NIS alerted me of an intrusion attempt from liveupdate.symantecliveupdate.com

Can someone help me understand this message from IPS, which says, "an intrusion attempt has been blocked from liveupdate.symantecliveupdate.com"?

[Attachment: Attack.jpg]


Hi Mountain_Cougar:

 

It appears that Norton detected the attempted installation of the Click Potato adware.  The xvidsetup.exe installation file is likely some sort of malware like a backdoor trojan (see here) that tried to install itself after you browsed to an infected webpage or tried to install some infected software.  Assuming Google Translate is working correctly, it appears that Norton blocked the installation and is reporting that no further action is required on your part.

--------

Windows Vista Home Premium 32-bit SP2 * NIS 2011 v. 18.6.0.29 * IE 9.0 * Firefox 8.0.0
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Hi lmacri, I know that NIS blocked Click Potato, but what I do not understand is how the IPS can say that "the name of the attacker is: liveupdate.symantecliveupdate.com". You can read this in the IPS report, under the paragraph which reads: action taken.

 

Regards

Hi Mountain_Cougar,

 

Can you check the Windows Hosts file and see if there is an entry there for liveupdate.com?  Let us know if you find that, or other entries that seem to be for security sites.
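
The check SendOfJive asks for can be scripted rather than eyeballed. The following is an added example written for this thread, not Norton's own tooling: it parses hosts-file text the way Windows does (one address followed by one or more names, `#` starting a comment) and flags any name that belongs to a security or update vendor, whatever address it is pinned to, since malware commonly maps such names to 127.0.0.1 to block updates or to an attacker's address to redirect them. The watch list of domain suffixes, the `HOSTS_PATH` default and both sample hosts files are constructed assumptions.

```python
"""Scan a Windows hosts file for entries that hijack or block security-vendor
domains.  Example code for this thread, not Norton's own tooling.  The watch
list, HOSTS_PATH default and sample files below are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed watch list: domains whose hijacking would blind updates or IPS.
WATCHED_SUFFIXES = (
    "symantecliveupdate.com",
    "liveupdate.com",
    "symantec.com",
    "norton.com",
    "windowsupdate.com",
    "microsoft.com",
)

# Default location of the hosts file on Windows (assumed %SystemRoot%).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def _is_watched(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched vendor domain."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def scan_hosts(text: str) -> list[Finding]:
    """Return suspicious mappings found in hosts-file text.

    A watched domain is reported regardless of the address it maps to
    (127.0.0.1 blocks updates, anything else redirects them).  Other names
    mapped to a non-loopback address are reported as informational so the
    user can confirm they are intentional (e.g. an intranet server)."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address with no host name
        address, names = fields[0], fields[1:]
        for name in names:
            if _is_watched(name):
                findings.append(Finding(line_no, address, name,
                                        "security/update domain pinned in hosts file"))
            elif address not in LOOPBACK and name.lower() not in LOCAL_NAMES:
                findings.append(Finding(line_no, address, name,
                                        "non-loopback mapping (verify it is intentional)"))
    return findings


def scan_hosts_file(path: str = HOSTS_PATH) -> list[Finding]:
    """Read the hosts file at path (system default assumed) and scan it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_hosts(fh.read())


# Constructed sample: the stock Vista hosts file as posted in this thread.
CLEAN_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
"""

# Constructed sample of a tampered hosts file (addresses are documentation ranges).
HIJACKED_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 liveupdate.symantecliveupdate.com   # blocks LiveUpdate
203.0.113.7 liveupdate.com www.symantec.com   # redirects to attacker
10.0.0.5 fileserver.corp.example              # legitimate intranet entry
"""

if __name__ == "__main__":
    for sample_name, sample in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(f"{sample_name}:")
        for f in scan_hosts(sample) or []:
            print(f"  line {f.line_no}: {f.address} -> {f.hostname} ({f.reason})")
```

Run `scan_hosts_file()` on the real machine to check the live file; the two embedded samples only show what a clean and a tampered file look like. The loopback entries for `localhost` are never reported, and a file containing only the stock Microsoft comments and those two lines produces no findings, which matches the "looks perfect" verdict later in the thread.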

Hello SendOfJive, this is my hosts folder:

 

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost


Hi Mountain_Cougar,

 

OK, no problem with the Hosts File - it looks perfect.

 

Do you have any weird toolbars or programs running?

 

Hi SendOfJive:

 

I know this doesn't sound logical, but is it possible for liveupdate.symantecliveupdate.com to be listed as the attacking site if the threat is detected during an Insight Network scan using the virus definitions hosted in the cloud (i.e., on the Symantec server)?

-------

Windows Vista Home Premium 32-bit SP2 * NIS 2011 v. 18.6.0.29 * IE 9.0 * Firefox 8.0.0
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Hi lmacri,

 

I'm not really sure what this is all about.  I don't know if there was a redirection to a malicious site, or if the IP address for symantecliveupdate.com is spoofed and really goes somewhere else.  I'm checking on some things in the meantime.

Hello once again.

 

I have no added toolbars in my browser, only the one belonging to Norton Internet Security. The only add-ons that I use in my browser (Firefox 8.0) are AdBlockPlus 1.3.10.

Thanks for the support; hopefully we can uncover the cause of this rare event.

 

Hi Mountain_Cougar,

 

A Symantec employee was kind enough to get back to me with some thoughts on this.  It is apparently a case of a DNS query being intercepted, sending you to a malicious site.  The address for liveupdate.symantecliveupdate.com was possibly spoofed.  DNS provides the numerical IP addresses to locate sites requested by their domain names on the internet.  Most likely, in this case, instead of being sent to an address for a LiveUpdate server as requested, your DNS query was hijacked and you were routed to clickpotato.tv, where the attack originated.  IPS recognized the threat and blocked it.

 

Incidentally, in case you are wondering what might happen if you ended up at a site pretending to be LiveUpdate, and it tried to download a fake Norton update, the answer is that the "update" would not install.  All update packages are digitally signed, and the authenticity of each update is verified by LiveUpdate in your Norton program before it can be installed.

Hello SendOfJive!

 

Thank you very much for providing reliable information obtained from a Symantec employee. Now I'm much more at ease and have no doubt about the safety of my system and the defensive capability of IPS.

Once again, thanks for taking on the job of talking to an employee who has first-hand information.

Hi Mountain_Cougar,

 

You're welcome.  I trust that this was just a one-time occurrence where you just happened to get routed to a malicious site.  Please let us know if you encounter this type of thing again, as this should be a rare event that you should not see too often.