Issue abstract:
This is a warning to ALL Norton users:
- NEVER let support agents use remote access to gain control over your computer. They cannot be trusted.
- Norton v24 makes unauthorized changes to your computer, without logging the changes in security history.
TLDR: As you will see below, my recent experience included a remote session in which the agent removed Norton from my computer, and then directed me to a malicious link, ran a fake scan (that presented itself as a competitor’s product), and then lied about having done so. He then pretended to be his supervisor when I asked to escalate the issue.
Detailed description:
I’ll split this into 3 sections: (A) The Situation; (B) The Norton Support Session; and (C) The Aftermath
———————————————————
A) THE SITUATION
A few days ago, I noticed that my hosts file was empty. The hosts file in my Win10 is located at:
C:\Windows\System32\drivers\etc
• NOTE: If you don’t know how to use/edit the hosts file, don’t mess with it!
Something had done that (not me), and had erased several years’ worth of my entries in the hosts file. I had added entries shortly before the Norton “upgrade”. I decided to investigate.
My reason for opening the hosts file was that CCleaner is very slow. I did a web search, and found a thread, “CCleaner very slow startup time on my Windows 10 Pro x64 DELL laptop” on tenforums. Someone there suggested blocking items in the hosts file, as the delay on opening CCleaner is due to a built-in pause that is triggered if it cannot access the internet to send telemetry back to the company (I have blocked CCleaner’s access via firewall).
Surprised that my hosts file was empty (other than the default commented out information), I nonetheless tried adding the suggested entries from the tenforums post. Here are the lines that I added to the hosts file, which I had opened in Notepad, as administrator:
#CCleaner
0.0.0.0 ncc.avast.com
0.0.0.0 ncc.avast.com.edgesuite.net
0.0.0.0 license.piriform.com
0.0.0.0 ipm-provider.ff.avast.com
0.0.0.0 shepherd.ff.avast.com
0.0.0.0 ip-info.ff.avast.com
0.0.0.0 analytics.ff.avast.com
I then saved the file, and tried opening CCleaner to see whether the startup lag issue had been solved. No difference.
I then went back and opened the hosts file again. Oddly, the only part of my new additions that were in the file were:
#CCleaner
0.0.0.0 license.piriform.com
—All of the other added items had been removed. Suspecting that CCleaner had made the change, I closed CCleaner, added the lines back into the hosts file as administrator, and saved it. I re-opened it instantly. Same result again: only my commented-out line and the <license.piriform.com> line remained.
Next, I ran NirSoft’s Process Monitor, and repeated the addition to the hosts file and saved it. Process Monitor did not show any instances of CCleaner doing anything during that short time. I ruled out CCleaner as the cause of the deletions.
A little more sleuthing online helped me realize that Norton is owned by the same company as CCleaner. Norton had a lot of lines referring to my hosts file/folder right after I saved the file. Norton was clearly responsible for deleting the lines from the hosts file, and from that it seems reasonable to surmise that Norton v24 had wiped my entire hosts file when the purported ‘upgrade’ occurred.
I tried the same procedure several times, and the result was the same each time.
[NOTE: as I’ve since learned, some of the items I had added are also used by Norton, which explains why it edits my hosts file. As mentioned earlier, it doesn’t record this in the Security History, which is sneaky, and it does it automatically without a user’s consent. I have tried disabling everything in Norton v24 (firewall, AV, tamper protection, etc.), and it still edits the hosts file!]
———————————————————
B) THE NORTON SUPPORT SESSION
Now that I had strong reason to believe that Norton was the culprit, I contacted support to chat online with an agent.
The agent assured me that Norton never touches the hosts file (lie #1). I let him know that I had investigated and found that it was the cause. His response was that he could fix the problem by connecting to my computer via remote session. I strongly dislike letting random strangers into my system, but I consented as I didn’t see how else the problem could be resolved. (As it turned out, all he needed to do was uninstall Norton and then reinstall it, which I could have done myself. Remote access was completely unnecessary.)
Because I was wary of letting him access my system remotely, I specifically asked the support agent to ask for my consent at each step. He agreed, and we began the remote session.
First, without bothering to ask me for consent, he uninstalled Norton. Now my computer was completely unprotected.
His next step was to open a browser. He could see a Firefox icon in my Windows toolbar, and clicked on it (again, without asking for consent). This opened up the Profile Manager screen, and he was about to randomly select a profile to use. I had to wrestle the mouse from him by wiggling it non-stop for about 30 seconds, as I did not want him using any of my profiles.
Once I had control of the mouse, I let him know that he could use my Edge browser (which I never use), and that I would have to unblock it first (I use Sordum’s Edge Blocker). He let me do that.
I opened Edge for him, and it opened with a single tab, at the default Microsoft page that Edge uses.
He then proceeded to this link: [DO NOT USE THIS LINK, IT IS MALICIOUS!]
I just tried to open that link a few minutes ago, and Norton (which I have since reinstalled myself) warned that it was malicious, so I did not attempt to continue to the page. Of course, because the support agent had removed Norton, it did not stop him from proceeding [please see note at end].
The “sbfirewall. [etc.]” link that he entered prompted him to prove he is not a bot. As soon as I realised that something bad was happening, I immediately tried to take control of the mouse again to stop it, but he tried to keep control and clicked on it anyway.
That caused a new window to open (it was not a normal Edge window). It looked like a McAfee page. He ran a scan with this “McAfee”. I watched him do this. Pop-up windows appeared multiple times saying it had removed viruses. That was a huge red flag for me, as either (a) it was all fake information, or (b) Norton had been missing a lot of viruses on my system before he deleted it! I believe my system was clean beforehand. Norton does a good job of keeping it clean, and I scan often. When it finished scanning, he closed Edge and restarted as soon as he could, denying me a chance to ask what was happening (remember, I had told him I wanted to be asked for consent at each step).
The computer restarted, and a remote session window opened with him again. I asked him why he had run a McAfee scan, and he denied that he had used McAfee at all: he was effectively calling me a liar.
To prove that I was not lying, I opened Edge, with the intent of checking the history to show him. I did not need to check the history, as Edge opened to the tab that was open during the previous session, and immediately displayed this page:
—I think that may be a legitimate McAfee page, but it is likely a redirect made after the malicious page finished going through my system.
—I could also see in the history that he had accessed the malicious “sbfirewall” link from above.
After accusing me of lying, he then tried to excuse his lie by saying, “So many tabs were open and it was opened mistakenly.” That is also a lie: all tabs that were opened were either opened by him, or by the malicious link that he sent my browser to.
Here is an excerpt from our conversation, apologies for my typos:
17:14 null: I asked you to informs me of each step so that I could consent. You agreed. You then performed multiple steps without informing me.
17:15 Rahul P: As i Have already informed you that I will uninstall this version and will install previous interface.
17:15 null: You said nothing about McAffee scans
17:15 Rahul P: Please let me proceeed if you wish to continue with resolvingt he concern.
17:15 Rahul P: I haven’t run the Mac Afee scans.
17:15 null: You ran one from Edge. It was on my screen
17:16 Rahul P: Now, Would you like to continue with installing the old interface?
17:16 Rahul P: Please open your browser
17:16 null: Please don’t call me stupid. I watched you run a McAffee scan.
17:17 null: Look - I just opened Edge, and the page you finished with is McAffee.
17:17 Rahul P: Please accecpt my apologies and let me access the browser
17:17 Rahul P: to solve the concern
17:17 null: First, why did you say I was a liar?
17:17 Rahul P: I am not saying you a liar.
17:18 null: “I haven’t run the Mac Afee scans.”
17:18 Rahul P: So many tabs were open and it was opened mistakenly
[I have since found the link he used appears in the session logs that were left on my desktop, in the file named “vps.bxlog”. I have definitive proof that he accessed that page, starting at line 4427 of the log.]
I then asked to talk with his supervisor. His response:
“17:19 Rahul P: I am sorry but, Supervisor is not availble right now.”
I asked how I can contact a supervisor, and moments later, he replied:
“17:21 Rahul P: Please allow me a moment to connect you to my supervisor”
Clearly, one of those statements was a lie. Either a supervisor was available, or one was not available.
probably Rahul P. still)
Then someone appeared in the remote session chat window, claiming to be his supervisor. The ‘supervisor’ did not attempt to identify themselves properly, and said they couldn’t talk with me using their name (They were still writing as “Rahul P.” in the chat).
I said Rahul had lost my trust, so I couldn’t tell whether I was talking with a real supervisor or just Rahul pretending to be a supervisor (I caught a phone company playing this trick in the past). The ‘supervisor’ still failed to identify themselves, and when I asked to speak with them using a different method, they said I could not. They also said email was not an option. It was now or never. Instead, he directed me to the basic customer support Norton webpage that I had started with. I waited well over 30 minutes for this awful support session to begin, and the only way I could get help would be to go through that wait again, talk to another agent who would undoubtedly promise to resolve my situation and would refuse to put me through to a real supervisor. At this point I gave up.
———————————————————
C) THE AFTERMATH
After I ended the remote session, I had to run system restore because of what he did. After a successful restore, I opened Norton’s Webshield log (C:\ProgramData\Norton\Antivirus\report\Webshield.txt). It shows my attempt to see whether the link Rahul used was legitimate. This is the “Norton Real-time Shield Scan Report”:
“https://sbfirewall.xyz/w/m/b/?lp_key=173033c5ef31a1a260bf8b0f1f03e6472b83936955&clickid=cshdf3t00fes7389265g&trk=coldclck.xyz&language=en-US&dm=1 [L] URL:Block [FakeScan] (0)”
As you can see, Norton blocked my attempt to examine that link. Rahul was up to something bad when he directed my browser to that link. It’s clear that he was trying to infect my system, and that after doing that, whatever he ran on my system navigated to a login page for McAfee to make it appear as though he had used a legitimate McAfee scan, when it most probably was malicious.
Normally, I would write to Norton and report his behaviour. However, I no longer trust Norton at all, and expect that I would be lied to yet again.
Instead, I have fully uninstalled Norton v24, and reinstalled an older pre-‘upgrade’ version, and am using other software to block the ‘upgrade’ from happening again.
I will definitely not be renewing my subscription when it runs out about a month from now. I’ve used Norton products on Macs and PCs consistently since the mid 1990s (even during the terrible bloat years), and I’m fed up. I suggest you find a better non-Norton-affiliated product too. Norton-affiliated products include: Norton, AVG, Avast, Avira, CCleaner, and possibly more.
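The manual check described in section A (add the blocking entries, save, re-open the hosts file, see which ones survived) can be scripted so that the comparison is exact rather than by eye. The script below is an added example, not code from the original post or from Norton or CCleaner: it parses hosts-file text the way the resolver reads it (first token is the address, every following token is a hostname, anything after `#` is a comment), classifies each intended entry as blocked, present with an unexpected address, or missing, and fingerprints the file so two reads can be compared after a save. The hosts path, the sinkhole addresses and the sample "after rewrite" file contents are assumptions; the hostname list is the one the post adds.

```python
import hashlib
from pathlib import Path

# Hostnames the post's author added to the hosts file to block CCleaner telemetry.
CCLEANER_BLOCK = [
    "ncc.avast.com",
    "ncc.avast.com.edgesuite.net",
    "license.piriform.com",
    "ipm-provider.ff.avast.com",
    "shepherd.ff.avast.com",
    "ip-info.ff.avast.com",
    "analytics.ff.avast.com",
]

# Assumed location (the post names the folder; the file name is the standard one).
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Addresses that count as "blocked" when they appear in front of a hostname.
SINKHOLE_ADDRS = ("0.0.0.0", "127.0.0.1", "::1")

# Constructed sample of what the post says was left after the file was rewritten:
# only the comment marker and the license.piriform.com line survived.
SAMPLE_AFTER_REWRITE = """\
# (default comment lines omitted)
#CCleaner
0.0.0.0 license.piriform.com
"""


def parse_hosts(text):
    """Return {hostname: address} for every active mapping in hosts-file text.

    Comments (from '#' to end of line) are ignored, blank lines skipped, and a
    line may carry several hostnames after the address, as the resolver allows.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is inert; skip it
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def audit_block_entries(text, expected, sinkhole=SINKHOLE_ADDRS):
    """Classify each expected hostname as blocked, wrong_addr (name, addr) or missing."""
    active = parse_hosts(text)
    result = {"blocked": [], "wrong_addr": [], "missing": []}
    for name in expected:
        addr = active.get(name.lower())
        if addr is None:
            result["missing"].append(name)
        elif addr in sinkhole:
            result["blocked"].append(name)
        else:
            result["wrong_addr"].append((name, addr))
    return result


def fingerprint(text):
    """SHA-256 of the file text, so a read before and after saving can be compared."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def load_hosts(path=HOSTS_PATH):
    """Read the real hosts file if present; otherwise fall back to the constructed sample."""
    if path.exists():
        return path.read_text(encoding="utf-8", errors="replace")
    return SAMPLE_AFTER_REWRITE


def report(text, expected=CCLEANER_BLOCK):
    """Print a short audit; returns the audit dict for callers that want it."""
    audit = audit_block_entries(text, expected)
    print("hosts fingerprint:", fingerprint(text)[:16])
    for name in audit["blocked"]:
        print("  blocked   ", name)
    for name, addr in audit["wrong_addr"]:
        print("  wrong addr", name, "->", addr)
    for name in audit["missing"]:
        print("  MISSING   ", name)
    return audit


if __name__ == "__main__":
    report(load_hosts())
```

Run it once immediately after saving your edits and again a few seconds later; if the fingerprint changes and entries move from "blocked" to "MISSING" without you touching the file, something else on the machine is rewriting it, which is exactly the behaviour the post describes.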