“HTTP Acrobat PDF Suspicious File Download” – False Positives?

Note: There is now a potential solution for this – see the bottom of the post.

Today when browsing the web, I started to get notifications from Norton Antivirus telling me a malicious worm was blocked. I get these occasionally, so thought nothing of it the first time, but they kept coming up, and I realised I was only browsing sites I trusted (eBay, Wikipedia etc). I clicked on “More Details” to look at what was going on.

The Risk being reported (and blocked) was HTTP Acrobat PDF Suspicious File Download. The sites supposedly making this intrusions attempt include:

  • eBay (My Ebay)
  • Wikipedia (Only when I’m logged in – I have Popups installed on my profile)
  • My WordPress “Write Post” page (I had to disable the antivirus to let me write this!)

Symantec blocks the Javascript which makes certain things not function correctly (the Popups on Wikipedia, the WYSIWYG editor on WordPress).
I can fairly confidently say that these three sites aren’t trying to attack my computer! I think Symantec need to adjust their definitions pretty urgently – I can’t be the only one getting these false Positives!

[Update]: I’ve found it also affects Google Maps!

[Update 2]: This seems to affecting loads of sites, and this post is getting hundreds of hits no it’s appearing on Google. Scott Clark has posted a screenshot of the problem on Flickr.

[Update 3]: JasonC has posted a possible solution. I have a slightly different version of NAV, and this is how I fixed it:

  1. Opened Norton Antivirus (double clicked on the icon in the system tray)
  2. Clicked “Settings” on the internet section
  3. Clicked “Configure [+]” next to “Intrusion Exclusions”
  4. Scrolled down to “HTTP Acrobat PDF Suspicious File Download”, and unchecked it
  5. Clicked “OK” on all open screens.

Note, this may leave you open to this particular worm, do so at your own risk. (See update below – this shouldn’t be required any more)

[Update 4]: Symantec claim to be working on a fix for this.

[Update 5 (2008-12-11)]: This now apears to be fixed in the latest Live Update. If you have applied the fix suggested above, I suggest you undo this (after running Live Update) to ensure your computer is fully protected.

68 responses to ““HTTP Acrobat PDF Suspicious File Download” – False Positives?”

  1. it’s fixed.
    run liveupdate.
    and undo all the steps listed on this page to undo the not-checking.

  2. I was getting this problem on CNN this morning after getting a LiveUpdate yesterday. Downloaded the new update today and it appears to have gone away, at least for now.

  3. I’m also having difficulty with accessing many popular websites due to this flakey rule in Norton Internet Security 2009.
    Symantec needs to fix this soon…

  4. Norton tech support said to run Live Update to fix it, and that took care of things. So they were responsive (although their chat support person took 15 minutes to come up with that answer).

    Oddly, one of the web sites I visited that had the problem was able to fix it before I did the update, for their web site. Not sure what they did.

    Thank you, Rob, for posting this in your blog. It helped to know that it wasn’t just the one web site I was working with…

  5. I ran across the same problem this morning when accessing my blog admin area (thought my site was hacked).

    Ran the live update a few minutes ago and that fixed it.


  6. I’ve been getting this all day too on various Ning sites (chat) and mySpace (3rd apps) – I checked out Norton and it said it wasn’t a false positive – but – hopefully whether it is or is not a threat they will remedy it. I’ve done the Norton LiveUpdate and it continues to happen. Very strang doings today 🙂

  7. This is apparently affecting all computers with Norton AV (any version) with worm protection enabled. Live update does not solve the problem as of 12/10 2:00 PM Pacific time, Temporary fix is to go to AV settings, Worm protection, configure, find the entry “HTTP Acrobat PDF and uncheck the box. This will eliminate the warning messages until Norton can provide a fix through live update. This problem was caused by the last Norton AV update issued within the last 12 hours. We do not believe it is related to any other source ( example: last Microsoft security updates)

  8. Looks like today’s update had fixed it !!! At least Symantec fixed it within 24 hours. Mind you, I think someone in their shop should check why a rep. tried to charge one of your bloggers $175 to troublehsoot !!!???

  9. Yep, got in to the office this morning and it’s all working ok.

    If anyone is stil;l getting the problem after doing a live update, let us know.

  10. Hi all,

    My name is Gunnar and I am working for an external European Symantec-Support-Team. I am sorry to hear that you have experienced some problems caused by the False Positive condition. As Mike mentioned in his post above, the new update has corrected it, but I would still like to present you with the official statement from Symantec:

    On December 10, Symantec posted a modification to an IPS signature that caused a False Positive condition with our customers. Customers may have experienced a virus warning or in some cases, partial loading of Web pages. The signature was released to all consumer products. On the enterprise side, only Symantec Client Security was impacted.

    The specific signature at fault was the “HTTP Acrobat PDF Suspicious File Download” signature. This signature was triggered by generic JavaScript, which is used on certain Web sites. The signature was released around 1 a.m. PT on Wednesday, December 10. The signature was corrected and made available to Symantec customers at approximately 10 a.m. PT, 9 hours after the initial release.

    Because the majority of our consumers receive updates automatically, they will already have been updated with the corrected signature. Any consumer customer that does not automatically download signatures, is unlikely to have experienced the False Positive. If they have, manually running Live Update will resolve the issue.

    Symantec would like to apologise to any customers affected by this false positive for any inconvenience it may have caused.

    Best Regards,
    Norton Forum Assist Team

Leave a Reply

Your email address will not be published. Required fields are marked *