Heur.AdvML.A false positives after new key / update

Ok, so my old Norton Security Deluxe expired and a week later I (upgraded/renewed) put in a new key for Norton Security Deluxe w/ Norton Utilities. It did its thing and now I've got over 1,800 Heur.AdvML.A and Heur.AdvML.B and .C and Suspicious.Epi.4 and a few known to be untrustworthy files in torrents. Further info showed 12 Trojan.# out of 1,844 supposed High Risk files. How do I set the criteria to only flag the Trojans? What's worse is the nagging pop up to address the concerns that bogs down my machine. If I choose fix, it quarantines or deletes the files. This won't work b/c a lot of the files are on my other Win 7 partition and in the Windows folder. And you're nuts if you think I'm going through 1,800+ one by one to exclude them all. I've changed the settings to Off for Heuristic detection and rerun the scan and it persists. So why were these files fine a few days ago and not today? And how do I change the flagging criteria?

The great part is Virus Total cleared all the files I checked and Symantec approved of every single one of them? So what's wrong with this picture? Besides Symantec getting overzealous with their heuristic detection. Because I'm pretty pissed. Ain't nobody got time for this!

I've gleaned that Symantec staff don't frequent these forums because why should they care; they've already got my money so any help is appreciated by the community.

Also, besides the above questions, is there a way to downgrade the virus engine to a more preferable one?

When I have to uninstall Norton to switch AV, will it take all those "unresolved" files with it? Or lock them in some Symantec proprietary file/folder wasting space and leaving my other install unbootable?

Thanks

Hola

Replies


Re: Heur.AdvML.A false positives after new key / update

Hello Holachic. First!! Symantec is a different entity than Norton, as Norton focuses on the everyday customer while Symantec has focus on Enterprise. Norton employees and admins DO frequent the forums. If I may ask, what is the product version of Norton installed? You can find that by opening the Norton UI, clicking HELP in the top right, then click ABOUT.

You said:

The great part is Virus Total cleared all the files I checked and Symantec approved of every single one of them?

Did you submit all 1800+ files or hashes to VT? Interesting if you indeed did so.

You are suggesting that at no previous time before now, Norton has detected these torrent files on your system as being malicious and nothing appears in your history? If you've had the files these detections are coming from on your system prior, AND, have shut off heuristics detection to allow them to function, your Norton product COULD have been compromised at some point before. FWIW!! These Heur.AdvML.A and Heur.AdvML.B and .C heuristic detections began back in 2016 with the rapid release definitions as noted here. These files have AI attributes which are a risk to the operating system which Norton is protecting. Suspicious.Epi.4 began detection back in 2017 and Norton is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers. The other issue from my point of view is the source of these files being TORRENT per your original post. The pop-up notifications you are seeing aren't the source of your system "bogging down"; the infestation of Trojans is the cause. I would NOT advise disabling heuristics on any system for the sake of running a file which could compromise personal data or a system.

Here is my suggestion. Download and run the Norton removal and reinstallation tool. Do not reinstall Norton at this time; reboot your system. Once rebooted, log into your Norton account, download and install your product directly from there.

You may also want to install and run a full system scan with Malwarebytes as a second scope for detection and see what it detects. MBAM runs excellent with Norton installed. Let us know what your results are so we can assist further.

Cheers

"From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows Server 2016 Essentials / Windows 10 Professional x 64 version 1903 / build 18362.356 / N360 Deluxe 22.19.8.65 / Norton Core v.282 on Android 2.00

Re: Heur.AdvML.A false positives after new key / update

Dear Soul, 

Thanks for getting back and apologies. I was rather frustrated after reading posts for an hour+ that seemingly had no resolution or help.

Norton Version: 22.18.0.213  (via digital dl from online purchase)

Not sure what version I had last year but it was the same Norton Security Deluxe, only with 5 licenses instead of 3.

No, of course I didn't check all 1,800 files. That'd take a year and a day. I am curious though about the hashes and if Norton would produce such a file/list? No, I just randomly picked about 6 or 7 files in Norton's list, found 'em, and uploaded 'em to VirusTotal. Some .exe's and .dll's. Admittedly there were some that triggered AV's, but they're ones I've never heard of before. By some I'm talking like 12ish out of the 70 AV's and it's nobody that you can buy in the store, if that criteria means anything?

So the torrent files aren't the ones triggering Norton. I only run those in Sandboxie or if they are concerning I run them in Symantec Workspace Virtualization inside Sandboxie. (No offense but I preferred it when it was still Altiris.) And just to clear my conscience, those torrents are used infrequently so there's no watermarks or format saving issues; and especially nowhere near justifying the price tag. That being said, yes they are in an intentionally excluded directory. I also only turned off the Heuristic setting as a test to reboot and see if all or most of the files would be unflagged by Norton. They weren't, but that's not how I roll on a day by day.

The bigger thing I didn't make clear is that NONE of these files are on my current Win7 64bit or my Win7 32bit or my XP drives, which are all still bootable and in my boot selector. Earlier I tried the same experiment with VirusTotal and randomly searching the list again I could only find .exe files, no .dll's for whatever reason. Files like freecell.exe, chkntfs.exe, cmd.exe, regsvr32.exe, fontnow.exe, that are all regular Win files afaik. I also noticed they were in the Win\sys32 of a backup folder (not C:\Win\sys32) on an old WinXP or maybe even 98 drive. So ya, that folder wasn't in the root directory C:\Win\sys32 and even if that drive was hooked up all alone it couldn't have booted even if you kicked it. Why? Ask me 15-20 years ago and I might have come up with some, currently unknown, reason.

Anyway, I went to go grab a few to upload to VT and Norton started bugging again and I could see files disappear right before my eyes. PS: I do get the bogging down is b/c Norton is putting these files into a quarantine like state and has to rewrite everything around them; but why did they get flagged as an "unprocessed risk" and then when I went to that folder they were just then getting processed? Anyway, I finally deleted the folder b/c I just didn't want to deal with it but that hasn't stopped Norton. Been on a tear for well over 3 hours now with no sign of letting up. Surprisingly it hasn't hung yet as far as Task Mgr can tell.

Of the few that didn't vanish, VT results weren't convincing. I noticed a trend of VT results though! F-Secure, Ikarus, and Rising mark every file as a Trojan, almost. Comodo and NANO had something bad to say for every file too. But nothing from Trend Micro, Kaspersky, McAfee, Avast, AVG, MS, Symantec, or the other 45 AV's. I don't know who's right or who's wrong and really don't care. When I get enough time I'll try your suggestion, but since my active version of Win doesn't have anything flagged I'm not sure it'll help anything? It's frustrating b/c 15 days ago Norton was just peachy and 350 days ago (or so) it had every opportunity, just like this current version did, to scan everything, everywhere. And seeing as how these files date back to the 2004 era, I find it hard to believe that the last 15 years of Norton wouldn't have flagged at least some of these files by now?

This all leads to, I guess, why? Why didn't last year's Norton AI Heuristic engine pick up on these supposedly tainted files? And also, doesn't Norton update a user's engine when a significant release is put out? Or is it perpetual only with Definitions and you're stuck with the engine you started with? Ok, last one, if I go the wipe/reinstall route, will it take the umpteen Gigs of quarantined temp files with it or will they remain for future reference?

Hopefully there's more detail that might provide more insight as to what in the heck is going on here. And again, thanks for getting back and taking the time.


Re: Heur.AdvML.A false positives after new key / update

holachickie:

The great part is Virus Total cleared all the files I checked and Symantec approved of every single one of them?

VirusTotal makes use of the checkmark symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.

https://support.virustotal.com/hc/en-us/categories/360000162918-FAQ
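Two points in this thread call for the same small tool: holachickie's question about whether a hash list of the flagged files could be produced (hashes, not the files themselves, are what you look up on VirusTotal, so nothing private has to be uploaded), and the VirusTotal FAQ point quoted above that an undetected result is not a "clean" verdict. The script below is an added example, not code from Norton, VirusTotal or anyone in this thread. It streams files through SHA-256 to build a lookup list, then tallies a per-engine verdict table. The engine names and verdicts in SAMPLE_RESULTS are constructed for the example; they only mimic the shape of the per-engine results in a VirusTotal file report, and the sample files it hashes are written to a temp directory so it runs offline.

```python
import hashlib
import os
import tempfile
from collections import Counter

# Constructed stand-in for the per-engine results block of a VirusTotal file
# report. Engine names and verdicts are invented for this example.
SAMPLE_RESULTS = {
    "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
    "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
    "EngineC": {"category": "malicious", "result": "Heur.Suspicious"},
    "EngineD": {"category": "undetected", "result": None},
    "EngineE": {"category": "undetected", "result": None},
    "EngineF": {"category": "type-unsupported", "result": None},
}


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-GB files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_list(paths):
    """Map sha256 -> path. The hash is what you paste into a VirusTotal
    search, so the file itself never has to leave the machine."""
    return {sha256_of(p): p for p in paths}


def summarise_verdicts(results):
    """Tally a per-engine verdict table. 'undetected' counts as 'did not
    flag', never as 'clean': engines only report maliciousness."""
    flagged = {engine: (r.get("result") or "unnamed")
               for engine, r in results.items()
               if r.get("category") == "malicious"}
    # Engines that could not scan the file type are not counted as "looked".
    considered = [engine for engine, r in results.items()
                  if r.get("category") != "type-unsupported"]
    return {
        "detections": len(flagged),
        "engines": len(considered),
        "flagged_by": sorted(flagged),
        "labels": Counter(flagged.values()),
    }


def describe(summary):
    """One-line reading of the tally that deliberately avoids 'clean'."""
    if summary["detections"] == 0:
        return (f"0/{summary['engines']} engines flagged it "
                "(not detected, not proven benign)")
    common = summary["labels"].most_common(1)[0][0]
    return (f"{summary['detections']}/{summary['engines']} engines flagged it; "
            f"most common label: {common}; "
            f"engines: {', '.join(summary['flagged_by'])}")


def build_sample_dir():
    """Write two constructed files with known contents into a temp directory
    (an empty file and one containing b'abc') and return their paths."""
    tmp = tempfile.mkdtemp(prefix="flagged-")
    empty = os.path.join(tmp, "empty.bin")
    abc = os.path.join(tmp, "abc.bin")
    with open(empty, "wb") as fh:
        fh.write(b"")
    with open(abc, "wb") as fh:
        fh.write(b"abc")
    return [empty, abc]


if __name__ == "__main__":
    for digest, path in hash_list(build_sample_dir()).items():
        print(digest, os.path.basename(path))
    print(describe(summarise_verdicts(SAMPLE_RESULTS)))
```

To use it on a real quarantine export, pass the file paths to hash_list and search each digest on VirusTotal; the tally then tells you how many engines flagged the file and under which label, which is the number to weigh rather than a single vendor's verdict. A zero-detection result is reported as "not detected", matching the FAQ's distinction.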