Symantec's Excel false-alarm causes Patch Tuesday 'outbreak' panic

Issues new ‘rapid release definition’ to solve false-positive.

Symantec issued an emergency update on Wednesday for Symantec Endpoint Protection after admins across the globe reported inbound Microsoft Excel email attachments were being detected as “Bloodhound.Exploit.459”.

Alarm and confusion struck dozens of IT admins on Microsoft’s Patch Tuesday, some of whom feared a major outbreak was taking place as one of the world’s most popular spreadsheets made its way to inboxes.

“My report server is sending out 100's of emails containing xls files, need a fix ASAP. Has anyone heard of anything yet?”, commented one of over 100 Endpoint Protection administrators who took to the security company’s forum on Tuesday.

Confusion was compounded by reports that the detection only occurred when Excel (.xls) files were previewed within Microsoft Outlook, but not when the file was opened outside the email client.

Without official word from Symantec until late Tuesday, another admin tested whether it was a false-positive by creating a new Excel file with the word “Test” in a cell.

“[A]s soon as I emailed it the alert was generated,” the user reported. “It seems to be related to emails… just opening the blank file didn't cause the problem.”

Another later wrote that Symantec was working on a fix “globally”, claiming to have been informed by its support staff that the latest definition file Symantec distributed may have had an issue.

Symantec has not said what caused the problem but on Wednesday issued a special “rapid release definition”, normally reserved for “newly emerging threats”, which would nix false-positive detections.

It had advised earlier that admins should ignore the detections since files it received “appear clean”.

While false-positives are not uncommon, they are generally not welcomed by admins.

In February, Microsoft's increasingly popular antivirus product Security Essentials also caused alarm when it accidentally detected "" as hosting the Blackhole exploit kit.

Stories by Liam Tung
