
SONAR.PSDownloader!g1

Open X-eno opened this issue 2 years ago • 3 comments

Norton360 detects the use of LE64.exe as SONAR.PSDownloader!g1, blocks and isolates it.

X-eno avatar Mar 06 '22 16:03 X-eno

Could you please provide some more details, such as which version of the Norton360 product is used, whether it was recently updated, which version of LE64.exe you are using (and where it was downloaded from), etc.? From what I can see, Norton360 pops up in search results quite a few times in the context of false positives by the look of it.

Unfortunately, it does not seem that there is a free version of the product (or a trial not requiring entering payment information), so I cannot verify this case specifically. However, VirusTotal, for example, while scanning LE64.exe, gets just one obscure product out of 68 flagging it. Nor does it get flagged by Windows Defender.

The best course of action would probably be to check the recommendations of Symantec (such as regarding updating the product definitions to the latest) and report the false positive - if I understand this correctly, their products have "Incorrectly detected by Norton" or some similar option.

do-know avatar Mar 06 '22 18:03 do-know

Oh sorry, my mistake for not putting much information in the issue... OS: Windows 10. Software: Norton360, the latest version (no update available), 22.22.1.58. I updated everything I could from Norton's definitions and it stays the same for LE64.exe.

le64.exe: the latest (0.38), which has resided in a folder since last October, I think, and a new one that I freshly downloaded today, to try a "fresh" one. And I tried the le32.exe the same. The le**.exe's are from the GitHub here.

But to explain it more exactly: it's not the le64.exe itself that gets isolated, it's the AppData\Local\Temp... files (which get generated at runtime?), like AppData\Local\Temp\par-4d61726b\cache-1633010146\le64.exe, AppData\Local\Temp\par-4d61726b\cache-1633010146\inc, ...

That's what Norton blocks and isolates (removes).

Hopefully I didn't forget anything.

X-eno avatar Mar 06 '22 20:03 X-eno

Thanks for the update. If the binaries are downloaded from this project, those should be safe. They are always verified via VirusTotal with every release, and I have double-checked after you raised this issue - as mentioned above, just one obscure product of 68 flagged it as suspicious (you can re-scan them as well if you like, of course). Norton360 is unfortunately not used by VirusTotal by the look of it (though perhaps they had a reason for that). There does not seem to be a straightforward way to communicate to the company behind the product that they are triggering a false positive either - their help pages only mention the existence of some "Incorrectly detected by Norton" button/tab somewhere within the products. If you have such an option available, please try using it - perhaps this should help with the issue going away with their future updates. In the meantime I'll see if I could contact them anyway (though usually the support for commercial products is not very responsive to those who don't own those). Thanks.

do-know avatar Mar 14 '22 21:03 do-know