Threat detected and then secured and then redetected again from an extension in Google Chrome

Hello Norton Community.

I’m here because I would like some help (?) with something.

Today (30/08/2025), while doing my ordinary weekly full scan, Norton 360 found a threat and secured it.

You might say, great, so nothing to worry about, except that the said threat keeps coming back.

The file name is “_ruleset6”; there’s no .exe behind it, it’s literally a blank file within the extension folder of Chrome. Path being: C:\Users\”User Name”\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddkjiahejlhfcafbddmgiahcphecmpfh\2025.825.1605_0_metadata\generated_indexed_rulesets.

At some point I thought… why does it keep coming back whenever I turn Chrome on? Then I tried going to the said file location, where I found MANY other little files named in a similar fashion, _ruleset# (#=a number to the rule?), so going like ruleset1, ruleset2, ruleset3, etc…

After a little while I realized that this was the folder that basically contains stuff from uBlock Origin Lite.

The threat is seen as an ELF[MiraiDab] by Avast, Norton and other antiviruses alike. Some people have already even posted info about it on the uBlock Origin Lite Chrome store page, stating that this is a ruleset file for the adblocker to know what to block and that it has been flagged by many other antiviruses as a threat for 5 days (5 days ago uBlock Origin Lite received an update too), so some of these users said it’s a false positive…

I’m no great computer IT tech dude, my stuff is mechanics and making cool watches 🙂

So, please, could anyone have any potential info about it? Should I be worried? Can I still use my Chrome to go browsing around? I mean, I never go anywhere fishy on the internet… probably the most fishy I can go is Twitter/X.

The file has been quarantined, but since all it takes is for me to launch Chrome, and of course with the auto update on, the file comes back…

I also saw that a different file named “_ruleset18” is being seen the same way by different antiviruses, while Norton sees it as a clean file…

I uploaded the file to Norton for analysis, but while waiting, what should I do? Do you guys think it’s safe for me to keep going with my browsing? Or should I turn off uBlock Origin Lite for now?

Any insight will be greatly appreciated.

2 Likes

Well, while waiting for a kind soul to give me any possible info or advice, I decided to turn off uBlock Origin Lite and I reactivated my Adguard adblocker as a backup solution. This way the file doesn’t come back while I wait for an update from either Norton (since I sent the file for analysis) or maybe an update to the antivirus or even an update for uBlock Origin Lite to fix it. People are starting to go crazy on their webstore page in Chrome…

1 Like

If I were you, I would probably use Microsoft Edge or Firefox until you have an answer, just to be on the safe side, but since it is in quarantine nothing should happen.

The issue is not the browser, the issue is the extension. And also uBlock Origin along with uBlock Origin Lite have a very good reputation as adblockers; they are probably the best or one of the best free adblockers there is. The chances of it being a false positive are very high. Besides, it’s also happening with Firefox, so… probably the best way is what I said: for now disabling it, and using something else while waiting for a response from anywhere (either the author of the adblocker or Norton approving it to be a false positive).

Still, thank you for taking your time to write your advice.

If I were you, use the VPN in Norton 360; there is an ad block in it.

I don’t have Norton VPN, and the VPN inside Norton 360 is not on the same level. It’s just a normal VPN with tracker blocking capabilities.

Also, some testers already reviewed it: the Norton VPN (paid one) doesn’t stop all ads, there are some intrusive ones that still bypass it, and also some of the websites I visit are now banning people that use a VPN on them… so I don’t really want to get myself banned.

The Norton VPN is in Norton 360 if you have Standard at minimum, and the Norton 360 VPN is way better than you think. It is possibly the fastest there is, with a speed of over 2gb and minimum 60 in upload if you set it to the closest there is, so what it lacks in other than security you get in speed that is better than Nord VPN and more; they can’t get that fast. It takes some time but it can do it.

It’s the same on my machines, but I trust uBlock Origin and have excluded the file.

VPN reduces my network speed.

1 Like

Thanks for your kind reply!

Well, I don’t fully trust anything ever until proven otherwise. So for my security, I always have 2 adblockers: 1 I leave activated at all times, and the other one deactivated on standby in case the activated one starts doing a poor job or has some update issues, like a few months ago when Adguard adblock was bugged and wouldn’t allow me to join some of my games’ websites.

Put simply, what I did to prevent any further issue with my Norton is, for now, I turned uBlock Origin Lite off, then proceeded to run a full scan, had it delete the suspicious file (since it already had 1 in the quarantine), then tried to do an update to see if, while the adblock extension is disabled, it would redownload it anyway, which it didn’t. So, good for me: when an extension is disabled, Chrome does not update it, either manually or automatically. After that I simply activated Adguard adblocker again and sent the suspicious file to Norton for analysis.

And as you said, the VPN does slow our network (like any VPN, more precisely…), but there’s a mistake in some people’s knowledge about the VPN within the Norton 360 product. The one within the Norton 360 product doesn’t block ads, it blocks trackers, and it does a mild job at that. For full tracker blocking Norton has Norton Anti-track; this one does the full job. Same for VPN: Norton has its paid version named Norton VPN, which does have adblocking features in it and also malware blocking directly within your browser as you go browsing. That being said, some reviewers said the VPN and malware functions of it are great, but the adblocking abilities of it are still not on par with a true adblocker… plus now with this Online Safety Act that doesn’t safeguard anything and only adds more dangers, some websites have started banning the use of VPNs… if you use one, you get banned from the website and I don’t want that. I only use my VPN when I want to watch something on Netflix or Prime or Crunchyroll whenever I can’t find it in my region…

Anyway, I honestly think it’s a false positive at a 99% rate, but I prefer to play it safe than be sorry later.

By the way, try sending them the quarantined file too; it could speed up the process of analysing and giving us any updates!!

May be related: Google shifted to Manifest 3 earlier this year and blocked uBlock Origin in the process. If you still use Chrome version 133.0.6943.127 it will still function.

Here is an option for you:

SA

1 Like

Thanks for your reply.

Your insight is more or less of the mark, I think.

This issue started 5 days ago and it happened to me only 2 days ago. And 2 days ago, from what I could gather as info, the dev for uBlock Origin Lite, which works as the successor and replacement for uBlock Origin from before Manifest V3 hit live.

My take is, he probably made a file for a rule and somehow it’s triggering AVG and Norton, which is not surprising since now both are from Gen technologies.

I’m still waiting to see what Norton says about the said file, but so far, someone in the comment section for uBlock Origin Lite said it was a false positive and that the hash was not something dangerous… I’m not really into that much IT stuff, but if I correctly understood, he put the file on VirusTotal to analyse it and could understand the “hash” of it? Whatever that is…

That being said… I’ll keep on waiting for Norton’s response, and well, so far Adguard is a very pleasing replacement… guess they did work hard on it… it used to be very buggy…

1 Like
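An added example, not part of any post in this thread: a read-only Python check that lists each `_ruleset*` file in a folder with its SHA-256 (the value that can be searched on VirusTotal) and whether the file starts with the four-byte ELF header that a real Linux executable has. The function names and the sample files are constructed for illustration; to check real files, pass `triage_rulesets` the `generated_indexed_rulesets` folder named in the first post.

```python
import hashlib
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF executable


def triage_rulesets(folder):
    """Return name, size, SHA-256 and an ELF-header flag for each _ruleset* file."""
    report = []
    for path in sorted(Path(folder).glob("_ruleset*")):
        if not path.is_file():
            continue
        data = path.read_bytes()  # read only; nothing is executed or modified
        report.append({
            "name": path.name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_elf": data[:4] == ELF_MAGIC,
        })
    return report


def demo():
    """Run the triage over constructed sample files (not real uBlock Origin Lite data)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed: a data file that only contains the text "ELF" somewhere inside
        (Path(tmp) / "_ruleset6").write_bytes(b"\x00\x01rules ELF data\x00")
        # Constructed: a file that really begins with an ELF header
        (Path(tmp) / "_ruleset_elf_sample").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        # Not a ruleset file, so the glob skips it
        (Path(tmp) / "unrelated.txt").write_bytes(b"ignored")
        return triage_rulesets(tmp)


if __name__ == "__main__":
    for row in demo():
        kind = "ELF header present" if row["is_elf"] else "no ELF header"
        print(f'{row["name"]:20} {row["size"]:6} bytes  {row["sha256"]}  {kind}')
```

A missing ELF header does not by itself prove a file is clean, but together with the SHA-256 it is useful detail to include in a false-positive submission.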

Thanks for the post back, let us know what the results are from the Norton submission please.

SA

Just confirming that I’m seeing the same detection of ELF:Mirai-DAB in the UBO Lite ruleset6. But only on scans - it is not being detected by Norton on download when UBO Lite downloads a new copy of the file on launch after Norton has quarantined the previous copy.

I’ve also reported the false positive to Norton.

I have also reported a false positive detection.

@kencl @Dietmar_P Does removal of UBO and install of UBO lite correct the issue with Manifest 3?

SA

Yes. I moved from UBO to UBO Lite earlier this year when Chrome changed to manifest 3. That’s been working fine until this false positive issue. Looks like I received an update to the UBO Lite ruleset6 on August 29th - that seems to have triggered the detection by my Norton full scan yesterday (August 31st).

1 Like

Thank you for the feedback.
SA

It was exactly the same with my installations.

1 Like

Looks like the issue is resolved. I received updates of all the UBO Lite rule sets at 12:42 today (UK time) and _ruleset6 now scans OK with Norton - zero malware detections reported.

Meantime I had installed the basic free version of Malwarebytes to perform a “second opinion” scan and that also detected no malware in _ruleset6. But I did the Malwarebytes scan before I realised that the rule sets had been updated. Unfortunately, I no longer have a copy of the previous version to test with Malwarebytes to check if that would have given the same detection as Norton.

Having checked again, the update at 12:42 was not just the rule sets - it was a full UBO Lite update to version 2025.831.1814.

1 Like