tansqrx
Jun 2 2006, 12:50 AM
I have a quite unique problem regarding Norton AV and viruses. I do software security research as a hobby. As such, I routinely harbor various “hacktools”, keyloggers, exploit code and viruses on my machine. My problems began when I installed Norton Systemworks 2006. As usual, Norton AV did a full system scan. This time, however, I forgot to dismount my virus directory and lost several years' worth of downloads and research. This did not hurt that bad since I had all the viruses backed up, but it pissed me off nonetheless. What really irritates me to no end, though, is that Norton tries to delete certain “hacktools” from the system without warning. This includes Cain and Abel, netcat, and even nmap. I DO NOT WANT THESE DELETED! They are very legitimate tools for my machine and I need them to do my research. Besides, I have no idea why nmap or netcat would be considered a hacktool; they both have very valuable non-hacker uses. Does anyone know how to take care of this annoyance? If not, what general system suite would you recommend? I like Norton for the high level of protection and frequent AV definitions. It has gotten me out of sticky situations when surfing into the underbelly of the Internet. I hate to lose it, but Symantec is starting to leave me no choice.
abhiram
Jun 2 2006, 01:53 AM
Believe it or not, I've had the same problem once. It's quite easy to overcome: you just tell Norton which folders not to scan and also set the virus detection mode to 'Always ask me what to do'. I'm using Norton 2005, which I've installed with GooglePack, but I think it should work in Norton 2004 and 2003 also. Click Options in Norton Antivirus and then click on 'Auto-Protect' on the left. The Auto-Protect option will expand. Click on 'Exclusions' below it and then set the folder you want to be excluded on the right. Do the same thing for 'Manual Scan'. If you're not sure where the hacktool or virus is, you can set Auto-Protect -> 'How to respond when a virus is found' -> 'Deny Access to the infected file' and also set 'Manual Scan' -> 'How to respond when a virus is found' -> 'Ask me what to do'. This worked for me. Hope it helps you out.
Grafitti
Jun 2 2006, 02:59 AM
Or here's a great idea! Replace Norton with another virus scan that isn't so finicky about deleting all non-active viruses. Or use a program like PGP to encrypt those files so Norton doesn't recognize them. How about PGP's virtual disk? That would keep them all in one safe place, and it's only a click away to open them all.
vhortex
Jun 5 2006, 04:39 PM
Well, I guess why Norton wants to delete nmap and netcat is that most of the time they are used to attack systems rather than perform research. Norton is not a problem on my side, though, but I used it a few years ago and, if I remember correctly, you can exclude certain directories from the scan. I did encounter a problem, though, when nmap is currently running on the machine, since Norton will pop up and will force you [maybe depends on the version of Norton] to remove or kill the process.
-- Never been my problem now, since I switch to *Nix when performing those research tasks. =)
-- AVG is equally a pain in the ass when it detects a virus, either active or passive, in your system. Even source code of viruses was filtered out and moved to the virus vault.
-- When performing viral research, I just switch to a no-AV system [no antivirus], because I have a spare box and I have a CD mirror of WinXP. The whole system loads from CD and a spare hard drive is only used as a data disk for temp and so on. The only problem, though, is that I got the CD from an anonymous org member from my club. The second problem is that if you need registry edits, it is hell to configure to allow that and mount the registry onto the hard drive. I do perform port mapping a lot to test proxies' ability.
tansqrx
Jun 8 2006, 08:49 PM
I have searched to no end to find a place to exclude directories. The big problem is the weekly scan, you know, the one that runs when you are not there and that you always forget about. In the weekly scan it just deletes the files without asking you what you want to do. As for the action you want to take, Norton does not exactly give you very many options. I have the Cain and Abel setup file in my downloads folder. Whenever I download a new file, Norton pops up asking me if I want to delete the Cain and Abel file. At the bottom there is an action, *Exclude. Like this is an option, there is only one choice. Even with it set to exclude it still happens every time. If I didn’t know better this is almost a software bug. It’s just getting too annoying.
vhortex
Jun 9 2006, 01:34 PM
QUOTE(tansqrx @ Jun 9 2006, 04:49 AM) ... I want to delete the Cain and Abel file. At the bottom there is an action, *Exclude. Like this is an option, there is only one choice. Even with it set to exclude it still happens every time. If I didn’t know better this is almost a software bug. It’s just getting too annoying.
I feel your pain about that. It happened to me also a few months ago, but with office scan.. it wanted me to kill Cain and Abel because I was running as a client. This is hilarious on my side, though, since there are no security exploits in running a client.. I was also nagged to delete Cain and Abel every time I downloaded it. The popup is per chunk of download in my dload accelerator.
techocian
Jun 10 2006, 10:38 PM
These are just like what the latest medicines do. If you want a strong medicine, that strong medicine will kill off stuff you don't want AND some stuff that you actually need. So far, I've been using only up to Norton 2002, since I really do not need such a high security computer for what I do (play games). Even so, Norton 2002 gets very annoying when it blocks internet access for almost every program on the computer unless it is Microsoft certified or something. Especially now that I've just got Norton Internet Security 2006 and it has that new "Learning" feature, which, in my opinion, is an irritating and annoying aspect of Norton that shouldn't have been added in the first place. Of course, soon after, I learned how to turn it off, and now Norton asks me whenever I use a program that uses the internet. But my first week of Norton 2006 was a nightmare, and it was a little buggy too, as sometimes when I open the Norton window, the borders will show up and the "content" will be empty (so you see whatever is in the background of that window). Surprisingly, it fixed itself, fortunately for me.
retardset
Jun 11 2006, 09:29 AM
Google for AVG free best virusscanner ever
Darkwolf11235
Jun 11 2006, 09:14 PM
First a question... if you are collecting viruses and don't want to delete them, then why did you get an anti-virus program? Ways to fix this:
- The simplest solution would be to just get rid of Norton, but if you don't want to do that then there are several other things you can do to protect your viruses and spyware.
- You can tell Norton not to do automatic scans or updates.
- You can completely disable Norton so that it won't scan anything unless you tell it to.
- When Norton detects a virus it should give you the option of whether or not you want to keep that program; along with that it should also give you the option of not considering the program a virus.
I hope these help; they are the only ways I can think of at the moment to solve the problem.
tansqrx
Jun 13 2006, 10:39 PM
I have to agree, the learning feature is horrible, but I see it as being bad from a different perspective. From what I read, Norton “learns” what wants to access the Internet and then allows it. What keeps Norton from “learning” that a piece of spyware wants to access the Internet and then just allowing it? I turned this feature off as soon as I found it. I also turned off the automatic program option. This basically lets any program that is on a white list access the Internet without you being prompted. From my experience there are quite a few programs that I don’t want accessing the Net. An example of this is Explorer.exe. Quite frankly, I do not want a program with such low level access to my system touching the Net. I also block such things as Windows Media Player (some of those “content protected” files have nasties hiding in them), notepad, and any other application that I feel has absolutely no business accessing the Net. If someone has never run a secure firewall before, they might be surprised what wants to phone home.
tansqrx
Jul 20 2006, 07:56 PM
It appears that my specific problem with Hypercam has been resolved. Hyperionics, the maker of Hypercam, apparently complained to Symantec about including Hypercam in their database of spyware.
QUOTE UPDATE July 3, 2006... Symantec agreed with our dispute and is removing HyperCam from the list of "Spyware". This should be effective with their next security database update. This is a good news for all of us at Hyperionics and all our customers. Thank you, Symantec, good luck fighting the real spies, pirates and virus writers!
Looks like I wasn’t the only one complaining about Symantec’s poor judgment on this one. You can refer to the rest of the article at http://www.hyperionics.com/hc/hc_nis.asp.
This next part is to address the concerns of nightfox. There are several good reasons that I believe Hypercam is not a good tool for hackers to use. From my experience I have found that when a machine is compromised, the attacker is usually remote and has a command line to work with. If the attacker wants to monitor the activity on the victim’s machine, then Hypercam would be the last thing to use. It is true that Hypercam can be set up to show no signs that it is running, but none of those options could be used from a command line or added to a startup script. These options must be set in the GUI and then the Record button is pushed. An attacker would have to VNC into the machine and set all of this up without the user knowing, which is quite unlikely. Additionally, this would have to be performed every time the machine is rebooted, which would raise the frustration of the attacker and his chance of being caught. Hypercam is also a commercial closed source program, so there is no chance of an attacker modifying the source code and adding this functionality (which is a moot point because this in itself would change the program signature).
There is also another possibility where this scenario has a higher probability of being executed, and that is where the attacker has physical access to the machine. In this case I would think that Hypercam would be the least of the victim’s worries. Although this is most likely the best use of Hypercam by an attacker, moderate physical security should take care of this problem. In the end I believe that the benefits of Hypercam far outweigh the possibility of an attacker using Hypercam. Certain safeguards already exist that prevent Hypercam being used in a stealthy way from a remote perspective.
P.S. The reason I mentioned Windows Media Player as being spyware is that it constantly talks to the Internet while being used. It has the capability of doing such things as asking the Internet what the title of the mp3 that I am playing is and recommending stores for buying similar products. It also has the sometimes scary job of reporting usability data back to the mothership or asking unknown sources if it is OK to play content protected data (I have heard of several horror stories where “content protected” music or movies turned out to be a virus or trojan). All of this adds up to make me deny WMP at the firewall and never let it talk to the Internet, and thus I can somewhat consider it spyware.
warallthetm
Jul 10 2006, 04:20 AM
I had the same problem. A while back I had a server in my home, and I was running various tools to test its security. They were mostly RATs, keyloggers, etc. But Norton kept on deleting them, so I put them on a CD so Norton can't delete them, and run them from there.
vhortex
Jun 29 2006, 06:06 PM
QUOTE(HeLLRaiSer @ Jun 29 2006, 12:06 AM) I have no Anti-virus installed in my PC, because I do not open any illegal websites or any serials crack websites. Plus I don't let the virus enter my PC. These days I am working on a Linux firewall.
If you are running Windows then you are better off dead as of now. I can bet 101% that your OS is now infected. Based on your next sentences, I assume that you are using Linux, but are you aware, dear sir, that even if you don't visit illegal sites, you can still get worms and viruses? There are programs that are lurking and scanning all IPs that they can find that respond to pings.. better turn off that ping reply from your firewall. And there is a 70% chance that you are connected to an ISP; if you are not, then you are one of those lucky guys that have big bucks to run your own connections. ISPs most of the time are clogged by viruses since they always identify themselves on system scans to enable the subscribers to see them. I don't know if in some countries a turn around for this flaw was implemented. And since you and the ISP have a full trust connection, I can safely say that once your ISP gets infected then you can get infected too.. that is from a trusted zone that may go past your firewall. I have written viruses in the past and am still testing better ways to avoid them, and the next best approach is to use antiviruses and firewalls.. the best option, and not the practical one, is to write your own operating system, and believe me that I have undergone that path, since I was totally pissed off from MSDOS viruses way years ago. In the end, I just get myself an AV since I do have a virus free system but I need to rewrite all system programs that I need. From text editing to image processing.. The process alone will make me thousands of years behind in terms of technological improvements. Just my few cents.. NOTE: I have successfully planted a worm a couple of years ago using port mapping..
Better find a much more secure way to run your firewall.. I bet that you need to turbo charge your IP rules.. I don't know exactly what it is called on your Linux system, but on my Linux it was called IPtables.. If you got more spare money and your ISP uses Windows as server for IP leasing, you can even use IPtables to mask your PC and let outside connections to your PC be directed to another unit. That is, logically you can have two computers using the same IP, one hidden using the IPtables rules and one exposed to be seen [no rules].. I will no longer tackle this stuff since in our country this is a matter of dispute about its legality..
nightfox
Jun 29 2006, 05:37 PM
QUOTE(tansqrx @ Jun 27 2006, 11:42 PM) They’ve gone too far this time. I just got a popup about the most hideous threat that I have ever seen. Spyware.HyperCam http://securityresponse.symantec.com/avcen...e.hypercam.html Are they serious? How in the world could Hypercam be a threat? Who in their right mind could even come up with such a thing? Will Windows Media Player be next?
I'm starting to doubt that you're as knowledgeable as you claim. You may be book smart, but are you street smart? Learn to open your eyes and read things:
Behavior: Spyware.HyperCam is a video capture program that can covertly record your actions on a computer. It can be used for legitimate purposes when the computer user is aware of its presence on the computer.
That's also stating that it COULD be used for malicious purposes as well, such as when the computer user ISN'T aware of its presence. I have the same complaint against WinVNC, as I use it to remotely do maint. on other computers on my network and it is even labeled as spyware for the fact that it could be used maliciously. So, no, Windows Media Player couldn't possibly be next unless it has a hidden keylogger in it.
Degrees & diplomas say you might be book smart, but I'm only in high school and I'm already working for my school's technology department because I have the skills to pick up things quickly. Out of all 7 of us summer workers, I'm the most responsible & trustworthy so I get treated well. They trust me to configure network switches (CISCO) and new computers, and here and there I get the ability to hop onto our NetWare server console. Yet, I don't have any kind of degree or diploma. You just have to be street smart and use common sense. See where I'm getting at? You attacked Symantec for wrongly claiming a program as spyware. Just because YOU might use it legitimately doesn't mean someone else will... do you see where I'm taking this?
[N]F
nightfox
Jun 29 2006, 05:17 PM
QUOTE(Darkwolf11235 @ Jun 11 2006, 05:14 PM) First a question... if you are collecting viruses and don't want to delete them, then why did you get an anti-virus program?
Normally you can download viruses in ZIP files and set them loose ONLY when you want to. Except, it is DANGEROUS to let a Windows machine even get on a LAN, let alone the Internet, without some sort of anti-virus. I have Norton 2004. I find it best to turn off automatic scanning so it won't delete any viruses you want. Also, I hope you're being VERY careful with your virus collection... Virus collecting is about as dangerous as radioactive sample collecting...
QUOTE I have no Anti-virus installed in my PC, because I do not open any illegal websites or any serials crack websites. Plus I don't let the virus enter my PC. These days I am working on a Linux firewall.
I hope you're NOT using Windows as your primary OS then... it doesn't matter if you go to crack websites/illegal websites or not. That's BS right there... There have been studies done and you can get a virus within the first 6 seconds of being online to a full 5 minutes. The Internet is a network. Viruses and worms spread through networks. LANs or the Internet, it doesn't matter. Malicious code WILL find its way into your computer. Actually, you could be infected right now and not even know it. Don't put all your trust into a firewall. A firewall is just that, a FIREWALL. It can block some traffic, like worms, but does it stop them from coming in via email? Nope.
[N]F