Norton detects threat: Win32:Evo-gen [Trj] after upgrading Windows

Norton 360 for Windows
1

Received this message after upgrading to Windows Beta V.26120.4520 ge_release. We prevented your connection to tlu.dl.delivery.mp.microsoft.XXX because it’s a dangerous webpage. This is not a threat. Reported it to Norton. The URL needs to be added to your exclsuions.

2

@Murdoch First, that version of Windows is an insider build which Norton does NOT officially support BETA releases and other BETA software. Conversely, I have submitted the URL to Norton , Norton is showing this URL as safe: Note - What is the current version and build of Norton installed? How was this detected? Via webbrowser and an extension?

Malware CAN be a threat via legitimate links, in this case Norton isn’t showing that it is such.

SA

3

I have had the same issue. Windows Update will try to install a new build, then right at the end Norton pops up and says inetcpl.cpl is infected with Win32:Evo-gen [Trj].

Norton build 25.6.10221 (build 25.6.10221.939)

I have another PC with the same exact build, same exact Windows Update. It does not detect it as a threat.

They both DO run insider builds. Just odd how one detects it as a threat and not the other one. :man_shrugging:

4

@trongod In your case this appears to be Norton and its new Avast setup being over aggressive. Here is some AI generated information for you in that regard:

AI Overview

"Win32:Evo-gen [Trj]" is a generic detection used by some antivirus programs, like Avast and Norton, to identify potentially malicious files. It often flags files that exhibit characteristics similar to known trojans, but it’s not always a definitive indication of malware. False positives are common with this type of generic detection, especially with files generated by software development tools..

Here’s a breakdown:

  • Generic Detection:

“Win32:Evo-gen [Trj]” is a broad term used by some antivirus software to identify files that share traits with known trojans. It’s not a specific virus strain, but rather a classification for suspicious behavior.

  • False Positives:

Antivirus programs sometimes flag legitimate files, especially those generated by software development, as “Win32:Evo-gen [Trj]”. This can happen when the file’s structure or behavior resembles that of a known threat.

  • Developer Concerns:

Developers of software, particularly those using Visual Studio, have frequently reported issues with Avast and other antivirus software flagging their executables as “Win32:Evo-gen [Trj]”. This can cause problems with user installation and testing.

  • Possible Causes:

Some reports suggest that files under a certain size (e.g., under 1MB) are more likely to be flagged. Additionally, the way a program is built (e.g., using certain libraries or frameworks) can trigger this detection.

  • What to do:

    • Verify the file: If you suspect a false positive, you can upload the file to VirusTotal to scan it with multiple antivirus engines.

    • Report as false positive: If you are confident it’s a false positive, report it to your antivirus vendor.

    • Add an exception: If you trust the file and are sure it’s safe, you can add it to your antivirus’s exclusion list.

    • Seek expert advice: If you’re unsure, consult with a security professional or your development team.

SA