Microsoft file singlefilehost.exe identified as trojan

Detailed description: It’s two times that Norton 360 Auto-protect has identified the C:\program files\dotnet\packs\microsoft.netcore.app.host.win-x86\9.0.5\runtimes\win-x86\native\singlefilehost.exe file as trojan Win32:Evo-gen [Trj]. Has anyone had a similar experience?
Thank you.

Product & version number: Norton 360 Premium, Version: 25.5.10141 (build 25.5.10141.934)

OS details: Windows 11 24H2 (build SO 26100.4202)

Same here, looks likely to be a false positive as only Norton associated companies are reporting it. Uploaded it to VirusTotal

@ZNSimone @Ste_H Where is this file being downloaded from? Is it a Windows Update that is being pushed? Patch Tuesday isn’t here until tomorrow for June 2025 so if WU is pushing it I would be concerned. Here is AI generated information on the subject file, please note that AI is not 100% accurate all the time.

AI Overview

While singlefilehost.exe itself isn’t inherently malware, it can be used by malicious actors to deploy malware. The name “singlefilehost.exe” suggests it’s designed to host a single file application, which can be exploited by attackers to package a malicious program within a seemingly legitimate file.

Here’s why it’s important to be cautious:

  • Misleading Name:

The name “singlefilehost.exe” might lead users to believe it’s a benign utility, making them more likely to run it without suspicion.

Microsoft’s .NET Single File feature allows developers to bundle an application and its dependencies into a single executable. Malicious actors have been known to leverage this for malware deployment, making it harder to detect.

Antivirus software may sometimes flag singlefilehost.exe as a potential threat due to its association with malware, even if the specific instance is legitimate. According to a Reddit thread.

  • Payload Delivery:

The file might contain a malicious payload that is executed when the singlefilehost.exe file is run. This payload could be anything from a virus to a ransomware.

In conclusion, while singlefilehost.exe is not inherently malicious, its nature as a single-file host makes it a potential vehicle for malware delivery. It’s crucial to be cautious and verify the source and legitimacy of any application that uses this file name.

Here’s a more detailed explanation:

  1. Legitimate Use:

Single file deployment is a legitimate technique used by developers to create self-contained .NET applications, eliminating the need for users to have specific runtime versions installed.

  2. Malware Packaging:

Attackers can leverage this feature to package malicious code within a single, seemingly legitimate executable.

  3. Detection Challenges:

The bundled nature of single-file applications can make it difficult for antivirus software to detect malware within them.

  4. Human Error:

Attackers might try to deceive users by using a name like singlefilehost.exe, making them less suspicious and more likely to run the file.

Recommendations:

  • Verify Source: Always be cautious about running files from unknown sources.
  • Antivirus Software: Ensure you have up-to-date antivirus software installed and running.
  • Scan Files: Before running any file, consider scanning it with your antivirus software or an online scanner like VirusTotal.
  • User Awareness: Be aware of the potential risks of running files with names that seem legitimate but could be malicious.

SA
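
The "Verify Source" and "Scan Files" recommendations above can be checked locally for the file discussed in this thread. The following PowerShell is an added example, not part of any post; the function name `Test-HostBinary` is hypothetical, the folder is taken from the path reported in the first post, and it assumes a Microsoft-shipped copy carries an Authenticode signature from Microsoft Corporation.

```powershell
# Added example (not from the thread): check signature and hash of every
# singlefilehost.exe under the .NET packs folder named in the first post.
$packs = 'C:\Program Files\dotnet\packs'

function Test-HostBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # 'Valid' means the file content matches its signature and the certificate
    # chain is trusted on this machine; the subject check confirms the signer.
    # Assumption: genuine copies are signed by "Microsoft Corporation".
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($subject -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path              = $Path
        SignatureStatus   = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
        Signer            = $subject
        SignedByMicrosoft = $signedByMicrosoft
        SHA256            = $hash.Hash       # search this hash on VirusTotal
    }
}

if (Test-Path -LiteralPath $packs) {
    $found = Get-ChildItem -LiteralPath $packs -Recurse -File `
                 -Filter 'singlefilehost.exe' -ErrorAction SilentlyContinue
    if ($found) {
        $found | ForEach-Object { Test-HostBinary -Path $_.FullName } | Format-List
    } else {
        Write-Warning "No singlefilehost.exe under $packs (it may be in quarantine)."
    }
} else {
    Write-Warning "Folder not found: $packs"
}
```

A `HashMismatch` or `NotSigned` result for a file in this folder is a reason to reinstall the runtime or SDK from Microsoft rather than restore the file from quarantine.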

More direct information from Microsoft on the use of this file type: @Ste_H * Please let us know what your VirusTotal response is.

And Malwarebytes forums:
https://forums.malwarebytes.com/topic/298498-net-files-false-positive-on-scan/

Trend Micro:

SA

VirusTotal says 3/72 security vendors flagged this file as malicious: AVG, Avast and Jianmin. Seeing as AVG and Avast are both the same virus detection engine as Norton, it seems likely it’s a false positive.

I have no idea when this file appeared it was detected when I initiated a scan.

Norton logs say the file was on my PC since 15/04/2025; the virus was found from a quick scan yesterday. Last time I did a quick scan before this was about a week ago.

Submit a file or URL to Norton for review here

For me too. On system since 15/04/24. But I don’t understand why we are only two users with this issue…

submitted last night UK time Norton, AVG and Avast now not reporting as Virus

No idea, but VirusTotal is only showing one unreliable antivirus that thinks that file is bad now, so it was a false positive.

some users of avast found the same problem but again not very many

I sent file to Norton Submission Portal and I’m waiting for a response…

One thing to note regarding there not being more users seeing this issue appear may be that not everyone has the same surfing habits and site visitations, as well as where they download files from. Another issue may also be how updated their OS is alongside other software that gets installed. There is a myriad of ways for “single use” installer packages to make their way onto a computer via trusted avenues, as I posted before. Malware creators are all too aware of that and use valid system files to accomplish things to their end.

SA

Same issue here, that file was quarantined from my laptop on 6/8/2025. I have a local dev website that worked for a few days afterwards but this evening gets a 503 error and event logs contain “Unable to locate application dependencies. Ensure that the versions of Microsoft.NetCore.App and Microsoft.AspNetCore.App targeted by the application are installed.” Hmm.

OK so I found the installers to replace that software containing the quarantined file i.e. Download ASP.NET Core 9.0 Runtime (v9.0.6) - Windows Hosting Bundle Installer (slightly more recent version) and it fixed the website not working. Not sure if that quarantined file was really a threat but I left it in quarantine and everything is back to normal.

@Jeff_Montgomery I downloaded your runtime from the link you provided without issues. Scanning the file after download shows safe as shown below:

Downloading the file for Visual Studio use at this URL shows safe as well: Note this is the SDK version for developers

(Browse all .NET versions to download | .NET)

These weren’t still in the “preview phase” so Norton appears to have been behind the eight ball with it.

SA