31 May 07

URGENT: Does Stay On Focus or The File Tagger have a virus?


Symantec/Norton anti-virus (AV) software has just yesterday flagged the FileTagger 2.0 (which is being tested by some beta-testers at the moment) and Stay On Focus as having the MSN.Flooder virus.

Don’t panic.

This is a “false positive”, which means that the AV software has incorrectly identified these files as having a virus. This happens because the AV software looks for certain “signatures” in files, and one of those signatures is found in my software, as well as in many other pieces of perfectly legitimate and safe software.

It’s a false alarm, and as I was drafting this update, Symantec have actually already resolved it.

Boy that was quick!

So, first, I’ll tell you how to fix it, then I’ll give you some background, as it’s possible this type of thing might happen again in future.

The Fix:

Note: I’ve included some screenshots here, from my own PC. However, my employer’s laptop has a different version of Symantec anti-virus, which looks different. So your version might also be different. However, hopefully, you’ll be able to follow the text enough to resolve the issue.

Click the small images below to open up a new window with the full-size image.

First, you need to run the AV software’s Live Update to make sure you have the latest set of definitions from Symantec. You should have the version dated 5/30/2007 (rev. 41, if you can see the revision number - I can’t see this at home, I can at work).

Next, view your Quarantine area (see image below), and you’ll see a list of instances of the MSN.Flooder virus (plus any other viruses that have been found). Remember, there might be several instances (one for Stay On Focus, and one for The File Tagger 2.0 beta if you’re using it).

virus_fix_1.gif

virus_fix_2.gif

You can right-click each file, choose Details…, go to the Affected Areas tab, and it’ll show the file name(s) impacted.

virus_fix_3.gif

virus_fix_4.gif

Close the “Details” window if you have it open, and in the main window, select the Stay On Focus and/or The File Tagger instances of MSN.Flooder, and choose “Restore Item”.

virus_fix_5.gif

The next bit varied between the two versions of AV software I’m running. The one at work (enterprise version of Symantec Antivirus) said something along the lines that the software can restore the files, implying that a fix had been found and the files could be moved out of quarantine and normal operation resumed.

The one at home (Norton Antivirus 2006) says what you can see below, which absolutely does not sound like it’s safe to restore those files. I wish the messaging was a bit clearer.

Unfortunately, I didn’t capture a screenshot of the Symantec version, so I can’t show you it now.

virus_fix_6.gif

Press yes, and that should be everything up and running again.

virus_fix_7.gif

The Background:

Although I am a developer by training and experience, I don’t always write my applications in “proper” languages like C++, Visual Basic, or VB.Net. These languages are very powerful and very flexible, and developing applications in them therefore tends to take more time.

There are other software development tools which bypass a lot of the complexity of these languages, in exchange for not being quite as powerful. The tools are often called “scripting” tools. They give developers who use them the ability to write simple applications very quickly.

I use the scripting tools because they allow me to write useful applications, quickly and easily, thus lowering my development time and costs. They also usually require less support. For example, out of 400+ people using Stay On Focus, only one issue has been reported (although by a number of people). Which is why I can offer it for free, rather than charging for it.

The downside of these scripting tools (and there are many of them, not just the one I use), is that people who write viruses also want quick and easy development, and no support, so they also use scripting tools to write their code.

So inevitably, the AV software companies sometimes flag any software written by the scripting tools as being viruses. Which is what happened today.
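A minimal sketch of why this happens, added here as an illustration and not taken from Symantec or from the scripting tool: a byte signature cut from the part of a flagged file that every script-built program shares will match all of them, while one checked against a corpus of known-clean files will not. The file layout, file names and all bytes are constructed assumptions; real AV engines and the real MSN.Flooder signature are not modelled.

```python
# Toy byte-signature scanner. All bytes below are constructed for illustration.

# Assumption: a scripting tool bundles the same interpreter stub into every
# executable it builds, followed by the author's script.
RUNTIME_STUB = b"MZ" + b"SCRIPT-RUNTIME-v3" + bytes(range(16))

def build_exe(script: bytes) -> bytes:
    return RUNTIME_STUB + b"\x00SCRIPT\x00" + script

UNWANTED = build_exe(b"while 1: send_im(contact, text)")
KNOWN_GOOD = {
    "focus_timer.exe": build_exe(b"show_timer(25); remind_user()"),
    "file_tagger.exe": build_exe(b"read_tags(path); write_tags(path)"),
    "native_tool.exe": b"MZ" + b"native code, no script runtime",
}

def scan(files: dict, signature: bytes) -> list:
    """Names of files that contain the signature anywhere in their bytes."""
    return sorted(name for name, data in files.items() if signature in data)

def derive_signature(sample: bytes, clean_corpus, length: int = 12):
    """First window of `sample` that shares no bytes with chunks seen in clean files."""
    last = len(sample) - length
    shared = bytearray(len(sample))  # nonzero = byte sits in a chunk also found in a clean file
    for i in range(last + 1):
        if any(sample[i:i + length] in good for good in clean_corpus):
            shared[i:i + length] = b"\x01" * length
    for i in range(last + 1):
        if not any(shared[i:i + length]):
            return sample[i:i + length]
    return None

# A signature cut from the start of the flagged file lands in the shared stub.
BROAD_SIG = UNWANTED[2:14]
# A signature derived against a clean corpus lands in the script itself.
NARROW_SIG = derive_signature(UNWANTED, KNOWN_GOOD.values())

if __name__ == "__main__":
    everything = dict(KNOWN_GOOD, **{"flooder.exe": UNWANTED})
    print("broad :", scan(everything, BROAD_SIG))
    print("narrow:", scan(everything, NARROW_SIG))
    print("false positives (broad):", scan(KNOWN_GOOD, BROAD_SIG))
```

Running `scan(KNOWN_GOOD, signature)` before shipping a definition is the regression check that catches this kind of false positive: any hit on the clean corpus means the signature is keyed on shared runtime bytes.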

I’m using a tool called AutoIt, which is well respected by people who work with these scripting tools. It’s been around a long time, so this “false positive” by the AV software has happened before. You can see a general thread about the topic here:

http://www.autoitscript.com/forum/index.php?showtopic=34658

And one specifically about today’s MSN.Flooder alert here:

http://www.autoitscript.com/forum/index.php?showtopic=46810&hl=flooder&st=15

And finally, here is Symantec’s alert about the virus (which doesn’t specifically mention AutoIt - I’m just including it for your information):

http://www.symantec.com/security_response/writeup.jsp?docid=2003-050916-1048-99&tabid=2

So, I hope you weren’t scared too much, and hope that this resolves the issue. If not, please submit a support ticket at http://www.automateyourbusiness.com/helpdesk/



2 Responses to “URGENT: Does Stay On Focus or The File Tagger have a virus?”

  1. Chris Says:

    Hi Andrew,

    It was my intention to thank you for your free software.
    It is undoubtedly a good little software.
    It was also my intention to present a link to it on my future websites.
    Now you mention a false alarm concerning a virus.
    And so I feel uneasy about it. I didn’t see anything.
    And so, if I understand well, if I don’t do anything I don’t risk anything and I have nothing to fix.
    Please, would you like to confirm this.
    Thank you very much.

    Sincerely yours

    Chris

  2. Andrew Says:

    Hi Chris,
    Thanks for the compliment on the software. The link back to it would be great.

    But there is no need to be alarmed. Symantec/Norton saw some code within the software which looked like the MSN.Flooder virus, but wasn’t.

    It was a case of mistaken identity, that’s all.

    Nothing to be alarmed about, and nothing to do if you’ve had no warnings from your virus software.

    I hope that helps,
    Andy
