Norton says it's blocked an attack from a PCPitstop URL. Is this l

[Kara Gray]

Just received a Norton Security "high severity" warning that an intrusion attempt by 54.240.160.8 was blocked with the IPS Alert name "Web Attack" Malicious File Download 14." It says the attacker URL was files.pcpitstop.com/cab/ntrights.exe.

 

Is this something legit that Norton is flagging by mistake? I sure hope so!

Kara

[Glen Heavilin]

Same thing happened to me. Windows 10, Norton Security all up to date.

[IntelGuy]

Yes, it is a false positive by Norton. files.pcpitstop.com/cab/ntrights.exe is PC Matic trying to update the Active X control silently in the background.

[bikes_r_me4]

I just was forced to uninstall PC Matic from my computer because it hijacked it through using this process. I noticed that your software created it's own user account on my computer and in doing so, was using ntrights.exe to create multiple instances of users on my system. I'm running Windows XP SP 3 and now have the following profiles that were created by your program:

 

PCPitstopSVC

PCPitstopSVC.CONTROL-PC

PCPitstopSVC.CONTROL-PC.000

PCPitstopSVC.CONTROL-PC.001

PCPitstopSVC.CONTROL-PC.002

PCPitstopSVC.CONTROL-PC.003

PCPitstopSVC.CONTROL-PC.004

 

and so on... all the way up to

 

PCPitstopSVC.CONTROL-PC.431 which is when I killed your software on my computer.

 

This never happened before. I've been using PC Matic for about a year now and never had any problems like this. The Supershield is still working and upon viewing the Security Report, it seems the processes running at the time when this was happening were:

 

find.exe, cmd.exe, net.exe, net1.exe, ntrights.exe, reg.exe, regsvr32.exe, wscript.exe, PcPitstopScheduleService.exe, hostname.exe

 

This same thing happened on all of our computers that have PC Matic installed. We have already contacted PC Matic support and put in 2 help tickets. The numbers are BXB114-69808 and DPT-243-48552 and have not received any responses from tech support.

[Kara Gray]

Well, I was thinking this was no big deal until I saw the above from bikes_r_me4. I don't have these bogus user accounts on my PC, perhaps because Norton is blocking this process. I'd love to hear someone from PC Matic weigh in on this, or a report back if/when bikes_r_me4 gets a response from tech support.

[IntelGuy]

All tickets are responded to within 24 hours, usually much sooner, often within just a few minutes, but the target is 24 hours. BXB-114-69808 was answered in two minutes, DPT-243-48552 was answered in 17 minutes. If you did not receive the replies you may need to check your junk mail folders both locally and at the online email client.

 

The multiple account issue only occurs on Windows XP. You will not see it on other versions of Windows. The developer has pushed out a change that should automatically remove the extraneous accounts. We are looking into why the issue occurred in the first place.

 

As far as Norton blocking the process, that is a false positive and they should not be blocking our software. Please open a ticket at our help desk from the link below so that we can obtain more information about the computer:

 

http://pcpitstop.com/store/service.asp

[bikes_r_me4]

All tickets are responded to within 24 hours, usually much sooner, often within just a few minutes, but the target is 24 hours. BXB-114-69808 was answered in two minutes, DPT-243-48552 was answered in 17 minutes. If you did not receive the replies you may need to check your junk mail folders both locally and at the online email client.

 

I'm sorry, but no responses to either ticket were received. The spam folder was also checked and it did not land in there either. We are still awaiting a response from tech support. At this point in time we are in fear of reinstalling the software on our machines until an official fix is released and an explanation is given.

 

I forgot to mention initially that the same thing happened with 1 machine we have that runs Windows Vista Business. All of our other machines are Windows XP.

Edited December 31, 2015 by bikes_r_me4

[IntelGuy]

Thank you for the additional information. Please add [email protected] to your address book and see if that helps our replies to get through. I will also send responses from my private email address and see if they get through that way.

[tousley]

Same problem here. I'm ticket #FQR-733-57420 on a Win 10 system and have sent in the log file but haven't heard anything back. For those out there having the same issue, when you download the ntrights.exe file right from PC Pitstop, it passes the Norton anti-virus scan just fine. I use Norton 360 and it appears the detection occurs in Norton's Intrusion Protection Service. Contacting Norton is a non-starter unless you are a real techie, as they can't replicate the problem, so they send you instructions for capturing all packets, but it's full of acronyms and interface instructions so good luck with that. I'm hoping PCPitstop gets on the phone to Symantec as I have several friends who I've recommended PC Pitstop to that are having the same issue.

[Janet Petermann]

I'm having the same issue. I have been using PC Matic for over a year with no problems. Now Norton is blocking an "attack by malicious spyware" or some such thing from pcpitstop. Hope PC Pitstop gets this figured out since I paid for this service and can't use it?

 

Thanks.

[JamesNigh]

[IntelGuy]

We have uploaded the file to Norton and are waiting for them to add it to their whitelist. In the meantime there should be a way to locally add the file to Norton's exclusion list.

[viaveneto2]

Same situation. I have both Norton and PCMatic on both my PC and laptop. The PC runs Windows 7 and I have no problems. On the laptop I have just installed Windows 10 when I started to get the error message from Norton about "intrusion attempt by 54.192.206.131 blocked"

IPS Alert Name: Web Attack: Malicious File Download 14. However, I just ran a PCMatic manual scan on the laptop and had no problems. Is this something I should ignore or worry about it? I'm not a computer expert, so please don't reply with IT technical jargon. Thank you.

[IntelGuy]

It is safe to ignore that warning. You can add it to the Norton exclusion list while we are waiting for Norton to respond to our white listing request.

[tousley]

Any word on this yet? My ticket #FQR-733-5720. The screenshot you show is not an exclusion list. It only prevents Norton from notifying you with the pop-up intrusion warning. Meanwhile, it keeps detecting the threat in the background, using computer resources and slowing other processes when it detects the threat and throws up the warning.

Thanks for any help you guys can offer on this.

[IntelGuy]

That is correct, then screen shot posted by the customer is not the exclusion list. There should be a procedure for adding the file locally to the Norton white list.

 

Norton has sent a response that our file has been successfully added to their global white list. If you are still seeing it being detected you may need to update the definitions for your Norton product.