

NS back to flagging GRC InSpectre as High Risk & Removing

Today, seven months after NS flagged and removed my attempted download of GRC's InSpectre program ( https://community.norton.com/en/forums/odd-security-alert-after-inspectr... ), NS suddenly marked the downloaded exe -- which I have had on my machine all this time -- as High Risk Heur.AdvML.B, and removed it.  As a reminder, InSpectre is a standalone program which is run directly from the exe rather than installed.

Odd that this would suddenly happen after seven months with no "objection" by NS.  I restored the file and safe-listed it.  (FYI -- though I don't think this matters -- back when I originally downloaded "InSpectre.exe" I renamed it "InSpectre (GIBSON - dl 5-16-18).exe.")  Funny thing is, Norton File Insight shows the file as Trusted, with tens of thousands of users.  And Symantec is NOT one of the few AVs that flags it as malicious on VirusTotal.  (Although, out of curiosity I tried re-downloading the program, and Symantec *does* still flag the resulting Firefox cache file, both on my machine and on VirusTotal.)

While I marked this "Need a Solution," I am looking more for any comments on whether my safe-listing the exe is OK, though I'm pretty sure that it was.

Replies


Re: NS back to flagging GRC InSpectre as High Risk & Removing

Hello Ardmore. I have version 0.0.6675.8. Running NSBU 22.16.2.22, it's not being flagged in any way.

Cheers

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows Server 2016 Essentials / Windows 10 Professional x 64 version 1903 / build 18362.418 / N360 Deluxe 22.19.8.65 / Norton Core v.282 on Android 2.11 / Opera GX

Re: NS back to flagging GRC InSpectre as High Risk & Removing

Thanks for the data point, SoulAsylum.  As I said, I went 7 months with no issues, so I guess it's one of those "when you least expect it..." things.  FYI, the program wasn't open when it was flagged.  I've opened it perhaps 5 or 6 times in the 7 months since downloading.  I have the same version of InSpectre as you, 0.0.6675.8.  I have NS 22.16.0.247.


Re: NS back to flagging GRC InSpectre as High Risk & Removing

Run live update on your Norton product to get it to the current version of 22.16.2.22, reboot then see if you can get the file without it being zapped.

Cheers


Re: NS back to flagging GRC InSpectre as High Risk & Removing

OK, I Live Updated to NS version 22.16.2.22.  Then I went to GRC and downloaded the same version of InSpectre, but to a different location than the (renamed) copy I already have (the one that Norton quarantined yesterday and that I restored and safe-listed).  The Norton File Insight popup told me the downloaded file was safe.  But then 4-5 minutes later I got a popup that high-risk Heur.AdvML.B had been identified and removed.  But what was removed was the Firefox cache file, not the newly-downloaded copy of the program.  When I test the latter with both a scan and Insight, it checks out OK.  Could that be because I had restored and safe-listed the copy of InSpectre.exe that had been flagged and quarantined yesterday?

Which leads to another question:  Where can I find the record that I safe-listed the (renamed) InSpectre.exe? I wanted to revoke that safe-listing to test again, but I can't find any record of it.  I have looked in Settings/Antivirus/Scans & Risks, and there are NO individual files listed in any of the "Configure" options.  And I can't find any record of the safe-listing -- or even the detection, for that matter -- in any of the history sections.  Could "Clear File IDs Excluded During Scans" have exclusions to be cleared that aren't spelled out in any of the other locations I mentioned?  If so, if I clicked "Clear All" would it tell me what specific exclusions (if any) are being cleared?


Re: NS back to flagging GRC InSpectre as High Risk & Removing

Hello again. If you clear "Clear File IDs Excluded During Scans" all you will see is a warning dialog, no list of what is being removed. Check the settings in the screenshot below for the exclusion listing.

Cheers


Re: NS back to flagging GRC InSpectre as High Risk & Removing

Thanks, but that was the first place I had looked, and I was surprised that the exclusion wasn't listed (nor was anything else).  FYI, when I had restored the program from quarantine, the option to exclude from future detection (I forget the exact wording) was pre-selected, and I left it that way.


Re: NS back to flagging GRC InSpectre as High Risk & Removing

Restore & exclude this file: is not the same as adding item(s) to Exclude from Auto-Protect nor the same as Exclude from All Detections.


Re: NS back to flagging GRC InSpectre as High Risk & Removing

bjm_:

Restore & exclude this file: is not the same as adding item(s) to Exclude from Auto-Protect nor the same as Exclude from All Detections.


I had already seen the instructions for "restore & exclude this file" in the online manual.  But the problem is that, while it explains how to restore and exclude the file from future scans (which is what I did initially), it doesn't explain how to later *revoke* this exclusion (or, for that matter, simply find a record of what files are being excluded via "restore and exclude").   That's where I am hitting a brick wall.  Fortunately at this point it's just a curiosity thing since I don't really need to remove the exclusion -- I just wanted to experiment and see if NS was still flagging the InSpectre program after 7 months where it didn't.  But what if there were a case where I *did* need to remove the exclusion, e.g., where I later found out that a file I restored and excluded *should* be subject to scans?  How would I do it?


Re: NS back to flagging GRC InSpectre as High Risk & Removing

If you are looking to remove an exclusion you have made, go back to the Configure page. Then click on the exclusion you want to remove, then click on Remove.

Things happen. Export/Backup your Norton Password Manager data.

Re: NS back to flagging GRC InSpectre as High Risk & Removing

peterweb:

If you are looking to remove an exclusion you have made, go back to the Configure page. Then click on the exclusion you want to remove, then click on Remove.

Again, *THERE'S NOTHING THERE TO REMOVE*.

I really appreciate the input from everyone, but it seems we are just going in circles.  People keep suggesting exclusion-location and removal methods that I had already tried even before my first post -- as explained -- with no success.  No exclusions are shown in any of those places, despite logic dictating that they would be.

At this point, I am concluding that NS is just buggy, at least in this case with regard to a quarantined item that I restored and excluded from further detection.


Re: NS back to flagging GRC InSpectre as High Risk & Removing

Yes,  *THERE'S NOTHING THERE TO REMOVE*.

...this has been discussed before.   The Norton program does the Restore & exclude.  Nothing for the user to Remove.
Restore & exclude this file ... with "exclude" added by Norton.

Restore an item from Quarantine

  1. In the Norton product main window, double-click Security, and then click History.

  2. In the Security History window, in the Quarantine view, select the item that you want to restore.

  3. In the Details pane, click Options.

  4. In the Threat Detected window, do one of the following:

    • Click Restore & exclude this file.

      This option returns the selected quarantine item to its original location without repairing it and excludes the item from being detected in the future scans.

    • Click Restore.

      This option returns the selected quarantine item to its original location without repairing it. This option is available only for manually quarantined items.

  5. In the Quarantine Restore window, click Yes.

    In case of non-viral threats, you can use the option that is available in this window to exclude the security risk. Norton does not detect the security risks that you exclude in the future scans.

  6. In the Browse for Folder dialog, select the folder or drive where you want to restore the file and then click OK.

  7. Click Close.

https://support.norton.com/sp/en/us/home/current/solutions/v6200368


https://community.norton.com/en/comment/7537811#comment-7537811 


Re: NS back to flagging GRC InSpectre as High Risk & Removing

Did you try clicking on the Configure for the option just above the highlighted option from SoulAsylum's image above? The option for Items to exclude from Scans.


Re: NS back to flagging GRC InSpectre as High Risk & Removing

peterweb:

Did you try clicking on the Configure for the option just above the highlighted option from SoulAsylum's image above? The option for Items to exclude from Scans.

Yes I did.  Nothing there.

This is getting way too confusing, since I suspect semantics (no pun intended) is even coming into play here.  E.g., the top of bjm_'s last reply seems to suggest "REMOVE" refers to removing the offending file, when in fact I was referring to the REMOVE Real Time Exclusion button circled in your last post.

OK, just to show graphically what I had done when InSpectre.exe was "snagged," I went to the history record of the still-Quarantined Firefox cache file I mentioned earlier, and opened this dialog:

I then clicked Yes without changing anything, as I had done when InSpectre had been "caught" and Quarantined.

Then I went to Settings->Antivirus->Scans & Risks->Exclusions/Low Risks, and scrolled to "Clear File IDs Excluded During Scans" at the bottom, held my breath, and clicked "Clear All."

The reason I say I "held my breath" is NOT because I was worried about the flagged Firefox cache file being returned from Quarantine to my file system, but rather because it doesn't give you a clue as to what else is being returned, i.e., it's not like the three lines above that where you can see exactly what files are restored from exclusion to normal detection & potential further removal.  So I am "flying blind" as far as whether some important false positive detection(s) from the past will now end up getting removed again and thus causing potential problems.  That is why I have held off until now on doing "Clear All" for "Clear File IDs Excluded During Scans."  In fact, maybe it wasn't smart to do it even now, when the main purpose was curiosity.  I have a feeling I may regret it.  I don't know why NS doesn't give you a way of knowing what File IDs are being excluded from scans before you make them subject to scans again.

Anyway, I scanned my Firefox cache folders after this, and yes, it re-detected and re-quarantined the file.

But I scanned InSpectre.exe again, and that was NOT quarantined this time.  I guess I shouldn't be surprised, since it went for 7 months without detection before being snagged a few days ago.  (I suppose it's also possible that it had been quarantined and restored by me once before, but I don't think so.  Besides, if that was the case, why wouldn't it be back to being flagged by NS now that I have Cleared File IDs Excluded During Scans?)


Re: NS back to flagging GRC InSpectre as High Risk & Removing

TOO LATE TO EDIT, but for the record please ignore the paragraph near the top of my last post that says, "This is getting way too confusing, since I suspect semantics (no pun intended) is even coming into play here."  Upon re-reading I think I misinterpreted what bjm_ was saying.

The rest still stands, however.
