http://msmvps.com/blogs/hostsnews/archive/tags/Omniture+2o7.net/default.aspxTags: Omniture 2o7.netenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/hostsnews/archive/2008/08/30/1646253.aspxSat, 30 Aug 2008 05:46:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:1646253winhelp20021http://msmvps.com/blogs/hostsnews/archive/2008/08/30/1646253.aspx#comments<p>I&#39;ve blogged about this several times ...[<a target="_blank" href="http://www.mvps.org/winhelp2002/hostsfaq.htm#Norton_2007">here</a>] [<a target="_blank" href="http://msmvps.com/blogs/hostsnews/archive/2007/08/08/symantec-detects-a-possible-malicious-entry-in-the-hosts-file.aspx">here</a>]&nbsp;however as I am frequently asked about this (false) prompt (mostly from new MVPS HOSTS users) I thought I would address this again ... especially after seeing a response from one of their (very) uninformed commenters on <a target="_blank" href="http://community.norton.com/norton/board/message?board.id=nis_feedback&amp;message.id=6341">their Forum</a> ...</p> <p><em>&quot;I did not read in detail the links you provided, so this may not directly answer your question, but it may help you understand what is happening here.&quot;</em></p> <p>Then why bother ... if you are not going to &quot;read in detail the links&quot; ...</p> <p>And then goes on to say:</p> <p><em>&quot;So in your case what has happened is that a piece of malware has modified your HOSTS file to include entries for &#39;tc.symantec.com&#39; and &#39;om.symantec.com&#39;.&quot;</em> ... talk about mis-informed ... <strong>duh!</strong></p> <p>If you had bothered to read the links then you would not (hopefully) make such a truly false statement.<br />Here is&nbsp;a typical&nbsp;prompt Symantec users see ...</p> <p><img width="615" src="http://www.mvps.org/winhelp2002/liveupdate.jpg" height="382" alt="" /></p> <p>If Symantec users click the drop-down arrow there is an option for:<br /><strong><em>&quot;Leave the entry in the hosts file (do not warn me about them later)&quot; </em></strong>(then this is no longer an issue ...)</p> <p>Let me be very clear ... these are <strong>NOT</strong> entries from Symantec ... although they try to disguise them as such ... they both are 3rd party entries from <a target="_blank" href="http://en.wikipedia.org/wiki/Omniture" title="Wikipedia description of Omniture">Omniture</a> ... and they do <strong>NOT</strong> prevent Symantec products from updating themselves ...</p> <p><img width="439" src="http://mvps.org/winhelp2002/blog/symanteccom1.gif" height="342" style="border:1px solid black;" alt="" /></p> <p>As you can see &quot;<em><strong>om.symantec.com</strong></em>&quot; is actually an alias for &quot;<em><strong>symanteccom.112.2o7.net</strong></em>&quot; and the IP addresses are all controlled by Omniture.</p> <p><img width="722" src="http://mvps.org/winhelp2002/blog/symanteccom2.gif" height="409" style="border:1px solid black;" alt="" /></p> <p>Even when you run a traceroute you can see above where it ends ... below is just a partial list of the Omniture entries and the IP addresses ... which shows that some sites prefer the &quot;2o7.net&quot; while others prefer to hide their identity as in the case with Symantec ...</p> <p><img width="425" src="http://mvps.org/winhelp2002/blog/symanteccom3.gif" height="403" style="border:1px solid black;" alt="" /></p> <p>&nbsp;<strong>Note</strong>: it appears that Symantec is no longer using &quot;<em>tc.symantec.com</em>&quot; on their site ... most likely after I <a target="_blank" href="http://msmvps.com/blogs/hostsnews/archive/2007/08/08/symantec-detects-a-possible-malicious-entry-in-the-hosts-file.aspx">exposed this issue last time</a> ... where they were using the Privacy policy from a 3rd party (Omniture) and not their own. So this entry will be removed and will reflect in the next update ...</p> <p><img width="450" src="http://mvps.org/winhelp2002/blog/touchclarity.gif" height="84" style="border:1px solid black;" alt="" /></p> <p>Folks I can not control these false-positive prompts from Antispyware/Antivirus products ... believe me I&#39;ve tried ... but they refuse alter their scanning techniques, so all I can do is try to explain why these entries exist ... then you can decide for yourself if you have a malware infection ... or a poorly writen scanner detection. There is no such thing as a infection that only alters the HOSTS file ... so if that&#39;s all that shows up in a scan then check it out or ask ... I will gladly assist in determining the cause ...</p><div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=1646253" width="1" height="1">Omniture 2o7.net