It appears that the open source Tomato router firmware, which is also increasingly being adopted by manufacturers of routers, has a bit of a problem.
One of the router’s default settings leaves port 8080 open to the Internet - with a default user name of “admin” and a default password of “admin”. Alternatively, the user name is “root” with the same “admin” password.
If your router runs Tomato, you can check whether ports are open to the Internet using the GRC ShieldsUp tool - which tries to send your system messages to commonly used ports. You can also specify the port to be scanned - in this case 8080.
If your router is exposed to the Internet:
Did you deliberately expose it and set a strong user name/password combination?
If not, panic. Then read the router’s manual to find out how to close the port (preferably) or at least set a strong password.
While you’re on the GRC website, you may wish to try the UPnP probe for Windows (which requires a small download that must be run as Administrator) and read the supporting information to see if you have that particular vulnerability. In most cases, routers and Windows are both set up to accept UPnP connections.
(I just learned that my current Windows install had UPnP enabled, and immediately turned it off. It doesn’t matter enormously, as my router is rejecting requests - but if I had a rogue program it would have slightly more difficulty communicating with the mothership.)
That is very puzzling, given that Mr Gibson hosts all his own files and is somewhat touchy about security. It could be because of the age of the program, or perhaps its need for administrator permissions?
I also see that the program is not digitally signed, and have sent a message on Twitter asking about this.
The program you linked to downloaded and Norton said it was safe, and I have run it and disabled MS’s PnP fail, but something arrived just before it with a name of a very large number of letters, which Norton exterminated before I could make note of it.
I have no idea, but it would seem a bit rude to send it before you run the program. Perhaps our Privacy Champion will come to the rescue with an answer.
Almost certainly not. By its name, it looks like a temp file created as part of the download (i.e. false positive). No reply from the software author about digital signatures yet, but that’s not entirely surprising as I think he gets a lot of mail.
Did Norton identify from which folder it quarantined the file? I see the report says “fewer than 5 users have used this file”, and that it was released less than 1 week ago - both suggesting to me that it may simply be a misclassified temp file. I see there is also an ‘origin’ tab - does that add any useful information? File size would also be interesting to know.
Bear in mind too that the modern computer has dozens of different programs accessing the Internet at once, so it is also possible that something other than your web browser (and the page it was visiting) was responsible. Additionally, web browsers are not static - mine downloads several megabytes while I am away from it during the day (and/or night).
So definitely a cache file. There was a question about this in the Norton community, and it looks like a false positive from what the person has said. There is also allegedly a write-up, but Norton’s website redirects me. Ah - another link works. (Note: if you do not need to go to the Norton website I recommend against it - it behaves poorly, with popups and disabling the ‘back’ button on some pages.)
Basically, Norton is saying ‘send us the file, we think it’s malware because our heuristics say it’s malware’.
It is a heuristic detection (i.e. the file involves virus-like behaviour), so it is quarantined by NAV. If it is the temp file for the UPnP tester, or more particularly the port prober, it would not be unusual for it to be found to have virus-like behaviour. Submit the file to Norton/Symantec to get them to look at it for a possible false positive (FP). This Heur.AdvML.B has been an ongoing troublesome FP part of their engine since at least 2016 (https://community.norton.com/en/forums/heuradvmlb-detected-false-positive-or-not) and is because the files are normally trying to usurp the Windows Win32k local privileges. The action of the known bad ones in this is that they act as Trojans to enable downloading of other packages and exploiting vulnerabilities.
From a write up about this detection process:
"Heur.AdvML.B is a heuristic detection designed to generically detect malicious files using advanced machine learning technology. A file detected by this detection name is deemed by Symantec to pose a risk to users and is therefore blocked from accessing the computer.
Due to the generic nature of this threat, we are unable to provide specific information on what it does. A typical behavior for Trojans like Heur.AdvML.B is one or all of the following:
Download and install other malware.
Use your computer for click fraud.
Record your keystrokes and the sites you visit.
Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
Give a remote malicious hacker access to your PC.
Advertising banners are injected with the web pages that you are visiting.
Random web page text is turned into hyperlinks.
Browser popups appear which recommend fake updates or other software.
Files reported as Heur.AdvML.B may not necessarily be malicious. Should you be uncertain as to whether a file has been reported correctly, you can submit the affected file to https://www.virustotal.com/en/ to be scanned with multiple antivirus engines."
As you can see, it is quite a broad check and does catch legitimate files, particularly vulnerability testing programs.
I love false positives, especially when the AV deletes or quarantines the file and the application that needs it for installation or operation suddenly cannot find it and summarily crashes.
After a bit of this, we learn to try disabling our AV if we are confident it is not a real threat, but it does get old. It is not as if AV companies have never taken down entire companies, one of the more egregiously clueless cases.