Symantec LiveUpdate Security Warning revisited

I’ve blogged about this several times …[here] [here] however as I am frequently asked about this (false) prompt (mostly from new MVPS HOSTS users) I thought I would address this again … especially after seeing a response from one of their (very) uninformed commenters on their Forum

“I did not read in detail the links you provided, so this may not directly answer your question, but it may help you understand what is happening here.”

Then why bother … if you are not going to “read in detail the links” …

And then goes on to say:

“So in your case what has happened is that a piece of malware has modified your HOSTS file to include entries for ‘tc.symantec.com’ and ‘om.symantec.com’.” … talk about misinformed … duh!

If you had bothered to read the links then you would not (hopefully) make such a truly false statement.
Here is a typical prompt Symantec users see …

If Symantec users click the drop-down arrow there is an option for:
“Leave the entry in the hosts file (do not warn me about them later)” (then this is no longer an issue …)

Let me be very clear … these are NOT entries from Symantec … although they try to disguise them as such … they both are 3rd party entries from Omniture … and they do NOT prevent Symantec products from updating themselves …

As you can see “om.symantec.com” is actually an alias for “symanteccom.112.2o7.net” and the IP addresses are all controlled by Omniture.

Even when you run a traceroute you can see above where it ends … below is just a partial list of the Omniture entries and the IP addresses … which shows that some sites prefer the “2o7.net” while others prefer to hide their identity as in the case with Symantec …

Note: it appears that Symantec is no longer using “tc.symantec.com” on their site … most likely after I exposed this issue last time … where they were using the Privacy policy from a 3rd party (Omniture) and not their own. So this entry will be removed and this will be reflected in the next update …
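The alias relationship described above for “om.symantec.com” can be checked mechanically. The sketch below is an added example, not part of the original post or of any Symantec or MVPS tooling: it parses a HOSTS file, follows each entry's CNAME chain, and reports whether the name ends up in a different domain. The resolver answers are constructed and embedded so it runs offline; only the om.symantec.com alias comes from the post, while the addresses (documentation range), the `tracker.example.net` entry, and the "last two labels" base-domain heuristic are assumptions.

```python
# Constructed HOSTS file in the usual blocking style (sample data).
HOSTS_TEXT = """\
127.0.0.1  localhost
0.0.0.0  om.symantec.com       # hostname named in the post
0.0.0.0  tracker.example.net   # constructed contrast entry
"""

# Constructed resolver answers: name -> (record type, value).
# Only the om.symantec.com CNAME is from the post; IPs are placeholders.
DNS_ANSWERS = {
    "om.symantec.com": ("CNAME", "symanteccom.112.2o7.net"),
    "symanteccom.112.2o7.net": ("A", "192.0.2.10"),
    "tracker.example.net": ("A", "192.0.2.20"),
}

def parse_hosts(text):
    """Return hostnames mapped to a null/loopback address, skipping localhost."""
    names = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            names += [h.lower() for h in fields[1:] if h.lower() != "localhost"]
    return names

def cname_chain(name, answers, limit=8):
    """Follow CNAME records from name; stop at a non-CNAME answer or a loop."""
    chain = [name]
    while len(chain) <= limit:
        rtype, value = answers.get(chain[-1], (None, None))
        if rtype != "CNAME":
            break
        value = value.rstrip(".").lower()
        if value in chain:  # alias loop, stop following
            break
        chain.append(value)
    return chain

def base_domain(name):
    """Assumption: last two labels approximate the owning domain (no PSL)."""
    return ".".join(name.split(".")[-2:])

def classify(hosts_text, answers):
    """Map each blocked hostname to 'same domain' or 'alias to <domain>'."""
    result = {}
    for host in parse_hosts(hosts_text):
        owner = base_domain(cname_chain(host, answers)[-1])
        same = owner == base_domain(host)
        result[host] = "same domain" if same else "alias to " + owner
    return result

if __name__ == "__main__":
    for host, verdict in classify(HOSTS_TEXT, DNS_ANSWERS).items():
        print(f"{host:24} {verdict}")
```
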

Folks, I cannot control these false-positive prompts from Antispyware/Antivirus products … believe me I’ve tried … but they refuse to alter their scanning techniques, so all I can do is try to explain why these entries exist … then you can decide for yourself if you have a malware infection … or a poorly written scanner detection. There is no such thing as an infection that only alters the HOSTS file … so if that’s all that shows up in a scan then check it out or ask … I will gladly assist in determining the cause …



One Response to “Symantec LiveUpdate Security Warning revisited”

  1. I am reminded of an old story about a man
    who set up a company as a glazier
    in order to make his business do well
    he had half the employees go out at night
    breaking windows to provide work for the
    other half working during the day.
    needless to say his company grew in wealth
    with lots of work for all. lol