Norton Antivirus 2011 removes the exiftool 8.50 application

Started by rugru, March 02, 2011, 12:35:42 PM


rugru

Hi Phil,

I have the following problem with exiftool version 8.50:
First run for one jpg-File with exiftool(-k -a -u -g1 -w txt): all is ok, txt-File is created.
Second run for one jpg-File with exiftool(-k -a -u -g1 -w txt): NAV 2011 removes exiftool(-k).exe from my computer (Win7, 64bit).
The problem is reproducible. I have no problem with exiftool version 8.31 or 8.42.

Regards
Rudolf

Phil Harvey

Hi Rudolf,

Can you use NAV to scan exiftool(-k).exe manually to see if it has a problem with it?

- Phil
...where DIR is the name of a directory/folder containing the images.  On Mac/Linux/PowerShell, use single quotes (') instead of double quotes (") around arguments containing a dollar sign ($).

Phil Harvey

FYI: I just used an online service to scan exiftool(-k).exe (version 8.50), and the following virus scanners found nothing:



The MD5 for this file is 8b7856ee7c2c77081cb511a379246d4f

- Phil

rugru

Hi Phil,

NAV finds nothing if I scan the file. I think some program-actions are suspect for NAV, it writes: Versuch, einen Remote-Thread in einem Prozessadressraum zu starten (Performed by c:\users\gru\appdata\roaming\microsoft\windows\sendto\exiftool_8-50(-k -a -u -g1 -w txt).exe, PID:4612).

Regards, Rudolf

Phil Harvey

Hi Rudolf,

I can't explain this difference since my technique for generating the executable is identical (using the same system with the same version of Perl and the same version of the packager), and there are no significant structural differences in ExifTool between the versions you mentioned.

Perhaps someone else running Norton Antivirus has some ideas.  Maybe there is a way to configure it to suppress this behaviour.

- Phil

Phil Harvey

It sounds like some other people are seeing this new problem with NAV using software that was OK before:  read here

I suspect that you would have the same problem now if you went back to the older versions of exiftool.  My guess is that the difference is a change in NAV.  I suggest taking this to an NAV forum for help.

- Phil

rugru

Hi Phil,

The problem is exactly as described in the other board (your link: read here).
Your older versions still work perfectly. I don't know how this NAV Sonar-Protection works, maybe if enough users trust exiftool, it will be accepted?

Regards, Rudolf

Phil Harvey

Hi Rudolf,

OK.  Well, as I said I don't think this is a problem with ExifTool.  But since the older versions work, it could be that future versions will work too.  If you can't get 8.50 to work by changing some NAV settings, then at least this provides some hope.

- Phil

BogdanH

Hi,

Quote from: rugru on March 03, 2011, 11:15:55 AM
...I don't know how this NAV Sonar-Protection works, maybe if enough users trust exiftool, it will be accepted?

I just can't resist: what kind of AV software is that, relying on "..if enough users trust.."?

I'm a freebie... I've tried all free Windows AV software (just name it) and the only one that does the job as it should, is Avira Antivir: light on resources, ultra-fast and easy to configure. Needless to say, that after almost two years of use, I never had any troubles. Actually I don't even notice it's running -until "something" happens  :)

Bogdan

pelic9425

Hi All!

I'm using GeoSetter & ExifTool GUI on Windows 7 SP1 (64) with Norton Internet Security 2011.

I generally download & install the latest version of ExifTool when prompted. I tried to do this for Version 8.50 yesterday, but as others have found, NIS deletes ExifTool 8.50.
NIS 'SONAR' appears to delete 8.50 as soon as it has downloaded, and does not appear to allow installation to start.

I've now re-installed ExifTool 8.49, and that is working fine - perhaps version 8.51 will have no problem!

Thanks to all concerned for extremely useful programmes. 

pinguicula

I've just tried installing ExifTool 8.51 and encountered the same problem with Norton Internet Security.

I was able to install 8.49 without any trouble.

Phil Harvey

Darn.  OK, well thanks for reporting on this.

This points to some difference in exiftool.exe between 8.49 and 8.50 that Norton doesn't like, but I can't understand this because there were no notable changes between these 2 versions.

Also, I find it unlikely that my Windows development system could have picked up a virus or something since I don't use it for anything else and I don't think that it has even been connected to the internet since version 8.49 was released.

But I'll see what I can do about installing NAV on my Windows system and play around with it myself to see if I can learn anything new.

- Phil

Phil Harvey

I've got Norton Antivirus 2011 fully installed and running, and other than REALLY slowing down exiftool (by a factor of 10 the first time I launched it), I don't have any problems when just double-clicking on "exiftool(-k).exe" version 8.51 or dragging and dropping an image file to extract information.

So I'm going to need some help to be able to reproduce this problem.

1) What are the steps you take when you launch exiftool?

2) Do you have any special NAV settings (mine are all the default right now)?

Thanks.

- Phil

P.S. I've just started a full system scan just to see if NAV finds any potential viruses.

Phil Harvey

The full scan finally finished (it took about 4 hours!), and it found only 37 "tracking cookies" that it didn't like.  But the nasty HTTP cookies won't be related to our problem.

Also, I completely uninstalled exiftool and downloaded 8.51 from my web site then extracted it and ran it both as a drag-and-drop application and from the command line.  I tried both reading and writing information with no problems.  Norton Antivirus 2011 is installed and active with all protection enabled.

My system is Windows XP.

I am at a loss since I am not able to reproduce this problem.  I am more confident than ever that this is a NAV issue and not an ExifTool problem, but I am disappointed that I was not able to track it down further.

- Phil

Edit: I just tried re-downloading 8.50 and testing it too.  Again, no problems.

pelic9425

Hi!

Earlier this week I was prompted by GeoSetter to install Exiftool 8.51 - it was again deleted by Norton, as was 8.50, so I reverted to 8.49 without problem.

With no obvious changes to my set-up, I tried again today to install ExifTool 8.51. This time it installed without problem, and I was able to use GeoSetter as usual.

It looks as if a Norton auto-update in the last few days has corrected the problem for the moment.

I don't know if it is significant, but about six months ago, my earlier Norton installation announced that it had dealt with a threat from ExifTool, and had deleted it.
This was a copy of ExifTool that I had downloaded to try, but had not got round to installing. It had been downloaded at least two months before Norton objected - I suspect that the reaction was triggered by one of the Norton auto-updates, which appear to come daily.

-David (pelic9425)

ali

Hi,

I had reported the same problem earlier as well and can confirm that I was able to install 8.51 today without NAS interfering. It seems to work fine, which it didn't a couple of days ago.

Alfred

Phil Harvey

Well, that's good enough for me.  With great relief I will now end my testing so I can dump this Norton software since it is a terrible drain on all of my system resources (CPU, disk, network), and interferes with some of my other software.  (Probably worse than most viruses out there...)

- Phil

BogdanH

Quote from: Phil Harvey on March 20, 2011, 06:04:13 AM
...so I can dump this Norton software since it is a terrible drain... ...(Probably worse than most viruses out there...)

^ -you've made me laugh  :D

Bogdan

rugru

Hi Phil,

With ExifTool 8.51 and 8.52 used as Windows Executable, the problem with NAV remains on my computer (Win7). Fortunately, I found a description on the net, how to exclude ExifTool from scanning with NAV:
Link: http://community.norton.com/t5/Norton-Internet-Security-Norton/SONAR-is-deleting-programs/m-p/192632.
Paragraph with yellow background: '2. Files when restored from quarantine are convicted again by SONAR'.
After performing the steps of this paragraph I can use ExifTool as Windows Executable without hassle.

Regards, Rudolf

tbaetge

I use Exiftool with Geosetter on two computers, both with NIS 2011 but different operating systems. On the Windows XP machine there is no problem. On the other one, running Windows 7 64bit, NIS Sonar always removes ExifTool.

Regards,
Torsten

Phil Harvey

Update:  Symantec has been quite responsive about this.  In the Norton forum they said that they can't reproduce the problem with exiftool 8.56, but I submitted 8.50 using their "false positives" form and received this response:

Quote from: Symantec
We are writing in relation to your submission through Symantec's on-line Security Risk / False Positive Dispute Submission form for your software being detected by Symantec Software. In light of further investigation and analysis Symantec is happy to remove this detection from within its products.

The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version, or daily from our website at

http://securityresponse.symantec.com/avcenter/defs.download.html.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

If you are a software vendor, Symantec offers the possibility of adding your software to its database of known clean files in order to reduce the possibility of false positives. If you wish to participate in this program, please complete the following form.

https://submit.symantec.com/whitelist

Sincerely,

Symantec Security Response

So it sounds like this problem should be fixed at their end.

- Phil