
Norton is not detecting JS.downloader in email attachments during download process

Norton Security is apparently not scanning downloads of attachments from my webmail account to my hard drive.

A couple of minutes after downloading, I scanned the zip file manually and Norton did then detect it as a JS.downloader and neutralised it, but I'd hoped that Norton scans email attachment downloads, not just file downloads from web sites, which it scans immediately without issue.

Why is Norton NOT detecting DURING the actual download? Bear in mind that Norton Autofix says it did not find any issues. According to support chat, this is the intended behavior of Norton Security. Really?

I understand that NS cannot scan inside the email account, or at least if it's connected via secure ports, but once that attachment is downloaded, it is obviously on my hard drive and within the scope of Norton protection, therefore I would assume that all downloads are automatically scanned?

I've tested this 4 times now and the same behaviour occurs. This is after Live update is run. Autofix does not find issues as I mentioned earlier.

Can someone qualified please confirm if this is indeed intended behaviour or not, thanks.

Labels: Virus, Email Scan

Replies


Re: Norton is not detecting JS.downloader in email attachments during download process

Hi Cavehomme1

A couple of minutes after downloading, I scanned the zip file manually and Norton did then detect it as a JS.downloader and neutralised it, but I'd hoped that Norton scans email attachment downloads, not just file downloads from web sites, which it scans immediately without issue.

Do you have all security features enabled? Was it detected by a signature at the end or just heuristics?

Norton scans email attachments when you download them as they are essentially files downloaded from the web. Was the download over SSL?


Re: Norton is not detecting JS.downloader in email attachments during download process

Large Zip files or compressed files with lots of layers are problematic for email scanning.  I suspect that Norton does not scan compressed file attachments that exceed a certain size.

Occasionally, you might want to scan a particular file, removable drives, any of your computer's drives, or any folders or files on your computer. For example, when you work with removable media and suspect a virus, you can scan that particular disk. Also, if you have received a compressed file in an email message and you suspect a virus, you can scan that individual element.

Scan selected drives, folders, or files


Re: Norton is not detecting JS.downloader in email attachments during download process

M3gatron:

Hi Cavehomme1

A couple of minutes after downloading, I scanned the zip file manually and Norton did then detect it as a JS.downloader and neutralised it, but I'd hoped that Norton scans email attachment downloads, not just file downloads from web sites, which it scans immediately without issue.

Do you have all security features enabled? Was it detected by a signature at the end or just heuristics?

Norton scans email attachments when you download them as they are essentially files downloaded from the web. Was the download over SSL?

Yes all security features are enabled and the download was over SSL, but once the file is on the drive then I guess it's irrelevant as to whether it arrived via SSL or insecure?

I guess it was detected by heuristics since "JS.downloader" appears to be a generic term? 


Re: Norton is not detecting JS.downloader in email attachments during download process

SendOfJive:

Large Zip files or compressed files with lots of layers are problematic for email scanning.  I suspect that Norton does not scan compressed file attachments that exceed a certain size.

Occasionally, you might want to scan a particular file, removable drives, any of your computer's drives, or any folders or files on your computer. For example, when you work with removable media and suspect a virus, you can scan that particular disk. Also, if you have received a compressed file in an email message and you suspect a virus, you can scan that individual element.

Scan selected drives, folders, or files

The file was only a few K in size but yes, it was zipped twice, so a zip within a zip. I know that some AVs have the option for the user to set how many levels of compression should be interrogated by the scanner, but under mail scan options there are few, and only related to email ports.

Are you saying that by default, if a small email file attachment is zipped just once, it will actually be scanned upon download?


Re: Norton is not detecting JS.downloader in email attachments during download process

Hi @Cavehomme1

If you don't mind, can you upload the sample to VirusTotal and provide the link? Normally Symantec doesn't detect compressed files as "js.downloader", and in most cases they do not actually detect the compressed file itself as malicious (because technically it's a data file). Interesting to see this, if you don't mind.


Re: Norton is not detecting JS.downloader in email attachments during download process

M3gatron:

Hi @Cavehomme1

If you don't mind, can you upload the sample to VirusTotal and provide the link? Normally Symantec doesn't detect compressed files as "js.downloader", and in most cases they do not actually detect the compressed file itself as malicious (because technically it's a data file). Interesting to see this, if you don't mind.

Interestingly, the Norton scanner on VirusTotal does not detect this trojan downloader, although the Norton on-demand scanner on my PC does detect it, as do a bunch of other AV scanners at VirusTotal. When I unpacked it earlier I thought it would be a Word doc with macros that download the malware, but it is indeed a JavaScript file.

Here is the VT link: https://www.virustotal.com/en/file/35f746763ecf0661bca7f3218cf51bdfdc9b7...

Here is the file analysis from Norton on my PC. It's not showing an MD5 therefore I assume it is actually using heuristics to detect the malware. This is a good thing, I'm happy Sonar or whatever module is recognising this file as potential malware, but surprised it does not scan upon download though:

Filename: notice_0000248344.doc.js

Threat name: JS.Downloader

Full Path: c:\users\cavehomme\downloads\malware suspected\notice_0000248344.zip

____________________________

On computers as of 11/04/2017 at 09:10:52

Last Used 11/04/2017 at 09:11:49

Startup Item No

Launched No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

____________________________

notice_0000248344.doc.js Threat name: JS.Downloader

Locate  Very Few Users

Fewer than 5 users in the Norton Community have used this file.

Very New

This file was released less than 1 week  ago.

High

This file risk is high.

____________________________

Source: External Media

____________________________

File Actions

notice_0000248344.doc.js

[Contained in] notice_0000248344.doc.zip

[Contained in] c:\users\cavehomme\downloads\malware suspected\notice_0000248344.zip Deleted

____________________________

File Thumbprint - SHA:

Not available

File Thumbprint - MD5:

Not available
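Added example (not part of any post in this thread, and not Norton's scanning logic): a small triage script for the case described above, a script file with a decoy double extension inside a zip within a zip. The extension lists, depth and size limits are assumptions, and the sample archive is constructed inline with harmless content, reusing the file names from the report above.

```python
import io
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}   # assumed list
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}  # assumed list
MAX_DEPTH = 5                          # assumed nesting limit
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # assumed cap on declared member size

def scan_zip(data, path="", depth=0):
    """Walk a zip given as bytes; return (member path, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = path + info.filename
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTS:
                decoy = len(parts) > 2 and "." + parts[-2] in DECOY_EXTS
                findings.append((member, "script with decoy double extension"
                                 if decoy else "script file"))
            elif info.flag_bits & 0x1:   # encrypted member, cannot be read
                findings.append((member, "encrypted, not inspected"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "too large, not inspected"))
            else:
                body = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(body)):
                    if depth + 1 >= MAX_DEPTH:
                        findings.append((member, "nesting limit reached"))
                    else:   # descend into the inner archive
                        findings.extend(scan_zip(body, member + " -> ", depth + 1))
    return findings

def build_sample():
    """Constructed sample: harmless placeholder .doc.js inside two zips."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notice_0000248344.doc.js", "// constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("notice_0000248344.doc.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for hit in scan_zip(build_sample(), "notice_0000248344.zip -> "):
        print(hit)
```

Members that are skipped (encrypted, oversized, or past the nesting limit) are reported rather than silently passed, so an uninspected archive is never mistaken for a clean one.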
