Starting yesterday, some users have told us that when Foxmarks tries to sync, Norton Antivirus complains that there is an Attempted Intrusion "HTTP Macromedia Long Filename BO" from your machine against our server. We're not experiencing any such intrusion attempt, and since we're not running Macromedia software on our server, we wouldn't be vulnerable to it anyway.
What we believe is happening is that some users have a pattern of information in their sync files that matches an overly general pattern in Norton's latest virus signature file. Every time Foxmarks tries to synchronize and write a sync file to our server, Norton sees the pattern and confuses it for a worm attack.
We waited in line for hours to chat with a customer service representative for Symantec, the makers of Norton antivirus software. As you might expect they weren't prepared to handle someone with a technical complaint about their software; nor were they very interested in hearing from someone who wasn't actually using their software themselves. But they did offer the following link which I now pass on to Norton users to report and (hopefully) resolve this problem:
Symantec Technical Support
Please let us know if you have any luck with this, and if we can help in some way, please let us know.
UPDATE: This problem has been resolved by Symantec. Please see our latest post about it.
The posted link passed me to a chat queue (I was 32nd in line). I summarized the issue (and my opinion of it) within their 256 character limit and left.
ReplyDeleteI got my Foxmarks to sync by turning off Norton Internet Security, confirming that it is the problem. I've gotten from 31st in the queue to 14, so I'll hang on.
ReplyDeleteyup - i'm just chilling out at pos. #41 :/
ReplyDelete@Mark and littleREDelf:
ReplyDeleteThanks! Please let us know how it goes for you.
I've been having the same problem. You can work around temporarily by turning off just 'Worm Protection' that way you're still protected from other stuff. This is definitely not a desirable fix and I certainly hope Symantec steps up to this one. I need Foxmarks but I can easily switch anti-virus / worm / trojan / etc. applications.
ReplyDeleteHere's a little more info on what's happening with Foxmarks and Norton. The entry says there are no known false positives but I think they are wrong.
ReplyDeletehttp://www.symantec.com/avcenter/attack_sigs/s20582.html
For what it's worth, I dug into Norton AV a bit more and found I could leave WORM Protection on but just exclude the HTTP Macromedia Long Filename BO checking. It still leaves a vulnerability, but much smaller than my previous suggestion of temporarily turning off Worm Protection entirely.
Here's how I turned off just this one check:
I'm running Norton SystemWorks Premier
From the main screen select Options ---> Norton AntiVirus ---> Internet Worm Protection ---> Configure Exclusions ---> Scroll to and uncheck HTTP Macromedia Long Filename BO ---> OK (All the way back)
I would advise to keep checking for updates from Symantec so you can turn protection back on ASAP.
I chatted with a customer service representative for Symantec, the makers of Norton antivirus who advised me to uninstall Norton Security 2007 which make no difference. Later, I discovered other way to solve the sync problem by changing to HTTPS from HTTP. It now works perfectly. Can one of you confirm that it is working in your computer please. Thank you.
ReplyDeleteRocky - that seems to be a good workaround - i changed mine from HTTP to HTTPS and now it syncs. Of course, i got the one time complaint from Firefox which is flagging the non-matching security certificate coming from FoxCLOUD.com and not Foxmark.com.
ReplyDeleteWasted an hour of my life trying to describe the problem to some asshole @ symandreck, starting @ queue #46. Told me to get to some configuration point that doesn't exist - & kept insisting that I did something wrong & unilaterally ended the chat without any help!!!!!!!!! I have a Word.doc copy of the chat transcript if anyone wants it.
ReplyDeleteAnyway, I clicked "ignore" whenever the Norton warning came up. Had to re-run Foxmarks Setup Wizard to remove conflicts, & will now try the HTTPS switch.
Will never use Norton again. & I hope Pakistan & India nuke each other off the planet.
Buckshot: My live chat with Norton this morning had the analyst saying it was OK to leave the HTTP Macromedia Long Filename BO unchecked.
ReplyDelete"Subhajit(Tue Apr 03 2007 11:03:03 GMT-0700 (Pacific Daylight Time)): Please do not worry, your computer is a safe as it was earlier."
Me: So, what you're saying this is the solution and that it doesn't leave me vulnerable to other attacks?
"Subhajit(Tue Apr 03 2007 11:03:42 GMT-0700 (Pacific Daylight Time)): Yes, please do not worry . . . It is a Browser object which Norton was detecting as intrusion . . . So, it was blocked . . . We have unchecked this actual BO"
Me: Interesting. I will share this 'fix' with the forum users of the Foxmarks product.
just a quick one to say that i've also had this problem but unchecking HTTP Macromedia Long Filename BO seems to have done the trick. thanks!
ReplyDeleteWe're still looking into how we can help push Symantec for a first-class solution for this. Is there anyone out there that is still experiencing the problem that would be willing to authorize us to use their bookmarks as a test case? Note that this would likely involve our releasing your bookmarks to Symantec.
ReplyDeleteIf you're willing to share your bookmarks in this way, please write us at support@foxmarks.com.
Janice,
ReplyDeleteThanks for the follow up. Like Todd, I would like a clean solution but can live with the unchecked BO (sorry, couldn't resist).
---> Hal in Texas
Many thanks to those of you who offered their bookmarks to help us debug this problem. We've got what we need now to replicate the problem. We'll keep you posted as we approach a solution.
ReplyDeleteI'm also suffering from this issue, but have had ISP problems the last couple of days, so wasn't able to "chime in" before now really. Can someone explain more specifically how/where to make the switch to https: ?? I understand what it's all about, but I can't open Foxmarks from my bookmarks at all. I much prefer this fix to unchecking something in Norton - at least 'til I decide whether to dump Norton or not. THANKS!
ReplyDeleteNick
Complete fix with no warnings:
ReplyDeleteOpen Firefox
Go to Tools>Add-ons
Highlight Foxmarks and click the Options button
Click the other tab at the top of the options panel
Change type to HTTPS
Change server to: sync.foxcloud.com
Click OK
I use NIS 2007 and this worked for me. I hope it helps.
After many phone calls and internet chats with Symantec I think I've finally found the correct "fix" after several failed attempts.
ReplyDeleteOpen your Norton AntiVirus 2007 Program.
Click on the 'Norton AntiVirus' tab.
Click 'Settings'
Click 'Internet Worm Protections'
Click 'Configure' [You'll go to a page titled "Virus and Spyware Protection Options"]
Click 'Configure' again.
Scroll down through all the "Signature Exclusions" until you see one beginning with 'HTTP Macromedia' even if the complete file name isn't the same as "HTTP Macromedia Long Filename BO".
Uncheck this file. This stopped the popup on my computer. If it doesn't work for you just go back and check it again to restore your settings. Look for any other Macromedia file names and try unchecking them instead. I got lucky on the first try, I hope you do too.
Regards-Lee Marks
In response to Lee Marks,
ReplyDeleteTheres no reason to turn off the signature if Foxmarks is the only place that is creating the false positive. If you read my fix and try it, you'll see it cures the issue without having to disable the signature. My guess is maybe Foxmarks is having issues with their foxmarks.com domain name. foxclouds.com is still owned by Foxmarks as is apparent if you click Todd's name it links to their previous or other domain http://www.foxcloud.com/
Try my above fix with the signature on.
@Marshall Place:
ReplyDeleteThe issue has nothing to do with domains -- it is Norton erroneously viewing bookmark synchronization as as an attack against our server. If you have certain bookmarks in your bookmark set, it triggers Norton's worm pattern detector, causing the problem.
sync.foxcloud.com and sync.foxmarks.com refer to the same server; foxcloud.com is an old domain that we are slowly phasing out. But that doesn't have any bearing on the issue at hand.
Thanks for pointing out that my profile was still pointing to the old domain. I've fixed it.
@ Todd
ReplyDeleteThat still doesn't change the fact that the issue doesn't occur on the old domain with those settings. The old domain works with NIS signatures with both http mode and https. Maybe issues with the mirror? I'm not exactly sure how you have your domains and servers setup, instead of pushing the blame unto Symantec though, maybe its worth taking another look at your mirrors and domains. If the problem is alleviated by switching to the old domain name, maybe the problem isn't necessarily a Symantec issue.
@Marshall Place:
ReplyDeleteThis has been resolved by Symantec; please see our latest post about it.
-Todd
i cant find scan with norton antivirus in the shell for norton antivirus 2007.For ex: if i want to scan any folder or a file ,by right clicking on it i cant find norton scan plz help
ReplyDelete1st getting into microsoft internet explorer then getting into google Norton pops up saying virus protection is turned off I don't know how to turn it back on please help
ReplyDeleteErm, just pointing out to the last two posters--this isn't a forum for Norton problems. For those, you'll want to visit their website and try contacting their customer support. Best of luck with that!
ReplyDelete@santu
ReplyDeleteIf you're running Vista 64-bit then this is normal. Norton 2008 does not provide the "scan with norton antivirus" option in the right-click menu. Annoying but yeah, I guess I'll have to live with it (since I'm operating on a 64-bit system as well).
I discovered this by searching for "shell extension" in Norton's help & support section.
Has anyone discovered a good antivirus package that will run a right-click quick scan under 64 bit Vista? I need to get a new A/V package and no, Norton doesn't do this, nor Webroot Spysweeper. And Computer Associates antivirus, my first choice, will not run on 64 bit yet.
ReplyDelete