
Symantec intercepts hello.red when explicitly targeted to Windows #500

Closed
memophen opened this issue Jul 15, 2013 · 6 comments
Labels
status.resolved Issue has been resolved without a change in the source code (should be elaborated in comments). type.AV Ticket relates to Antivirus software interfering with Red's usage.

Comments

@memophen

When the example script hello.red or a home-brewed script is compiled with option -t Windows, the executable is intercepted by Symantec Endpoint Protection (12.1.1101.401), due to the risk "Suspicious.Cloud". This concerns Red v0.3.2, compiled on a Windows Vista platform.

It does not happen when I compile with -t MSDOS or with no target option at all. (May I conclude that MSDOS is the default target on a Windows platform?)

For hello.reds and other Red/System programs, I see no difference whether it's compiled with Windows or MSDOS as target: the executables look pretty much the same and Symantec keeps quiet.

@dockimbel
Member

Indeed, this is the virustotal report for future reference.

@dockimbel
Member

There are a few header entry values that need to be fixed; we'll see if that makes the binaries pass the AV heuristics, and if not, we'll contact each AV vendor to whitelist them.
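The comment above does not say which header values were wrong, and the thread never names them. As an added example (not Red's code and not the fix the project applied), here is a Python 3 checker for the PE32 header fields that most often look off in freshly generated Windows executables and are cheap to verify before filing a false-positive report: a zero TimeDateStamp, a zero MajorSubsystemVersion, an unusual Subsystem, a zero or wrong CheckSum, an entry point outside every section, and sections marked both writable and executable. It parses the headers with the standard library only, implements the PE checksum (16-bit sum with end-around carry over the file, skipping the CheckSum field, plus the file length) so it can verify the stored value, and builds two constructed one-section PE32 images in memory, one sloppy and one clean, so it runs offline. The helpers build_sample, sloppy_image and clean_image, the fixed timestamp and the set of checks are this example's assumptions; only PE32 (32-bit) images are handled, since PE32+ lays out the optional header differently.

```python
import struct

# Constants from the PE/COFF specification (assumed to match the Microsoft spec; not Red code).
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
OPT32_FMT = "<HBB9I6H4I2H6I"  # PE32 optional header up to NumberOfRvaAndSizes (96 bytes); 16 data directories follow
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Extract the header fields the checks below need from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    opt = struct.unpack_from(OPT32_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled; PE32+ lays the optional header out differently")
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, *_, flags = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), flags))
    return {"timestamp": timestamp, "entry": opt[6], "subsystem_major": opt[16], "checksum": opt[21],
            "checksum_offset": opt_off + 64, "subsystem": opt[22], "sections": sections}


def pe_checksum(data, checksum_offset):
    """PE image checksum: 16-bit sum with end-around carry over the whole file,
    skipping the CheckSum field itself, plus the file length."""
    buf = data if len(data) % 2 == 0 else data + b"\0"
    total = 0
    for off in range(0, len(buf), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", buf, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def check_pe(data):
    """Return (code, detail) findings for header values that look wrong or unusual in a user-mode EXE."""
    h = parse_pe(data)
    findings = []
    if h["timestamp"] == 0:
        findings.append(("timestamp_zero", "TimeDateStamp is 0; linkers normally stamp the build time"))
    if h["subsystem"] not in (2, 3):
        findings.append(("subsystem_unusual", "Subsystem=%d (%s)" % (h["subsystem"], SUBSYSTEMS.get(h["subsystem"], "?"))))
    if h["subsystem_major"] == 0:
        findings.append(("subsystem_version_zero", "MajorSubsystemVersion is 0; linkers normally set 4 or higher"))
    expected = pe_checksum(data, h["checksum_offset"])
    if h["checksum"] == 0:
        findings.append(("checksum_zero", "CheckSum is 0 (computed 0x%08x)" % expected))
    elif h["checksum"] != expected:
        findings.append(("checksum_mismatch", "CheckSum 0x%08x != computed 0x%08x" % (h["checksum"], expected)))
    if not h["sections"]:
        findings.append(("no_sections", "NumberOfSections is 0"))
    if not any(va <= h["entry"] < va + size for _, va, size, _ in h["sections"]):
        findings.append(("entry_outside_sections", "AddressOfEntryPoint 0x%x lies in no section" % h["entry"]))
    for name, _, _, flags in h["sections"]:
        if flags & SCN_MEM_EXECUTE and flags & SCN_MEM_WRITE:
            findings.append(("rwx_section", "section %s is both writable and executable" % name))
    return findings


def build_sample(*, timestamp, subsys_major, entry_rva, section_flags, checksum=0):
    """Constructed test data: a minimal one-section PE32 image built in memory (not a Red binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew -> PE signature at 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT32_FMT, 0x10B, 2, 25,                      # Magic, linker version
                      0x200, 0x200, 0, entry_rva, 0x1000, 0x2000,   # code/data sizes, entry, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,                      # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, subsys_major, 0,                  # OS, image and subsystem versions
                      0, 0x2000, 0x200, checksum,                   # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                         # Subsystem WINDOWS_GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)
    text = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, section_flags)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + text).ljust(0x200, b"\0")
    return headers + b"\xC3" + bytes(0x1FF)                         # raw .text: a RET, then padding


def sloppy_image():
    return build_sample(timestamp=0, subsys_major=0, entry_rva=0x5000, section_flags=0xE0000020)


def clean_image():
    kwargs = dict(timestamp=1373846400, subsys_major=4, entry_rva=0x1000, section_flags=0x60000020)
    draft = build_sample(**kwargs)                                  # build once to compute the real CheckSum
    return build_sample(checksum=pe_checksum(draft, parse_pe(draft)["checksum_offset"]), **kwargs)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sloppy_image()
    for code, detail in check_pe(data) or [("ok", "no header findings")]:
        print(code, "-", detail)
```

Run it with the path of a compiled executable as its only argument to list the findings, or with no argument to see the constructed sloppy sample flagged. An empty result does not mean an engine will accept the file: cloud heuristics such as the one named in this ticket weigh reputation, prevalence and code patterns far more than headers, but clearing these fields first removes the cheap reasons for a detection before a vendor is asked to whitelist the binary.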

@dockimbel
Member

I have submitted false positive reports to a few vendors, waiting for their acknowledgement.

@dockimbel
Member

I have received an answer from Symantec:

In relation to submission [3278929].

Having reviewed the information provided we are unable to reproduce or confirm the issue
described.

Please ensure that you are using Symantec's latest virus definitions for detection. These
can be found using live update or alternatively via the URL below.
http://securityresponse.symantec.com/avcenter/defs.download.html

If the issue persists with the latest definitions, please respond to this email providing the
additional information below in order for us to analyze the problem further:

- Details of the message or a screen shot of the message received
- Exact step by step instructions on how to recreate issue
- Details of the Symantec product and version being used 
- Detection log(s) from the product

If other versions of the file(s) in question have previously triggered false positive
detections please mention this in your response and include all available file
versions. 


Sincerely,
Symantec Security Response
http://securityresponse.symantec.com

I cannot give them any details about the Symantec product used as Virustotal does not give such information...

A new test on VirusTotal shows that other AV vendors have fixed their heuristics, but AntiVir and Symantec have not.

@dockimbel
Member

A new scan on virustotal still shows the false positive. I have resubmitted a new report to Symantec, hoping that this time they will do something about it.

@dockimbel
Member

Symantec is not reporting any false positive in a new scan, so I'm closing this ticket.

@dockimbel dockimbel added status.resolved Issue has been resolved without a change in the source code (should be elaborated in comments). and removed status.waiting Ticket is put on hold for some dependency to be first processed (should be elaborated in comments). labels Feb 6, 2016
@dockimbel dockimbel added the type.AV Ticket relates to Antivirus software interfering with Red's usage. label Mar 21, 2018

2 participants