Closed TooMuchBlue closed 6 years ago
Hi there!
Thanks for the report - can you submit the file to Symantec for checking? I'm sure it'll be a false-positive.
We'd recommend you download Snarl from SourceForge (https://sourceforge.net/projects/snarlwin/files/Snarl/Current%20Release/) rather than other locations.
Have you tried Snarl R5.0 (https://sourceforge.net/projects/snarlwin/files/Snarl/R5/)? We've stopped developing Snarl R3.x now... 😀
I can't seem to get the file before SEP deletes it. Making a ZIP copy doesn't help, because SEP reads inside ZIP files.
I didn't realize Snarl on Chocolatey wasn't up to date. It's typical for the version listed on Chocolatey to be static, even though the software it installs is current. Since Chocolatey is becoming a popular way to provision new workstations, maybe you could think about adopting and updating the nupkg?
Here's the URL to the package. I'll submit a separate ticket if you like. https://chocolatey.org/packages/snarl
Hmm, Snarl 3.1 is still listed as "Current Release" in SourceForge. It could very well be that Chocolatey will start picking up 5.0 when it becomes the current release.
So when will that be? 😀
3.1 is still the current release as 5.0 is still in Beta, although it’s on its fifth iteration now and is pretty stable and functional (I have it running permanently in a VM). 5.0 doesn’t offer all the features that 3.1 does - notably per event class styles and fancy styles - hence why we thought it best to leave 3.1 as current for now.
We do recommend switching to 5.0 if at all possible though: it’s built on .net, is highly multi-threaded and has a nifty browser-based gui. You can read more about 5.0 at http://snarl.fullphat.net/
Snarl 3.1.0 installed via Chocolatey.
Symantec Endpoint Protection, engine version 13.2.1.26, definitions as of Feb 7, 2018 7:48 PM US Central time. Windows 10 Enterprise
SEP found and flagged C:\ProgramData\full phat\Snarl\styles\runnable\fullphat-iconart\style.exe as Heur.AdvML.B (Malware -> Heuristic Virus) and deleted it per company policy. I had an older version (don't remember which) of Snarl installed and updated to the latest available through Chocolatey and got the same result.
I'm not too worried about losing the music-centric styles, but it's of some concern that one of the tools I use bears the marks of a virus. Is this something dicey that style.exe is doing, or maybe style.exe has been used as the trojan host at some point, or is it just a false-positive?
Symantec link for Heur.AdvML.B: https://www.symantec.com/security_response/sape/