Shows my Norton anti-virus as possible trojan

Discussion in 'Port Explorer' started by brotherfreakshow, Jan 7, 2003.

Thread Status:
Not open for further replies.
  1. brotherfreakshow

    brotherfreakshow Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    19
    Location:
    Ohio
    Hello-
    I am using the trial version of Port Explorer (plan on
    upgrading when I have cash :p).
    My problem is this. My Norton Anti-Virus 2002
    is shown in red as a possible trojan.
    Without the full version, what can I do to check this
    out further?
    :'(
     
  2. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    This is just my personal opinion of course, but I consider that anything from Symantec IS a trojan. :D :D

    Items showing in red in PE do not mean they are trojans. It simply means the item is running as a hidden process. Now, had you not *known* what it was, PE would be alerting you to the fact that something *is* running as a hidden process and you need to investigate. It's all about what is running on your machine, hidden or not, and Port Explorer is an excellent tool towards that end.

    HTH
    Phil
     
  3. brotherfreakshow

    brotherfreakshow Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    19
    Location:
    Ohio
    Hello-
    Thank you Phil, I understand that PE shows hidden
    processes, and that it might not be a trojan.
    How would I confirm this (trojan or not)?

    I used my evaluation version of TDS-3 and it showed
    no trojan mixtures.

    I am a little confused about TDS-3 however.
    When I start up TDS-3 it says my radius
    definitions need updating.
    I have updated them off the Diamond website.

    Thanks for any info.
     
  4. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    OK, just like in your example, you *know* your Norton AV is not a trojan, so that identification comes from your personal knowledge of your machine and what is running. Now, if you didn't know what it was, you can right-click on the process and select "What is ...." and it will ID the exe and the path to it. Try that on any process shown on your system as an example. If from that information you had no clue what it was, then that would start you on a trail of discovery to find out what it is by any of several means. Using PE you can sniff any traffic from and to the process. PE gives you the path to the exe so you can find the file, right-click it and get the properties. You can use PE to close the sockets used while you search the 'net for info on the exe. Again, the trick is to know what should be running on your system and verify with PE. Then if something *new* shows up and you know you have not installed anything, PE will let you know the instant it appears and you start the trail of discovery mentioned above.

    Try the right click on a process and see what it shows you. If you find a hidden process you know is not associated with any known software on your system, that should raise the hair on the back of your neck. :cool:

    Phil
     
  5. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Good advice Phil, I have nothing further to add! :D
    -Jason-
     
  6. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    I'll send you my bill in the morning. :D

    Phil (thanks for the compliment!)
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Just as an FYI, I believe that as long as you are running the evaluation version of TDS-3, it will always tell you to check for updates (which you have to do manually while evaluating that product).
     
  8. BeachComer

    BeachComer Registered Member

    Joined:
    Jan 15, 2003
    Posts:
    4
    That's normal

    That's just the auto-updater (navapw32) listening on Port 1025. When there's a new virus definitions update, it will "hear" about it and know to download it.

    I'm not sure why it's called a "hidden" thread, since Netstat and ZoneAlarm both can see it.

    --BeachComer
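Phil's investigation steps (post 4) and BeachComer's note about netstat and navapw32 on port 1025 (post 8) come down to one habit: keep a list of what should be listening on the machine and compare the live state against it. The script below, added here as an illustration and not code from this thread or from DiamondCS, does that comparison offline. It joins `netstat -ano` output (socket to PID) with `tasklist /fo csv` output (PID to image name) and flags every bound socket whose image/port pair is not on an administrator-maintained baseline. Both command outputs, the PIDs and the image names are constructed sample data; only navapw32 on TCP 1025 is the case discussed above.

```python
"""Compare listening sockets against a baseline of known software.

Added example, not code from this thread or from DiamondCS.  It joins
`netstat -ano` output (socket -> PID) with `tasklist /fo csv` output
(PID -> image name) and flags every bound socket whose (image, port)
pair is not on an administrator-maintained baseline.  All sample data
below is constructed.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -ano` output (Windows XP and later).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1400
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2244
  TCP    192.168.1.10:1026      66.35.250.150:80       ESTABLISHED     1188
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output.
SAMPLE_TASKLIST = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","812","Console","0","4,512 K"
"iexplore.exe","1188","Console","0","31,880 K"
"navapw32.exe","1400","Console","0","9,204 K"
"update.exe","2244","Console","0","1,932 K"
"""

# Baseline of (lower-cased image name, port) pairs known to belong to
# installed software.  navapw32 on 1025 is the Norton auto-updater
# case from this thread; the other two entries are illustrative.
BASELINE: Set[Tuple[str, int]] = {
    ("navapw32.exe", 1025),
    ("svchost.exe", 135),
    ("system", 445),
}


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int
    image: str   # image name from tasklist, or "<unknown>" if the PID is absent


# proto, local address, local port, foreign address, optional state, PID.
# UDP lines carry no State column, so the state group is optional.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {int(row["PID"]): row["Image Name"] for row in rows}


def parse_listeners(netstat_text: str, pid_to_image: Dict[int, str]) -> List[Listener]:
    """Return bound sockets: TCP sockets in LISTENING state plus all UDP sockets."""
    listeners = []
    for line in netstat_text.splitlines():
        match = NETSTAT_RE.match(line)
        if not match:
            continue            # header, blank line, or unrecognised format
        proto, _local, port, state, pid = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue            # established / time-wait sockets are not listeners
        pid = int(pid)
        listeners.append(Listener(proto, int(port), pid, pid_to_image.get(pid, "<unknown>")))
    return listeners


def flag_unknown(listeners: List[Listener], baseline: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners whose (image, port) pair is not on the baseline: investigate these."""
    return [l for l in listeners if (l.image.lower(), l.port) not in baseline]


def triage(netstat_text: str = SAMPLE_NETSTAT,
           tasklist_text: str = SAMPLE_TASKLIST,
           baseline: Set[Tuple[str, int]] = BASELINE) -> List[Listener]:
    """Full pipeline on the supplied (here: constructed) command output."""
    return flag_unknown(parse_listeners(netstat_text, parse_tasklist(tasklist_text)), baseline)


if __name__ == "__main__":
    for l in triage():
        print(f"UNKNOWN LISTENER  {l.proto} port {l.port}  pid {l.pid}  image {l.image}")
```

On a real machine you would feed `triage()` the actual output of the two commands and build the baseline from the software you know you installed. A flagged listener is where Phil's "trail of discovery" starts (find the exe by path, check its properties, watch its traffic), not a verdict: in the sample, navapw32 on 1025 passes because it is on the baseline, while the constructed `update.exe` on TCP 5555 is reported for investigation.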
     
  9. wink

    wink Registered Member

    Joined:
    Dec 16, 2002
    Posts:
    52
    Hi Beachcomer,

    As far as I understand it, it's because this application has no visible on-screen entity and is therefore 'hidden' from view, and this is why Port Explorer is showing the process in red as a 'possible' trojan (as that is a common feature of a trojan).

    When I use Messenger and minimise the application window it displays in the Port Explorer list as red, and I know the application is ok so I ignore the instance.

    Wink.
     
  10. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Wink is correct :cool: . Norton's must create a whole new process just to check for an update, possibly. Otherwise Port Explorer would know that the socket has a window from Norton's, unless it's hidden of course on the systray :D.
    -Jason-
     