Norton Antivirus detected as Ransomware

[Scubnubby]

 Norton Security was detected as Ransomware right after a Live update patch.

I have been running Malwarebytes Premium and Norton Security side by side without problems for a while. However, something suddenly went wrong just now.

Here's the order of events.
- My computer had just rebooted since it had just have a crash.
- Right after it booted again I went through my routine of updating virus definitions of both malwarebytes and run norton live update.
- Malwarebytes update finishes first as usual. Norton says it has a new patch, as it sometimes does. I install it.
- Immediately after the patch has finished, I run live update again since often it seems to have some definition updates for the new patch.
- And here is is when it went wrong, during the the live update, Norton says it failed. about 0.5 - 1sec after malwarebytes has a pop-up that says it blocked ransomware.
- Everything that was quarantined as ransomware seems to be Norton Antivirus files. (norton doesnt work anymore since its quarentined)

Not sure what to make it, I didn't do anything out of the ordinary here.
Also, on the Malwarebytes dashboard it still says 0 Real-Time Protection detections for some reason, its probably not important, just thought it blocking ransomware would count as Real-Time Protection.

I tried doing the log thing with running mbam.exe /developer. But since that doesnt seem to work for some reason, ill just post some screenshots for now so you can at least see what was detected.

[cli]

Hi, 

I'll need the logs and detected file to better assist you. Please revisit Please read before reporting a false positive and follow the directions corresponding to the MBAM version you have.

[Scubnubby]

My bad, i was trying to follow instructions for wrong MBAM version before. No wonder it didn't work

in reports there is the protection event that says, 'Ransomware blocked' I am guessing you need the log for that one, since all my scans where normal.

Since the file where quarantined, I guess i have to restore them. Isn't that risky though? What if its not a false positive?
The file you want is "C:\Program Files\Norton Security\Engine\22.19.8.65\NortonSecurity.exe" I am guessing?

Should I just restore it and see if I can add the file? How serious of a risk do you think this might be?
I'll add the log in here for now.

MbamLog.txt

[Crewguy]

I have the same issue. After running Norton Live Update this morning Malwarebytes quarantined nortonsecurity.exe as ransomeware. I totally reinstalled Norton Security Suite (Xfinity version) and when I ran Live Update, Malwarebytes quarantined it again. 

[shadowwar]

Can you please attach the nortonsecurity.exe zipped here so i can fix this?

Or can you also attach the mbamservice.log located here:

C:\ProgramData\Malwarebytes\MBAMService\logs

 

[Scubnubby]

Here is the log I think you need.
There is also a file called MBAMSERVICELOG.LOG.bk1 in the same folder, but that seems to be from 5 days ago. Not sure if that's something you need.

If you really need it I can try and add the Nortonsecurity.exe tomorrow, don't wanna risk restoring it right now in case its bad.

MBAMSERVICE.LOG

[Crewguy]

I hope this helps you.

NewZip.zip MBAMSERVICE.LOG

[shadowwar]

Thanks. This should no longer be detected.

 

[Scubnubby]

So this was a false positive then? Nothing to worry about?

[shadowwar]

Correct. Nothing to be concerned with.

[Crewguy]

Thank you

[shadowwar]

Note.

In some instances this may be still detected. The file is ok and will need to be added to exclusions if still detected.

[Concerned]

I bought a new Dell PC on Thursday and spent time over the weekend getting it set up.  After the initial Windows setup the first steps for me were to A) Run all Windows updates,  B) Install Malwarebytes (I have it on 2 other computers).  Then on Saturday I installed Norton Antivirus. The initial installation of Norton went fine once I removed Mcafee that came on the computer.  I install antivirus and anti malware on any new PC before loading anything else.  I have run both Norton and Malwarebytes on my other 3 computers in the house for several years and for the most part they work ok together.  The only exceptions is the fact that Norton logs Unauthorized Access to NortonSecurity.EXE by MBAMSERVICE.EXE as blocked, a Medium Severity event, several times per day. None of them are reporting the problem described below.

As soon as I ran the first update to Norton 360 I received the same Ransomware notification from MalwareBytes as described by Scubnubby above.  The same files are identified and quarantined. At that point Norton will not run.  I deleted the quarantined files and reran the Norton install from scratch 2 times.  Each time it flags NortonSecurity.exe as ransomware as soon as I run LiveUpdate.  Malwarebytes flags during the Process Update step.  I do not get this problem on any of my other computers.  All of my screen captures of this event would be identical to those above but dated Sept 21.

I have marked the Norton folder to be excluded from the install per directions above and now it seems to do Norton updates correctly. However, since this was several days past when the above thread implies the problem of a False Positive was fixed I am concerned.  I don’t want to finish transitioning to this new computer until I can be sure it is clean. I am questioning whether I should have taken this approach to exclude the file.

Can you confirm this is still a false positive or do I need to take other actions? If false positive, when will it be fixed?

Thank You,

 

[tetonbob]

@Concerned- this is likely a false positive, but to be sure, please provide the log located at C:\ProgramData\Malwarebytes\MBAMService\Logs\MBAMService.log

Thank you.

[Concerned]

Thanks for the quick response Bob.

Here is the requested file.

MBAMSERVICE.LOG

[tetonbob]

Hi @Concerned - this was indeed the same false positive. This is a code-side FP and not resolved in the same manner as a database FP. We are working towards a code-side solution but for now the type of workaround you performed would need to be used for this specific type of false positive.

We apologize for the inconvenience and ask for your patience.

[Concerned]

Thank you for the update. I hate to keep the entire Norton directory on the exclusion list for a long period.  Was this tied to one specific update that I have now applied (and can therefore remove the exclusion), or do I need to keep the exclusion in place until you have a code update?

[tetonbob]

The FP is caused by the Ransomware Protection component reacting (incorrectly in this case) to certain functions being carried out by the live update.

You could just exclude this one file, I believe
C:\Program Files\Norton Security\Engine\22.19.8.65\NortonSecurity.exe

That being said, it's a generally safe practice to use mutual exclusions between multiple security products installed on a single system.

And, if you prefer, you can remove the exclusion. But until we release a new component update, you may get another FP.