Norton AntiVirus reports Suspicious.Cloud.7.F in nssckbi.dll (false positive)

lugusto
I've just updated my Zotero Standalone 3.0.8 to 3.0.10 and Norton reported one of it's components as infected. Surely its is a false positive, but a member from the development team should check it and report it to the silly company called Norton.

Caminho completo: p:\zoterostandalone\xulrunner\nssckbi.dll
Ameaça: Suspicious.Cloud.7.F
____________________________
____________________________
Nos computadores em Não disponível
Último uso 21/11/2012 em 01:00:57
Item de inicialização Não
Iniciado Não
____________________________
____________________________
Desconhecido
Número de usuários da Comunidade do Norton que usaram este arquivo: Desconhecido
____________________________
Desconhecido
Esta versão do arquivo é atualmente desconhecida.
____________________________
Alto
O risco deste arquivo é alto.
____________________________
Detalhes da ameaça
Tipo de ameaça: Vírus heurístico. Detecção de ameaça com base na heurística de malware.
____________________________

____________________________
Ações do arquivo
Arquivo: p:\zoterostandalone\xulrunner\nssckbi.dll
removeu
____________________________
Impressão digital do arquivo - SHA:
bd0d101eed2f7661ceb45bec1ae629bbbab235fc99401d44011a964438d390e4
____________________________
Impressão digital do arquivo - MD5:
0f23d247a982acecf95d968fdfd27aff
____________________________
  • Simon
    Yes, it's a false positive. Previously reported with SeaMonkey. We'll see if we can do something about this, but that thread makes it sound like Norton knew about this several months ago and still hasn't fixed it.
  • Simon
    edited November 20, 2012
    Actually, this page suggests that this may already be fixed on Norton's end. Have you tried updating your virus definitions?
  • lugusto
    Yep, it is up to date. The last automatic update from virus definitions was done at the same time I was manually updating my Zotero. I've restored the file as described at http://community.norton.com/t5/Norton-Internet-Security-Norton/NIS-2013-Mozilla-Instantbird-nssckbi-dll-flagged-and-removed/td-p/852490 and now it's all ok on my machine.

    But the silly heuristic from Norton may break more Zotero installs everywhere
  • lugusto
    edited November 20, 2012
    Reported and submited the bogus file at https://submit.symantec.com/false_positive/
  • aspergerian111
    Happened to me just now during install of Zotero 3.0.12. I don't know how to fix the problem on my Win7 computer.
  • Simon
    edited February 7, 2013
    It sounds like reporting this as a false positive for Zotero 3.0.11 was insufficient to stop Norton from detecting a false positive in the ever so slightly different version of the file that ships with Zotero 3.0.12. I reported the false positive again. You should contact Norton for instructions on how to restore it.
  • xMarc
    I just got freebl3.dll detected as Suspicious.Cloud.7.F updating from 4.0.11 to 4.0.16. (full path: c:\program files (x86)\zotero standalone\xulrunner\freebl3.dll). File submitted to Symantec. Treating as a false positive. Will let you know if it isn't!
  • dstillman
    xMarc: Thanks for submitting. Also reported here and here.
  • Norm Sash
    I'm getting the same Suspicious.Cloud.7.F on freebl3.dll that others are getting (Zotero 4). I allowed the installation to proceed and it worked... for awhile. Then Norton screamed out a heuristic virus and required me to reboot to fully remove the virus. After that, I'm back to the login database corrupted message in Zotero.

    I think Zotero needs to check this... I'm uncomfortable just forcing an override when twice now (with different signatures) Norton is saying there is a virus in the Zotero installation.
  • adamsmith
    Zotero has checked this. (Dan above is the lead developer). This is definitely a Norton bug - also indicated by the fact that only Norton thinks this is a virus. This is, frankly, not terribly impressive and maybe an occasion to rethink your antivirus solution...

    It is, btw. not even a file that Zotero itself codes, but a part of xulrunner, the software kit underlying Firefox, so it will affect other software as well.
  • aurimas
    There's really nothing Zotero can check. If you Google norton+freebl3.dll you'll see that it keeps popping up every few months and causes problems for most Mozilla-based applications.
  • dstillman
    As adamsmith and aurimas say, these are definitely false positives. The files it's flagging are part of Mozilla's Network Security Services, which is a core piece of Internet technology used by many applications to handle HTTPS connections. Malware that wants to make HTTPS connections (to hide its tracks) or intercept local HTTPS connections (to steal logins, say) probably bundles these as well, hence the heuristic detection. For the moment the best thing you can do is submit these to Norton as false positives, but we're going to see if we can do anything on our end to prevent them in the future (e.g., by signing the affected libraries).
  • aurimas
    @Dan, the libraries don't come from Mozilla pre-signed? Or do you compile XULRunner from source?
  • Norm Sash
    Thanks @all... I'm not sure why this is showing up. Maybe it has something to do with the incredible frequency of Firefox updates. Norton states that there are many thousands of users, it also states it as a high risk and released only 26 days ago.
Sign In or Register to comment.