I run Norton AV and Firewall with live update so I always have the latest definitions. I occasionally run a manual scan of the whole computer even though I have NAV running all the time and protecting automatically. Over the years I have never found a virus with the manual scan. Any virus has always been found by NAV as soon as it arrives in e-mail or a file. Yesterday, when I ran a manual scan, an infected file was found.

What I want to know is how this file came to reside on my computer with NAV running all the time. I did submit the file and question to Symantec.

Well, I did get e-mail back from Symantec which is quoted below: This does not answer my question as to how the infected file came to reside on my computer when I have NAV running all the time and always have the latest definitions????
There seems to be no way to get Symantec to answer a question like this without paying big bucks for phone support. It's unfortunate as I have been happy for years thinking NAV was preventing infections, but it seems to have failed big time here! I wonder what this Trojan would have eventually done if I had not just happened to run a manual scan of the whole computer yesterday?

---------------------------------
From Symantec:

filename: istinstall_si*****
machine:
result: This file is infected with Download.Trojan

Developer notes:
C:\Program Files\Norton AntiVirus\Quarantine\4CB4206C is a container file of type NAV_QUARANTINE
istinstall_si***** is non-repairable threat. NAV with the latest rapidrelease definition detects this. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest rapidrelease definitions. This file is contained by C:\Program Files\Norton AntiVirus\Quarantine\4CB4206C


.

 

That file was quarantined by Norton. That is probably what you have your system set to do with them. Delete the file like the note says.

 

It could be that the virus got on your computer before the definitions that detect it were loaded, then when you ran the manual scan with a newer definition file it caught it.

 

It's technically not a virus. It's a trojan horse. Here is a link describing it.
http://service1.symantec.com/SUPPORT...rc=bar_sch_nam

It'll explain why NAV might not catch it. It's really just a program (game, screensaver) that has code in it to download other trojans or viruses.

Here's how to remove it

http://securityresponse.symantec.com...ad.trojan.html

And if you look at the first link, it doesnt even mention NAV. It says that Norton Internet Security will detect it (as it tries to connect to the Net).

~J

 

This could be true....since a trojan is a program with malicous code in it (not a virus), the variations could be almost infinite, I dont think NAV or any other anti-virus could keep up. Thats why you should have a firewall. There are anti-trojan programs out there, but what they essentially do is monitor your ports (like you firewall does), detect programs that access them (again, like your firewall), and determine if its a trojan (you can do this manually).

~J

 

We DO have a firewall, (Norton) and it does block trojans almost every day. I guess it just missed this one.

Interestingly, I downloaded and ran a couple of spyware / malware detectors and found about 20 tracking cookies other than ones like FTE uses to recognize you when you go to this site. Also found a few other more disturbing things that I deleted.

 

Yes, but the problem I have with the situation is that neither NAV or Firewall detected this and allowed it to take up residence on my computer. We purchase these programs to stop just this sort of thing from ever getting on to the computer in the first place. It is great that my manual scan using NAV detected and removed the infection, but it never should have been there in the first place with both NAV and Firewall running! Am I being unreasonable in my expectations of these programs?

 

To be in a quarantine file it WAS detected and WAS placed in a safe place. Read the email you received. I can not see what you are upset about. Everything worked perfectly.

C:\Program Files\Norton AntiVirus\Quarantine\4CB4206C is a container file of type NAV_QUARANTINE

This file is contained by C:\Program Files\Norton AntiVirus\Quarantine\4CB4206C

 

I knew you had a firewall, as you said so in your first post. However the trojan most likely slipped through one of the many "holes" in Micro$oft's IE (through a port associated with IE, and therefore allowed by your firewall). IE is notoriously buggy, and vulnerable. Since its not a virus, and doesnt act like a virus, NAV probably wont detect it until Symantec becomes aware of that variation (which they obviously are now, as it quarantined it), and add it to there definitions. The trojan wont actually cause any harm to your system. It will try to download something that will cause harm, however, your firewall should stop that. So your programs are acting the way the way they are supposed to. I'm with you in that we spend money to keep these unwanted programs off of our computers, unfortunately, somebody, somewhere has to get the "first" version of a virus or trojan.

~J

 

Well, actually, I am not explaining it well enough I guess, but it really does not matter. NAV did not detect this trojan until I ran a MANUAL scan. That is not how things are supposed to work since I always have the latest updates and definitions and NAV is always running in automatic mode. My understanding is that this particular trojan does not arrive in an e-mail. One of the virus news groups said that you get this from an infected web site or by clicking on an ad at an infected web site.

Anyway, this morning when I started the computer a another file called "embioso***** tried to access the internet. My firewall stopped it, but NAV does not recognize this as a trojan, but Macaffe does. Maybe we need to have more than one virus protection program running at all times.

These trojans are disturbing as they are not technically viruses, but should still be kept off your computer when running virus protection software

 

Thanks. This is a good explanation and if correct makes a lot of sense in understanding how a trojan could get on to a computer with virus and firewall software running. As you say if the firewall is working correctly, it should prevent the program from accessing the internet. The problem, I guess is how fast new ones pop up. As I said in the other post,, the "embioso*****" file I found this morning is recognized by McAffee as a trojan (for a few months now), but Norton still does not find it when you run a scan.

 

You don't mention if you are on dialup or DSL/Cable modem access to the internet.
If you are dialup most all prevention you can do is your NAV AV & Firewall. If on
DSL/Cable modem access, you can add a low cost router ($49-$79) that sits
inbetween your DSL/CABLE & your PC and will be an additional layer of protection
from most all internet bad things... What the router will do is act as a hardware
firewall giving access to the internet with the IP address provided by your ISP,
and gives your PC it's OWN IP address between the router & it. One doesn't know
what the other one is, thus providing added protection. In addition it can provide multiple PC access to the internet from ONE DSL/Cable hookup with direct cable or wireless connection(s). I like the NetGear brand, but LinkSys & others work as well. Note: Virus definitions / Intenet Security updates still need to be done & spyware
software (Spybot 1.3 is excellant), as nothing is 100% in this business !! Good luck !

 

for what it is worth I use mcAfee all the time and never turn it off and I go to sites that have plenty of trojans and virus's all of the time and as you said nav usualy does catch them but they do slip through the cracks every now and then
ad aware by lavasoft and winpatrol our also good programs to have installed winpatrol is a great program to have running to keep out bho's and for most users the free version of it is all that you need the paid version just gives you more information on the file but has no effect on its protection I consider it a must have program just like ad aware and mcAfee but to help answer your question think of the trojan as being a program that comes in as a trusted file then alters itself once it is installed that is about the easiest way I know to explain it even though it is not real accurate it is the same principle

 

Your computer should have an automatic scan, similar to a manual scan set up for a specific time. Have you disabled that feature?

It is good to have more than one AV program but just use a manual scan with them.

You must be visiting a lot of "shady" sites in order to pick up those files. I am all over the web and do not get that type of thing. My son is all over also and does not get them either.

If you have a broadband connection use a router with a hardware firewall.

 

Thanks everyone. We do have a broadband connection so I will look into the router option. It sounds like this would enable us to have 2 computers on the connection which would be a big plus with 3 kids ages 10 - 17! I'm sure I will have questions about routers when I have the time to look into that.

I have spybot and lavasoft and they do detect different things. I will look at winpatrol also.