Symantec detects a possible malicious entry in the HOSTS file
I have received a few inquiries about a new entry in the HOSTS file, wanting to know if this was correct or a false-positive. I created a brief explanation in the HOSTS FAQ but I thought I'd expand on it a bit here ...
The Symantec (Norton 2007) message most users see:
"A malicious entry in your hosts files could prevent LiveUpdate from retrieving updates for your Symantec products, including anti-virus updates. Generally, Symantec LiveUpdate server entries should not appear in your Windows hosts files. Update has detected a potential security compromise on your computer: one or more entries should not appear in your Windows hosts files."
It lists the address 'om.symantec.com' as being in the hosts file and asks what action to perform:
1. Leave the entry in the hosts file (warn me about them later)
2. Leave the entry in the hosts file (do not warn me about them later)
3. Remove the entry from the hosts file (Recommended)
Simply select Option #2 and this message should not appear anymore ...
The entries "om.symantec.com" and "tc.symantec.com" are both actually 3rd party entries from Omniture (2o7.net).
Note: these entries do not affect "LiveUpdate", nor are they specific to LiveUpdate. Symantec uses them on all of its pages, and the message above is just a generic message.
One or more CNAMEs were encountered. om.symantec.com is really symanteccom.112.2o7.net
One or more CNAMEs were encountered. tc.symantec.com is really symantec.tcliveus.com
Where "om." = Omniture and "tc." = Touch Clarity (Omniture acquired Touch Clarity in the first quarter of this year)
127.0.0.1 sdc.mcafee.com #[statse.webtrendslive.com]
Example of other alias entries used by Omniture
As you can see above, the "om." entry is not specific to the Symantec entries ...
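The aliasing described above can be audited directly from a HOSTS file. The following Python sketch is an added example, not code from the original post: it parses sinkhole entries, reads the `#[...]` comment as the CNAME target of the blocked name (an assumption based on the entry shown above), and reports names whose alias sits under a different parent domain. The sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample in the style of the entry shown above; the #[...] comment
# is assumed to carry the CNAME target of the blocked name.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1  localhost
127.0.0.1  om.symantec.com  #[symanteccom.112.2o7.net]
127.0.0.1  tc.symantec.com  #[symantec.tcliveus.com]
127.0.0.1  sdc.mcafee.com #[statse.webtrendslive.com]
127.0.0.1  www.example.com  #[cdn.example.com]
0.0.0.0    ads.example.net
"""

ALIAS_RE = re.compile(r"#\s*\[([^\]\s]+)\]")
SINKHOLES = {"127.0.0.1", "0.0.0.0"}


def base_domain(name):
    """Naive parent domain: last two labels (assumption; ignores suffixes like co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def parse_hosts(text):
    """Yield (hostname, alias_or_None) for every sinkholed name in a HOSTS file."""
    for raw in text.splitlines():
        entry, _, comment = raw.partition("#")
        fields = entry.split()
        if len(fields) < 2 or fields[0] not in SINKHOLES:
            continue  # blank line, pure comment, or a real address mapping
        m = ALIAS_RE.search("#" + comment)
        alias = m.group(1).lower() if m else None
        for host in fields[1:]:  # a line may list several names
            if host.lower() != "localhost":
                yield host.lower(), alias


def third_party_aliases(text):
    """Return {hostname: alias} where the alias lives under a different parent domain."""
    return {h: a for h, a in parse_hosts(text)
            if a and base_domain(a) != base_domain(h)}


if __name__ == "__main__":
    for host, alias in third_party_aliases(SAMPLE_HOSTS).items():
        print(f"{host:20} -> {alias}  (served by {base_domain(alias)})")
```

A name flagged here looks first-party but is served by another company's infrastructure, which is why a blocked "symantec.com" entry can be correct without touching LiveUpdate.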