Was checking the logs of NextDNS and I found out that it was blocking some domains belonging to Avast.
Are these domain necessary for Norton and does the block affect the protection provided by Norton?
View attachment 293598
Those domains are
very likely related to Norton, and blocking some of them
can impact features – but probably not the basic on‑device antivirus engine.
From your screenshot:
- analytics.ff.avast.com / analytics.avcdn.net – telemetry / usage analytics for Gen Digital products (Avast/AVG/Norton/Avira share a lot of backend now).
- shepherd.ff.avast.com / shepherd.avcdn.net – used by Avast/AVG (and probably Norton) for cloud config, feature flags, experiments, sometimes to pull updated settings.
- ipm.avcdn.net – in‑product messaging (promos, notifications, popups).
- adp-gateway.norton.com – Norton account/device/portal backend (activation, device status, etc.).
- login.norton.com – Norton account login.
I don’t have Norton’s internal documentation, so I can’t say with 100% certainty what each one does, but based on public info and user reports:
- Blocking the Avast/avcdn “analytics” and “ipm” endpoints usually:
- Stops (or reduces) telemetry and marketing/in‑product offers.
- Should not break basic local file scanning.
- Might slightly affect cloud‑based reputation/experiments if they piggyback on the same infrastructure.
- Blocking “shepherd” could be more sensitive:
- This is often used for config/feature rollout.
- If Norton relies on it, it could affect cloud‑controlled features or how fast you get config changes.
- Blocking adp-gateway.norton.com / login.norton.com:
- Can break sign‑in, subscription checks, and device management.
- Cloud‑dependent features (like some web protection components, backup, VPN, etc.) may not work properly.
- Core offline AV will usually still work, but you may get activation or account errors.
Does this reduce Norton’s protection?
Potentially, yes – at least for
cloud‑dependent parts (reputation lookups, phishing/URL checks, policy/config updates), especially if “shepherd” or other backend services are needed. I can’t verify exactly how much, but in general:
- If you want full intended protection, it’s safest not to block Norton/Gen‑Digital domains your client is contacting.
- Blocking obvious login/account domains is almost guaranteed to break some functionality.
Practical recommendation
- In NextDNS, allowlist at least:
*.norton.com- The specific
avcdn.net / ff.avast.com hosts Norton is calling (the ones you see in the log).
- After allowlisting, check Norton:
- Can it update definitions and check subscription without errors?
- Does Web/URL protection show as fully enabled?
- If you really want to block telemetry:
- Start by only blocking obvious analytics/ipm endpoints and leave shepherd/activation/login domains allowed.
- Monitor Norton for any warnings or failed update/connection messages.
In short: these domains are very likely part of Norton’s shared backend with Avast/AVG. Blocking them may not kill the local AV engine, but it can interfere with cloud features and account functions, so allowlisting them is the safer choice if you want full protection.
