Rob's Blog

…well, in the anti virus blogging world anyway.

Last Wednesday morning, I noticed my Norton Anti Virus software blocking JavaScript on quite a lot of reputable websites. Deciding these sites were almost certainly not all compromised, I wrote a post about it, suggesting that it was a false-positive.

Throughout the morning I noticed (thanks to the fantstic Woopra service) I was getting a few more visits than normal, mainly via Technorati.

Suddenly at around lunch time I started to get what was at the time an unprecidented number of visitors to the site – up to 5 visitors live on the site at one time. These were coming from Google – they had started to pick up my post in the search results.

The five live visitors soon grew quickly to over 40, and I started to get comments – my post soon became the place to discuss this problem, and collectivly we came up with a couple of potential temporary solutions.

Soon the live visitors was growing to around 50 or 60 at a time on the site, as more people started to link to the post to explain to their visitors why they were getting errors on their sites. Somone added the site to Digg (my first Digg I think), and that only increased visitors.

It was really interesting to watch the visits coming in on Woopra. Sites all over the web linked to my post. Ammusingly my second largest referer of all time (after Digg) is now Literotica, who linked to my post on their front page.

Thanks to all who commented, letting users know they weren’t on their own. I even got an official statement posted from Symentec, although admittedly after the fix was released.

For those who like figures, Since I installed Woopra, it has logged 3863 visits in total to my blog. It logged 1934 on Wed 10 Dec, and 357 on Thurs 11. That’s nearly 60% of my visitors in two days. Today I’ve had just the one visitor, and that’s from me to test the tracking was still working!

Overall, I’m glad I could help people with info on the error. It was great being able to watch the visits live as they came in from all over the world on Woopra – a great service.

Note: There is now a potential solution for this – see the bottom of the post.

Today when browsing the web, I started to get notifications from Norton Antivirus telling me a malicious worm was blocked. I get these occasionally, so thought nothing of it the first time, but they kept coming up, and I realised I was only browsing sites I trusted (eBay, Wikipedia etc). I clicked on “More Details” to look at what was going on.

The Risk being reported (and blocked) was “HTTP Acrobat PDF Suspicious File Download“. The sites supposedly making this intrusions attempt include:

• eBay (My Ebay)
• Wikipedia (Only when I’m logged in – I have Popups installed on my profile)
• My WordPress “Write Post” page (I had to disable the antivirus to let me write this!)

Symantec blocks the Javascript which makes certain things not function correctly (the Popups on Wikipedia, the WYSIWYG editor on WordPress).
I can fairly confidently say that these three sites aren’t trying to attack my computer! I think Symantec need to adjust their definitions pretty urgently – I can’t be the only one getting these false Positives!

[Update]: I’ve found it also affects Google Maps!

[Update 2]: This seems to affecting loads of sites, and this post is getting hundreds of hits no it’s appearing on Google. Scott Clark has posted a screenshot of the problem on Flickr.

[Update 3]: JasonC has posted a possible solution. I have a slightly different version of NAV, and this is how I fixed it:

1. Opened Norton Antivirus (double clicked on the icon in the system tray)
2. Clicked “Settings” on the internet section
3. Clicked “Configure [+]” next to “Intrusion Exclusions”
4. Scrolled down to “HTTP Acrobat PDF Suspicious File Download”, and unchecked it
5. Clicked “OK” on all open screens.

Note, this may leave you open to this particular worm, do so at your own risk. (See update below – this shouldn’t be required any more)

[Update 4]: Symantec claim to be working on a fix for this.

[Update 5 (2008-12-11)]: This now apears to be fixed in the latest Live Update. If you have applied the fix suggested above, I suggest you undo this (after running Live Update) to ensure your computer is fully protected.