this point.  Unfortunately I have not received a call back from Symantec as of yet.  We have not yet come across any specific threat in any of the files, and have not ruled out that it may be a false positive detection. 

    Symantec, we sure could use an answer on this one....

     

     



  • 5.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:50 AM

    Here too, triggered by a .xls file in Outlook.  Action Taken was "Left Alone" and log shows an exception was generated.



  • 6.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:51 AM

    We are seeing this as well on .XLS files. We have scanned several of them with multiple online scanners and all report the files are clean. I'm certain these are false positives.



  • 7.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:53 AM

    Many thanks for opening this thread, Stephan-  We are looking into this matter now.

    There is no need to contact Technical Support for this issue at the present time.

    I will update this thread when there is more information available.



  • 8.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:53 AM

    I'm waiting for a technician; have any of you talked with Symantec about it?



  • 9.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:54 AM

    Have the same issue here. Left alone /Auto-Protect..

     



  • 10.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:55 AM

    Hopefully Symantec comes up with a solution pretty quick.



  • 11.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:55 AM

    The same with files inside Notes, and annoying information about unsuccessful quarantine in almost every email.



  • 12.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 08:55 AM

    I am getting the same problem just with Excel files.



  • 13.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:01 AM

    Yes, we're seeing this too.  Any time someone previews an Excel worksheet from within Outlook we're getting the 'Bloodhound.Exploit.459' SEP pop-up.  Opening the files outside of Outlook doesn't cause any problems and both a manual scan from SEP and other online scanners say the file is clean.



  • 14.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:03 AM

    Same symptoms as everyone else. .XLS files inside emails are being flagged as Bloodhound.Exploit.459 . Quarantine fails. The files will open fine when you save them to local disk and open. 

    We use:

    Exchange 2008
    Office 2010
    Symantec Endpoint Protection 12



  • 15.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:04 AM

    Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
    File status: Infected

    This is the message we are getting.  Hopefully Symantec does something soon



  • 16.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:04 AM

    I hope it will be solved as soon as possible



  • 17.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:04 AM

    We are experiencing the same thing.  Outlook and xls files but nothing quarantined and everything comes up clean.



  • 18.  RE: Bloodhound.Exploit.459 - false positive

    Trusted Advisor
    Posted May 08, 2012 09:05 AM

    Hello All,

    I agree with Mick. "Thumbs Up" to him.

    Symantec Security Response Team is looking into this and we would update this Thread as soon as there is an update on this Issue.



  • 19.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:06 AM

    We're having the same here, only excel files so far and the action is 'left alone'.

    On a side note, only one part of our network has this problem, the other seems to be fine. On the part that's fine people aren't allowed to preview documents in outlook, the part where we get the reports they are.



  • 20.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:07 AM

    Exactly the same issue here. Only .xls files appear to be affected (no .xlsx). Event action Virus Found (Left Alone).



  • 21.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:08 AM

    Only appears on xls files



  • 22.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:13 AM

    We're seeing this too.   It looks like Symantec for Exchange is actually removing the attachments.  That's not good.



  • 23.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:14 AM

    Although, here it doesn't seem to be triggered when I send .xlsx files.  It's only the .xls.  Can someone with Excel 2k confirm?

     



  • 24.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:15 AM

    Same here.. waiting for fix / update



  • 25.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:15 AM

    We are running SEP 12.1 RU1 and are having Bloodhound.Exploit.459 being identified in XLS documents via Outlook 2010.

    Was this a bad definition update? When can we expect an update?

    Thank you, have an awesome Tuesday all.



  • 26.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:16 AM

    Hello All,

     

    Here the same problems, the same "exploit" from different email/xls

     

    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Security risk detected: Bloodhound.Exploit.459
    File: *.xls
    Location: Mail System
    Computer: *
    User: *
    Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
    Date found: 08 май 2012 г.  15:59:59 ч.

    ....maybe a problem with the new  definitions ??

    Waiting for answer... !



  • 27.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:18 AM

    Just had Symantec on the phone to me and they confirmed they are aware of this and are working on the fix globally. It seems the latest definition file they sent out might have had some issue.

    I will get an update on phone or email about the same ASAP.

     

    Will keep you posted



  • 28.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:18 AM

    We are seeing this false-positive as well.  SEP12.1 RU1.



  • 29.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:18 AM

    Confirmed. XLSX files seem not to be affected.



  • 30.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:18 AM

    This was brought to my attention, and couldn't find anything on it...then hey presto!

    This is just from opening from Outlook, as far as I can see.



  • 31.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:19 AM

    We are getting the same false positive messages as well since this morning, however users are still able to open .xls attachments within Outlook.



  • 32.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:20 AM

    Unable to find anything wrong with the file, only when pulling it out of outlook does Symantec alert. After it has been moved out of Outlook manual scans return nothing. Although it looks like this is an experimental

    Risk Type
    Bloodhound.Exploit.459
    Experimental heuristics

    Action Source
    Left alone
    Auto-Protect



  • 33.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:22 AM

    Lots of complaints today on this Bloodhound issue. For starters I lowered the level of detection and emailed the plaintiffs that it is a false positive.



  • 34.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:23 AM

    It started with update version R38 . Workstations with R22 have no problems.

    We use SEP 12.1



  • 35.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:24 AM

    Don't think for a minute that the problem is limited to .xls files, Yes, while most are .xls I have one reported on a .ppt...so keep your eyes open while we wait for Symantec to provide us with something



  • 36.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:25 AM

    I have confirmed that with us all the alerts are with .xls files.  Also...I just created a brand new .xls file with just the words test file in a cell and as soon as I emailed it the alert was generated.  It seems to be related to emails as well as just opening the blank file didn't cause the problem.



  • 37.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:26 AM

    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Security risk detected: Bloodhound.Exploit.459
    File: xxx.xls
    Location: Mail System
    Computer: xxx
    User: xxx
    Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
    Date found: Tuesday, May 08, 2012  3:59:22 PM



  • 38.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:28 AM

    The same TEST.xls file is not found as a threat when scanned or opened directly.  It is only found as a threat when sent via email.



  • 39.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:30 AM

    Hi, we faced the same 1 hour back and it is spreading like crazy. I am on call with a Symantec specialist on the phone.



  • 40.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:30 AM

    Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected

    on Excel files attached within Outlook --beginning this morning.



  • 41.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:30 AM

    Risk name: Bloodhound.Exploit.459
    File path: Bookstore.xls
    Event time: May 8, 2012 7:59:12 AM

    Any updates yet?



  • 42.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:32 AM

     

    Security risk detected: Bloodhound.Exploit.459
     
    Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
     
    File status: Infected
    Symantec Endpoint Protection found a security risk in an attachment from XXXXXXX


  • 43.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:34 AM

    We're having the same issue. I've called Symantec as well and am waiting on a tech to call back.



  • 44.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:34 AM

     

    Scan type: Auto-Protect Scan
    Event: Security Risk Found!
    Security risk detected: Bloodhound.Exploit.459
    File: Overlapping Employee Data_VENKAT.xls
    Location: Mail System
    Computer: XXXXX
    User: XXXX
    Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed
    Date found: Tuesday, May 08, 2012  7:01:40 PM


  • 45.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:36 AM

    The False positive would be gone as soon as the issue gets resolved by Symantec. Kindly Do not Panic.



  • 46.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:37 AM

    Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected
    Attachment: COAL 5-4.XLW
    Security risk detected: Bloodhound.Exploit.459 Action taken: Neutralized by Quarantine failed : Neutralized by Quarantine failed File status: Infected



  • 47.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:39 AM

    Does Symantec have an ETA of when this fix will be pushed out?

     



  • 48.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:41 AM

    Same issue here.

    Bloodhound.Exploit.459 message on 6 computers until now.



  • 49.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:43 AM

    "The False positive would be gone as soon as the issue gets resolved by Symantec"

    This is like telling us the bleeding will stop once it's healed. How about a little more information regarding ETA? Resources? Workarounds?

    I've disabled Microsoft Outlook AutoProtect for the time being to see if we can get a functional workaround while Symantec sends out notices telling us the issue will be gone as soon as they fix it.



  • 50.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:43 AM

    Would just be nice to be informed within the console or the security response site that there is a problem with false positives. Have been wasting much of my afternoon hunting a ghost :(



  • 51.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:45 AM

    Will the fix be pushed or will we have to manually retrieve it/them???

     



  • 52.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:46 AM

    A lot of people are growing really concerned on this.  Clients, Employees, Non-Tech People, Etc. are very worried we are infected.  We need answers!  We also need an ETA on the Fix?



  • 53.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:46 AM

    Should we roll back on the definition until this is fixed?



  • 54.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:48 AM

    My report server is sending out 100's of emails containing xls files, need a fix ASAP. Has anyone heard of anything yet?



  • 55.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:54 AM

    It's very strange, 'cause it's not happening on all systems, although they have the same product (version, RU, patches, etc.) installed, the same policy applied, and so on. The same xls' pop up on some machines, and on others do not..

    By the way: 12.1.1000.157 RU1

     

    10x



  • 56.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:56 AM

    How can they be so sure that it is indeed a false positive??.....I would like to see Symantec post some kind of evidence to the False Positive theory.

    PLEASE !!!!!



  • 57.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:58 AM

    Waiting for update here as well.



  • 58.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 09:59 AM

    Our organization wants an update as well. Many users are skeptical, please provide ETA.



  • 59.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:02 AM

    Having same problem.  Only workaround I have found is to turn off Microsoft Outlook Auto-protection.



  • 60.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:02 AM

    After testing on several Excel files. It only happens from Outlook with .XLS files not on .XLSX files.



  • 61.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:07 AM

    I'm sure they will release details once fixed.  If it's any comfort...I created a blank spreadsheet on a system that is not infected and verified the problem.  It only picks up with .xls files sent via emails as the same file when scanned as a document saved to disk does not pick up an alert.



  • 62.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:11 AM

    Works, but not such a good idea, exposes you too much I guess; maybe just except xls' from being scanned for the moment..



  • 63.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:14 AM

    I agree, I wouldn't turn it off  



  • 64.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:14 AM

    Same here.

    I get an alert only on attachments on Lotus Notes.

     

    If you have the attachments and scan the folder there is nothing.

     

    ---



  • 65.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:17 AM

    Got this on an xlsx file over the network.

    Bloodhound.Exploit.459
    Experimental heuristics

    Left alone
    Auto-Protect



  • 66.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:17 AM

    Getting notification of "CRITICAL: NETWORK VIRUS DETECTED"

     

    Bloodhound.Exploit.459
    Experimental heuristics

    2 different users in 2 different offices accessing the same .xls file are reporting the same error...

     

     



  • 67.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:20 AM

    Same issue with lotus notes mail client.



  • 68.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:20 AM

    I recently opened a case about this issue. Here is what I just got back.

    "From the information I have, you have alert related to Bloodhound.Exploit.459. Do not worry since this is only a False Positive and currently our team is working on this issue"

    "This is a known issue and these detections may be ignored.  Your security is not at risk. An announcement will be forthcoming as soon as the issue is resolved."

    Hope this helps, not ready to drop my guard, but this might help to confirm this concern.



  • 69.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:20 AM

    I think turning off Auto-protection could open the floodgates...know what I mean?



  • 70.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:23 AM

    This article is old but it's working!

    http://service1.symantec.com/support/ent-security.nsf/docid/2007111515160948

    Article: TECH102935



  • 71.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:27 AM

    I'm glad I found this thread. I thought we had a major infection underway, including calls from our customers who thought we infected them when they opened our spreadsheets.

    I gotta say, it must suck to work in Symantec tech support department today.



  • 72.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:29 AM

    If you have Mail Security for Microsoft Exchange running and still have file auto-protection turned on you should be safe.  I like all the protection I can get so I wouldn't turn it off.



  • 73.  RE: Bloodhound.Exploit.459 - false positive



  • 74.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:49 AM

    That article starts by saying "Possible"

    I'm not getting that warm fuzzy feeling !!!



  • 75.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:50 AM

    Thanks for the link. I had trouble loading from the link you provided, just in case others have the same problem here is the direct url http://www.symantec.com/docs/TECH188271

     


  • 76.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 10:54 AM

    Yeah, in order to open the previous link you must be logged in to Symantec



  • 77.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:00 AM

    We are getting hits on .ppt as well.



  • 78.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:01 AM

    That link just brings you to the main support page .. there's nothing to do with this issue.



  • 79.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:03 AM


  • 80.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:05 AM

    .



  • 81.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:06 AM

    Are you receiving multiple instances of this with PowerPoint?  I was able to create a blank .xls file and duplicate the problem and that did not happen with a blank PowerPoint sent via Outlook.  It's possible that you may have a real infection if it's only 1 or 2 users or the same PowerPoint file.



  • 82.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:07 AM

    It still takes you to the main support page



  • 83.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:10 AM

    Disabling "Enable Bloodhound (TM) heuristic virus detection" solves that problem in our environment, but this is no final solution of course



  • 84.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:10 AM

    Copy the link and once it takes you to the main support page, paste the URL again....this worked for me



  • 85.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:12 AM

    Symantec... Any update on this issue? Please release a new definition ASAP.



  • 86.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:13 AM

    Isn't doing that opening a can of worms??...What if other legitimate Bloodhound viruses attack??...you won't be protected....

    My mama always told me to wear a raincoat when going out in the rain



  • 87.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:19 AM

    Glad I stumbled across this.  Am having the same issue on our network.  Looking forward to the new defs.



  • 88.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:20 AM

    I disabled the Bloodhound option in order to check if this has any effect or not. After that I enabled it again. But perhaps for other companies it has more negative business impact when not being able to transmit Excel sheets than disabling one security option temporarily!?



  • 89.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 11:27 AM

    My company uses Excel heavily...a little heavily if you ask me...but what I did was instruct the end users to ignore the messages and let them know that it will be patched as soon as it becomes available...

    It is working for me



  • 90.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 08, 2012 12:50 PM

    Thanks for the info...will stay tuned.  It is bouncing all over the place here. Started around 10:ish...and seems to be spreading.



  • 91.  RE: Bloodhound.Exploit.459 - false positive

    Posted May 09, 2012 03:02 AM
    Good day Mick, I am having the same issue, an influx of these xls file alerts on some of my endpoints. Your help will be of great assistance. Kindest regards, Benjamin.