Request for Assistance with Norton 360 Antivirus False Positive Detection

Dear Norton Support Team,

I hope this message finds you well. I am writing to seek assistance regarding a false positive detection issue that we have encountered with Norton 360 Antivirus.

Our software installation package has been identified as a false positive by Norton 360, and the antivirus software has automatically removed the installation package from our users' systems. While we understand the importance of security measures to protect users from potential threats, our software is a legitimate and trusted application that should not be categorized as malicious.

We attempted to resolve this issue by submitting a false positive report through the Norton website at https://submit.norton.com/?type=FP. However, we have encountered a limitation with the submission process. The form restricts file submissions to a maximum of 90MB, and our software installation package exceeds this size limit. As a result, we are unable to submit the necessary information and files to address this false positive detection.

We kindly request your assistance in resolving this matter promptly. Our software is essential to our users, and the false positive detection is causing unnecessary inconvenience and disruption. We are committed to ensuring that our software is free from any security concerns and complies with all industry standards.

To help us address this issue effectively, we request the following:

  1. Provide an alternative method for submitting false positive reports, which can accommodate files exceeding 90MB in size.

  2. Expedite the review process for our case, as our users rely on our software for their day-to-day activities.

  3. Work with us to whitelist or exclude our software installation package from future false positive detections in Norton 360.

We understand the importance of maintaining a secure environment for all Norton 360 users and appreciate your efforts in ensuring this. We believe that with your assistance, we can resolve this matter and prevent further false positive detections.

Please feel free to reach out to us for any additional information or clarification regarding our software. We are committed to cooperating fully to rectify this situation promptly.

Thank you for your attention to this matter, and we look forward to a swift resolution.

Sincerely!

We have removed the detection of the Walnut Coding software from our products. @huanggaomin please let us know if you experience any other issues.

Filename: Walnut Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe
Full Path: C:\Users\user\Desktop\Walnut Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe

Developers 
MATRIX LEARNING TECH PTE. LTD.

Version 
2.0.8.0

Identified 
10/28/2023 at 5:22:06 PM

Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 11 days  ago.

Trusted
Norton has given this file a trusted rating.

Source File: 
Walnut Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe

File Thumbprint - SHA:
b65392bd2aa57afe1dfa824773c46491dac0c00d63b92308dcf7fea068495ae9
File Thumbprint - MD5:
f32fcca8262b30a644e9d204ad760deb
 


Hello @huanggaomin, thank you for reporting the detection and providing the download link. We are looking into it and will keep you updated here.

@bjm_ thank you for all your work above, appreciated yes

Filename: Walnut Coding.exe
Full Path: C:\Users\user\drive\C\hetao\walnutcoding\Walnut Coding.exe

Developers 
MATRIX LEARNING TECH PTE. LTD.

Version 
0.41.3.0

Identified 
10/28/2023 

Last Used 
10/28/2023 

Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 11 days  ago.

Good
Norton has given this file a favorable rating.

Source File: 
Walnut Coding.exe

File Thumbprint - SHA:
6a093ab4ea5582c104f027b122ee192ed8674ed9e430fab261974f62ea1922a2
File Thumbprint - MD5:
7fb9aefb14bef410c1d8e609bfe53b30

VirusTotal [here]
--------------------------------------

IP Abuse Reports for 47.245.105.193
ISP Alibaba Cloud LLC
Usage Type Data Center/Web Hosting/Transit
Domain Name alicloud.com
Country Singapore
City Singapore, Singapore

This IP address has been reported a total of 236 times from 137 distinct sources. 47.245.105.193 was first reported on May 26th 2023, and the most recent report was 3 months ago.

Old Reports: The most recent abuse report for this IP address is from 3 months ago. It is possible that this IP is no longer involved in abusive activities.

https://www.abuseipdb.com/check/47.245.105.193

-------------------------------------

52.76.85.154 
ISP Amazon Technologies Inc.
Usage Type Data Center/Web Hosting/Transit
Hostname(s) ec2-52-76-85-154.ap-southeast-1.compute.amazonaws.com
Domain Name amazon.com
Country Singapore
City Singapore, Singapore

----------------------------------------


Filename: Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe
Full Path: C:\Users\user\Desktop\Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe

Developers 
MATRIX LEARNING TECH PTE. LTD.

Version 
2.0.8.0

Identified 
10/28/2023 at 12:55:37 PM

Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 11 days  ago.

Poor
There are some indications that this file is untrustworthy.

Source File: 
Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe

File Thumbprint - SHA:
b65392bd2aa57afe1dfa824773c46491dac0c00d63b92308dcf7fea068495ae9
File Thumbprint - MD5:
f32fcca8262b30a644e9d204ad760deb

VirusTotal [here]

-----------------------------


 

https://u3d-update-sg.wntss.com

domain wntss.com does not resolve
https://safeweb.norton.com/report/show?url=wntss.com = Caution => Suspicious

https://safeweb.norton.com/report/show?url=https://u3d-update-sg.wntss.com = Caution => Suspicious

domain u3d-update-sg.wntss.com resolves to IP address 18.164.124.34
https://www.virustotal.com/gui/ip-address/18.164.124.34/detection

A MD5 or SHA256 hash of the file is required. The file can not be larger than 90MB and must exist in virustotal (virustotal.com)

Submission failed
Hash submissions require the file to exist on Virus Total: https://www.virustotal.com
Hash must be a MD5 or a SHA256 of the file
Please make sure all fields are correct and that the file is not larger than 90MB

---------------------------------------

Submission failed
URL submissions require the file to be available without any username / password
It must be a direct download URL
Please make sure all fields are correct and that the file is not larger than 90MB

---------------------------------------

@huanggaomin

file is known to VirusTotal [here]
file size [File size: 249 MB] as you noted is issue 

We'll try to call attention:

as you noted:

'Upload a file' =
Submission failed
Please make sure all fields are correct and that the file is not larger than 90MB


I'll try 'file hash'....file has to be known to VirusTotal 

Submission failed
Hash submissions require the file to exist on Virus Total: virustotal.com
Hash must be a MD5 or a SHA256 of the file

-----------------------

Edit: trying to get file known to VirusTotal

https://www.virustotal.com/gui/file/b65392bd2aa57afe1dfa824773c46491dac0c00d63b92308dcf7fea068495ae9

I'm seeing WS.Reputation.1 detection
WS.Reputation.1 may clear after Norton gathers more telemetry

Filename: Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe
Threat name: WS.Reputation.1
Full Path: C:\Users\user\Desktop\Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe

On computers as of 
10/28/2023 at 12:44:03 PM

Last Used 
10/28/2023 at 12:46:04 PM

Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe

Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe
Threat name: WS.Reputation.1

Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 11 days  ago.

Medium
This file risk is medium.

https: //u3d-update-sg.wntss.com/overseas_v1/20231015/Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19. exe
Downloaded File  from wntss.com
Source: External Media

Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe

File Actions

File: C:\Users\user\Desktop\Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe Removed

File Thumbprint - SHA:
b65392bd2aa57afe1dfa824773c46491dac0c00d63b92308dcf7fea068495ae9
File Thumbprint - MD5:
f32fcca8262b30a644e9d204ad760deb

----------------------------

VirusTotal = No matches found

File: Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe
File size: 249 MB (261,136,096 bytes)
MD5 checksum: F32FCCA8262B30A644E9D204AD760DEB
SHA256 checksum: B65392BD2AA57AFE1DFA824773C46491DAC0C00D63B92308DCF7FEA068495AE9
Date/Time: 10/28/2023 

------------------------------

Were you able to submit at https://submit.norton.com/?type=FP with direct download URL or file hash? 
Do you have Submission ID?

Okay, I'll try to reproduce...my side.

Were you able to submit at https://submit.norton.com/?type=FP with direct download URL or file hash? 

You can download our software directly from this link.

https://u3d-update-sg.wntss.com/overseas_v1/20231015/Walnut+Coding_win32_2.0.8.0_Setup_2023.10.15_15.01.19.exe

Our customer reported this event with the screenshot below.

20231028-204433.jpeg

Report a suspected incorrect detection to Norton
https://support.norton.com/sp/en/us/home/current/solutions/v126152382

Submit a file to Norton
https://support.norton.com/sp/en/us/home/current/solutions/kb20090602171902EN

Respond to incorrect Norton alerts that a file is infected or a program or website is suspicious
https://support.norton.com/sp/en/us/home/current/solutions/kb20100222230832EN


Please tell us what Norton is telling you regarding this event.
For information regarding this event > from Norton pop-up > View Details > Copy to Clipboard and/or from Norton history > More Options > Copy to Clipboard > paste here.

For second opinion choose File and/or Search hash at VirusTotal
Is the file known to VirusTotal?
Is the file free and publicly available?
Is the file signed?

Maybe, you can provide direct download URL or file hash.
for example: