In summary, we have a file, and Norton 360 says it has a keylogger in it. I can't upload it to compare with other AV software (the file is greater than 10MB). See previous posts to catch up if you haven't already.
The next step is to isolate the trigger for the signature match (hoping there's only one match as might be typical in false positive matches).
$ ls -la
*snipped* 185928871 2008-06-26 18:11 WALL-E_Demo_UK.exe
We have a handy method of doing this by splitting the file in halves until we no longer have any detections, being sure to make note of the offsets of the file splits as we go. This is not a new technique and results may vary depending on the number of signature detections within a file and the algorithm for detection (e.g. if the algorithm requires a certain offset from the start of the file to match).
$ split -b 92964436 WALL-E_Demo_UK.exe
$ ls -la
*snipped* 92964436 2008-08-03 11:59 xaa
*snipped* 92964435 2008-08-03 12:00 xab
The first file has a match by Norton 360, the second does not. I kept splitting the matched file until I no longer received a match. It happened at the following split:
$ ls -la
*snipped* 726285 2008-08-03 12:46 WALL-E_Demo_UK.exe-offset 0
*snipped* 363143 2008-08-03 12:46 xaa
*snipped* 363142 2008-08-03 12:46 xab
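The splitting loop above is a binary search over the file, so it is worth writing down as code. This is an added example, not the author's own script: it repeats the halving used with `split -b` (first half gets the extra byte, as in the listings above), records the offsets at each step, and stops either when the region can't shrink or when neither half matches any more. That last case is the caveat the post raises: the trigger now straddles the split boundary, so the code reports that boundary as the place to look in a hex editor. The detector here is a constructed stand-in (a hypothetical byte pattern) for the manual Norton 360 scan of each written chunk; the sample file is built inline.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Hypothetical "signature" standing in for whatever the AV engine actually matches on.
# Constructed for this example only; it is not a real detection pattern.
SIGNATURE = b"LOGKEYS"


def make_pattern_detector(pattern: bytes) -> Callable[[bytes], bool]:
    """Build a detector that mimics an AV verdict on a chunk of bytes.

    In the real investigation this callable would be replaced by writing the chunk
    to disk and recording whether Norton 360 flags it.
    """
    return lambda chunk: pattern in chunk


@dataclass
class BisectResult:
    start: int                       # first offset of the smallest region that still matched
    end: int                         # one past the last offset of that region
    boundary: Optional[int]          # split offset where neither half matched, if that happened
    history: List[Tuple[int, int]] = field(default_factory=list)


def bisect_detection(data: bytes, detects: Callable[[bytes], bool],
                     min_size: int = 1) -> BisectResult:
    """Narrow a detection down by repeatedly halving the region that still matches.

    Mirrors `split -b ceil(n/2)`: the first half is the larger one when n is odd.
    Stops when the region reaches min_size, or when neither half matches, which
    means the trigger spans the cut (or there is more than one trigger).
    """
    if not detects(data):
        raise ValueError("whole file does not match; nothing to isolate")
    start, end = 0, len(data)
    history = [(start, end)]
    boundary = None
    while end - start > min_size:
        mid = start + (end - start + 1) // 2     # same cut as split -b with the larger half first
        if detects(data[start:mid]):
            end = mid
        elif detects(data[mid:end]):
            start = mid
        else:
            boundary = mid                        # trigger straddles this offset; stop here
            break
        history.append((start, end))
    return BisectResult(start, end, boundary, history)


def build_sample(sig_offset: int = 5000) -> bytes:
    """Constructed sample file: predictable filler with the hypothetical signature embedded."""
    filler = bytes(range(256)) * 40               # 10240 bytes that never contain SIGNATURE
    return filler[:sig_offset] + SIGNATURE + filler[sig_offset:]


if __name__ == "__main__":
    sample = build_sample()
    result = bisect_detection(sample, make_pattern_detector(SIGNATURE))
    for step, (s, e) in enumerate(result.history):
        print(f"step {step}: region [{s}, {e}) size {e - s}")
    if result.boundary is not None:
        print(f"neither half matched; trigger crosses offset {result.boundary}")
    print(f"smallest matching region: [{result.start}, {result.end})")
```

On the constructed sample the search narrows to an 80-byte region before the cut at offset 5004 lands inside the pattern and both halves stop matching, which is exactly the situation where hex-dumping the bytes either side of the last split is the next move. With a real engine each iteration means writing the two halves out and scanning them, so the history of offsets is the record you keep for the vendor's false-positive report.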
If we view this offset in a hex editor, this is what we see at the end of the xaa file:
And at the start of xab file:
No easy clues there, such as a registry key string, and running the strings command over the end of xaa and the start of xab respectively doesn't give us anything obvious either:
4SUV
hh,I
hP,I
hL,I
hL,I
t|j<
hD,I
D$T
L$D_^
tFjd
t$hW3
L$Td
Another thing to consider here is that Norton 360 may well be decompressing the file, and if we're splitting it then it can no longer decompress it to check the contents. Another approach might be to decompress the file, or to install it on one computer and bring all the extracted files onto one that Norton 360 is protecting. The trouble with installing is that you need to run Process Monitor to see which file and registry changes are made, and then copy any written files onto the Norton 360 box to see if those get detected.
Decompressing is made slightly harder because of encryption (signed .exe maybe?):
$ strings xab | grep -i chilkat
.?AVChilkatObject@@
This Zip has been encrypted with Chilkat Zip (www.chilkatsoft.com).
I'm at the point now where Symantec must examine why they detect this as containing a keylogger and issue updates if it's a false positive match. I seriously doubt such a high-profile game would be released with a keylogger in it.
Over to you Symantec. Let me know what you find. Thanks.
Update: A nice summary of the key points by Chris Boyd is here.