Msedgeextensions.sb.tlu.dl.delivery.mp.microsoft.com Threat Category: SNH-gen [Trj]

Note: Please do not post Personally Identifiable Information like email address, personal phone number, physical home address, product key etc.

Issue abstract: Recurring pop-up message from Norton 360 that a threat has been secured and a connection blocked because of the Trojan SNH-gen

Detailed description: Norton 360

Product & version number: 24.10.9535 (build 24.10.9535.880)

OS details: Windows 11 Ver. 24H2, OS Build 26120.2122

What is the error message you are seeing? Connection Blocked

If you have any supporting screenshots, please add them:

I keep getting these pop-ups. What does it mean (really) and what do I do? If it really is a trojan, how do I remove it?

Hello pgreen. The Windows build you posted is a preview build. Also, the 24H2 update has issues galore. Norton officially doesn’t support BETA or insider builds on Windows or MAC. I have the same Norton version and build as you posted on both Windows 10 and 11 without any of the false positive alerts you are seeing.

Conversely, my research led me to this article: Norton now owns Avast so I feel that this new version uses some of its coding thus nabbing this.
https://answers.microsoft.com/en-us/microsoftedge/forum/all/what-happens-with-microsoft-edge/6a1c4e58-1d1c-4adf-80f9-81a52acce8eb

Virustotal also shows this as a clean URL:

SA

Thank you! Although you haven’t pointed me to a solution (exactly), you have shed light on the problem, which is half the battle. Although I had found that same website (with the Avast question), it did not occur to me that Norton owned Avast. Silly me. I will also try running a different antivirus software to see what it does.

Interestingly, I just got a different pop-up:


Details

Threat name: Script:SNH-gen [Trj]
Threat type: Trojan Horse - This threat pretends to be something else (e.g., picture, document, or other file) to trick you into running it and infecting your computer.
Status: Moved to Quarantine
Options: Report as false positive
Detected by: Auto-Protect
On PC from: 10/19/24, 5:37 PM
Last Used: 10/19/24, 5:37 PM
Startup Item: No

Unknown
It is unknown how many users in the Norton Community have used this file.

Mature
This file was released 3 months ago.

High
The file risk is high.
____________________________

Activity

Path | Type | Status
C:\Users\paul.MOONEYGREEN\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\deciicgeolaocjpmidpoicgpmdadflgh\1.0.3_0\scripts\tracker.js | File | Repaired

Maybe that means Norton 360 has adjusted and it’s now fixed? We shall see.

In the article I posted there was an annotation that what I will quote here in "" could be the issue.
C:\Users\paul.MOONEYGREEN\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\deciicgeolaocjpmidpoicgpmdadflgh\1.0.3_0\scripts"tracker.js" | File | Repaired

In the VirusTotal results that quoted “tracker.js” entry is NOT present. Please note that a “forbidden 403” error is also shown. That is normal for a non-Microsoft connection to see.
https://msedgeextensions.sb.tlu.dl.delivery.mp.microsoft.com/

That leads me to believe something Microsoft isn’t aware of is taking place. Edge updates only come from one source. Microsoft.

SA

Also that extension codec is not shown on my side as being present:
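The detection quoted in the thread points at one file inside an Edge extension's version folder (Extensions\<id>\<version>\scripts\tracker.js). The script below, an added example that is not from the thread, Norton or Microsoft, walks that folder layout, reads each extension's manifest.json to recover its name and the content scripts it injects, and reports whether the flagged file is actually on disk, so the alert can be tied to a named extension before deciding whether it is a false positive. It assumes the Default profile path under LOCALAPPDATA; the fixture it builds for testing is constructed and reuses only the extension id and path from the thread.

```python
import json
import os
import tempfile
from pathlib import Path

# Edge's unpacked extensions for the Default profile (assumed; matches the path quoted above).
EDGE_EXT_ROOT = Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft/Edge/User Data/Default/Extensions"


def inventory_extensions(ext_root, flagged_file="scripts/tracker.js"):
    """One record per <id>/<version> folder: manifest name (names starting with __MSG_ are
    locale placeholders resolved from _locales/), content scripts the manifest injects,
    and whether flagged_file (relative to the version folder) is present on disk."""
    records = []
    root = Path(ext_root)
    if not root.is_dir():
        return records
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue  # not an unpacked extension folder
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: still report the folder
            records.append({
                "id": ext_dir.name,
                "version": ver_dir.name,
                "name": data.get("name", "<unreadable manifest>"),
                "content_scripts": [js for cs in data.get("content_scripts", [])
                                    for js in cs.get("js", [])],
                "has_flagged_file": (ver_dir / flagged_file).is_file(),
            })
    return records


def build_sample_profile():
    """Constructed fixture, not real data: a temp Extensions folder laid out like the
    path in the thread, with a placeholder tracker.js and a made-up extension name."""
    root = Path(tempfile.mkdtemp())
    ver = root / "deciicgeolaocjpmidpoicgpmdadflgh" / "1.0.3_0"
    (ver / "scripts").mkdir(parents=True)
    (ver / "manifest.json").write_text(json.dumps({
        "name": "Constructed Sample Extension", "version": "1.0.3",
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["scripts/tracker.js"]}]}))
    (ver / "scripts" / "tracker.js").write_text("// placeholder, constructed for this example\n")
    return root
```

On the affected machine, call inventory_extensions(EDGE_EXT_ROOT) and look for the record whose id matches the one in the alert; its name and content-script list tell you which extension the quarantined file belongs to and what pages it runs on.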