Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010
Accepted Solution

NIS 2011 allows downloads from malicious sites


Going to a malicious site...

Here is an example with hxxp://celebsalon.net/2/1.php [link edited to prohibit accidental clicks; replace hxxp with http]

Then, in order:

The site is opening, the .exe malware file is downloading, and only then does Norton wake up and load its own page content with a warning message.

Strange order of actions for protection, isn't it?)

 

---

if something new appears - it is not that it is better than old [NIS 2011 comparing NIS 2010]

 


<<Edit: Message subject edited for clarity>>

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: NIS 2011: fake message of malicious sites blocking

Deceptive thread subject line here

 

It's not that the Norton Site blocking message is fake,  but that Norton a) shows the message late and b) that the download from that site is allowed to download.

 

Quads

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: NIS 2011: fake message of malicious sites blocking

Maybe it is, sorry for that. I just want to say that the Norton message about blocking is not true: the site can be accessed before Norton blocks it.

If I think right - a download can happen only after the page is loaded. So if the file is starting to download, then the page was loaded and was not blocked by Norton as it says after that.

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: NIS 2011: fake message of malicious sites blocking

Another example:

Go to hxxp://dkejlky.co.cc/v2/out/sk.exe

First you will receive the original page: 404 error - page not found.

After that, Norton's page saying that this site was pseudo-blocked.

Click "Continue" and you receive the original page with error 404 again.

Site blocking is not working, and it is providing fake messages that the site was blocked, but it is not blocked, as we can see - page content and downloads are available from these pseudo-blocked sites. Norton's misleading page messages...

Super Keylogger Crusher
mythbuster
Posts: 290
Registered: ‎12-10-2008

Re: NIS 2011 allows downloads from malicious sites

Niko233,

That's an interesting test. I think the downloads are not getting caught by Download Insight. However, can anyone comment on what happens after the file is downloaded completely? I think the real-time protection should be able to scan the file and act on it.

Any thoughts?

 

-MbR

"Mythbuster is now a SUPER keylogger crusher" - MbR
Regular Contributor
Tywin7
Posts: 1,465
Registered: ‎09-02-2010

Re: NIS 2011 allows downloads from malicious sites

This is very dangerous behavior. Another thing I would like to chime in on is that using the Norton DNS should block this download, right?

Norton Internet Security 2011, Windows 7 Home Premium 64 bit (Check if you are eligible for a FREE Norton upgrade)
"Success is 10 percent inspiration and 90 percent perspiration." --Thomas Alva Edison
I'm not a Symantec employee and my posts do not represent the views of Symantec.
Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: NIS 2011 allows downloads from malicious sites


File downloaded is detected as Trojan.FakeAV!gen29 by Norton

 

Though I do see it would be nice to see if Norton shows it's a bad site it would block everything from the site including downloads so there will be no download to click etc.

 

Quads

Symantec Employee
John_Harrison
Posts: 49
Registered: ‎06-04-2008

Re: NIS 2011 allows downloads from malicious sites

Thanks for reporting that.  I sent a note to our Symantec Safe Web team to investigate the particular behavior of blocking the page but allowing the file download.

 

I did confirm in our isolated infection network that even though the file is downloaded that both our Ubiquity/Reputation technology and our Sonar 3 technology detect and remove the file.  Do NOT try that at home or work. 


Thanks,
John

John Harrison, aka “Dr. Drive-By”
Symantec Security Technology and Response
Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: NIS 2011 allows downloads from malicious sites

 


John_Harrison wrote:

 

I did confirm in our isolated infection network that even though the file is downloaded that both our Ubiquity/Reputation technology and our Sonar 3 technology detect and remove the file.  Do NOT try that at home or work


Thanks,
John


 

Quads does :smileytongue: :smileyvery-happy:

 

Quads

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: NIS 2011 allows downloads from malicious sites

Quads always does something that is strictly restricted))) Just give him a new link, and as soon as possible... :smileywink:

Quads, view the Norton Trusted feature, which has no payload (at least I can't find it):

- create a new text file;

- enter two letters: MZ

- save and close the editor (use a simple editor like Notepad.exe, not one like MS Word; it will add other housekeeping data to the file)

- change the file extension to be able to view the Norton File Insight info (for example to .exe or .msi or .dll or .sys or others)

The file will be Norton Trusted. Why... such a simple-to-scan file was added to the white list... I have no answer
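
Added example, not part of the original thread and not a description of how Norton classifies files: the two-byte file from the last post carries only the DOS "MZ" magic, and a short structural check shows how far a file actually gets through the PE header chain. The function names, verdict strings and the sample header bytes are constructed for this illustration.

```python
import struct

E_LFANEW_OFFSET = 0x3C            # IMAGE_DOS_HEADER.e_lfanew: file offset of the PE header
DOS_HEADER_SIZE = 64              # sizeof(IMAGE_DOS_HEADER)
PE_SIGNATURE = b"PE\x00\x00"
COFF_HEADER_SIZE = 20             # sizeof(IMAGE_FILE_HEADER)
OPTIONAL_MAGICS = (0x10B, 0x20B)  # PE32, PE32+


def classify_pe(data: bytes) -> str:
    """Say how far `data` gets through the PE header chain."""
    if data[:2] != b"MZ":
        return "not-mz"
    if len(data) < DOS_HEADER_SIZE:
        return "mz-magic-only"    # e.g. the two-byte text file from the post
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    opt_offset = e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE
    if opt_offset + 2 > len(data):
        return "bad-pe-offset"    # header pointer leads outside the file
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "no-pe-signature"
    (magic,) = struct.unpack_from("<H", data, opt_offset)
    if magic not in OPTIONAL_MAGICS:
        return "no-optional-header"
    return "pe-image"


def build_sample_pe() -> bytes:
    """Constructed minimal header chain (headers only, no section data)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)
    # Machine=i386, 1 section, zero timestamp/symbols, 0xE0-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)
    return bytes(dos) + PE_SIGNATURE + coff + optional


if __name__ == "__main__":
    for name, blob in [("MZ text file", b"MZ"), ("sample PE", build_sample_pe())]:
        print(f"{name}: {classify_pe(blob)}")
```

A file that stops at "mz-magic-only" has nothing the Windows loader could map or run, which is a separate question from why a reputation lookup would label it trusted.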