Intel file keeps getting flagged as Trojan Horse (false positive?)

Issue abstract: Intel file keeps getting flagged as Trojan Horse

Detailed description: Since this morning, I have run my virus scan and the same Intel file has been flagged as a Trojan Horse and quarantined twice. The initial file was apparently on my computer since 12/12/2024 but only got flagged this morning despite the fact I run a virus scan multiple times a day. I’ve now run the virus scan again but the file has apparently just appeared on my computer again right after I started it up and Norton has again flagged and quarantined this new version of the file after I ran a virus scan. Is this a file Intel is automatically downloading onto my computer and could this be a case of Norton misidentifying it as a threat? I think this is the first time I’ve ever had something flagged as a threat on my virus scan so I don’t know where else this file could be coming from other than Intel automatically downloading it somehow.

Product & version number: Norton 360 Deluxe

OS details: Windows 10

Scan results:

This was the first file that was quarantined:


Details

Threat name: Script:SNH-gen [Trj]
Threat type: Trojan Horse - This threat pretends to be something else (e.g., picture, document, or other file) to trick you into running it and infecting your computer.
Status: Moved to Quarantine
On PC from: 12/12/2024, 10:56
Last Used: 05/02/2025, 09:13
Startup Item: No

Unknown
It is unknown how many users in the Norton Community have used this file.

Mature
This file was released 2 months ago.

High
The file risk is high.


Activity

Path | Type | Status
C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_options.txt | File | Repaired

And this was the second file that was quarantined:


Details

Threat name: Script:SNH-gen [Trj]
Threat type: Trojan Horse - This threat pretends to be something else (e.g., picture, document, or other file) to trick you into running it and infecting your computer.
Status: Moved to Quarantine
On PC from: 05/02/2025, 23:08
Last Used: 05/02/2025, 23:10
Startup Item: No

Unknown
It is unknown how many users in the Norton Community have used this file.

Mature
This file was released 2 months ago.

High
The file risk is high.


Activity

Path | Type | Status
C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_options.txt | File | Repaired

fwiw ~ based upon posted path:
C:\Program Files\Intel\SUR\QUEENCREEK\x64\


  • False Positive and False Negative Submissions Portal [here]
  • Submit a file or URL to Norton [here]
  • Report a suspected incorrect detection to Norton [here]
  • Respond to incorrect Norton alerts that a file is infected or a program or website is suspicious [here]

Thank you for your reply. I took your advice and installed Malwarebytes and ran a scan as instructed in the link you posted (enabling the “Scan for rootkits” option beforehand). The scan came up totally clean with zero threats detected.

I have just turned my PC back on this morning and did an immediate scan with Norton and it has again found and quarantined another version of the same file, which again appears to have been created right after the computer turned on. Surely it has to be Intel that keeps installing this file every time I start up my PC as the Malwarebytes and Norton scans I did right before turning the PC off last night both came up clean. This must be a false positive on Norton’s part then, right?

You posted a link to “Report a suspected incorrect detection to Norton” in your reply. To do this it appears that you have to upload the file and send it to them. How do I do this? Is it possible to upload a file that has been quarantined?

The latest version of the file being flagged & quarantined by Norton below:


Details

Threat name: Script:SNH-gen [Trj]
Threat type: Trojan Horse - This threat pretends to be something else (e.g., picture, document, or other file) to trick you into running it and infecting your computer.
Status: Moved to Quarantine
On PC from: 06/02/2025, 08:08
Last Used: 06/02/2025, 08:10
Startup Item: No

Unknown
It is unknown how many users in the Norton Community have used this file.

Mature
This file was released 2 months ago.

High
The file risk is high.


Activity

Path | Type | Status
C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_options.txt | File | Repaired

Does file.net and/or thewindowsclub.com article…below…sound like your machine?
fwiw ~ based upon posted path:
C:\Program Files\Intel\SUR\QUEENCREEK\x64\

================================================

Files may be restored from quarantine (for example - to your desktop) …if you do not agree with Norton
Files may be uploaded to VirusTotal for second opinion…if you do not agree with Norton

==================================================

IDK (from this distance) why Norton is detecting crashlog_options.txt file…maybe, the file is trying to call home…maybe, as Norton reports…This threat pretends to be something else (e.g., picture, document, or other file) to trick you into running it and infecting your computer. IDK

Does your machine have C:\Program Files\Intel\SUR\QUEENCREEK\x64\ path?

Sorry, I’ve no way to reproduce reported Norton event my side.

Did you review:

================================================

Yes my PC has the C:\Program Files\Intel\SUR\QUEENCREEK\x64\ path.

I also read the articles you posted and they say it is a legitimate process associated with the Intel Driver Update utility. It says sometimes there can be variants of this process running in the background and those can be infected with viruses. However I followed the instructions to check if the one running on my PC (there was only one version listed in the Task Manager) was legitimate by checking to make sure it had Intel under its Signature list and it did.

I figured out you can send the quarantined files for review as potential false positives through the Norton app itself so I’ve done that. That way I didn’t have to remove the files from quarantine, which I’d prefer not to do, just in case they are actually real threats. I’m not really sure how I will get a response though. Maybe through e-mail? I made sure I was logged in on the app when I submitted the files for review. If that doesn’t work and the problem continues, I’ll try your suggestion of removing the files from quarantine and sending them to the VirusTotal site.

Thank you for your help, it’s appreciated.

1 Like
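The two checks discussed in this thread (a file hash for a second opinion, and the publisher signature on the Intel binaries), as an added PowerShell example that is not part of any poster's reply. The folder path is the one posted above; matching the signer subject against "Intel" is an assumed heuristic, and `$dir`, `$file` and `$sigs` are names chosen for this example.

```powershell
# Added example: triage of the folder Norton keeps flagging (path from the thread).
$dir  = 'C:\Program Files\Intel\SUR\QUEENCREEK\x64'
$file = Join-Path $dir 'crashlog_options.txt'

# 1. Hash the freshly recreated file before the next scan, so it can be looked
#    up by hash for a second opinion without restoring anything from quarantine.
if (Test-Path -LiteralPath $file) {
    $item = Get-Item -LiteralPath $file
    $hash = Get-FileHash -LiteralPath $file -Algorithm SHA256
    [pscustomobject]@{
        Path      = $item.FullName
        Bytes     = $item.Length
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        SHA256    = $hash.Hash
    } | Format-List
} else {
    Write-Warning "$file is not present (quarantined or not yet recreated)."
}

# 2. Check the Authenticode signature of every binary in the folder, not only
#    the single process visible in Task Manager.
$sigs = Get-ChildItem -LiteralPath $dir -File -Recurse |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $subject = ''
        if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status      # 'Valid' means the signature chain verified
            Signer = $subject
        }
    }
$sigs | Format-Table -AutoSize -Wrap

# 3. List anything unsigned, tampered, or signed by an unexpected publisher.
#    Assumption: a genuine Intel binary names Intel in the certificate subject.
$suspect = $sigs | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Intel' }
if ($suspect) {
    Write-Warning 'Binaries that need a closer look:'
    $suspect | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'All binaries in the folder carry a valid signature naming Intel.'
}
```

A valid signature on the binaries does not by itself clear the text file; the hash from step 1 is what a second scanner or a false-positive submission is checked against.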

Were it my machine and I wanted reassurance,
I’d ask Malwarebytes Malware Removal Help Forums [here] to check my machine.

for example: posted for users that pass this way

with submissions via Threat secured > Report false detection. I’ve never received a response.
Norton 360 v22 Copy to Clipboard reported file hash.
Norton 360 v24/v25 Copy to Clipboard does not report file hash.

for example:

I didn’t actually report it either of these ways. I didn’t get the bottom Threat Secured pop-up you posted. I did get the first one but “Report false detection” wasn’t an option. The status didn’t say ‘Blocked’ as in your case, it said ‘Moved to Quarantine’ instead and there were no ‘Options’ listed.

I reported it by opening the ‘Quarantine’ section through the ‘Security’ tab on the app. I then selected all the files, hit the 3 dots in the bottom right corner and selected ‘Send for analysis’. Then on the pop-up that appeared, I selected the ‘False positive’ option, filled in the additional info box and hit send.

*I tried to include screenshots with this post to illustrate better but it wouldn’t let me. I got a message saying “An error occurred: Sorry, you can’t embed media items in a post.”

for example:

bottom pic is Safe Web detection

An update: Norton had continued flagging and quarantining new versions of the file every time I turned my PC on until today. I just turned my PC on, looked to see if the file was there and it was. I then scanned it as usual with Norton and for the first time since this all started, the file came back clean. I’ll report back if that continues to be the case but I’m hopeful Norton has realised that it was a false positive and it will stop being flagged and quarantined from now on.

1 Like

Final update: Norton virus scan has continued to come back clean without flagging or quarantining the file since my last post. The issue therefore appears to have been resolved.

2 Likes