In the last 24 hours we have received a large number of reports, both via the Symantec and Norton forums and via our False Positive (FP) reporting process, regarding unexpected Intrusion Prevention detections for multiple trusted web locations. These sites were detected because of an errant detection on our part, one intended to target a specific type of malicious network traffic. We make great efforts to avoid detection of clean network traffic, testing each signature thoroughly against known good network traffic, including both live and historical content from many popular websites. What happened in this case is the result of two specific problems:
1) an element of the malicious network traffic we targeted for detection was common to many clean websites, and
2) our detection was missing a key constraint that would have prevented detection of the clean sites.
As of earlier this morning (PST) this issue has been fixed and an updated detection released via our LiveUpdate service. If you are still experiencing unexpected “HTTP Zombie Exploit Toolkit Request” detections and are skeptical about the issue, please update your Norton or Symantec product using LiveUpdate, and the issue should be corrected. Instructions on how to update your product using LiveUpdate can be found at the link below:
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080417124026EN&ln=en_US
Please don’t hesitate to report this or any additional detections you believe to be False Positives if this fix does not resolve the issue for you. Our False Positive reporting page is available here:
https://submit.symantec.com/false_positive
We sincerely apologize for any inconvenience this may have caused you or your customers, and we would like to thank each of the members in our user community responsible for bringing this to our attention so quickly.