cat-users - Re: [cat-users] [Ticket#10178308] Symantec Endpoint Security reports virus in Eduroam Installer

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [cat-users] [Ticket#10178308] Symantec Endpoint Security reports virus in Eduroam Installer


  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Wireless <wireless AT unibe.ch>
  • Cc: cat-users AT geant.net, mobile AT switch.ch, philipp.tobler AT id.unibe.ch, fabian.mauchle AT switch.ch
  • Subject: Re: [cat-users] [Ticket#10178308] Symantec Endpoint Security reports virus in Eduroam Installer
  • Date: Thu, 18 Sep 2014 08:16:30 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

now that's great news! Thanks for taking the initiative here!

I'm really happy to see that folks at Symantec actually listened and did
the necessary changes on their end.

Of course there could still be more false positives at other vendors,
but at least this one seems to be history now :-)

Thanks again,

Stefan

On 17.09.2014 15:19, Wireless wrote:
> Dear all,
>
> it seems that Symantec has fixed the problem. We reported it as a false
> positive and quickly got the following response:
>
> From: falsepositives AT symantec.com [mailto:falsepositives AT symantec.com]
> Sent: Tuesday, 9 September 2014 11:36
> To: Kurt, Andreas (ID)
> Subject: [No Reply] False Positive submission (3613894)
>
> In relation to submission [3613894].
>
> Upon further analysis and investigation we have verified your submission
> and, as such, the detection(s) for the following file(s) will be removed
> from our products:
>
> 82E7B155FE24DE82D066204380A9AAEA - setEAPCred.exe
>
>
> The updated detection(s) will be distributed in the next set of virus
> definitions, available via LiveUpdate or from our website
> at http://securityresponse.symantec.com/avcenter/defs.download.html
>
> Decisions made by Symantec are subject to change if alterations to the
> Software are made over time or as classification criteria and/or the
> policy employed by Symantec changes over time to address the evolving
> landscape.
>
> If you are a software vendor, why not take part in our whitelisting program?
> To participate in this program, please complete the following
> form: https://submit.symantec.com/whitelist
>
>
>
> According to our tests, the installer works now.
>
> Cheers,
> Philipp
> ____________________________________
> Universität Bern
> Informatikdienste
> Gruppe Infrastruktur
>
> Philipp Tobler
> Wireless Support
>
> Gesellschaftsstrasse 6
> CH-3012 Bern
> Tel. +41 (0)31 631 49 99
> Fax +41 (0)31 631 38 65
>
> mailto:
> wireless AT unibe.ch
> http://wireless.unibe.ch/
>
> Do you know eduroam? See http://eduroam.unibe.ch/
> ____________________________________
>
> 09.09.2014 08:23 - Stefan Winter wrote:
> Hi,
>
>> are there any plans (by you or AV manufacturers) to fix this? It’s a
>> pain if all or at least many Windows users have to open CMD and enter
>> commands by hand to get eduroam running.
>
> Neither the word "all" nor "many" really applies here. Symantec is the one
> major vendor who mis-classifies the installers (and then it appears that
> it only does that "sometimes"). It's also the same vendor which
> "secures" the system by breaking the EAP method registry in Windows on
> some versions so that API calls which are working on
> non-Symantec-protected machines silently fail.
>
> There is little we can do about broken third-party software: we reported
> bugs against Symantec Endpoint Protection, but the manufacturer's
> responsiveness is comparable to that of a black hole.
>
> All those matches are based on heuristics; it's not possible to avoid
> false positives completely because the installers need to do their work
> in the end. The setEAPCred.exe which Symantec is jumping on
> a) modifies the registry (it pushes the password into the corresponding
> place in the registry)
> b) was built using a generic software construction framework
>
> Symantec thinks that this is enough to call it a virus.
>
> To be honest, the best thing I can suggest is to look at the AV market
> and consider competing products.
>
>> BTW, I found the following information apparently related to the issue:
>>
>> https://www.virustotal.com/de/file/c5999f7b7510ba7c49255dbb0a9ef66d31de1245778b3937294eaee3ea478fdc/analysis/
>
> Yes, we regularly use virustotal to assess whether a positive is an
> odd-one-out from only one or few exotic AV vendors or if there maybe is
> a real issue. As you can see in the report above, that was one of the
> false positive cases. There are no real issues in the generated installers.
>
> Greetings,
>
> Stefan Winter
>
>>
>> Best regards,
>> Philipp Tobler
>> ____________________________________
>> Universität Bern
>> Informatikdienste
>> Gruppe Infrastruktur
>>
>> Philipp Tobler
>> Wireless Support
>>
>> Gesellschaftsstrasse 6
>> CH-3012 Bern
>> Tel. +41 (0)31 631 49 99
>> Fax +41 (0)31 631 38 65
>>
>> mailto:
>> wireless AT unibe.ch
>> http://wireless.unibe.ch/
>>
>> Do you know eduroam? See http://eduroam.unibe.ch/
>> ____________________________________
>>
>> 08.09.2014 11:39 - wrote:
>> Hi,
>>
>>> I've got a report from University of Berne that Symantec Endpoint
>>> Security reports virus in Eduroam Installer on Windows 8.1.
>>> See screenshots in attached mail (sorry, the mail is originally in
>>> German).
>>
>> this has already been reported some time back a couple of times. It's a
>> false positive and
>> that Symantec package has caused the CAT issues in the past, e.g.
>> http://mail.geant.net/pipermail/cat-users/2013-April/000071.html
>>
>>
>> alan
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
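The thread describes two checks informally: confirming that the file on your machine is the exact sample Symantec cleared (they identify it only by MD5), and using a multi-engine report to tell an odd-one-out heuristic hit from a broad consensus. The script below is an added example written for this archive page, not code from the cat-users thread, the CAT project or Symantec. It assumes a VirusTotal-style JSON layout (`"scans"` keyed by engine name with a `"detected"` flag; approximated from the v2 API, not verified against current output), constructed vendor names and verdicts, and thresholds chosen for illustration. The sample file bytes are a constructed stand-in, not the real setEAPCred.exe, so the hash comparison deliberately fails, which is the point: a rebuilt installer is a different hash and is not covered by the vendor's removal of the detection.

```python
"""Triage helper for an AV detection on an installer component.

Added example; not part of the cat-users thread or the CAT project.
  1. Check whether a local file is byte-for-byte the sample a vendor
     cleared (identified by MD5 in the notice) and record SHA-256 too.
  2. Classify a multi-engine scan report: odd-one-out vs. broad consensus.
The report, vendor names and file bytes below are constructed for
illustration and are not real scan results.
"""
import hashlib
import json

# MD5 quoted in the Symantec notice for setEAPCred.exe (from the thread).
SYMANTEC_CLEARED_MD5 = "82e7b155fe24de82d066204380a9aaea"


def file_digests(data: bytes) -> dict:
    """MD5 and SHA-256 of a file's bytes.

    MD5 is computed only because the vendor notice names the sample by
    MD5; record and compare SHA-256 wherever you can, since MD5
    collisions are practical."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_cleared_sample(data: bytes,
                           cleared_md5: str = SYMANTEC_CLEARED_MD5) -> bool:
    """True only if the file is exactly the sample the vendor cleared.

    Any rebuild (new CAT release, different packer, re-signing) yields a
    different hash and is NOT covered by the removed detection, which is
    the caveat in the vendor's own notice."""
    return file_digests(data)["md5"] == cleared_md5.lower()


def assess_consensus(report: dict, odd_one_out_max: int = 2,
                     broad_ratio: float = 0.25) -> dict:
    """Classify a multi-engine report (VirusTotal-style layout, assumed).

    report = {"scans": {"Engine": {"detected": bool, "result": str|None}}}
    Verdicts (thresholds are this example's choice, not an industry rule):
      'clean'        no engine flags the file
      'odd-one-out'  at most odd_one_out_max engines flag it
      'needs-review' more than that, but under broad_ratio of all engines
      'broad'        broad_ratio or more of the engines flag it
    """
    scans = report.get("scans", {})
    total = len(scans)
    flagged = sorted(name for name, s in scans.items() if s.get("detected"))
    n = len(flagged)
    if n == 0:
        verdict = "clean"
    elif n <= odd_one_out_max:
        verdict = "odd-one-out"
    elif total and n / total >= broad_ratio:
        verdict = "broad"
    else:
        verdict = "needs-review"
    return {"detected": n, "total": total, "engines": flagged,
            "verdict": verdict}


# Constructed sample data: a stand-in file and a report where one engine
# raises a generic heuristic and the others are silent.
SAMPLE_FILE = b"MZ" + b"\x00" * 62 + b"constructed stand-in for setEAPCred.exe"

SAMPLE_REPORT_JSON = """
{"scans": {
  "VendorA": {"detected": true,  "result": "Heur.Generic.Installer"},
  "VendorB": {"detected": false, "result": null},
  "VendorC": {"detected": false, "result": null},
  "VendorD": {"detected": false, "result": null},
  "VendorE": {"detected": false, "result": null},
  "VendorF": {"detected": false, "result": null}
}}
"""


def triage(data: bytes, report_json: str) -> dict:
    """Run both checks and return one combined record."""
    result = file_digests(data)
    result["is_cleared_sample"] = matches_cleared_sample(data)
    result["consensus"] = assess_consensus(json.loads(report_json))
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FILE, SAMPLE_REPORT_JSON), indent=2))
```

The hash check is what turns "Symantec removed the detection" into something you can verify for a given installer: if `is_cleared_sample` is false for the file you ship, the notice does not apply to it and a fresh false-positive submission (or whitelisting of the signing identity rather than one hash) is needed. The consensus classifier is the judgement the thread makes by eye on the VirusTotal page; encode the thresholds once so every new report is triaged the same way.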



