Norton 25.7.xxx products and files for OPSWAT

There have been posts/threads where many instances of Norton detections are being a wee bit too touchy: false positives, the firewall and the AV itself putting files into quarantine where they cannot be removed; the list is long and varied. Like the older 22.xx versions, where we were seeing two specific files, I am back to them once again, with suspicions, maybe. These should be the main focus of what all the extra-high detections are about. Below is a screenshot of where the two files are located and their names. In the older versions, removing these files actually corrected some of the issues being seen, but with each new patch release they were reinstalled again.

And opening the properties for the 64-bit version, I am presented with the following. These files are OPSWAT MDES SDK V4, both the 32- and 64-bit versions.

So then, let's have a look at what OPSWAT is and its enterprise uses. Critical-environment cybersecurity.

https://www.opswat.com/

And then we ask: is Norton partnered with, or a customer of, OPSWAT? The answer is most certainly YES! Other A/V vendors are as well.

https://www.opswat.com/partners/norton

https://www.opswat.com/docs/manac/nac-v8.0.7/knowledge-base/supported-anti-virus-products

The next question coming to mind is just what MDES, or MetaDefender Endpoint, is. It looks like a ton of Norton scans and other feature sets are being created with these services built in. Patch management, etc.

In conclusion, my boilerplate is that these services are directly connected to at least some of the over-reactive issues being seen in our installs. One has to wonder why corrective actions take so long to create and deploy; these, on my side, appear to be a part of that answer. Feedback is a MUST.

SA

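The post above identifies the two files by opening their Properties dialog one at a time. As an added example (not from the original poster, and not Norton's or OPSWAT's code), the PowerShell below does the same check across a whole install directory: it lists every DLL/EXE whose version resource mentions OPSWAT or MetaDefender, reads the PE header to tell the 32-bit from the 64-bit build, and reports the Authenticode signer so you can confirm the file is what it claims to be before removing anything. The install path is an assumption; the thread gives neither the folder nor the file names, so pass your own.

```powershell
# Added example, not from the original post. Enumerates files in $InstallDir
# whose version info names OPSWAT/MetaDefender/MDES, reports their bitness and
# Authenticode status. The default path is an assumption; adjust to your install.
param(
    [string]$InstallDir = "$env:ProgramFiles\Norton"   # assumed, not from the thread
)

function Get-PeMachine {
    # Read the PE COFF header Machine field: 0x14C = x86 (32-bit), 0x8664 = x64.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $null = $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)   # e_lfanew
        $peOffset = $br.ReadInt32()
        $null = $fs.Seek($peOffset + 4, [System.IO.SeekOrigin]::Begin)  # skip "PE\0\0"
        switch ($br.ReadUInt16()) {
            0x14C   { 'x86' }
            0x8664  { 'x64' }
            default { 'other' }
        }
    } finally {
        $fs.Dispose()
    }
}

function Find-OpswatComponents {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $text = "$($vi.CompanyName) $($vi.ProductName) $($vi.FileDescription)"
            if ($text -match 'OPSWAT|MetaDefender|MDES') {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Product   = $vi.ProductName
                    Version   = $vi.ProductVersion
                    Company   = $vi.CompanyName
                    Arch      = Get-PeMachine -Path $_.FullName
                    SigStatus = $sig.Status            # Valid / NotSigned / HashMismatch ...
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
        }
}

Find-OpswatComponents -Root $InstallDir | Format-Table -AutoSize
```

Run it from an elevated prompt, since vendor install folders are usually ACL-restricted. A file whose `SigStatus` is anything other than `Valid`, or whose `Signer` is not the vendor you expect, deserves a closer look before you decide it is a harmless SDK component; conversely, a validly signed component is evidence that it shipped with the product, which is consistent with the poster's observation that the files come back with every patch.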

So I had some free time and decided to download and install the MetaDefender Endpoint tools just for a look. Norton nabbed one of its processes during the installation. The install started.

Then Norton nailed one of its processes regarding PowerShell:

Once the install completed, there were tons of tools present, many of which mirror some within our Norton product.

There are tons of processes associated with the installation after it completes.

Removal of the suite was NOT a clean deal either. Removal via Windows left some remnant folders behind after the initial removal, which had to be removed. Manual removal and a reboot returned a clean boot.

Just wanted to put this information out for those interested to digest and maybe chime into the thread with observations and feedback.

SA


Maybe a part of the answer to the thread is that Norton has in place their own EDR (Endpoint Detection and Response), or is creating their own, within the broader spectrum of their internal services. IF that is indeed the case, it's absolutely great news. For those who aren't familiar with the term or what it's designed for, please read this article. It saves a ton of posting here lol.

**Feedback is a must, folks**

SA