==================================
Submit a file or URL to Norton for review here
Were it my machine and I wanted reassurance.
I’d ask Malwarebytes Malware Removal Help Forums [here] to check my machine.
====================================
AI Mode
The file winlogon.exe is a critical and legitimate Windows system process responsible for user logon/logoff, loading user profiles, and handling the secure attention sequence (Ctrl+Alt+Delete).
However, malware often disguises itself by using the same name and placing the malicious file in a different location. The Win32:Malware-gen flag is a generic detection for suspicious behavior, which could indicate the file is indeed malware.
Steps to Verify the File
- Check the File Location: The legitimate winlogon.exe is only located in C:\Windows\System32\.
- Open Task Manager by pressing Ctrl+Shift+Esc or Ctrl+Alt+Delete and selecting Task Manager.
- Go to the “Details” tab (or “Processes” and expand “Windows processes” in newer Windows versions).
- Right-click on winlogon.exe and select “Open file location”.
- If it opens a folder other than C:\Windows\System32\ (e.g., a subfolder of C:\Users\ or C:\Windows\Temp\), the file is almost certainly malicious.
- Verify the Digital Signature (if possible):
- Right-click the winlogon.exe file in the C:\Windows\System32\ folder and select Properties > Digital Signatures tab.
- It should be signed by Microsoft.
- Use an Online Scanner (if suspicious): If the location is incorrect, or you are still unsure, you can upload the file to a service like VirusTotal for multiple antivirus engines to scan it.
Immediate Actions if Malware is Confirmed
If the file is confirmed to be in an incorrect location:
- Disconnect from the Internet: This prevents the malware from communicating with external servers.
- Boot into Safe Mode: This loads only essential drivers and services, which may prevent the malware from running and make it easier to remove.
- Run a Full Antivirus Scan: Use your installed antivirus software to run a full system scan. The Win32:Malware-gen detection means your AV has already found something, so make sure it takes the appropriate “clean” action.
- Use a Second-Opinion Scanner: Download and run a reputable anti-malware program like Malwarebytes (free version) as a second opinion, as different programs catch different things.
- Use Microsoft’s Malicious Software Removal Tool (MRT): Type mrt in the Windows search bar and run the tool for an additional scan.
Important: Do not attempt to manually delete the legitimate winlogon.exe file from C:\Windows\System32\ as this will cause your system to become unusable and crash. The infected system files need to be replaced by clean ones, a process your antivirus software handles, or a full system reinstall may be necessary in severe cases.
AI Mode may make mistakes
=========================================
AI Mode
The file winlogon.exe is a vital and legitimate Windows system process. The Norton 360 Win32:Malware-gen alert indicates Norton’s heuristic analysis found suspicious patterns or behaviors that are consistent with generic malware, suggesting two possibilities: the file is either legitimate but triggering a false positive, or it is a malicious file disguised with the same name.
Determine if the File is Legitimate
The most critical factor is the file’s location:
- Open Task Manager: Press Ctrl+Shift+Esc.
- Locate winlogon.exe: Go to the “Details” tab, right-click the process, and select “Open file location”.
- Verify the Path:
- Legitimate location: C:\Windows\System32\.
- Malware location: If the folder is any other location (e.g., C:\Users\, C:\Windows\Temp\, or a folder with a slightly different name like winlogin.exe), then it is malware.
- Check the Digital Signature: Right-click the file in C:\Windows\System32\, select Properties, go to the Digital Signatures tab, and confirm it is signed by Microsoft.
Actions to Take
If the file is malicious:
- Trust Norton 360: Allow Norton to quarantine or remove the file. Win32:Malware-gen is a generic detection, so the behavior warranted a flag.
- Disconnect from the Internet: This limits the malware’s ability to communicate or spread.
- Boot into Safe Mode: This can prevent the malware from loading and running, making it easier to clean.
- Run a Full System Scan: Perform a thorough scan with Norton 360.
- Use a Second-Opinion Scanner: Run a scan with another reputable, free anti-malware program like Malwarebytes to ensure comprehensive removal.
If the file is legitimate (in C:\Windows\System32\ and signed by Microsoft):
- Confirm a False Positive: You are likely experiencing a false positive, where Norton’s heuristic analysis flagged a legitimate system process.
- Ensure Norton is Updated: Run Norton LiveUpdate to get the latest virus definitions, as an older definition might be the cause of the false positive.
- Submit to Norton Labs: If the issue persists with up-to-date definitions, you can submit the file as a false positive report to Norton via their official community forum or submission link.
- Exclude the File (Use Caution): Only if you are 100% certain the file is legitimate, you can add an exclusion in Norton 360 settings, but this is generally not recommended for critical system files unless you are an advanced user.
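The location, signature and hash checks that both AI Mode answers above describe by hand, as an added PowerShell example that is not part of the forum thread or of either answer. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11 (non-elevated sessions cannot read the image path of protected processes); $ReferenceSha256 is a placeholder for a hash you obtained yourself from a known-clean machine on the same Windows build, since the hash of winlogon.exe changes with every build and cumulative update.

```powershell
# Added example, not from the forum post. Verifies every running winlogon.exe
# by image path, Authenticode/catalog signature and SHA-256, then looks for
# stray copies of the file outside the Windows servicing directories.
# Run from an elevated PowerShell prompt.
param(
    # Placeholder (assumption): SHA-256 of winlogon.exe from a clean machine on
    # the SAME build. Leave empty to only print the hash for manual comparison.
    [string]$ReferenceSha256 = ''
)

$expectedDir = Join-Path $env:SystemRoot 'System32'

# 1. Enumerate running winlogon.exe processes and resolve their image paths.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'"
if (-not $procs) { Write-Warning 'No winlogon.exe process found; unexpected on a live session.' }

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    Write-Host ("PID {0}: {1}" -f $p.ProcessId, $path)

    # 2. Location check: must be %SystemRoot%\System32\winlogon.exe.
    $inSystem32 = $path -and ((Split-Path $path -Parent).TrimEnd('\') -ieq $expectedDir)
    if (-not $inSystem32) {
        Write-Warning "  Image is not in $expectedDir; treat as suspicious."
        continue
    }

    # 3. Signature check. System binaries are usually catalog-signed, so the
    #    Explorer 'Digital Signatures' tab may be absent; this cmdlet checks the catalog.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    Write-Host ("  Signature: {0}, type {1}, OS binary: {2}" -f $sig.Status, $sig.SignatureType, $sig.IsOSBinary)
    Write-Host ("  Signer:    {0}" -f $subject)
    if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
        Write-Warning '  Not a valid Microsoft signature.'
    }

    # 4. Hash check against a reference from the same build (if supplied).
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Host "  SHA256:    $hash"
    if ($ReferenceSha256) {
        if ($hash -ieq $ReferenceSha256) { Write-Host '  Hash matches reference.' }
        else { Write-Warning '  Hash differs from reference (different build/update, or tampering).' }
    }
}

# 5. Look for extra copies of winlogon.exe outside System32 and WinSxS (the
#    component store keeps legitimate copies). Each extra copy is signature-checked
#    so a servicing leftover is not reported as malware outright. Slow on large drives.
Get-ChildItem -Path $env:SystemDrive -Filter winlogon.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\Windows\\(System32|WinSxS)\\' } |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        Write-Warning ("Extra copy: {0}  (signature {1})" -f $_.FullName, $s.Status)
    }
```

The point both answers only hint at: the Explorer Properties dialog shows a Digital Signatures tab only for files with an embedded signature, and current Windows system binaries are typically catalog-signed, so an empty or missing tab on a legitimate winlogon.exe is normal. Get-AuthenticodeSignature consults the catalog (SignatureType Catalog, IsOSBinary True) and is the check to rely on. A hash is only meaningful against a reference taken from the same build and update level.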
=======================================
AI Mode
To submit a false positive report to Norton, you must use their official online Norton Submission Portal. This allows their security team to analyze the file and update their virus definitions if necessary.
Steps to Submit a False Positive
- Verify it is a false positive: First, confirm the winlogon.exe file is indeed in the correct, legitimate location: C:\Windows\System32\. Do not submit a file that is in an unusual location.
- Go to the Norton Submission Portal: Navigate to https://submit.norton.com/ in your web browser.
- Select your product version: The portal will ask you to select your Norton app version (e.g., Norton 360, version 24.x or newer). You can find this information by opening your Norton product and going to Help > About or Settings > About.
- Choose the submission type:
- Click on “URL and File Submission” (for newer versions) or “File Submission” (for older versions).
- Select “Open submit form” under the “False positive” option.
- Fill out the form:
- Enter your email address.
- Select “File” in the top panel.
- Provide the Detection name (Win32:Malware-gen) and the Alert ID (found at the bottom of the Norton alert pop-up).
- Add a description explaining that this is the legitimate winlogon.exe located in C:\Windows\System32\ and you believe it is a false positive.
- Upload the file:
- You will need to browse for the winlogon.exe file in the C:\Windows\System32\ directory.
- To meet submission guidelines, you may need to place the sample file within a ZIP or RAR archive.
- Crucially, the archive must not be password-protected.
- Uploads can be a maximum size of 500 MB.
- Submit the report: Tick the reCAPTCHA box and click “Submit”.
What Happens Next
- The submitted file will be analyzed by Norton’s security research team.
- They aim to address the issue and release updated definitions within approximately 48 hours.
- You can check the status of your submission using the Request ID provided after submission.
- Ensure your Norton product has the latest definition updates by running LiveUpdate periodically, as the issue may be resolved automatically with an update.
=================================
fwiw ~ from my W11 25H2
C:\Windows\System32\winlogon.exe
File: winlogon.exe
File size: 936 KB (958,464 bytes)
SHA256 checksum: CACBB90ADFC073FAFC8E1036F39EBC5148B7BCE1E97BC882211D53667DE528E3
Date/Time: 11/8/2025

