File Insight blocked and removed what I believe to be a safe EXE file

I tried to run a program that I had previously renamed and whose program icon I had replaced, and then File Insight reported that myprogram.exe was behaving suspiciously on my computer, and it was blocked and removed.  A message at the task tray with a big red circle and white "x" also appeared.  This was AFTER I ran a custom scan of the very same file and the folder which holds it.

 

In File Insight, Activity, Suspicious Actions details, the information given is Event: Keystroke capture (Performed by f:\folder1\folder2\myprogram.exe, PID:4524  No action taken

 

Well, I cannot understand why Norton 360, and Norton Internet Security both automatically deleted this file, or program when I attempted a test run of it.  I made the program begin, made a selection in the program, and BAM!  File Insight blocked and removed the EXE file.  Not sure what to think, since the original EXE file is trustworthy and from a trustable source.  I also previously did a scan on the icon which I placed into the EXE file.

 

An earlier test using the same file in its renamed-only state but with the default icon of the file gave no problem with Norton.  As I said, I did a scan on the icon BEFORE inserting it into the renamed file.  Any ideas to look for ?

This is occurring because Norton is watching the behavior of the program and noticed that at a certain point, it begins to record your keystrokes. Depending on the program, this may be a feature, but may also be a keylogger. If you trust this program, it is likely a false positive caused by Norton's heuristic engine. If the file meets certain criteria, it is flagged as unsafe. It's uncommon but still possible.

 

If you're 100% certain the file is safe, you can add this program manually to be ignored by Norton. Try the following:

 

Open the Norton 360 manager (shows the giant logos for PC Security, Identity, Backup, PC Tuneup).

Click on "Settings" at the top of the window.

Click on "Antivirus" (the first option)

Click on the "Scans and Risks" tab.

At the bottom, locate the "Exclusions / Low Risks" section.

Under this section is an option for "Items to Exclude from Auto-Protect, SONAR, and ....."

Click "Configure" to the right of this option.

A window should pop up with the option to "Add" programs. Find the file/folder to exclude and click "OK"

 

 

Hope that helps!

-James


g_cafe_c wrote:

 

Well, I cannot understand why Norton 360, and Norton Internet Security both automatically deleted this file, or program when I attempted a test run of it.

 

I hope you are testing this on 2 different computers. Having more than one active anti virus program running at a time can give unusual results.

 

peterweb,

 

Just to continue, I have not yet stopped checking on this problem on-and-off again.  YES, I tested on TWO DIFFERENT computers.  One of them uses Norton 360, and the other uses Norton Internet Security.  No other real-time security product is on the computers. 

 

The file which Nortons eliminated as "suspicious" is absolutely NOT a keylogger.  It is a "runtime engine" which runs tokenized files.  The file in the untokenized form causes no trouble from Nortons.  Other tokenized files for use with the runtime engine as tested cause no trouble with/from the Nortons. 

 

I'm not finished checking into this problem; I just have not figured out how else to test the problem.  Meanwhile, I sent files to the Symantec site for checking suspicious files twice, and I have not yet received information about them. 

James_Carr,

 

I will try or retry what you said, and retest that way.  The file being developed is becoming a bit complicated; but Norton attacking the runtime engine when the runtime engine runs the tokenized file, but not attacking any file when the development system runs the untokenized  file, makes no sense. 

 

Development system is open --- run the untokenized file --- everything is good and normal, no problem.

 

Make tokenized file and make test package --- run the runtime engine which runs the tokenized file --- Norton attacks the runtime engine.