Just after Norton 360 updated itself to ver. 24.xx on my Win10 notebook, my UDM-Pro’s (security gateway) Unifi Network Security app started reporting and blocking – every single day – this security alert signature: “ET WORM TheMoon.linksys.router 1”
The source IP reported is this Windows 10 notebook (which is running the updated Norton 360) and the destination IP reported is my UDM-Pro gateway IP address, on port 8080.
I’m thinking it’s possible that Norton’s new version 24, or a specific new feature, is triggering these outgoing network probes that my UDM-Pro gateway is mistaking for a worm signature and thus flagging and blocking.
Does the updated version of Norton 360 have a setting for “network scanning” or “vulnerability scanning” that I can adjust or temporarily disable to test? If there’s an option to exclude router IPs or specific ports, that may also help.
Hi there
I am experiencing exactly the same challenge.
Watching the Norton 360 scan schedules and by manually running a Norton 360 scan I can replicate this. Within a few seconds of running the scan I get an alert and it shows up in my log file on my Ubiquiti Dream Machine.
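The observation above (alerts firing seconds after a scan starts) is the kind of timing evidence that separates a likely false positive from a real infection. The following is an added triage example, not code from the thread or from Norton/Ubiquiti: it parses constructed UniFi-style IPS alert lines and labels each alert as correlated with a known scan start on the same source host, or not. The hosts, timestamps and line format are all assumed for illustration.

```python
# Added example (not from the thread): check whether each IDS alert fires within
# a short window after a local scan start on the same host. Alerts that do not
# correlate should still get a normal investigation rather than an "allow".
from datetime import datetime
import re

# Constructed alert lines in a UniFi-style "timestamp src -> dst signature" form.
ALERTS = """\
2024-11-04T02:00:07 192.168.1.42:51022 -> 192.168.1.1:8080 ET WORM TheMoon.linksys.router 1
2024-11-04T14:30:05 192.168.1.42:51890 -> 192.168.1.1:8080 ET WORM TheMoon.linksys.router 1
2024-11-04T19:12:41 192.168.1.77:40012 -> 203.0.113.9:8080 ET WORM TheMoon.linksys.router 1
""".splitlines()

# Constructed scan start times for the notebook at 192.168.1.42 (assumed host).
SCAN_STARTS = {
    "192.168.1.42": [datetime(2024, 11, 4, 2, 0, 0), datetime(2024, 11, 4, 14, 30, 0)],
}

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (.+)$"
)

def parse_alert(line):
    """Split one alert line into timestamp, source, destination, port, signature."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed alert line: {line!r}")
    ts, src, dst, dport, sig = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "sig": sig}

def correlate(alerts, scan_starts, window_s=30):
    """Label each alert 'scan-correlated' if it fired within window_s seconds
    after a scan start on the same source host, otherwise 'uncorrelated'."""
    out = []
    for line in alerts:
        a = parse_alert(line)
        starts = scan_starts.get(a["src"], [])
        hit = any(0 <= (a["ts"] - s).total_seconds() <= window_s for s in starts)
        out.append((a["ts"].isoformat(), a["src"], a["dport"], a["sig"],
                    "scan-correlated" if hit else "uncorrelated"))
    return out

if __name__ == "__main__":
    for row in correlate(ALERTS, SCAN_STARTS):
        print(*row)
```

Feed it real alert export lines and your scheduler's scan start times; an alert from a host with no scan activity, or one going to an external destination, is the one to look at first.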
Hello @Kerry_Hunt , @persist
fwiw ~
==============================================
Are you Smart Mode with Notifications?
Maybe, try Windows Settings Mode…as test.
How risks are detected [here]
Learn more about Smart Firewall [here]
Configure Smart Firewall settings [here]
Learn more about Real-Time Protection [here]
Learn more about Antivirus settings [here]
Learn more about Norton scans [here]
Learn more about Exploit Prevention [here]
Respond to the man-in-the-middle attack alert [here]
Learn more about Wi-Fi Security [here]
Learn more about Intrusion Prevention [here]
@bjm Thanks for the link to the thread @ community.ui.
My Norton 360 Firewall Automatic Network Control is set for “Smart Mode with Notifications.” How will changing it to, “Windows Setting Mode” be a test? What and where am I looking for?
If the Unifi Network security detection is a false positive, I can Allow This Threat Signature in Unifi Network.
@toddinator posted in the Unifi thread:
More searching on the internet led to the following discovery - AVAST and Norton merged recently, and apparently, the latest release of the Norton antivirus platforms is now using the AVG code. The executable file name has been changed, but it is likely the problem behind the intrusion detection issues we are seeing now.
Yeah, that’s why I wondered about Windows Settings Mode which uses Windows Firewall rules. Takes Norton Smart Firewall out of the equation.
Norton™ is part of Gen™ - a global company with a family of consumer brands including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner.
Do you think the Norton 360 full virus scan would detect TheMoon ET worm on my Win10 notebook if it was present? While I’m still getting security warnings from my UniFi Network app that it’s blocking outbound traffic from Port 8080 from the same Win10 notebook, my just completed Full Virus Scan with ver. 24.10.xx of Norton 360 reports, “No Security Risks.”
I am experiencing the same problem on my UDM SE. It started this week when the new version of 360 was updated on my laptop. I get an email notification that a network intrusion attempt was detected and blocked and when I check the router’s description of the source it shows my laptop that has the new 360 version and describes the threat as the ET-Worm. I get this alert twice a day. My other 2 computers with the previous version of 360 still on them are fine for now and not showing this intrusion attempt. I’m trying to find out if I can delay the update on those machines for now.
In addition the new update has caused my Quick Scans to go from only taking 5 minutes to 82 minutes.
Does Norton know of these problems and are fixes being worked on? How do you bring this stuff to their attention for solutions?
I have the same problem.
All: Having a security solution on your routers will cause issues with false positive detections. Having a UDM SE appliance sitting in your network with that solution on it is most likely triggering version 24.xx. Conversely, in this thread Avast is named as the culprit, both Norton and Avast use the same engine so…may be related.
SA
Same here, Norton 360 running on windows 11 devices, connected via UDM PRO.
Any forecast in sight for a final solution? It looks like an obvious issue for Norton to solve, I think.
No one in the thread is giving any credence to the former post I posted. Built-in security solutions on routers and other firewall appliances WILL trigger false negatives. No matter what A/V you are using.
SA
Don’t know if this info helps since my router isn’t Unifi and it uses Threat Prevention to scan all traffic. Immediately after V24 was installed, TP began alerting me of a significant “likely covert” increase in traffic to destination port 8080. After comparing the timing of the alert trigger with the router’s traffic log, I was able to pin the data uploads to an Avast IP address. I have a “temporary” firewall rule in the router to block all traffic to that destination port. The rule is triggered multiple times a day but hasn’t interfered with what I do online. I reverted back to N360 V22 so I’m not sure if the firewall rule would interfere with V24’s functionality. The TP alerts have stopped as well.
OP here. I’ve been following your helpful Unifi forum link on this issue. It’s given me a high level of confidence that the daily Unifi Network worm detections I’m receiving are all false positives. Thanks!
My issue with your statement is that prior to ver. 24 of Norton 360, Unifi’s built-in security didn’t complain. Now it does. @Puzzler reverted back to N360 V22 and his Threat Prevention alerts have apparently stopped. All A/V vendor offerings aren’t the issue. The issue is with this particular N360 update. While I can ignore or “Allow This Threat” inside Unifi Network, the better solution would be Norton fixing the current N360.
Absolutely in agreement. Reverting to V22 is (hopefully) a stop gap but time will tell.
There has been some discussion on this forum about the scope of data being accessed by N360. Don’t know how other A/V apps compare. Some users aren’t disturbed while others aren’t too comfortable. Some examples-----
Need to add that I’m not sure if reverting to V22 stopped the traffic or the router firewall. I suspect it’s the firewall since I kept one computer on V24 and didn’t get TP alerts. Don’t know about your router but in mine, firewall rules precede Threat Prevention scans. I’ll disable the firewall over this weekend, keep the computer with N360 V24 offline, and see if V22 triggers TP alerts. If no alert, then it’s highly likely the issue is V24 (whether it’s a bug or just the way the app functions). If I get alerts, then the problem is systemic across Norton’s apps.
Update. I disabled my router’s firewall rule this morning and kept only the computers running N360 V22 online. Within an hour or so, my router’s Threat Prevention was triggered for significant traffic covert channel detection. So, in my case, this behavior is not isolated to V24. If N360 is triggering these events (which looks likely since the bulk of traffic is going to Avast’s ip address), then the behavior extends to V22.
In reviewing the traffic logs over the past two weeks or so (i.e. pre- and post-firewall-rule implementation) there’s a noticeable decrease in uploaded data volume. What remains a question, at least in my case, is whether blocking this traffic to Avast is undermining N360’s security protection, but I’m comfortable with that. I run full scans every day as well as scan with other apps (e.g. Malwarebytes) and, so far, everything seems fine. Then again, some malware these days is very hard to detect so you never know.
Probably should add that the TP alerts are not ET WORM TheMoon.linksys.router. My router isn’t linksys or Unifi. Also, Threat Prevention and UDM may have some different threat signature nomenclatures.
Good observation. Something I had not taken into account is my network is set up in a NAT-NAT scenario. Wondering whether my setup makes any difference as we are connected directly by Ethernet into the Verizon ONT, the ISP router. My ISP device handles TV routing, VOIP routing and phone. Its WiFi is disabled as is IPv6. My personal router is connected via LAN port #1 on the ISP router into the WAN of my personal router. I have 2.4/5 GHz WiFi and an IOT channel separated from the others. It’s running the entire home network on this device as well as all my wired clients. I’m not seeing excess outbound traffic on Norton 360 version 22.24.8.36 BUT! Will have to review my laptop with 24.xx installed for the same traffic issue you are seeing. I did note the last time it was booted that there was excessive memory usage at idle time. I will check the BIOS to see if there are settings there that may be causing it.
SA
Thanks for looking into your system. I don’t use any equipment from my ISP. Have a modem and a separate router with VLAN set up isolating all networks. Have a dedicated network for IOT. Don’t use VOIP. All connections are wired except the guest network, which is isolated by default. Guest network is rarely used.
I may uninstall N360 completely to see if that makes a difference. That’ll have to wait since I need to set up firewall rules in whatever A/V app I use, which takes time and I have to play catch up on other pressing life chores.