topic Re: Offending URL from Flash player uninstaller.exe? in Norton Internet Security / Norton AntiVirus

Offending URL from Flash player uninstaller.exe?

Calls — Sat, 06 Nov 2010 00:55:17 GMT

Vista Home Premium 32 bit with Vista SP2

NIS 17.8.0.5

I'm thinking this is not anything to be concerned with, but I though I'd check with the experts here

I just downloaded the flash player uninstaller from the adobe/macromedia website

(uninstall_flash_player.exe)

I noticed that at the same time I downloaded this There was an entry in my history as follows:

IPS Detection Statistical Submission

Local or Remote Attacker: 1

Sigset version 20101104.004

Application Name: \DEVICE\HARDDISKVOLUME1\PROGRAMFILES\INTERNETEXPLORER\IEXPLORE.EXE

Offending URL: download. macromedia. com /pub/flashplayer/current/uninstall_flash_player.exe (I spaced this out so nobody would accidentally click on it)

remote address: 96. 6.11.191

Now it says status pending No action required

So is this something that might be an issue/dangerous?

The actual file uninstall_flash_player.exe was acutially shown to be ok

Now one other thing, why did file for flash player not get checked by Download insight???

Re: Offending URL from Flash player uninstaller.exe?

SendOfJive — Sat, 06 Nov 2010 01:35:09 GMT

Hi Calls,

IPS Detection Statistical Submissions that are not accompanied by an alert that an attack was blocked by IPS are false positives. The Norton Intrusion Prevention System uses signatures to detect and block exploits that leverage vulnerabilities in software programs to install malware. When a new exploit is discovered a signature is created and distributed as quickly as possible in order to provide immediate protection. After this initial signature is released refinements are made to perfect a new signature that is smaller and more efficient. Because there is an increased likelihood of false positives with the revised definition, it is first released as a test signature. When one of these test signatures is triggered it is reported back to Symantec as an IPS Detection Statistical Submission. These submissions help Symantec fine-tune the accuracy of the detections. Once testing is completed the initial signature will be replaced or updated with the improved version. While testing is in progress you are protected from the actual exploit by the originally released signature, which will trigger IPS to block, log, and alert you to any real attack. A statistical submission alone without a corresponding IPS action would indicate a false positive, involving only the test signature.

Re: Offending URL from Flash player uninstaller.exe?

Tywin7 — Sat, 06 Nov 2010 01:34:37 GMT

This use to happen to any .exe downloads. Try downloading the .exe of your favorite files and you will see Norton reporting the URL as offending. I think this is due to the fact that downloading the exe is mistaken for the download of malware, which also use a similiar tatic to download .exes.

Re: Offending URL from Flash player uninstaller.exe?

Calls — Tue, 09 Nov 2010 03:23:05 GMT

so its all cool?

what about

why did file for flash player not get checked by Download insight???

Re: Offending URL from Flash player uninstaller.exe?

SendOfJive — Tue, 09 Nov 2010 03:37:52 GMT

Calls wrote:
what about
why did file for flash player not get checked by Download insight??

I downloaded this file as well, using Firefox, and I did get the Download Intelligence popup saying the file was safe. I'm not sure why your experience may have been different, although there have been some descrepancies with Download Insight that have been reported here. I am running NIS 2011 so perhaps it has something to do with the version, although more likely it was just a glitch,

Re: Offending URL from Flash player uninstaller.exe?

Calls — Tue, 09 Nov 2010 13:42:55 GMT

Sorry, I didn't phrase m question well.

I was wondering why NIS 2010 Download Insight didi not seem to scan

Flash10l.ocx file upon download.

It scanned the flash player uninstaller exe file, but not the Flash10i.ocx file

Re: Offending URL from Flash player uninstaller.exe?

Calls — Wed, 10 Nov 2010 04:37:21 GMT

Does download insight not check on ocx files?

Re: Offending URL from Flash player uninstaller.exe?

SendOfJive — Wed, 10 Nov 2010 04:43:56 GMT

The Flash Player installer and uninstaller files are ,exe files. You wouldn't download Flash10l.ocx separately. Auto-protect would take a look when Flash10l.ocx was written to disk.

Re: Offending URL from Flash player uninstaller.exe?

Calls — Wed, 10 Nov 2010 14:05:55 GMT

it looks like downlod insight did NOT scan the flash player installer just the uninstaller. Is that something to be concerned about?

Re: Offending URL from Flash player uninstaller.exe?

delphinium — Wed, 10 Nov 2010 15:32:35 GMT

SendOfJive already answered this. Insight does not scan every file coming into your machine. It scans executables. ocx files are considered to be a form of active x control and are components to be used by the executable file, which was checked. Auto-protect scans everything.

It is perfectly normal.

Re: Offending URL from Flash player uninstaller.exe?

jarrycanada — Wed, 10 Nov 2010 21:20:30 GMT

i've had this problem before. the in browser install app can set norton off. even give you a warning if it's too new of a file. you have nothing to worry about as long as you know you installed that app and not someone else, ie a website you've gone too did that in the background with out you knowing. if your really scared you can run the file in question by virustotal.

it's because of problems like this that I use the manual installer for adobe so I can scan it first to besafe, a bit of a pain but it doesn't upset norton.

http://kb2.adobe.com/cps/191/tn_19166.html#main_ManualInstaller

Re: Offending URL from Flash player uninstaller.exe?

Calls — Thu, 11 Nov 2010 13:58:57 GMT

I just thought that SoJ said there was an installer.exe and that is what I'm saying I DO NOT see scanned

Re: Offending URL from Flash player uninstaller.exe?

delphinium — Thu, 11 Nov 2010 17:33:28 GMT

I thought you said originally that the .exe was scanned and you wanted to know why the other wasn't. So which is it????

"Sorry, I didn't phrase m question well.

I was wondering why NIS 2010 Download Insight didi not seem to scan

Flash10l.ocx file upon download.

It scanned the flash player uninstaller exe file, but not the Flash10i.ocx file"

Re: Offending URL from Flash player uninstaller.exe?

Calls — Thu, 11 Nov 2010 18:22:10 GMT

The uninstaller exe was scanned. But I do not see that the installer exe was scanned.

Another IPS Detection Submission issue

Calls — Tue, 23 Nov 2010 03:31:02 GMT

NIS 2010 17.8.0.5

Vista Home Premium 32 bit, Vista SP2

OK I know I have posted before about IPS Detection issues, but this one may be a little different

Description IPS Detection Statistical Submission

Signature ID: 23318

Local or Remote Attacker: 1 (Does 1 mean local or remore???)

Application Name: \DEVICE|HARDDISKVOLUME1\PROGRAMFILES\INTERNET EXPLORER\IEXPLORE.EXE

Offending URL: ie.conduit-download.com/6/264/CT2642706/Downloads/IE/Releases/6.2.3.0/10-11-14-17.56.02.676/

TranslatorBar_5.exe

Status: Waiting

Recommended Action: No Action Required

So does this mean this item downloaded on my computer?

I checked everywhere and I do not see TranslatorBar_5.exe

Checked applications Raiting from Norton GUI and this item was NOT shown there

Does it mean it tried to download and was stopped??

At thsi point is there anything I need to do?

Ran malewarebytes scan-CLEAN

Rand NORTON Quick Scan-CLEAN

Re: Another IPS Detection Submission issue

Calls — Tue, 23 Nov 2010 04:05:12 GMT

just wondering if this is saying something tried to intrude

Re: Another IPS Detection Submission issue

SendOfJive — Tue, 23 Nov 2010 05:00:45 GMT

Hi Calls,

Please refer back to your earlier thread:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Offending-URL-from-Flash-player-uninstaller-exe/m-p/322044/highlight/true#M133988

[Edit: Threads are now merged]

OK Really confusing IPS Statistical Submission

Calls — Tue, 07 Dec 2010 03:57:36 GMT

I understand that most of these if they say no action required, but this one throws me

Went to malwarebytes.org to download a clean install of malwarebytes

it takes me to the cnet download site for malwarebytes

but then my security history shows this

IPS Statistical submission

Offending url: software-files-l.cnet.com/s/software/11/65/78/91/mbamsetup1.50.0.0.exe then a bunch of numbers and letters

so is this safe to download malwarebytes from?

also when I get to the download site at cnet, there are so many things on the page, hard to see which is the mbam download

Re: OK Really confusing IPS Statistical Submission

AllenM — Tue, 07 Dec 2010 04:33:18 GMT

Calls wrote:
I understand that most of these if they say no action required, but this one throws me

Went to malwarebytes.org to download a clean install of malwarebytes

it takes me to the cnet download site for malwarebytes
ok
but then my security history shows this
IPS Statistical submission
Offending url: software-files-l.cnet.com/s/software/11/65/78/91/mbamsetup1.50.0.0.exe then a bunch of numbers and letters

so is this safe to download malwarebytes from?

also when I get to the download site at cnet, there are so many things on the page, hard to see which is the mbam download

HI Calls,

This is perfectly normal and nothing to worry about. I don't see a lot of things on the CNET site. The MalwareBytes download button is on the upper left hand side and has MalwareBytes identified in the download button itself.

You should also see a Download Insight event which clearly states that the file is safe.

Best wishes.

Allen

Re: OK Really confusing IPS Statistical Submission

Phil_D — Tue, 07 Dec 2010 04:31:40 GMT

Hi Calls,

I agree with AllenM that there is no reason for concern.

I believe SendOfJive and others have explained this before. Undoubtedly what you are experiencing is the result of a new test signature. Please see this post by Reese Anschultz.

If it's any comfort, I updated Malwarebytes today and have a similar IPS Submission entry:

...Offending URL: data-cdn.mbamupdates.com/v0/program/data/mbam-setup...