Hello,

Norton 360 Deluxe suddenly detects a Virus called Hacktool in many tools from NirSoft (https://www.nirsoft.net/).
I copied one entrance to the clipboard (I have the German version of Norton):

Dateiname: whoistd.exe
Name der Bedrohung: Hacktool
Vollständiger Pfad: D:\PortableApps\PortableApps\_WSCCPortable\NirSoft Utilities\whoistd.exe

____________________________

____________________________

Auf Computern ab 
14.11.2020 um 08:30:55

Zuletzt genutzt 
14.11.2020 um 08:30:55

Startobjekt 
Nein

Gestartet 
Nein

Art der Bedrohung: Virus. Programme, die andere Programme, Dateien oder Computerbereiche infizieren, indem sie sich einfügen oder anhängen.

____________________________

whoistd.exe Name der Bedrohung: Hacktool
Suchen

Viele Benutzer
Tausende Benutzer in der Norton Community haben diese Datei verwendet.

Schon länger bekannt
Diese Datei wurde vor 7 Monaten  veröffentlicht.

Hoch
Das Risiko dieser Datei ist hoch.

____________________________

Quelle: Externer Datenträger

____________________________

Dateiaktionen

Datei: D:\PortableApps\PortableApps\_WSCCPortable\NirSoft Utilities\ whoistd.exe Blockiert
____________________________

Dateiabdruck - SHA:
Nicht verfügbar
Dateiabdruck - MD5:
Nicht verfügbar
 

This affects 20 tools, so excluding them manually is very much work, because this requires multiple clicks for each application (the Norton UI is not user-friendly, not intuitive and has  a bad User Experience).

So, what now?

OLLI

NirBlog
The official blog of nirsoft.net
Antivirus companies cause a big headache to small developers.

https://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/

Thanks  -

Hello,

today I was able to download all tools, so Norton updated the signatures!
Thank you for sharing the link to https://submit.norton.com/

Best regards

OLLI

Okay
Thanks

Did not try, in case there is really Virus / Maleware in the Nirsoft tools.

OLLI_S:

Thank you, I will report some of the Nirsoft tools at https://submit.norton.com/

Curious, were you able to run NirSoft tools after excluding the extracted NirSoft package folder >
https://community.norton.com/en/comment/8493043#comment-8493043 

Thank you, I will report some of the Nirsoft tools at https://submit.norton.com/

OLLI_S:

I also contacted Nir Sofer and asked him why there is a virus found in his toold.
He replied:

No, it's not a bug in my tools, it's a bug in your Norton 360 software, you should contact them and request them to fix the problem.

Respond to incorrect Norton alerts that a file is infected or a program or website is suspicious 
https://support.norton.com/sp/en/us/home/current/solutions/kb20100222230832EN#:~:

Report a suspected incorrect detection to NortonLifeLock
https://support.norton.com/sp/en/us/home/current/solutions/v126152382

I also contacted Nir Sofer and asked him why there is a virus found in his toold.
He replied:

No, it's not a bug in my tools, it's a bug in your Norton 360 software, you should contact them and request them to fix the problem.

I will send him the article (see my last posting) and ask him if this DLL hijacking vulnerability might be the reason.

Regarding this article there are "DLL hijacking vulnerabilities in Nirsoft tools":
https://borncity.com/win/2020/04/16/dll-hijacking-vulnerabilities-in-nirsoft-tools/

So it seems correct that Norton blocks them.
But I am not a security expert that can be useful here or estimate the risk.

FWIW ~ Maybe, try... clear Norton History > temporarily disable Auto-Protect [SONAR Protection & Download Intelligence].   Security tab > Advanced

Download and Extract fresh NirSoft package to convenient location ... e.g., Desktop.  Add extracted NirSoft package folder to >

•  Items to Exclude from Scans

• Items to Exclude from Auto-Protect, Script Control, SONAR and Download Intelligence Detection

Excluding a file from the Norton scans reduce the level of protection of your computer and should be used only if you have a specific need. You should only exclude items if you are confident that they are not infected.

. https://support.norton.com/sp/en/us/norton-360/22.20.5.39/solutions/v3672136

Post back progress -
Lets hear from Community -