Pegasus Mail & Mercury

Thanks for the suggestions from this thread. Having wasted a couple of hours thinking it was a real tjn, it was a relief to see I wasn't alone :-). Now, using the exclusions in autoprotect, things seem to be going okay again. Long may it continue!

 

Woohoo! 2AM central U.S. time.  One last "Live Update" check before hitting the sack and lo and behold, there are new definitions.   I used LiveUpdate to install 'em, waited 5 minutes to makes sure they took, re-enabled "auto-protect" in the task bar and cautiously fired up PMAIL. 

PMAIL runs fine again.  I hope Symantec adds PMAIL to the suite of programs that they test virus definitions against for false positives.  It's hard to believe that it wasn't already in there already.

after some googling i found this site and submitted a request let see what happens:

https://submit.symantec.com/false_positive/index.html

InvaderZim:

I hear Trend Micro's antivirus is pretty good and less of a resource hog, and Vista doesn't really need a separate firewall (I have a hardware firewall anyway).  I also hear the Microsoft antivirus is terrible.  Any other suggestions?

I've been using F-Prot for more than 8 years, both personally and corporately, and have never had a problem like this (or virtually any other problem either). Very low resource use. Virus Bulletin also rates them highly. Their home and volume pricing is also excellent -- the home license covers up to 5 computers in the same household for one price. http://www.f-prot.com/

 - Alan

i also reported it as false positive. I think David Harris should report it as a false positive as well, since it asks whether you're the owner of the program or not.

Though the Dutch helpline (chat) wasn't aware of the bug and his chief neither, it is solved. In both 2006 as 2007 I did a life update and was very courageous: I gave c:/pmail free for norton.

This time it left win-pm32.exe where it was. 

alanjshea:

InvaderZim:

I hear Trend Micro's antivirus is pretty good and less of a resource hog, and Vista doesn't really need a separate firewall (I have a hardware firewall anyway).  I also hear the Microsoft antivirus is terrible.  Any other suggestions?

I've been using F-Prot for more than 8 years, both personally and corporately, and have never had a problem like this (or virtually any other problem either). Very low resource use. Virus Bulletin also rates them highly. Their home and volume pricing is also excellent -- the home license covers up to 5 computers in the same household for one price. http://www.f-prot.com/

 - Alan

Everything Alan says about F-Prot I can say about the free (for home use) version of AVG anti-virus.  And it is free.  I've been using AVG for years, and I'm very satisfied.

Thanks.
Cassy.

I use F-prot too, have for years, others use AVG.  There are though mailers whose data directories must be excluded from the scan - this is perfectly safe.  This incident is another reason not to use Norton  anti-virus or any Symantec product.  I have seen too many reports of trouble they have caused in other  computers, and my own experience was enough.  Cleaning my system from their effects was a nightmare.  

I have confirmed this morning that Symantec definitions version 5/17 rev. 73 no longer flag Pegasus Mail's main executable as a trojan.  

We've been using Symantec AV Corporate Edition for 9 years now and this is only the third time I've seen a false positive, as this was for winpm-32.exe being flagged as "Trojan.Dropper" with one of the Symantec definition files.  As with this false positive, each time Symantec fixed the problem in a newer definitions file within a day or two.  My only contact with Symantec support was with the first false positive a few years ago now with the Sassafras KeyServer client and it was easy and they resolved the problem without a fuss, actually within a couple hours they had a new rapid-release definition file that removed that false positive.  The other has happened a couple different times over the years, with the SFX code WinRAR uses.  In any case, that Symantec support chat excerpt earlier in this thread is quite bizarre to me.

When this problem first happened to me last night, it was on my primary, old work computer which I had actually installed some new software about an hour earlier, so you know it very well could have been winpm-32.exe had been injected by some other trojan.  I then checked my other work computer, which I hadn't installed anything new on for over a month and it too flagged it, so that made it less likely to be the real deal.  After going to this forum board and finding this thread, it definitely was a sigh of relief, to know this was a false positive.

At that point, I simply added an exclusion to the folder where I installed Pegasus Mail and restored winpm-32.exe out of the quarantine folder.  I don't know why people would need to be re-installing Pegasus, unless they had their AV settings set to delete, before quarantine.  I especially don't know why one would have lost all of their settings, when all of the Pegasus Mail configuration files are left intact, only the single winpm-32.exe was removed.  In fact, Mr. Harris might want to just have that file put on the FTP servers, along with posting the MD5 hashes of the Pegasus Mail and Mercury binaries, for future reference.  Simply putting winpm-32.exe back in the program folder is all one should need to do, once the newer Symantec AV defs have been installed.  I definitely recommend removing the folder/file exclusions, though, because it is still possible for that program folder or winpm-32.exe binary to get injected with a real trojan.  

Finally, I would suggest those ready to jump ship to a new AV product to first do some real research.  I'm not married to Symantec AV, in fact, the past couple years, I've tried out several other products, on my personal systems, but you know what, I keep coming back to Symantec/Norton.  I've had false positives, spiked CPU utilization, and other various problems with other AV products I've tried out, as well.  I haven't tried them all, so I'm not saying their isn't the "perfect AV" product out there, but in terms of problems, Symantec AV has still been the lesser of the evils that is infesting a Windows NT system with any AV products.  If you notice from the AV-comparatives report, in their testing, perhaps ironically, Symantec AV was the only one that did not have at least a few false positives. 

I agree. The url is  https://submit.symantec.com/false_positive/index.html  .

rbhall52:

I agree. The url is  https://submit.symantec.com/false_positive/index.html  .

We had response from Symantec that in the next update the problem will be solved. 

:
This Email is in relation to your recent submission through Symantec’s on-line False Positive Dispute Submission form for Pegasus mail being detected by Symantec software. In light of further investigation and analysis Symantec is happy to remove the detection from within its products.
The updated detection will be distributed in the next set of virus definitions, available daily, or weekly via LiveUpdate, depending on Symantec product version, or daily from our website at
http://securityresponse.symantec.com/avcenter/defs.download.html.
Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.
Sincerely,
Symantec Security Response
http://securityresponse.symantec.com

---

Han van den Bogaerde - support@vandenbogaerde.net
Member of Pegasus Mail Support Group.
My own Pegasus Mail related web information:
http://www.vandenbogaerde.net/pegasusmail/

I have been fighting with the trojan dropper for hours! I have been following the posts for exclusions etc. I did and update for Norton AV. I lost the latest version of Pegasus, but for some reason did not lose an older version on my computer. I still have email just an older version. I want the new version back! I just reinstalled the latest version of Pegasus and updated as to not lose information and settings. It still opens the older version. When I find the place it was stored in my computer, it says "the application has failed to start because TER32.DLL cannot be found, Resintalling this app my fix the problem" can anyone help?

First of all - thank you to you all for your suggestions and help.

I cannot access to http://securityresponse.symantec.com/avcenter/defs.download.html directly (page not found), but I finally arrived to the http://www.symantec.com/avcenter/download/pages/IT-N95.html page (trying to download the Italian latest virus defs update).

This page shows

20070517-073-i32.exe

Maggio 17, 2007

Maggio 17, 2007

15.50 MB

as the latest update. Is this the correct one? Should I download this version eve if it is dated May 17th?

Thank you in advance for your co-operation.

CEC

Hi -- I also have been at this for hours!  I finally re-installed a new version also, but then copied the winpm-32.exe file to the old directory and all my info ... was there.  The problem I am now having is in sending and receiving.  It appears that I cannot get access to the winsock (I think) as each time I send/receive it gives the error msg "bad address" which I know is definitely not the case.  SOOOOOO, can anyone help??

Hi -- I'm the one who posted the previous msg # 71.  Got the problem solved, so what I did (in previous msg) could be a general solution.  My send/receive now works, as I found out it was being blocked by Norton Firewall, so I can just change that setting and all should be OK.