Quarantining and deleting "adware.lop" from a CD?

Hi, first post to the community, and I'm hoping someone can help me put this question to rest. I had Norton 360 on my old laptop. A friend gave me a copy of Google Sketchup Pro 7 on a CD (I'm assuming it was shareware). When N360 scanned the disk, it said it found adware on the d: drive (CD-ROM) which it then proceeded to quarantine and remove. This is what File Insight said it found:

 

google.sketchup.pro.7.1.4871.0-ismail.exe (Adware.Lop)

 

So, if the file was never installed on my c: drive, how did N360 remove it, and could the file have done anything to my computer without actually being installed? I'm imagining that this is exactly what N360 is supposed to do, in order to prevent getting the supposed adware on your computer in the first place, yes? File Insight also reports "launched" in relation to this, but as I said, I never installed sketchup on my laptop. Also, File Insight reported a number of registry actions that it either removed or repaired. Since the program was never actually installed on my laptop, could this just be the way N360 handles a risk it finds on a CD?

 

Afterward, I downloaded the free version of Malwarebytes, and it found two registry changes which appear to have been related to N360 being installed:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify

 

Not really worried about those (unless I should have been), and never observed any bad behavior on the part of my old laptop. Also never saw anything else in any scan performed by N360 after the incident with the CD. Finally, I checked Virus Total; it does report that Symantec identifies this file as adware, while other scanners such as Avast and Kaspersky do not (other scanners seem to think the sketchup file is something else like Artemis, HackTool, or a Trojan). Is it also possible that this was a false positive?

 

Any information is appreciated!

Delphinium,

Thanks for the info on the registry keys (that pretty much confirms what I was thinking already). How about the quarantine and removal from the CD? Should I be worried if I never actually opened or installed Google Sketchup from the CD?

 

Thanks!

Hi jimsam9,

 

Can you check Norton Security History for Resolved Security Risks, Unresolved Security Risks and Quarantine to see if the threat is contained in any of those.  It is not possible to remove a file that is on a CD.  Was all of this the result of a scan, or did Auto-Protect block the file?  It is possible that autorun was enabled and the file was launched without any action on your part.  Sometimes the list of registry changes reported are those that are associated with the threat and will be listed even if they did not actually happen in your particular case.  As you can see, there are a lot of loose ends, so a bit more information on what happened and the current status of the threat would be helpful.
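A read-only way to check two points raised in this thread, as an added example that is not part of the original post: whether AutoRun is disabled for CD-ROM drives (bit 0x20 of the standard Windows `NoDriveTypeAutoRun` policy value), and whether the two Security Center notification values that Malwarebytes flagged are set. `Get-RegValue` is a helper name made up for this example.

```powershell
# Added example: read-only registry checks, nothing on the system is changed.

# Bit 0x20 of NoDriveTypeAutoRun disables AutoRun for CD-ROM drives.
$CdRomBit = 0x20

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1. AutoRun policy. The machine-wide (HKLM) value takes precedence
#    over the per-user (HKCU) one when both are present.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    $mask = Get-RegValue -Path $key -Name 'NoDriveTypeAutoRun'
    if ($null -eq $mask) {
        "{0}: NoDriveTypeAutoRun not set (OS default applies)" -f $key
    } elseif ($mask -band $CdRomBit) {
        "{0}: 0x{1:X2} -> AutoRun disabled for CD-ROM" -f $key, $mask
    } else {
        "{0}: 0x{1:X2} -> AutoRun allowed for CD-ROM" -f $key, $mask
    }
}

# 2. Security Center notification values named in the first post.
#    A value of 1 means Security Center alerts for that component are suppressed.
$securityCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify') {
    $value = Get-RegValue -Path $securityCenter -Name $name
    if ($null -eq $value) {
        "{0}: not present" -f $name
    } elseif ($value -eq 1) {
        "{0} = 1 (alerts suppressed)" -f $name
    } else {
        "{0} = {1} (alerts enabled)" -f $name, $value
    }
}
```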

SendOfJive,

Thanks for the quick reply. This was found as a result of a scan, and I don't think it was an autorun issue. The file is listed under Resolved Security Risks, it did not appear under Unresolved Security Risks, and it does show up under Quarantine where its status is "quarantined", and the recommended action is "resolved - no action".

 

Does that help?

Hi jimsam9,

 

Quarantine actually contains a copy of the malicious file.  Chances are, Norton would not be able to remove the original file from a CD, as it would on a hard drive, so it may continue to see it and block it on the CD.  The enumerated registry changes are probably not actual - Norton does tend to list changes that have been associated with threats that it has quarantined, rather than changes that were actually detected on the system.

So, since I never actually installed the program (I got scared when N360 found the purported adware and decided not to use Google Sketchup just in case), my machine is probably OK, yes?

jimsam9 wrote:

So, since I never actually installed the program (I got scared when N360 found the purported adware and decided not to use Google Sketchup just in case), my machine is probably OK, yes?


Yes, I would say you are fine.  Since Norton was able to detect the threat in a scan, Auto-Protect would also have blocked it had it tried to run, which it did not do.  If the installer never ran you could not be infected, anyway.  Kudos to you for thinking to scan the CD first before launching the program.  That's always a smart thing to do.

 

SendOfJive,

Thanks for all the help (you too, Delphinium!). You have helped put my mind at ease. I really appreciate the speedy replies!

 

Jim