Jump to content

Norton Antivirus detected as Ransomware


Recommended Posts

 Norton Security was detected as Ransomware right after a Live update patch.

I have been running Malwarebytes Premium and Norton Security side by side without problems for a while. However, something suddenly went wrong just now.

Here's the order of events.
- My computer had just rebooted since it had just have a crash.
- Right after it booted again I went through my routine of updating virus definitions of both malwarebytes and run norton live update.
- Malwarebytes update finishes first as usual. Norton says it has a new patch, as it sometimes does. I install it.
- Immediately after the patch has finished, I run live update again since often it seems to have some definition updates for the new patch.
- And here is is when it went wrong, during the the live update, Norton says it failed. about 0.5 - 1sec after malwarebytes has a pop-up that says it blocked ransomware.
- Everything that was quarantined as ransomware seems to be Norton Antivirus files. (norton doesnt work anymore since its quarentined)

Not sure what to make it, I didn't do anything out of the ordinary here.
Also, on the Malwarebytes dashboard it still says 0 Real-Time Protection detections for some reason, its probably not important, just thought it blocking ransomware would count as Real-Time Protection.

I tried doing the log thing with running mbam.exe /developer. But since that doesnt seem to work for some reason, ill just post some screenshots for now so you can at least see what was detected.




Link to post
Share on other sites

My bad, i was trying to follow instructions for wrong MBAM version before. No wonder it didn't work

in reports there is the protection event that says, 'Ransomware blocked' I am guessing you need the log for that one, since all my scans where normal.

Since the file where quarantined, I guess i have to restore them. Isn't that risky though? What if its not a false positive?
The file you want is "C:\Program Files\Norton Security\Engine\\NortonSecurity.exe" I am guessing?

Should I just restore it and see if I can add the file? How serious of a risk do you think this might be?
I'll add the log in here for now.


Link to post
Share on other sites

  • 2 weeks later...

I bought a new Dell PC on Thursday and spent time over the weekend getting it set up.  After the initial Windows setup the first steps for me were to A) Run all Windows updates,  B) Install Malwarebytes (I have it on 2 other computers).  Then on Saturday I installed Norton Antivirus. The initial installation of Norton went fine once I removed Mcafee that came on the computer.  I install antivirus and anti malware on any new PC before loading anything else.  I have run both Norton and Malwarebytes on my other 3 computers in the house for several years and for the most part they work ok together.  The only exceptions is the fact that Norton logs Unauthorized Access to NortonSecurity.EXE by MBAMSERVICE.EXE as blocked, a Medium Severity event, several times per day. None of them are reporting the problem described below.

As soon as I ran the first update to Norton 360 I received the same Ransomware notification from MalwareBytes as described by Scubnubby above.  The same files are identified and quarantined. At that point Norton will not run.  I deleted the quarantined files and reran the Norton install from scratch 2 times.  Each time it flags NortonSecurity.exe as ransomware as soon as I run LiveUpdate.  Malwarebytes flags during the Process Update step.  I do not get this problem on any of my other computers.  All of my screen captures of this event would be identical to those above but dated Sept 21.

I have marked the Norton folder to be excluded from the install per directions above and now it seems to do Norton updates correctly. However, since this was several days past when the above thread implies the problem of a False Positive was fixed I am concerned.  I don’t want to finish transitioning to this new computer until I can be sure it is clean. I am questioning whether I should have taken this approach to exclude the file.

Can you confirm this is still a false positive or do I need to take other actions? If false positive, when will it be fixed?

Thank You,


Link to post
Share on other sites

  • Staff

Hi @Concerned - this was indeed the same false positive. This is a code-side FP and not resolved in the same manner as a database FP. We are working towards a code-side solution but for now the type of workaround you performed would need to be used for this specific type of false positive.

We apologize for the inconvenience and ask for your patience.

Link to post
Share on other sites

  • Staff

The FP is caused by the Ransomware Protection component reacting (incorrectly in this case) to certain functions being carried out by the live update.

You could just exclude this one file, I believe
C:\Program Files\Norton Security\Engine\\NortonSecurity.exe

That being said, it's a generally safe practice to use mutual exclusions between multiple security products installed on a single system.

And, if you prefer, you can remove the exclusion. But until we release a new component update, you may get another FP.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.