Symantec detects a possible malicious entry in the HOSTS file

I have received a few inquiries about a new entry in the HOSTS file, wanting to know whether this was correct or a false positive. I created a brief explanation in the HOSTS FAQ, but I thought I’d expand on it a bit here …


The Symantec (Norton 2007) message most users see:


“A malicious entry in your hosts files could prevent LiveUpdate from retrieving updates for your Symantec products, including anti-virus updates. Generally, Symantec LiveUpdate server entries should not appear in your Windows hosts files. Update has detected a potential security compromise on your computer: one or more entries should not appear in your Windows hosts files.”


It lists the address ‘om.symantec.com’ as being in the hosts file and asks what action to perform:
1. Leave the entry in the hosts file (warn me about them later)
2. Leave the entry in the hosts file (do not warn me about them later)
3. Remove the entry from the hosts file (Recommended)


Simply select Option #2 and this message should not appear anymore …
The entries “om.symantec.com” and “tc.symantec.com” are both actually third-party entries from Omniture (2o7.net).
Note: these entries do not affect “LiveUpdate”, nor are they specific to LiveUpdate; Symantec uses these tracking hosts on all of its pages, and the message above is just a generic warning.


One or more CNAMEs were encountered. om.symantec.com is really symanteccom.112.2o7.net
One or more CNAMEs were encountered. tc.symantec.com is really symantec.tcliveus.com


Where “om.” = Omniture and “tc.” = Touch Clarity (Omniture acquired Touch Clarity in the first quarter of this year)



As you can see above, the Privacy Policy is actually from TouchClarity (Omniture) and not from Symantec … folks, this is nothing new: many companies disguise their entries (see below), including several other antivirus companies.


127.0.0.1  sdc.mcafee.com #[statse.webtrendslive.com]
127.0.0.1  wdcs.trendmicro.com
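One way to check for yourself what a HOSTS entry really points to, as an added example that is not part of the original post or of any Symantec, Omniture or MVPS tool: the script below parses MVPS-style HOSTS lines (with the “#[…]” annotation naming the real CNAME target), follows the CNAME chain the way the lookups above do, and flags names whose canonical target belongs to one of the tracking vendors named on this page (2o7.net, tcliveus.com, webtrendslive.com). The CNAME table and the sample HOSTS lines are constructed stand-ins so the example runs offline; in practice you would replace the table with an nslookup or dig query.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample HOSTS-file lines in the MVPS style ("#[...]" notes the
# real CNAME target). This is an assumption for the example, not the full file.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1  localhost
127.0.0.1  om.symantec.com #[symanteccom.112.2o7.net]
127.0.0.1  tc.symantec.com #[symantec.tcliveus.com]
127.0.0.1  sdc.mcafee.com #[statse.webtrendslive.com]
127.0.0.1  wdcs.trendmicro.com
"""

# Constructed stand-in for live DNS answers: name -> CNAME target. A real
# check would query DNS; this table is an assumption so the example runs
# offline. The loop-* names exist only to exercise the loop guard.
CNAME_TABLE: Dict[str, str] = {
    "om.symantec.com": "symanteccom.112.2o7.net",
    "tc.symantec.com": "symantec.tcliveus.com",
    "sdc.mcafee.com": "statse.webtrendslive.com",
    "loop-a.example": "loop-b.example",
    "loop-b.example": "loop-a.example",
}

# Domains belonging to the third-party tracking vendors named on the page.
TRACKER_DOMAINS = ("2o7.net", "tcliveus.com", "webtrendslive.com")

# ip, hostname, optional "#[annotation]"
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)(?:\s*#\[([^\]]+)\])?")


def parse_hosts(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (ip, hostname, annotation) for each active HOSTS entry,
    skipping blank lines and full-line comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def resolve_cname_chain(name: str, table: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAME records until a canonical name is reached.
    Stops on a loop or after max_hops so a broken or hostile chain
    cannot spin forever; the last element is the canonical name."""
    chain = [name.lower()]
    while chain[-1] in table and len(chain) <= max_hops:
        nxt = table[chain[-1]].lower()
        if nxt in chain:
            break  # CNAME loop: stop and report what we have
        chain.append(nxt)
    return chain


def is_tracker(canonical: str) -> bool:
    """True if the canonical name is one of the tracker domains or a subdomain of one."""
    return any(canonical == d or canonical.endswith("." + d) for d in TRACKER_DOMAINS)


def classify_hosts(text: str, table: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """For every HOSTS entry, report what the name really points to, whether
    that canonical name belongs to a known tracking vendor, and whether the
    MVPS-style annotation (if any) agrees with the resolved target."""
    report: Dict[str, Dict[str, object]] = {}
    for ip, host, note in parse_hosts(text):
        chain = resolve_cname_chain(host, table)
        canonical = chain[-1]
        report[host] = {
            "ip": ip,
            "chain": chain,
            "canonical": canonical,
            "third_party": is_tracker(canonical),
            "annotation_matches": note is None or note.lower() == canonical,
        }
    return report


if __name__ == "__main__":
    for host, info in classify_hosts(SAMPLE_HOSTS, CNAME_TABLE).items():
        verdict = "third-party tracker" if info["third_party"] else "first-party / unknown"
        print(f"{host:24} -> {' -> '.join(info['chain'])}  [{verdict}]")
```

An entry that resolves to a tracker domain is exactly the kind of “Symantec” host the LiveUpdate warning complains about: blocking it stops the tracking beacon, not the update server, which is why leaving the entry in place (Option #2 above) is the right call.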


Example of other alias entries used by Omniture



As you can see above, the “om.” entry is not specific to Symantec …



8 Responses to “Symantec detects a possible malicious entry in the HOSTS file”

  1. Hi Mike,

    I got this alert and was given 3 options from Symantec.

    1. was to delete.
    2. was to ignore and remind later.
    3. was to ignore.

    I’m using NIS 2007. You can also disable host file scanning by going to NIS/Run Security Inspector/Configure/Categories/Setting/and uncheck IP Addresses.

    I also reported the issue to Symantec.

    Regards,
    Tim
