• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

Kudos0

NIS 2011 allows downloads from malicious sites

Going to malicious site...

here is example with hxxp://celebsalon.net/2/1.php [link edited to prohibit accidental clicks; replace hxxp with http]

then in order:

site in opening, .exe malware file is downloading and only than Norton waking up and load it own page content with warning message.

Strange actions order to protect, isn't?)

---

if something new appears - it is not that it is better than old [NIS 2011 comparing NIS 2010]


<<Edit: Message subject edited for clarity>>

Replies

Kudos0

Re: NIS 2011 allows downloads from malicious sites

Going to malicious site...

here is example with hxxp://celebsalon.net/2/1.php [link edited to prohibit accidental clicks; replace hxxp with http]

then in order:

site in opening, .exe malware file is downloading and only than Norton waking up and load it own page content with warning message.

Strange actions order to protect, isn't?)

---

if something new appears - it is not that it is better than old [NIS 2011 comparing NIS 2010]


<<Edit: Message subject edited for clarity>>

Kudos0

Re: NIS 2011 allows downloads from malicious sites

Deceptive thread subject line here

It's not that the Norton Site blocking message is fake,  but that Norton a) shows the message late and b) that the download from that site is allowed to download.

Quads

Kudos0

Re: NIS 2011 allows downloads from malicious sites

may be is, sorry for that. I just want to say that the Norton message about blocking is not true: site can be accessed before Norton blocks it.

If I think right - download can be only after the page is loaded. So if file is starting to download than the page was loaded and was not blocked by Norton as it says after that.

Kudos0

Re: NIS 2011 allows downloads from malicious sites

another example:

go to hxxp://dkejlky.co.cc/v2/out/sk.exe

first you will receive original page: 404 error - page not found

after that Norton's page about that this site was pseudo blocked.

Click "Continue" and you receive original page with error 404 again.

Site blocking is not working and it is providing fake messages about that site was blocked, but it is not blocked as we can see - page content and downloads are able from this pseudo blocking sites. Norton's misleading page messages...

Kudos1 Stats

Re: NIS 2011 allows downloads from malicious sites

Nikko223,

 

That's an interesting test. I think the downloads are not getting caught by Download Insight. However, can anyone comment on what happens after the file is downloaded completely. I think the real time protection should be able to scan the file and act on it.

 

Any thoughts.

 

-MbR

&quot;Mythbuster is now a SUPER keylogger crusher&quot; - MbR
Kudos0

Re: NIS 2011 allows downloads from malicious sites

This is very dangerous behavior.  Another thing I would like to chime in is that using the Norton DNS should block this download right?

Norton Internet Security 2011 , Windows 7 Home Premium 64 bit (Check if you are eligable for a FREE Norton upgrade)Success is 10 percent inspiration and 90 percent perspiration.”--Thomas Alva EdisonI'm not a Symantec employee and my posts do not represent the views of Symantec.
Kudos2 Stats

Re: NIS 2011 allows downloads from malicious sites

File downloaded is detected as Trojan.FakeAV!gen29 by Norton

Though I do see it would be nice to see if Norton shows it's a bad site it would block everything from the site including downloads so there will be no download to click etc.

Quads

Accepted Solution
Kudos3 Stats

Re: NIS 2011 allows downloads from malicious sites

Thanks for reporting that.  I sent a note to our Symantec Safe Web team to investigate the particular behavior of blocking the page but allowing the file download.

I did confirm in our isolated infection network that even though the file is downloaded that both our Ubiquity/Reputation technology and our Sonar 3 technology detect and remove the file.  Do NOT try that at home or work. 


Thanks,
John

Kudos0

Re: NIS 2011 allows downloads from malicious sites


John_Harrison wrote:

I did confirm in our isolated infection network that even though the file is downloaded that both our Ubiquity/Reputation technology and our Sonar 3 technology detect and remove the file.  Do NOT try that at home or work


Thanks,
John


Quads does  

Quads

Kudos0

Re: NIS 2011 allows downloads from malicious sites

Quads always do something, that strictly restricted))) only give him a new link, and as soon as possible... 

Quads, view Norton Trusted feature, that have no payload (at least I can't find it):

- create a new text file;

- enter two letters: MZ

- save and close editor (simple editor like Notepad.exe, not like MS Word it will add other housekeeping data to file)

- change file extension to be able to view Norton File Insight info (for example to .exe or .msi or .dll or .sys or others)

File will be Norton Trusted, why.... so simple to scan file was added to white list... i have no answer

Kudos0

Re: NIS 2011 allows downloads from malicious sites


Niko233 wrote:

Quads always do something, that strictly restricted))) only give him a new link, and as soon as possible... 

Quads, view Norton Trusted feature, that have no payload (at least I can't find it):

- create a new text file;

- enter two letters: MZ

- save and close editor (simple editor like Notepad.exe, not like MS Word it will add other housekeeping data to file)

- change file extension to be able to view Norton File Insight info (for example to .exe or .msi or .dll or .sys or others)

File will be Norton Trusted, why.... so simple to scan file was added to white list... i have no answer


I can confirm that.  But if you save it as EXE directly from notepad, it would be "unknown" freaky.

To save as exe, change the menu save as text file to all files

Norton Internet Security 2011 , Windows 7 Home Premium 64 bit (Check if you are eligable for a FREE Norton upgrade)Success is 10 percent inspiration and 90 percent perspiration.”--Thomas Alva EdisonI'm not a Symantec employee and my posts do not represent the views of Symantec.
Kudos0

Re: NIS 2011 allows downloads from malicious sites

>Niko233 wrote:

>Quads always do something, that strictly restricted))) only give him a new link, and as soon as possible... 

>


Tywin7 wrote:

I can confirm that.

Everybody knows about Quads actions))))

Kudos0

Re: NIS 2011 allows downloads from malicious sites

I wonder if this has been fixed.

I just watched this video (http://www.youtube.com/user/acafacaa1?feature=mhum#p/u/1/2NaXSIHaDls) and lots of websites get blocked but the malware is downloaded. The video is from 22-10-10.

This thread is closed from further comment. Please visit the forum to start a new thread.