
NortonAV--updat32.exe

Discussion in 'Security and Privacy' started by Welshjim, 2005/11/20.

  1. 2005/11/20
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    I have been using NAV Intelligent Updater (not Live Updater) to download new NAV virus definitions for years. (My NAV subscription is up to date.)
    http://www.symantec.com/avcenter/download/pages/US-N95.html
    (This allows me to have the very latest definitions installed daily rather than waiting for Live Update's perhaps once a week update.)
    Recently when I click on an already downloaded virus definition file to run it
    1) It takes perhaps 10-15 seconds before anything happens (it used to run immediately)
    2) It finally installs
    3) Then I get a Zone Alarm firewall popup asking if I will allow "updat32.exe" to access the internet to reach 63.240.76.198 which is ns14.attbi.com. I deny. See image below for more info on ns14.attbi.com.


    Has anyone else had this experience? Should I be concerned? Should I allow updat32.exe to access this site?

    MORE DETAIL--A search on Google suggests that updat32.exe has been part of NAV for years, but for an obscure function ("Filename for Beta Virus Definitions sent via Scan and Deliver"),
    http://www.symantec.com/avcenter/iu.filename.change.html
    and for people who have NAVCE (NAVCorporate Edition), per another Symantec site which says:
    "Symantec Scan and Deliver
    All Symantec AntiVirus programs are designed to isolate or quarantine any code entering the system which it deems infected. An item will only be quarantined when the system is unable to repair the infected code using its current set of virus protection definitions.
    Once data has been moved to the Central Quarantine, the incurable viruses
    can be submitted to SSR for analysis. The theory here being that if there isn't a cure, Symantec will attempt to find one. This technology built into NAVCE is
    known as Scan and Deliver."
    I do not have NAVCE.

    According to the ZA firewall message, updat32.exe is in a folder whose path is C:\Documents and Settings\username\Local Settings\Temp\RarSFX0. When I try to find/open this directory, I am told there is no such path. (I have "Show hidden Files" checked in Folder Options.) Search, however, finds a version of updat32.exe in the C:\Windows\Prefetch folder (UPDAT32.EXE-04784ECB.pf).
    I have deleted the Prefetch file again and again, but it comes back the next time I install a virus definition update.
    I find nothing on Symantec's Support Search page on updat32.exe, except for the above mentioned site indicating its function.
    I get the notice after I have both downloaded and installed the latest NAV virus definition updates. So it is not stopping me from updating. As mentioned, I usually click Deny, and nothing adverse seems to happen. (The NAV window shows the virus definitions as updated to the current date.)
    Not to confuse the issue, several other programs have very recently also started to ask permission to access ns14.attbi.com (63.240.76.198). (I should take notes on which, but I do not remember which programs, now.)
    I am sure that I could do away with the ZA notices if I permanently allowed updat32.exe (or other files) to access ns14.attbi.com (63.240.76.198).

    My main question is "Is there any downside to allowing this access to 63.240.76.198?"

    See attached image for info on ns14.attbi.com (63.240.76.198).
    It seems like a legitimate site.
    A secondary question would be "why is AT&T getting involved in the NAV virus definition updates (and activities on these other sites) "? But I will be happy with an answer to my "main question ". :)
    Comcast is my ISP
     
    Last edited: 2005/11/20
  2. 2005/11/20
    Dennis L Lifetime Subscription

    Dennis L Inactive Alumni

    Joined:
    2002/06/07
    Messages:
    2,557
    Likes Received:
    2
    Since you're a paying customer, I would send an email to Symantec. Ask if "updat32.exe" (request its proper path) and ns14.attbi.com are acceptable behavior when performing virus updates via NAV Intelligent Updater.
    Hope they have timely responses to customer emails ... been a couple of years since I used their products.
     


  4. 2005/11/21
    Alchemy

    Alchemy Inactive

    Joined:
    2002/01/07
    Messages:
    18
    Likes Received:
    0
    Hi Jim,

    Unfortunately, I had to turn in my laptop which had the Corporate Edition of NAV on it and I do not run any Symantec products on my other machines, so I am unable to check the legitimacy of that file. It does seem as though you may have picked up some Beta virus definitions along the way. I would go with Dennis' recommendation to contact Symantec on that file since you do not run the Corporate Edition or perhaps someone using CE will weigh in on the subject. Did you try the "More Info" button on ZA to see what they have to say about the file?

    Did you see this thread in the ZA forums? It seems to indicate that this would be an allowable program. A poster indicates that it is part of each download and does go into the prefetch folder. He apparently deleted it from the prefetch folder with no apparent consequences.

    As to that IP address, if you input it at Dshield-IP Info they have that IP address flagged as a legitimate DNS server, which could be one that Symantec uses.

    Let us know what you find out.

    Steph
     
  5. 2005/11/21
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Alchemy and Dennis L--
    I have done what you both suggested some time ago.
    The Symantec tech people had no clue.
    "I understand from your message that you are receiving alert from ZoneAlarm, that updat32.exe is trying to access the Internet.

    I recommend that you allow updat32.exe, since it needs the Internet access to download the latest Virus Definitions.

    I suggest that you click on the link provided below and follow the steps provided to configure your Firewall with Norton AntiVirus (NAV) 2005:

    Title: 'Configuring your firewall for use with Norton AntiVirus 2004 or 2005'
    Document ID: 2003082012355706
    > Web URL:
    http://service1.symantec.com/Support/nav.nsf/docid/2003082012355706?Open&src=con_ols_nam

    Now, in order to determine whether your system is infected by any virus, I recommend that you run an Online Virus Scan. To run an Online Virus Scan, please refer to the following document from our Online Knowledge Base that has instructions you need to follow:

    Title: "How to use Symantec Security Check to scan for viruses or online threats"
    Document ID: 2002031510570647
    > Web URL:
    http://service1.symantec.com/SUPPORT/analyzer.nsf/docid/2002031510570647?Open&src=con_ols_nam
    "
    As you can see from the second sentence, they think allowing updat32.exe has to do with being able to download the virus definitions, which it does not based on what I can observe. But I followed the advice in the two links provided anyway. No change.

    Concerning the thread on the ZoneAlarm forum, the "Guru" never really answered chipkost's question (which was quite similar to mine). The Guru rather gave a reference (which I gave in my first post above) which mentions that updat32.exe is part of the Scan and Deliver program if you used NAV Corporate Edition and applies to beta versions of virus definitions. That does not seem to apply to chipkost and it definitely does not apply to me. Per the info in the reference, I am downloading "fully QA'd Virus Definitions", not Beta versions.
    It is interesting that in chipkost's case updat32.exe was trying to access a different site (UUNET) than in my case.

    Appreciated your input!!
     
  6. 2005/11/21
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    I would like to repeat something I said in my first post in hopes it will help solve the mystery
    "According to the ZA firewall message, updat32.exe is in a folder whose path is C:\Documents and Settings\username\Local Settings\Temp\RarSFX0. When I try to find/open this directory, I am told there is no such path. (I have "Show hidden Files" checked in Folder Options.)" And "Hide Protected Operating System Files" is unchecked.
    Can any one tell me how to access that RarSFX0 folder?
     
  7. 2005/11/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Jim,

    I can access that Temp folder on my system; if you can see hidden folders, so should you. What's in there?

    On mine, an example of executables in there was an install for Msn Messenger v7.5 which I installed from there. Users are not supposed to be able to access that folder so every once in a while I'd get a message from Msn about installing it. I just did it on my own after creating a drive image.

    Regards - Charles
     
  8. 2005/11/21
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    charlesvar--I can get as far as the Temp folder. See Post #9 below for the contents.
    symlcsv1.exe is a "Symantec Core Component".
     
    Last edited: 2005/11/21
  9. 2005/11/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Jim,

    I would clean that folder out. Copy what's in there before you do that, but that's what I would do and go from there. Or if you have drive imaging, even better.

    I clean that folder out with SystemSecuritySuite periodically (I think you have that software).

    Regards - Charles
     
  10. 2005/11/21
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    charlesvar--Interesting suggestion. Many thanks.
    And I will try it after your comment on the following
    1) Do you mean delete the Temp folder, itself, or the contents?
    2) I should have posted this in the first place, rather than the image
    Directory of C:\Documents and Settings\UserName\Local Settings\Temp

    11/21/2005 05:40 PM <DIR> .
    11/21/2005 05:40 PM <DIR> ..
    11/17/2005 09:24 PM 102 8A56EAB7.TMP
    11/21/2005 01:50 PM 8,528 IUCheck.log
    11/21/2005 12:24 PM 1,019 jusched.log
    11/21/2005 12:24 PM 16,384 Perflib_Perfdata_238.dat
    11/21/2005 12:33 PM 0 scw9.tmp
    11/21/2005 12:25 PM 26,112 symlcsv1.exe
    11/21/2005 12:42 PM 33,843 TWAIN.LOG
    11/21/2005 12:42 PM 3 Twain001.Mtx
    11/21/2005 12:42 PM 156 Twunk001.MTX
    11/19/2005 06:08 PM 0 Twunk002.MTX
    11/21/2005 01:00 AM 33,708 VIRUPDAT.INI
    11/20/2005 10:26 AM 32,768 ~DF156F.tmp
    11/20/2005 08:32 PM 32,768 ~DF372D.tmp
    11/21/2005 12:24 PM 32,768 ~DF394E.tmp
    11/19/2005 11:27 AM 32,768 ~DF3CBF.tmp
    11/20/2005 10:26 AM 32,768 ~DF4071.tmp
    11/21/2005 01:13 PM 16,384 ~DFA42D.tmp
    11/20/2005 01:01 PM 32,768 ~DFBE12.tmp
    11/21/2005 12:24 PM 32,768 ~DFC17A.tmp
    11/19/2005 11:27 AM 32,768 ~DFC33A.tmp
    11/20/2005 01:01 PM 32,768 ~DFD648.tmp
    11/20/2005 08:32 PM 32,768 ~DFEA0F.tmp
    22 File(s) 463,919 bytes
    2 Dir(s) 136,353,660,928 bytes free

    The 11/21/05 12:24 PM time is about the time I installed the latest updated virus definition updates from NAV Intelligent Updater. And jusched.log is involved with Sun Java updates.
     
  11. 2005/11/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Jim,

    I meant the contents, not the folder.

    I remember a post by Christer stating that when you download something to a designated folder, the system will first download it to the temp folders, then transfer it to the folder specified. He was able to see this because he has a "slower" system - what he calls his BOAC, translated means "spare parts" I think.

    Regards - Charles
     
  12. 2005/11/22
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,560
    Likes Received:
    71
    Hi Jim and Charles!

    First off, my BOAC is a Box Of Assembled Components which were all brand new ...... :eek: ...... 4½ years ago. As for "slower", it still gets me into trouble faster than I need ...... :D ...... !

    Anyway, I don't know if this is applicable to automated downloads but if you manually download something from a site to e.g. D:\Installation, then the download will first go to C:\Documents and Settings\UserName\Local settings\Temporary Internet Files\Content.IE5\XXXXXXXX where XXXXXXXX represents one of the subfolders named "eight random letters and digits". Then the downloaded file is copied/moved to the user selected destination folder.

    For the active user account, the folder(s) "Content.IE5 and the subfolders" do not show in Windows Explorer but only a large number of files. I have only one account and have never seen "my own" Content.IE5 folder but I have checked other systems. Logged in to userA, the subfolders for userB are visible in Windows Explorer and vice versa.

    On rare occasions, it has happened that a TIF folder (with subfolders, the XXXXXXXX folders being empty) has ended up in my C:\Documents and Settings\UserName\Local settings\Temp folder. I don't know the answers to the "what-why-when" questions but maybe there is a connection to Jim's situation and I would almost expect an automated download to be extracted into C:\Documents and Settings\UserName\Local settings\Temp and to be executed from there. (It is defined under "Environment Variables", right?) Then, as we all complain about with a lot of "temp files", they do not get deleted when done but linger until the pedantic user deletes them. In this specific case, though, it seems like the file(s) get(s) deleted after being executed.

    About the Prefetch Folder, maybe I misread what Jim wrote but the executable itself doesn't get into that folder. It is a reference to the executable and what it needs to get started.

    This was not an answer to any of the questions but my take on to where downloads go and from where they are executed.

    Christer
     
  13. 2005/11/22
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Thanks Christer for the clarification, couldn't remember which temp folders you wrote about.

    Regards - Charles
     
  14. 2005/11/22
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Several different comments --so forgive the rambling.
    Christer--Thanks for your insight. I could not access Content.IE5 either when I first got my XP PC. When I opened TIF in Windows Explorer, there was no Content.IE5 folder. (Of course I had allowed Hidden Folders to be shown.) But I found that if I opened TIF and then typed \Content.IE5 at the end of the address line|Enter, I was allowed to see my Content.IE5 folders!! Some others have found this to work; some not.
    Anyway, back to updat32.exe.
    I tried the above technique to try to access the mysterious RarSFX0 folder, but no success. I have no idea if this is some misinformation from ZoneAlarm, but the following reference implies the virus definition updates are RAR files.
    http://www.dslreports.com/forum/remark,12585393~mode=flat
    This thread also suggests that updat32.exe has a legitimate function in addition to the one about Beta Update files mentioned in the Symantec article.
    On my PC, the only place I find updat32.exe is the Prefetch folder--not in a Temp folder or in Content.IE5. (Of course it has several numbers and letters added to it, like UPDAT32.EXE-04784ECB.pf, which I understand is normal for files in the Prefetch folder. I believe a .pf file can act as an executable. The extra numbers are added to avoid conflict in case the normal executable--without extra numbers--were to be in the same folder. ) If I delete the .pf file, it comes back with the next manual download and installation from Intelligent Updater. I never find a "plain" updat32.exe file. But ZoneAlarm is very clear that updat32.exe (not the .pf file) is making the request to access the internet.

    charlesvar--If you are still reading :) you can see from the dslreports.com article that maybe updat32.exe is OK. Too bad Symantec could not just tell me this. Anyway, based on your suggestion of yesterday, I deleted the UPDAT32.EXE-04784ECB.pf file from Prefetch, removed the updat32.exe entry from ZoneAlarm's Program Control, manually deleted as many files from that Local Settings\Temp folder as I could (some, like perflib, would not delete), and ran System Security Suite to delete Temp files in general. On reboot I first went into Safe Mode to find that all files in that Temp folder had apparently been deleted. But upon booting into normal Windows there were already a few files in the folder (including a new perflib). There was, however, no updat32.exe file in Prefetch. Since a new virus definition update was available, I downloaded and installed it. Imagine the pleasant surprise I had that it installed quickly and I got no Zone Alarm notice. The pleasant part disappeared, however, when I went to ZA's Program Control to find that not only was updat32.exe again listed but the Access to the internet was set at Allow!! And, of course I had an updat32.exe file in the Prefetch folder. That is one crafty program. (The .pf file has no Digital Signatures tab, so I cannot check that.)

    In view of the dslreports.com article, I am ready to give up fighting updat32.exe.

    Thanks to all for your help.

    P.S. Now I have to find out what symlcsv1.exe in the Local Settings\Temp folder is. But I will post that in another thread. ;)
     
  15. 2005/11/22
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,560
    Likes Received:
    71
    Jim,

    Thanks for the tip ...... :) ...... it worked on my computer. Content.IE5 and the subfolders appeared in the left hand pane too and I could view it all. Finally, I can clear the TIF folder and in Windows Explorer see what is still there (something is ...... :confused: ...... I think)!

    I'm almost certain it can not. I have compared a few entries in the Prefetch folder with the corresponding "executables" and it is very unlikely that any of them can be run. The entries in the Prefetch folder are kind of Windows "Notes" on how to optimize system start and application launch.

    It's not the download but the installation (execution of updat32.exe) that prompts Windows to put its "Notes" back.

    I agree with ZA ...... :eek: ...... !

    Before reading your latest post, I was going to suggest that the RarSFX0 folder had something to do with WinRar. The downloaded contents go into that folder and get extracted, run and subsequently deleted. Windows has taken its Notes and put them in the Prefetch folder and that is all that remains of the session. Maybe we (you) should be happy about a program that actually deletes the temp folders when done ...... :cool: ...... !

    A parallel is Automatic (?) Windows Update. As I understand it, the update KB898461 enables smaller update downloads because the Package Installer is now permanently installed on the system and does not have to be included in each and every download. My guess is that updat32.exe is a similar installer that has to be included in each download. The fact that ZA auto configures updat32.exe is a clear indication that it is legitimate, right?

    (The reason for the (?) in "Automatic (?) Windows Update" is that I believe updates downloaded to the local hard disk use Windows Installer. Only the automated function use the Package Installer.)

    Christer
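Christer's point above, that a .pf entry is Windows' record of a run rather than a runnable copy of the program, can be checked by reading the file itself. The following is an added example, not code from this thread or from Symantec or Microsoft: it parses the XP-era (format version 0x11) prefetch header and its list of files touched during the run, refuses anything that is really a PE image, reconstructs the EXENAME-HASH.pf name, and pulls out the full device path the executable ran from, which is where a RarSFX0-style temp path would appear. The sample .pf bytes are constructed inline; the hash 04784ECB is the one quoted in the thread, and the timestamp, run count and paths are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 0x11     # Windows XP / Server 2003 prefetch layout
HEADER_LEN = 0x98        # 84-byte header plus the 68-byte XP file-information block
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def is_executable_image(data):
    """True if the bytes carry a DOS/PE 'MZ' stub, i.e. something Windows could run."""
    return data[:2] == b"MZ"

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_prefetch_xp(data):
    """Read the fixed fields of an XP-format .pf file plus its filename list."""
    if is_executable_image(data):
        raise ValueError("this is a PE executable, not a prefetch file")
    if len(data) < HEADER_LEN or data[4:8] != PF_SIGNATURE:
        raise ValueError("no SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version != PF_VERSION_XP:
        raise ValueError("unsupported prefetch version 0x%x" % version)
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    names_off, names_len = struct.unpack_from("<II", data, 0x64)
    last_run = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    raw = data[names_off:names_off + names_len].decode("utf-16-le")
    return {
        "executable": exe_name,
        "hash": pf_hash,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "filenames": [s for s in raw.split("\x00") if s],
    }

def expected_pf_name(info):
    """Name Windows gives the trace file: EXE name, dash, 8 hex digits of the path hash."""
    return "%s-%08X.pf" % (info["executable"], info["hash"])

def executable_paths(info):
    """Full device paths in the trace whose basename is the traced executable."""
    return [p for p in info["filenames"] if p.rsplit("\\", 1)[-1] == info["executable"]]

def build_sample_pf():
    """Construct a minimal XP-style .pf image. Sample data, not a captured file."""
    names = [
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\USERNAME"
        r"\LOCAL SETTINGS\TEMP\RARSFX0\UPDAT32.EXE",
    ]
    section_c = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names)
    hdr = bytearray(HEADER_LEN)
    struct.pack_into("<I4sII", hdr, 0, PF_VERSION_XP, PF_SIGNATURE, 0x0F,
                     HEADER_LEN + len(section_c))
    hdr[0x10:0x10 + 60] = "UPDAT32.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, 0x04784ECB)       # hash quoted in the thread
    struct.pack_into("<II", hdr, 0x64, HEADER_LEN, len(section_c))
    last_run = datetime(2005, 11, 21, 17, 24, tzinfo=timezone.utc)  # constructed
    struct.pack_into("<Q", hdr, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", hdr, 0x90, 3)                # constructed run count
    return bytes(hdr) + section_c

if __name__ == "__main__":
    info = parse_prefetch_xp(build_sample_pf())
    print(expected_pf_name(info), info["run_count"], info["last_run"])
    print("ran from:", executable_paths(info))
```

Pointed at a real C:\Windows\Prefetch\UPDAT32.EXE-*.pf from an XP box, the same parser would show the temp path the installer ran from and how many times it has run, without ever executing anything.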
     
  16. 2005/11/22
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,560
    Likes Received:
    71
    I went Google on symlcsv1.exe and had a few ominous hits ...... :( ...... !

    Christer
     
  17. 2005/11/22
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Still with you Jim :)

    I find it odd that ZA automatically gave access, which I think means that updat32.exe is either a component of a process you have given permission to access already or is being executed by a "trusted" program. The only way to control that is thru ZA Pro which does look at process components and that might not be enough. Remember that thread at Wilders on ZA and processes that piggyback on trusted apps?

    Ultimately you'd need process control software like PGuard or SSM to control that sort of behavior.

    Regards - Charles
     
    Last edited: 2005/11/22
  18. 2005/11/22
    Welshjim

    Welshjim Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Christer--
    Yes, I know, but actually most of the hits never flat out say it is bad. In fact they often confuse symlcsv1.exe with symlcsvc.exe.
    I scanned with NAV, AdAware, Windowsecurity Trojan Scanner and HJT. The first three found nothing bad. www.sysinfo.org/startuplist.php never heard of it. I also use SpywareBlaster and I have MS AntiSpyware running.
    I have posted my HJT log.

    Back to updat32.exe. My total knowledge about Prefetch comes from here
    http://www.pcmag.com/article2/0,1759,1683520,00.asp
    http://www.theeldergeek.com/prefetch_parameters_-_altering.htm
    Still seems strange that the .pf version of updat32.exe is created and saved, since I understand you to say it winds up in Prefetch after updat32.exe has been used. Does not seem much purpose to that since I understand Prefetch to help the next startup.
    Do you think we really have a RarSFX0 folder hidden somewhere on the PC?

    Actually, I would have thought ZA would not permit something like that. Even Internet Explorer and Outlook Express have to ask ZA permission the first time they want to access the internet. I no longer have a problem that updat32.exe re-appears on the ZA list, but automatic setting to Allow is a bit much.

    Glad you can see Content.IE5 again!! :)
     
  19. 2005/11/22
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,560
    Likes Received:
    71
    Jim,

    No, not permanently but my guess is that the download creates it and it gets deleted after the process of extracting/executing. Windows takes Notes on almost everything that runs (except programs running from a DOS window) and in this case, the next time updat32.exe is downloaded, extracted and executed, Windows will have its Notes to make it happen quicker.

    (Speculating mode on:
    Downloads from Internet Explorer end up (temporarily) in one of the "eight letter/digit folders" within Content.IE5, probably because IE knows its name. Other applications have no knowledge about the "random name" and can not use the folders. They have to create their own download folders in the location specified in "Environment Variables".
    Speculating mode off.)

    Bad choice of words on my part. I meant "when updat32.exe is executed". The *.pf file is actually updated each time the associated application is run.

    I use Norton Internet Security and that firewall auto configures stuff that Symantec has verified to be legitimate. It's strange, though, that it doesn't auto configure its own stuff, like new LiveUpdate versions.

    Christer
     
