Norton & Compressed Files

Deleted member 2913

Thread author
I didn't know Norton could have Download Insight on compressed files too.

I downloaded a harmless sample from testmypcsecurity called keylogtest. It's in a zip.

I extracted it & Norton detected it. I checked quarantine & the detection at the end mentions Download Insight.

If I disable Norton auto-protect & extract keylogtest, enable auto-protect & open the extracted folder or execute keylogtest, then Norton doesn't detect it. With auto-protect enabled, if I again extract it to the same folder, then Norton detects it.


Please test & verify.

If malware hub testers here disable auto-protect to extract the samples, then Norton would not detect the samples, of course if the above is correct & the samples in question are Download Insight detections & not signs, SONAR, etc...
 

Daniel Hidalgo

When I first used Norton in the hub, I disabled self-protect, extracted the samples and ran a normal scan, and the results were not positive.
However, when I did not disable auto-protect and downloaded the samples (in a VM, of course) and then extracted them, Download Insight detected and automatically eliminated them, giving positive results (which I personally found surprising).
Download Insight and SONAR (in my opinion) are the most powerful tools in Norton; however, this depends on self-protect.
Deleted member 2913 said: "If I disable Norton auto-protect & extract keylogtest, enable auto protect & open the extracted folder or execute keylogtest then Norton doesn't detect it. With auto-protect enabled if I again extract it to the same folder then Norton detects it."
I think it could be a bug; it would be illogical for Norton to detect it the first time (by Download Insight) and not at a later time (it happened to me too).
 
Deleted member 2913

Thread author
I mentioned in my first post that the detection should be a Download Insight detection. Of course, if the detection is a sign detection then it would be detected, as signs are locally or cloud present, similarly SONAR BB.

I don't know how Download Insight detection works?

But the case I mentioned with the keylogtest sample is not something that happened just that one time, i.e. it's repeatable, i.e. any time I try that way it's not detected.
 

bjm_

Based on the type of application you use to download your file, your Norton product does one of the following:
  • Analyzes the file based on its reputation details when the download is complete.
  • Analyzes the file based on its reputation details when the file is executed.
 

Daniel Hidalgo

Deleted member 2913 said: "I dont know how download insight detection works?"
Download Insight uses reputation information exclusively when it makes decisions about downloaded files. It does not use signatures or heuristics to make decisions. If Download Insight allows a file, Auto-Protect or SONAR scans the file when the user opens or runs the file.


Managing Download Insight detections
 

Ink

Archive files without password-protection can be detected/flagged almost immediately (no extraction required).

 

Daniel Hidalgo

That is correct: if the compressed file is not password-protected, as @Huracan mentioned, what is within the zip file can be analyzed.

I have tested disabling auto-protect: with on-demand scanning it was not detected, but when I enable auto-protect again and run the file, it is detected by Norton and removed by Download Insight. My conclusion is this (maybe I'm wrong): the file as such does not have a signature in the database, but is detected via the cloud (by the Insight network).
 
Deleted member 2913

Thread author
venustus,

You disabled autoprotect & extracted keylogtest & enabled autoprotect & executed keylogtest, right?
If you did the above then yes even on execution the sample is not detected.
 
Deleted member 2913

Thread author
If you didn't disable auto-protect then the sample should be detected. Strange, don't know why it was not detected?

Are you using Norton Security or the previous NIS or something? Don't know if there is a difference or not?
 

Venustus

Deleted member 2913 said: "If you didn't disable autoprotect then the sample should be detected, strange, dont know why it was not detected?

Are you using Norton Security or previous NIS or something? Dont know if there is difference or not?"
The latest Norton Security 22.6
If you get a detection, then I must have something misconfigured??
Could you please confirm that you or any one else gets a detection?
Thanks!!:)

I went here:
Feature Settings Check – Download of Compressed Malware » AMTSO

The archive was not detected, but the file was detected upon extraction!

Ink

In my case, with all settings at Max, Norton did not detect the archive even upon extraction!
Upon executing:

The software in the .ZIP file requires .NET Framework by Microsoft for it to run successfully.:)

I was trying it.
I have Norton Security installer 22.5.4.24. I didn't update it as I was just trying it. Later I uninstalled it.
Norton Security is the install-and-forget type of security software, even a novice could use it, so what was your verdict?
 