Norton Personal Firewall -- Virus threat?!

Cannot install Comodo due to false-positive detection of Norton products.

Hello,

This is my first bug report in a LONG time; I’ve installed Comodo on hundreds of machines over the past 3+ years. Many many thanks for everything you guys do (including implementing our feature suggestions)!

I had problems today installing Comodo on a user’s Windows XP machine. This is a church office computer, has been running the same Dell OEM copy of XP for the past 5 years, but is relatively in good shape.

Comodo prompts with an error message during install, that it detects Norton Personal Firewall is installed on the system, and that it must be uninstalled before Comodo can continue with installation.

Norton Antivirus, I am told, was installed once upon a time about 2 years ago. It is NOT on the system today.

I have…

Checked the Start menu for all users,
Checked the Add Remove Programs for all users,
Checked the Harddrive for “Norton” and “Symantec”
Checked the Registry for “Norton” and “Symantec”
Checked the Services and other Boot areas
Ran a plethora of Sysinternals and NirSoft utilities to scan and monitor the system for Norton-like behavior.
Installed Norton Personal Firewall, then Uninstalled it.
Ran Norton’s own Norton Removal Tool.
Rebooted between each step.
Given up.

This is a pretty scary bug, as it represents an attack vector for viruses to prohibit anti-virus software from being installed. Simply spoof some residue of competing anti-virus/firewall software all about the system, thus spooking Comodo (and others?) from ever being installed.

As anti-virus software, Comodo should be capable of treating Norton products AS a virus and remove them as part of the installation procedure! ;D

Please look into this bug. If you require any sort of data from this system, send me whatever script/executable you need me to run to help you nail this sucker.

Obsessively yours,

Eric

PS. Please try and cut down on the number of GDI objects Comodo uses. You already exceed WinAmp and are coming dangerously close to Firefox. These are two of the dirtiest GDI hogs out there – and Comodo has now moved into 2nd place! :frowning:

It's because there are some traces of Norton on the PC… Comodo thinks it's installed. It's not a bug.
You'll have to run the Norton Removal Tool, and if that doesn't work… Google how to remove Norton firewall traces.

Please read my post again.

Already ran Norton Removal Tool.

Even tried Installing then Uninstalling Norton.

Even hand picked through the entire harddrive and registry for “norton” and “symantec”. Nada!

I did read your entire post! Comodo doesn’t just randomly flag a computer and not install… it just isn’t logical.

There are obviously some traces of Norton on the PC. IMO - you should go to the Norton forums and say that the removal tool they provided is not cleaning all the traces. (Maybe you're using the wrong version or year?)

You could skip all that hassle and reformat. It's been a decent 3+ years since that's been formatted… (You said the system is an XP OEM install, Vista was released 2007… so it's likely this user hasn't formatted in a while…)

You could try to run a registry cleaner such as Comodo System Cleaner:
http://www.comodo.com/home/support-maintenance/system-cleaner.php

This may solve the problem. Logically though the Norton Removal Tool should have worked unless it’s aimed at removing newer versions of Norton than the one that was installed. I suppose you could look into that.

Could you guys post the registry keys, etc, that the CIS installer scans for Norton and other products?

Please Please Please?!

Honestly, there should be an override for the installer. What happens when malware catches on that Comodo can be thwarted this easily? This is a serious attack vector!

Do you know what version of Norton was installed? If you do, you can read about how to remove it here. http://service1.symantec.com/support/ent-security.nsf/pfdocs/2002031914291648?open

I honestly don’t know what version of Norton Personal Firewall was previously installed. There are no references anywhere on the machine, at all, to Norton, Symantec, or Firewall.

I ran CSC as recommended above, and still get the error message from CIS installer that Norton Personal Firewall must be uninstalled first. There is no override or option offering to “uninstall” it for me.

Next up is to run Sysinternal’s FILEMON and REGMON while CIS is installing to find the trap that CIS keeps hitting. I was hoping I could get that information here without spending 2 hours reviewing REGMON logs.

If you guys have a debug version of CIS’s installer, that would be helpful.

Check the following registry keys:
k1=HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CcFWSettg.FirewallSettings
k2=HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7}
k3=HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CcFWSettg.FirewallSettings\CLSID

If at least one of them exists, COMODO can't be installed.

Here’s a few resources:

http://www.askdavetaylor.com/how_can_i_fully_remove_norton_antivirus_from_my_system.html

http://www.bleepingcomputer.com/forums/topic34671.html

http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

LM

Hi

Perhaps Windows Security Centre still believes that Norton is present. Please see
https://forums.comodo.com/install-setup-configuration-help-cis/cleanup-tool-for-comodo-internet-security-t36499.15.html

In post 17 I asked about

NET STOP WINMGMT /Y
cd "%windir%\system32\wbem\"
RD /S /Q "Repository"
NET START WINMGMT /Y

And in the following few posts Ronny and I exchanged questions and answers which may be relevant to you.

I would advise not acting on the above unless the Security Centre tells you Norton is still present.
I strongly recommend that you rename the directory instead of removing it,
because I have seen warnings that a “corrupt” system may be unable to rebuild the repository,
so it may be prudent to have an escape route to get back to how things were.

I think my repository is mostly good, but there are 4 off .NET Framework items that fail to rebuild.
I do not think my system has been the same since I ran the clean-up script a few dozen times “on-the-trot” whilst trying to deal with many permissions issues.
It was only some weeks after this that I realised that whilst I was trying to see which keys had permission issues, the poor old Repository was deleted and part way through a rebuild was being zapped, again and again and again.
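The two checks discussed in this thread (the three registry keys the CIS installer looks for, and whether Windows Security Center still lists a firewall product) can be run together from cmd.exe. The following batch script is an added example, not Comodo's installer code or anything from this thread's posters; the key paths are the ones quoted above, while the backup directory name is my own choice and wmic.exe is assumed to be present (XP Professional). It only reports and backs up; it deletes nothing.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added diagnostic (not Comodo's or Symantec's code): reports which of the
rem three registry keys quoted in this thread still exist, exports each one
rem found so the change can be reverted, and asks Windows Security Center
rem (WMI namespace root\SecurityCenter) whether it still lists a firewall.
rem Assumes reg.exe and wmic.exe are available (XP Professional).

set "BACKUPDIR=%USERPROFILE%\norton-residue-backup"
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

rem The three keys the CIS installer checks, as given in this thread
set "K1=HKLM\SOFTWARE\Classes\CcFWSettg.FirewallSettings"
set "K2=HKLM\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7}"
set "K3=HKLM\SOFTWARE\Classes\CcFWSettg.FirewallSettings\CLSID"

set /a FOUND=0
set /a N=0
for %%K in ("%K1%" "%K2%" "%K3%") do (
    set /a N+=1
    rem reg query exits 0 only when the key exists
    reg query "%%~K" >nul 2>&1
    if !errorlevel! equ 0 (
        echo [FOUND]  %%~K
        set /a FOUND+=1
        rem Export before anything is removed, so there is an escape route
        if exist "%BACKUPDIR%\key!N!.reg" del "%BACKUPDIR%\key!N!.reg"
        reg export "%%~K" "%BACKUPDIR%\key!N!.reg" >nul
    ) else (
        echo [absent] %%~K
    )
)

echo.
echo Firewall products registered with Windows Security Center:
wmic /namespace:\\root\SecurityCenter path FirewallProduct get displayName 2>nul

echo.
echo %FOUND% of 3 residue keys present; backups (if any) are in "%BACKUPDIR%"
endlocal & exit /b %FOUND%
```

The exit code equals the number of residue keys found, so the script can be chained before an unattended CIS install; if Security Center still names a firewall that is no longer installed, that points at the WMI repository issue discussed above rather than the registry keys.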

k1=HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CcFWSettg.FirewallSettings
k2=HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7}
k3=HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CcFWSettg.FirewallSettings\CLSID

A million thanks to you! Confirming this was indeed the necessary bit to get rid of that bloody message. Comodo guys, it's kind of uncool that those entries can let you down… there was no trace except for this left. Just FYI.

I’m working on a program that will be useful for problems like these…
https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/security-app-remover-discussion-t55649.0.html