Explain This...

Discussion in 'malware problems & news' started by CyberWorm, Jul 19, 2010.

Thread Status:
Not open for further replies.
  1. CyberWorm

    CyberWorm Registered Member

    Joined:
    Apr 21, 2010
    Posts:
    74
    Last week I was testing Norton IS Beta 2011. I downloaded a trojan from MDL to see how long it would take to become detectable. Simple test really. I must point out the file was never executed.

    Today Norton has gone wild saying I have Banking.InfoStealer which was the bot.exe file I downloaded last week. However, Norton says the bot's activity includes several infected dll files within the system folder.

    I am not complaining about the Trojan, but if the file wasn't executed, how did it place these DLLs into my system32 folder? Does Norton execute such unknown applications for some kind of monitoring?
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I've heard about this before. It sounds like Norton has a habit of reporting what the malware would do if it executes, instead of reporting what it has actually done on your system. Meaning, there may never have been any infection of your system, and Norton could be just mouthing off about what the bot.exe file would do if it were to run. It's hard to confirm that now, though, since we don't know whether Norton deleted any infected files it found or took other similar measures, so we can't really look for the files in the filesystem and come to conclusions based on whether the files are even there or not (viewed from a clean boot, like a Linux live CD, of course, to prevent rootkits from hiding the files). You could ask Norton's support, but they're probably going to be useless.
     
  3. CyberWorm

    CyberWorm Registered Member

    Joined:
    Apr 21, 2010
    Posts:
    74
    Ah, it's not just me then :D
     
  4. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    That was my case, Windchild... where nothing was executed from my USB drive because of AppLocker and Auto-Run being disabled... But still Norton told me that 07 files and 53 registry files got infected and were cleaned by my NIS 2010..

    I even asked their CC support and they told me that the malware executed, but I told them that I had already enabled AppLocker, so how could it be possible... and I was shocked when they asked what an AppLocker policy is.. LOL
     
  5. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    You are not alone.. It was me who first reported this thing here... Even I was so confused by this behavior from Norton.. I thought that my AppLocker policy was compromised, but soon I realized that it was pretty rock solid, and it was Norton who misinformed me about an infection which never happened.
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I should've remembered it was you, AvinashR. I tried to remember the name, but it escaped my memory.

    Norton's behavior here is just plain strange. Their customer support doesn't seem to know much of anything, so probably the only way to really get to the bottom of what Norton is trying to do here is by contacting someone in the development team who actually knows about things.

    Another thing that could be done is finding some harmless software that Norton detects as malicious (even 'clean' password sniffing tools often qualify as malware for most AVs), software that is known not to try any exploits to get itself running without permission from the user. Take care not to run that software - blocking it with SRP/AppLocker or HIPS if necessary - and wait for Norton to detect it. If Norton still claims the software that was never executed has done all kinds of stuff to the system, then Norton is just sick in the head. :D
     
  7. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I have a Stuxnet dropper.. So it would be great to see what Norton will show or claim after detecting it... :)
     
  8. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,588
    Location:
    Mumbai
    Well, I, Avinash and 3GUSER had a somewhat similar discussion regarding Norton file prediction earlier here, from Post #115, and still didn't find the proper answer :D The support didn't contact me either :'(
     