A warning for ALL Norton users

Note: Please do not post Personally Identifiable Information like email address, personal phone number, physical home address, product key etc.

Issue abstract:
This is a warning to ALL Norton users:

  1. NEVER let support agents use remote access to gain control over your computer. They cannot be trusted.
  2. Norton v24 makes unauthorized changes to your computer, without logging the changes in security history.

TLDR: As you will see below, my recent experience included a remote session in which the agent removed Norton from my computer, and then directed me to a malicious link, ran a fake scan (that presented itself as a competitor’s product), and then lied about having done so. He then pretended to be his supervisor when I asked to escalate the issue.

Detailed description:

I’ll split this into 3 sections: (A) The Situation; (B) The Norton Support Session; and (C) The Aftermath
———————————————————
A) THE SITUATION

A few days ago, I noticed that my hosts file was empty. The hosts file in my Win10 is located at:
C:\Windows\System32\drivers\etc
• NOTE: If you don’t know how to use/edit the hosts file, don’t mess with it!

Something had done that (not me), and had erased several years’ worth of my entries in the hosts file. I had added entries shortly before the Norton “upgrade”. I decided to investigate.

My reason for opening the hosts file was that CCleaner is very slow. I did a web search, and found a thread, “CCleaner very slow startup time on my Windows 10 Pro x64 DELL laptop” on tenforums. Someone there suggested blocking items in the hosts file, as the delay on opening CCleaner is due to a built-in pause that is triggered if it cannot access the internet to send telemetry back to the company (I have blocked CCleaner’s access via firewall).

Surprised that my hosts file was empty (other than the default commented out information), I nonetheless tried adding the suggested entries from the tenforums post. Here are the lines that I added to the hosts file, which I had opened in Notepad, as administrator:

#CCleaner
0.0.0.0 ncc.avast.com
0.0.0.0 ncc.avast.com.edgesuite.net
0.0.0.0 license.piriform.com
0.0.0.0 ipm-provider.ff.avast.com
0.0.0.0 shepherd.ff.avast.com
0.0.0.0 ip-info.ff.avast.com
0.0.0.0 analytics.ff.avast.com

I then saved the file, and tried opening CCleaner to see whether the startup lag issue had been solved. No difference.

I then went back and opened the hosts file again. Oddly, the only part of my new additions that were in the file were:

#CCleaner

0.0.0.0 license.piriform.com

—All of the other added items had been removed. Suspecting that CCleaner had made the change, I closed CCleaner, added the lines back into the hosts file as administrator, and saved it. I re-opened it instantly. Same result again: only my commented-out line and the <license.piriform.com> line remained.

Next, I ran NirSoft’s Process Monitor, and repeated the addition to the hosts file and saved it. Process Monitor did not show any instances of CCleaner doing anything during that short time. I ruled out CCleaner as the cause of the deletions.

A little more sleuthing online helped me realize that Norton is owned by the same company as CCleaner. Norton had a lot of lines referring to my hosts file/folder right after I saved the file. Norton was clearly responsible for deleting the lines from the hosts file, and from that it seems reasonable to surmise that Norton v24 had wiped my entire hosts file when the purported ‘upgrade’ occurred.

I tried the same procedure several times, and the result was the same each time.

[NOTE: as I’ve since learned, some of the items I had added are also used by Norton, which explains why it edits my hosts file. As mentioned earlier, it doesn’t record this in the Security History, which is sneaky, and it does it automatically without a user’s consent. I have tried disabling everything in Norton v24 (firewall, AV, tamper protection, etc.), and it still edits the hosts file!]
———————————————————
B) THE NORTON SUPPORT SESSION
Now that I had strong reason to believe that Norton was the culprit, I contacted support to chat online with an agent.

The agent assured me that Norton never touches the hosts file (lie #1). I let him know that I had investigated and found that it was the cause. His response was that he could fix the problem by connecting to my computer via remote session. I strongly dislike letting random strangers into my system, but I consented as I didn’t see how else the problem could be resolved. (As it turned out, all he needed to do was uninstall Norton and then reinstall it, which I could have done myself. Remote access was completely unnecessary).

Because I was wary of letting him access my system remotely, I specifically asked the support agent to ask for my consent at each step. He agreed, and we began the remote session.

First, without bothering to ask me for consent, he uninstalled Norton. Now my computer was completely unprotected.

His next step was to open a browser. He could see a Firefox icon in my Windows toolbar, and clicked on it (again, without asking for consent). This opened up the Profile Manager screen, and he was about to randomly select a profile to use. I had to wrestle the mouse from him by wiggling it non-stop for about 30 seconds, as I did not want him using any of my profiles.

Once I had control of the mouse, I let him know that he could use my Edge browser (which I never use), and that I would have to unblock it first (I use Sordum’s Edge Blocker). He let me do that.

I opened Edge for him, and it opened with a single tab, at the default Microsoft page that Edge uses.

He then proceeded to this link: [DO NOT USE THIS LINK, IT IS MALICIOUS!]

https://sbfirewall.xyz/w/m/b/?lp_key=173033c5ef31a1a260bf8b0f1f03e6472b83936955&clickid=cshdf3t00fes7389265g&trk=coldclck.xyz&language=en-US&dm=1

I just tried to open that link few minutes ago, and Norton (which I have since reinstalled myself) warned that it was malicious, so I did not attempt to continue to the page. Of course, because the support agent had removed Norton, it did not stop him from proceeding [please see note at end].

The “sbfirewall. [etc.]” link that he entered prompted him to prove he is not a bot. As soon as I realised that something bad was happening, I immediately tried to take control of the mouse again to stop it, but he tried to keep control and clicked on it anyway.

That caused a new window to open (it was not a normal Edge window). It looked like a McAfee page. He ran a scan with this “McAfee”. I watched him do this. Pop-up windows appeared multiple times saying it had removed viruses. That was a huge red flag for me, as either (a) it was all fake information, or (b) Norton had been missing a lot of viruses on my system before he deleted it! I believe my system was clean beforehand. Norton does a good job of keeping it clean, and I scan often. When it finished scanning, he closed Edge and restarted as soon as he could, denying me a chance to ask what was happening (remember, I had told him I wanted to be asked for consent at each step).

The computer restarted, and a remote session window opened with him again. I asked him why he had run a McAfee scan, and he denied that he had used McAfee at all: he was effectively calling me a liar.

To prove that I was not lying, I opened Edge, with the intent of checking the history to show him. I did not need to check the history, as Edge opened to the tab that was open during the previous session, and immediately displayed this page:

https://www.mcafee.com/en-ca/ipz/feyncart/2web/payment.html?culture=en-ca&moguid=7443ef43-964f-4f33-8df6-b9fc70272ff2&affid=1494&SID=de0c603c-f6df-4fac-8363-6117b05cbe0a&cjevent=7eaee52c971c11ef82f202780a1eba23&csrc=cj&csrcl2=YDM3&ccoe=direct&ccoel2=am&ccstype=partnerlinks_7eaee52c971c11ef82f202780a1eba23&CID=242012&PID=101251375

—I think that may be a legitimate McAfee page, but it is likely a redirect made after the malicious page finished going through my system.

—I could also see in the history that he had accessed the malicious “sbfirewall” link from above.

After accusing me of lying, he then tried to excuse his lie by saying, “So many tabs were open and it was opened mistakenly.” That is also a lie: all tabs that were opened were either opened by him, or by the malicious link that he sent my browser to.

Here is an excerpt from our conversation, apologies for my typos:

17:14 null: I asked you to informs me of each step so that I could consent. You agreed. You then performed multiple steps without informing me.

17:15 Rahul P: As i Have already informed you that I will uninstall this version and will install previous interface.

17:15 null: You said nothing about McAffee scans

17:15 Rahul P: Please let me proceeed if you wish to continue with resolvingt he concern.

17:15 Rahul P: I haven’t run the Mac Afee scans.

17:15 null: You ran one from Edge. It was on my screen

17:16 Rahul P: Now, Would you like to continue with installing the old interface?

17:16 Rahul P: Please open your browser

17:16 null: Please don’t call me stupid. I watched you run a McAffee scan.

17:17 null: Look - I just opened Edge, and the page you finished with is McAffee.

17:17 Rahul P: Please accecpt my apologies and let me access the browser

17:17 Rahul P: to solve the concern

17:17 null: First, why did you say I was a liar?

17:17 Rahul P: I am not saying you a liar.

17:18 null: “I haven’t run the Mac Afee scans.”

17:18 Rahul P: So many tabs were open and it was opened mistakenly

[I have since found the link he used appears in the session logs that were left on my desktop, in the file named “vps.bxlog”. I have definitive proof that he accessed that page, starting at line 4427 of the log.]

I then asked to talk with his supervisor. His response:

“17:19 Rahul P: I am sorry but, Supervisor is not availble right now.”

I asked how I can contact a supervisor, and moments later, he replied:

“17:21 Rahul P: Please allow me a moment to connect you to my supervisor”

Clearly, one of those statements was a lie. Either a supervisor was available, or one was not available.

Then someone appeared in the remote session chat window, claiming to be his supervisor (probably Rahul P. still). The ‘supervisor’ did not attempt to identify themselves properly, and said they couldn’t talk with me using their name (They were still writing as “Rahul P.” in the chat).

I said Rahul had lost my trust, so I couldn’t tell whether I was talking with a real supervisor or just Rahul pretending to be a supervisor (I caught a phone company playing this trick in the past). The ‘supervisor’ still failed to identify themself, and when I asked to speak with them using a different method, they said I could not. They also said email was not an option. It was now or never. Instead, he directed me to the basic customer support Norton webpage that I had started with. I waited well over 30 minutes for this awful support session to begin, and the only way I could get help would be to go through that wait again, talk to another agent who would undoubtedly promise to resolve my situation and would refuse to put me through to a real supervisor. At this point I gave up.

———————————————————
C) THE AFTERMATH

After I ended the remote session, I had to run system restore because of what he did. After a successful restore, I opened Norton’s Webshield log (C:\ProgramData\Norton\Antivirus\report\Webshield.txt). It shows my attempt to see whether the link Rahul used was legitimate. This is the “Norton Real-time Shield Scan Report”:

https://sbfirewall.xyz/w/m/b/?lp_key=173033c5ef31a1a260bf8b0f1f03e6472b83936955&clickid=cshdf3t00fes7389265g&trk=coldclck.xyz&language=en-US&dm=1 [L] URL:Block [FakeScan] (0)

As you can see, Norton blocked my attempt to examine that link. Rahul was up to something bad when he directed my browser to that link. It’s clear that he was trying to infect my system, and that after doing that, whatever he ran on my system navigated to a login page for McAfee to make it appear as though he had used a legitimate McAfee scan, when it most probably was malicious.

Normally, I would write to Norton and report his behaviour. However, I no longer trust Norton at all, and expect that I would be lied to yet again.

Instead, I have fully uninstalled Norton v24, and reinstalled an older pre-‘upgrade’ version, and am using other software to block the ‘upgrade’ from happening again.

I will definitely not be renewing my subscription when it runs out about a month from now. I’ve used Norton products on Macs and PCs consistently since the mid 1990s (even during the terrible bloat years), and I’m fed up. I suggest you find a better non-Norton-affiliated product too. Those include: Norton, AVG, Avast, Avira, CCleaner, and possibly more.

Thanks for the post and information. It’s beyond interest and of concern at every level. If we may ask, in what manner did you contact Norton support? Through a web search, the UI, etc.? From what I am reading I believe you were not speaking to a legit Norton support person. To that effect, please allow me to escalate this to a Norton Admin and have them try to figure out whether you were or were not speaking to a Norton support agent.
Please keep in mind that someone from Norton (I personally am not a Norton employee) may contact you here in the forum or via a private message here on the forums to confer with you.

SA


sbfirewall.xyz
URL Analysed: sbfirewall.xyz
Norton Rating  Warning 
CURRENT CATEGORY
Malicious Sources/Malnets
Dispute submitted!

https://safeweb.norton.com/report?url=sbfirewall.xyz

=========================================


========================================

sbfirewall.xyz
No Malware Found
Our scanner didn't detect any malware

https://sitecheck.sucuri.net/results/sbfirewall.xyz

=====================================

VirusTotal report

============================================

We resolved the domain sbfirewall.xyz to IP address 104.21.68.22
104.21.68.22 was not found in our database
ISP CloudFlare Inc.
Usage Type Content Delivery Network
Domain Name cloudflare.com
Country United States of America
City San Francisco, California
https://www.abuseipdb.com/check/104.21.68.22


https://safeweb.norton.com/report/show?url=https:%2F%2Fsbfirewall.xyz%2Fw%2Fm%2Fb%2F%3Flp_key%3D173033c5ef31a1a260bf8b0f1f03e6472b83936955&ulang=en

Hello SoulAsylum,

That’s a smart question (re: how I accessed Norton Support). I should have included that in my post. Fortunately, I still have the tab open in my Firefox browser:

https://support.norton.com/sp/en/us/home/current/contact?displang=iso3:eng&displocale=iso3:CAN&env=prod&origin=ngp&partnerid=1000730&puid=5033&ssdcat=303&isplt=true

From there, I clicked on “Norton for Windows or Mac”, and then the yellow “Get Help” button. Then the white “Chat now” button in the “Chat Support” option on the next page.

Thank you for the post back.
SA

I’ve edited my last post to add a detail at the end. I should also have said that I used Firefox on my desktop computer, which is where I have Norton installed.
Thank you for looking into this.

@null_null_of_the_nul
so, what happened with your hosts file?


what about Windows Security?

@bjm The OP is on Windows.

SA

Hi bjm,

Can you be a bit more specific about what you’d like to know (beyond what was in my initial post above), so that I can give you the info you’re looking for? I’m not sure whether my next few lines are what you need:

I added the lines that I replicated in my post (using Notepad ‘run as administrator’ to open the hosts file), and then saved the hosts file in its appropriate folder; then I immediately opened the hosts file to check it, and all that would remain was the default commented-out text (the same as you’ve shown in your post), with only two lines remaining below it, namely:
#CCleaner
0.0.0.0 license.piriform.com

(the forum is turning that into a hyperlink, but it was only plain text in my real situation).

I’ve also just tried adding my full list of CCleaner blocking lines to the hosts file again, now that I am using an older version of Norton. It saves correctly, and old Norton does not make any changes–it looks the same as when I saved it. This is the expected behavior.

Edit:

  • Regarding your “What about Windows Security?” question: that’s a fair point. I’ve never used it directly, as Norton is always the first thing I install when I re/install Windows. It may have been functioning in the background, after support agent “Rahul P.” had removed Norton, but I don’t know whether or not that was the case. For all I know he had done something to disable that too.

Either way, I have since restored my computer to an earlier state. I had to remove Norton and then reinstall it from an older Norton installer file that I still had on another drive, as the system restore operation was unsuccessful at restoring Norton correctly. A scan with Norton v22.xx says my system drive has no issues at present.
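The check the OP performed by hand, in the original post and again in the reply above (write the CCleaner-blocking lines, save, re-open, and see which ones something stripped out), as an added example that is not code from the thread or from Norton. It parses a Windows hosts file the way the resolver reads it (comments stripped, several names per line, case-insensitive) and reports which expected blackhole entries are missing; the hosts path is the one given in the post, and the sample file content is constructed to mirror what the poster saw after the rewrite.

```python
"""Report which expected hosts-file block entries are missing (added example)."""
from pathlib import Path

# The seven lines the poster added; 0.0.0.0 blackholes the name.
EXPECTED = {
    "ncc.avast.com", "ncc.avast.com.edgesuite.net", "license.piriform.com",
    "ipm-provider.ff.avast.com", "shepherd.ff.avast.com",
    "ip-info.ff.avast.com", "analytics.ff.avast.com",
}
# Path from the thread; only read if it exists, so the script also runs elsewhere.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text: str) -> dict[str, str]:
    """Map hostname -> IP for every active line.

    A hosts line is "<ip> <name> [<alias> ...] [# comment]"; names are
    case-insensitive, so they are normalised to lowercase.
    """
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed: IP with no name
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def blocked_hosts(text: str) -> set[str]:
    """Names that currently resolve to a blackhole address."""
    return {n for n, ip in parse_hosts(text).items() if ip in ("0.0.0.0", "127.0.0.1")}


def missing_entries(text: str, expected: set[str] = EXPECTED) -> set[str]:
    """Expected block entries that are absent, or present but no longer blackholed."""
    return set(expected) - blocked_hosts(text)


# Constructed sample: the file as the poster found it after the rewrite.
AFTER_REWRITE = """\
# (default commented-out header lines)
#CCleaner

0.0.0.0 license.piriform.com
"""

if __name__ == "__main__":
    text = HOSTS_PATH.read_text() if HOSTS_PATH.exists() else AFTER_REWRITE
    gone = missing_entries(text)
    print("stripped entries:" if gone else "all entries present", *sorted(gone), sep="\n  ")
```

Run it right after saving the hosts file; a non-empty list means something rewrote the file between save and re-read, which is the behaviour the post describes.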

Hello, this is pretty wild. Norton just installed the new experience on my PC. So far it seems pretty good. I can confirm it did not touch my hosts file because I have a custom hosts file to block ads and such. I also have CCleaner and was not aware Norton owned them! I hope you get to the bottom of what transpired. It seems rather odd that you used their internal support chat and got an agent that purportedly installed malware on your system. I did a scan similar to yours for abused IP and nothing came up on IBM exchange. I can confirm the IBM Exchange is usually pretty good at tracking malware sites and domains. It ranks 104.21.68.22 as rank #1 (minimal/safe). If you put in utopia (208.91.197.27), which hosts tons of malware, it shows that IP as Risky 4.3. Anyways, I’ll be interested in learning more.

We’ve recently re-evaluated the security of sbfirewall.xyz
The website rating hasn’t been changed.
To see the full re-evaluation report, please visit Safeweb

did you disable Product Tamper Protection?

Fix System Restore problems with Norton product installed
https://support.norton.com/sp/en/us/home/current/solutions/v51118464

When I remove Norton
I’ll call Windows Security → confirm Windows Security updates → run scan.
I figure…why not.

use Preformatted text </> to break link… license.piriform.com

All: There should also be a file named HOSTS.ICS on the Windows install as well. It is recommended NOT to modify it. You can view its content by opening it with Wordpad without issues. This file is for your home network. I suggest you at least have a look at it when time permits.

SA

I used to have to do that to get System Restore to work, but Norton stopped interfering with it at least a year ago, and since then I’ve been able to do restore operations without tinkering with Norton beforehand.

My system restored correctly and is clean at present, fortunately.

Hello @null_null_of_the_nul

v22 & v24?

maybe, someone forgot to tell Norton