Topic: symlcsv1.exe - False Positive

Offline komputerfreak

  • Newbie
  • *
  • Posts: 4
symlcsv1.exe - False Positive
« on: July 04, 2008, 04:40:13 PM »
After today's Avast update I am getting what I believe is a false positive for the file C:\WINDOWS\TEMP\symlcsv1.exe.

I have Norton Ghost 10 installed on XP Pro, but have the Symantec background services disabled since I rarely use Ghost and I generally detest Symantec hogware. When I do need Ghost, I enable these Services manually at that time. The first false positive occurs when Norton Ghost starts.

One way to create this problem is by simply right clicking on a drive and selecting "Properties". Since Ghost is embedded in the properties pages, it starts automatically and the false positives start popping up (not just once, always for the same file). That's how I found the problem, but just starting Ghost has the same effect. Apparently Ghost is writing this file to the Temp folder as a "subscription check" or other (which in itself sucks big time and is liable to fail for random reasons, but that's another story).  Enabling the Symantec background Services fixes this problem since this file is apparently not being written to the Temp folder then.

I don't need any specific help for my problem since the workaround is to keep Symantec Services enabled. I am posting this simply because I could not figure out how to report false positives in other ways and in hopes that it can get fixed so I can use my main memory for more useful purposes.

One final note: Although I ran across this today, it may be older than that, since I don't use Ghost on a regular basis. Also, do not try to delete symlcsv1.exe or you will lose your subscription status for Ghost (did that already and had to restore from a backup image).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83355
  • No support PMs thanks
Re: symlcsv1.exe - False Positive
« Reply #1 on: July 04, 2008, 05:31:42 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.5.2415 (build 20.5.5410.561) UI-1.0.532/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: symlcsv1.exe - False Positive
« Reply #2 on: July 04, 2008, 05:47:42 PM »
Hello,

Please send a copy of the file to virus@avast.com. Please send it in a password-protected archive with the password "virus", without quotes. Thank you.

Offline Saint

  • Newbie
  • *
  • Posts: 1
Re: symlcsv1.exe - False Positive
« Reply #3 on: July 05, 2008, 11:59:57 AM »
I have the same issue--repeated messages today about this file. Each time I move to chest, only to get the warning again later. I don't have Norton Ghost, but I do have Norton Internet Security. I'm interested to hear the verdict on this.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: symlcsv1.exe - False Positive
« Reply #4 on: July 05, 2008, 02:01:59 PM »
Quote from Saint: "I'm interested to hear the verdict on this."
Did you submit the file to www.virustotal.com like David said?
The best things in life are free.

Offline komputerfreak

  • Newbie
  • *
  • Posts: 4
Re: symlcsv1.exe - False Positive
« Reply #5 on: July 06, 2008, 01:27:54 AM »
Sorry, I was busy yesterday (I'm in Japan time zone right now) and yes, I just submitted it. It had already been analyzed before with 0/33 positives; I re-analyzed my file with the same result, 0/33:

File size: 31920 bytes
MD5...: b4a48dfb6d867d85b6356e76eee0ae61
SHA1..: f22d67a7d80b90d67c9977ce96b243e156359aa3
SHA256: 9ce15d99e9827fbcdc3c69e4c33e3958c01140a940bf31339cdcde09b0ad035f
SHA512: 0c96e5246a003e48391f8d6a6bd94e0f80e40aff79689c59f7786754e99d7a91
9a9de4f89d2a29ec9efbafb5dacda18a34a52c7a03889de614fb39cc48ab5cc2
PEiD..: -
PEInfo: -

I will go through the provided link to submit as a false positive. By now I am pretty certain that it is, since it only occurs when C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe is started as part of Ghost starting  (Symantec Core LC). It apparently places the symlcsv1.exe file into the Windows Temp folder for a short period of time, then erases it when the real symlcsvc.exe is running (that's my guess).

On a side note, it seems that there are more false positives popping up, I just had another warning about wget which I am also pretty certain that it hasn't been tampered with.

Also, I am not sure whether this is the normal setting, but my Standard Shield in Avast is set to High.

I'm going to be out for the day, but can respond again by tomorrow and also e-mail the file as requested.

Regards
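
Added example, not part of the thread: one way to confirm that a copy exported from the chest is the same sample a pasted scan report describes, by parsing the report layout shown in the post above (including the SHA512 value wrapped onto a second line) and comparing size and digests. The function names and `SAMPLE` bytes are constructed for illustration.

```python
import hashlib
import re

ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
HEX_LEN = {n: hashlib.new(a).digest_size * 2 for n, a in ALGOS.items()}
HASH_LINE = re.compile(r"(MD5|SHA1|SHA256|SHA512)\.*:\s*([0-9a-fA-F]*)$")
SIZE_LINE = re.compile(r"File size:\s*(\d+)\s*bytes", re.I)

def parse_report(text):
    """Parse a pasted report; a bare hex line continues the previous digest."""
    report, last = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        size, digest = SIZE_LINE.match(line), HASH_LINE.match(line)
        if size:
            report["size"], last = int(size.group(1)), None
        elif digest:
            last = digest.group(1)
            report[last] = digest.group(2).lower()
        elif last and re.fullmatch(r"[0-9a-fA-F]+", line):
            report[last] += line.lower()  # wrapped digest, as with SHA512
        else:
            last = None  # any other line (e.g. "PEiD..: -") ends a digest
    return report

def compare(data, report):
    """Return {field: bool}; a digest of the wrong length never matches."""
    result = {}
    if "size" in report:
        result["size"] = len(data) == report["size"]
    for name, algo in ALGOS.items():
        if name in report:
            want = report[name]
            result[name] = (len(want) == HEX_LEN[name]
                            and hashlib.new(algo, data).hexdigest() == want)
    return result

# Constructed stand-in bytes (not the real symlcsv1.exe) and a report built
# from them in the post's layout, with SHA512 wrapped after 64 hex chars.
SAMPLE = b"constructed sample bytes for the demo"
def sample_report(data):
    s512 = hashlib.sha512(data).hexdigest()
    return "\n".join([
        f"File size: {len(data)} bytes",
        f"MD5...: {hashlib.md5(data).hexdigest()}",
        f"SHA1..: {hashlib.sha1(data).hexdigest()}",
        f"SHA256: {hashlib.sha256(data).hexdigest()}",
        f"SHA512: {s512[:64]}", s512[64:], "PEiD..: -"])

if __name__ == "__main__":
    print(compare(SAMPLE, parse_report(sample_report(SAMPLE))))
```

A mismatch on any field means the local copy is not the file that was scanned, so the scan result says nothing about it.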


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11747
    • AVAST Software
Re: symlcsv1.exe - False Positive
« Reply #6 on: July 06, 2008, 01:34:33 AM »
Are you saying that the file is not detected by any antivirus (including avast!) when submitted to VirusTotal - but avast! installed on your computer still detects it?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83355
  • No support PMs thanks
Re: symlcsv1.exe - False Positive
« Reply #7 on: July 06, 2008, 01:45:34 AM »
The virustotal VPS version can be a little behind a user's version as they don't update it automatically as we users do. So that often accounts for why it is detected on your system but not on VT.

Normal is the default setting on the standard shield, high would be scanning more files.

There have been a number of FPs recently but they are more likely to happen in the generic signatures indicated by the -gen part of the malware name.

Offline komputerfreak

  • Newbie
  • *
  • Posts: 4
Re: symlcsv1.exe - False Positive
« Reply #8 on: July 06, 2008, 01:57:28 AM »
That is correct. The website has this line entry for Avast

Avast   4.8.1195.0   2008.07.05   -

Unfortunately my copy of Avast autoupdated when I booted today, so I can only give you my current info
Avast   4.8.1201  with VPS 080705-0

As far as I know, my autoupdate worked and I was up to date as of yesterday/2 days ago etc, when the problem started occurring.

Also, it shouldn't matter, but I am running XP Pro under Bootcamp on a MacBook Pro. Wanted to mention it just in case.

As DavidR writes, this is one of those -gen signature detections if I remember my virus warning correctly.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83355
  • No support PMs thanks
Re: symlcsv1.exe - False Positive
« Reply #9 on: July 06, 2008, 02:45:50 AM »
You can check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections, rather than having to test your memory.

Offline komputerfreak

  • Newbie
  • *
  • Posts: 4
Re: symlcsv1.exe - False Positive
« Reply #10 on: July 06, 2008, 04:14:03 PM »
Final Update: VPS 080705-0 seems to have fixed this false positive (at least for me)

Details:
I didn't have time this morning (Japan time) to go and check the problem again by disabling my workaround. Symantec's subscription checker is notorious for crapping out (it IS a virus as far as I am concerned), but since I do need to use Norton Ghost sometimes, I am basically restoring a backup disk image every time my Symantec "subscription" craps out. This false positive "symlcsv1.exe" created that situation, so I had to go back to a previous backup and restore my disk image (ironically by using Ghost).

VPS 080704-2, which was the virus definition file of my backup, still gives multiple (in excess of 10-15) virus popups for this, but the current, updated VPS 080705-0 doesn't do this anymore under the same configuration. Fast work by Avast, thank you! As far as I can tell, this issue is fixed.

@DavidR: Thanks for the Log Viewer hint .... it didn't really work for me in this case, though, because every time the Symantec subscription service crapped out, I had to keep going back to a known good disk image, which also erased my log, of course.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: symlcsv1.exe - False Positive
« Reply #11 on: July 06, 2008, 04:34:36 PM »
Quote from komputerfreak: "Fast work by Avast, thank you! As far as I can tell, this issue is fixed."
As they usually do for fixing false positive detections.
Welcome to avast forums and feel free to come back any time you need help or just to change experiences 8)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83355
  • No support PMs thanks
Re: symlcsv1.exe - False Positive
« Reply #12 on: July 06, 2008, 04:43:57 PM »
Quote from komputerfreak:
"Final Update: VPS 080705-0 seems to have fixed this false positive (at least for me)
<snip>
@DavidR: Thanks for the Log Viewer hint .... it didn't really work for me in this case, though, because every time the Symantec subscription service crapped out, I had to keep going back to a known good disk image, which also erased my log, of course."

You're welcome, thanks for the feedback on the resolution of the FP.