
cat-users - Re: [cat-users] [Ticket#10178308] Symantec Endpoint Security reports virus in Eduroam Installer

cat-users AT lists.geant.org

List description: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



  • From: Wireless <wireless AT unibe.ch>
  • To: stefan.winter AT restena.lu
  • Cc: cat-users AT geant.net, mobile AT switch.ch, philipp.tobler AT id.unibe.ch, fabian.mauchle AT switch.ch
  • Subject: Re: [cat-users] [Ticket#10178308] Symantec Endpoint Security reports virus in Eduroam Installer
  • Date: Wed, 17 Sep 2014 15:19:10 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool (CAT)" <cat-users.geant.net>
  • Organization: Universität Bern - Informatikdienste

Dear all,

it seems that Symantec has fixed the problem. We reported it as a false positive and quickly got the following response:
 
From: falsepositives AT symantec.com [mailto:falsepositives AT symantec.com]
Sent: Tuesday, 9 September 2014 11:36
To: Kurt, Andreas (ID)
Subject: [No Reply] False Positive submission (3613894)
 
In relation to submission [3613894].
 
Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:
 
                82E7B155FE24DE82D066204380A9AAEA - setEAPCred.exe
 
 
The updated detection(s) will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html
 
Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.
 
If you are a software vendor, why not take part in our whitelisting program?
To participate in this program, please complete the following form: https://submit.symantec.com/whitelist



According to our tests, the installer works now.

Cheers,
Philipp
____________________________________
Universität Bern
Informatikdienste
Gruppe Infrastruktur

Philipp Tobler
Wireless Support

Gesellschaftsstrasse 6
CH-3012 Bern
Tel. +41 (0)31 631 49 99
Fax +41 (0)31 631 38 65

mailto: wireless AT unibe.ch
http://wireless.unibe.ch/

Do you know eduroam? See http://eduroam.unibe.ch/
____________________________________

09.09.2014 08:23 - Stefan Winter wrote:
Hi,

> are there any plans (by you or AV manufacturers) to fix this? It’s a
> pain if all or at least many Windows users have to open CMD and enter
> commands by hand to get eduroam running.

Neither of the words "all" and "many" really applies here. Symantec is the one
major vendor that mis-classifies the installers (and then it appears that
it only does that "sometimes"). It's also the same vendor which
"secures" the system by breaking the EAP method registry in Windows on
some versions so that API calls which are working on
non-Symantec-protected machines silently fail.

There is little we can do about broken third-party software: we reported
bugs against Symantec Endpoint Protection, but the manufacturer's
responsiveness is comparable to that of a black hole.

All those matches are based on heuristics; it's not possible to avoid
false positives completely because the installers need to do their work
in the end. The setEAPCred.exe which Symantec is jumping on
a) modifies the registry (it pushes the password into the corresponding
place in the registry)
b) was built using a generic software construction framework

Symantec thinks that this is enough to call it a virus.

To be honest, the best thing I can suggest is to look at the AV market
and consider competing products.

> BTW, I found the following information apparently related to the issue:
> https://www.virustotal.com/de/file/c5999f7b7510ba7c49255dbb0a9ef66d31de1245[..]

Yes, we regularly use virustotal to assess whether a positive is an
odd-one-out from only one or few exotic AV vendors or if there maybe is
a real issue. As you can see in the report above, that was one of the
false positive cases. There are no real issues in the generated installers.

Greetings,

Stefan Winter

>
> Best regards,
> Philipp Tobler
> ____________________________________
> Universität Bern
> Informatikdienste
> Gruppe Infrastruktur
>
> Philipp Tobler
> Wireless Support
>
> Gesellschaftsstrasse 6
> CH-3012 Bern
> Tel. +41 (0)31 631 49 99
> Fax +41 (0)31 631 38 65
>
> mailto: wireless AT unibe.ch
> http://wireless.unibe.ch/
>
> Do you know eduroam? See http://eduroam.unibe.ch/
> ____________________________________
>
> 08.09.2014 11:39 - wrote:
> Hi,
>
>> I've got a report from University of Berne that Symantec Endpoint
> Security reports a virus in the eduroam Installer on Windows 8.1.
>> See screenshots in attached mail (sorry, the mail is originally in
> German).
>
> this has already been reported some time back a couple of times. It's a false
> positive, and
> that Symantec package has caused the CAT issues in the past, e.g.
> http://mail.geant.net/pipermail/cat-users/2013-April/000071.html
>
>
> alan


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
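The triage Stefan describes above (check whether a positive is an odd-one-out from one or a few engines using heuristic/generic names or a broad consensus, and, per the vendor's reply, whether the file you hold is the exact one the vendor cleared) written out as an added example. This is not code from the thread or from the CAT project. The scan results, engine and detection names, the marker list and the `few` threshold are all constructed or assumed for illustration; only the MD5 comes from the vendor's reply quoted in the message. It runs offline against an in-memory stand-in for the installer bytes.

```python
"""Triage an AV hit on a downloaded installer the way the thread describes:
first confirm the file on disk is the one the vendor cleared (the reply
quotes an MD5 for setEAPCred.exe), then look at a multi-engine scan result
and decide whether the hit is an odd-one-out from one or a few engines using
heuristic/generic names, or a broad consensus that deserves a real look.

Added example; not CAT project code. The scan results below are constructed
to resemble a VirusTotal-style {engine: detection-name-or-None} map so the
script runs offline. Engine and detection names are illustrative.
"""
import hashlib
from dataclasses import dataclass

# MD5 quoted in the vendor's false-positive reply earlier in this thread.
CLEARED_MD5 = "82E7B155FE24DE82D066204380A9AAEA"

# Substrings that usually mark heuristic, reputation or packer-generic
# detections rather than a named malware family (assumed list; tune it).
HEURISTIC_MARKERS = ("heur", "generic", "gen:", "suspicious", "reputation",
                     "unknown", "packed", "artemis", "ml.")


def file_hashes(data: bytes) -> dict:
    """Return MD5 (what the vendor quoted) and SHA-256 (what you should keep)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_cleared(data: bytes, cleared_md5: str = CLEARED_MD5) -> bool:
    """True if this exact file is the one the vendor removed detections for.
    A rebuilt installer (new CAT release, new profile) has a new hash, and the
    vendor's reply says its decision does not automatically carry over."""
    return hashlib.md5(data).hexdigest().lower() == cleared_md5.lower()


def is_heuristic(detection: str) -> bool:
    """Heuristic/generic name vs. a named family (marker-based, assumed)."""
    d = detection.lower()
    return any(m in d for m in HEURISTIC_MARKERS)


@dataclass
class Triage:
    engines: int          # engines that scanned the file
    hits: int             # engines that flagged it
    heuristic_only: bool  # every flag is a heuristic/generic name
    verdict: str          # clean / likely_false_positive / investigate / likely_real


def triage(scan: dict, few: int = 3) -> Triage:
    """Classify a {engine: detection or None} map.

    few: how many flagging engines still count as an odd-one-out (assumed
    threshold, not a VirusTotal rule)."""
    flagged = {e: n for e, n in scan.items() if n}
    heuristic_only = all(is_heuristic(n) for n in flagged.values())  # True when empty
    if not flagged:
        verdict = "clean"
    elif len(flagged) <= few and heuristic_only:
        verdict = "likely_false_positive"   # one or few engines, heuristic names only
    elif len(flagged) <= few:
        verdict = "investigate"             # few engines, but a named family among them
    else:
        verdict = "likely_real"             # broad consensus, whatever the names say
    return Triage(len(scan), len(flagged), heuristic_only, verdict)


# Constructed scan results (not real VirusTotal data).
ODD_ONE_OUT = {f"engine{i:02d}": None for i in range(40)}
ODD_ONE_OUT["VendorA"] = "Suspicious.Cloud.7"        # one heuristic hit out of 41

NAMED_FEW = dict(ODD_ONE_OUT)
NAMED_FEW["VendorB"] = "Trojan.Win32.Agent.abcd"     # only 2 hits, but one is a named family

CONSENSUS = {f"engine{i:02d}": f"Trojan.Generic.{i}" for i in range(40)}
CONSENSUS.update({"VendorA": None, "VendorB": "W32/Foo.A"})

if __name__ == "__main__":
    blob = b"not a real installer"   # stand-in for the downloaded .exe bytes
    print(file_hashes(blob))
    print("matches cleared hash:", matches_cleared(blob))
    for name, scan in (("odd-one-out", ODD_ONE_OUT),
                       ("named few", NAMED_FEW),
                       ("consensus", CONSENSUS)):
        print(name, triage(scan))
```

In practice you feed `triage()` the per-engine results you pull from the scanning service and compare `file_hashes()` of the installer your users actually downloaded, not a freshly generated one, against what the vendor told you they cleared; a new CAT build changes the hash and restarts the cycle.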


