Norton detection - false positive?

HCHTech

I've got a client whose accountant is getting a warning from their installation of Norton every time they visit my client's website - as follows:

[attached screenshot of the Norton warning]
Note the URL flagged, it's the main website, but it's finding an autodiscover.xml file. The website guy (a referral partner of mine) says this file doesn't exist on the website and all of his scans of the site come back clean.

This sure sounds like a false positive from Norton, but why would it be picking up an autodiscover file on a website? Especially one that isn't really there. None of this is making any sense.
 
Get rid of Norton, get rid of the issue. Isn't autodiscover.xml an email config file?

Make sure that the customer does not have any forwards added in their email cPanel.
Also check the DNS Records as to verify none are added/rerouted to be sure.
It is not linked to any backlink on the website?
 
Get rid of Norton, get rid of the issue.
Not my computer, and not my client's computer. I have no decision-making ability there. I'm just trying to understand the flag. In my mind, there is no reason for an autodiscover.xml file to be on the website at all, and the web guy says there isn't. Yet, Norton is still complaining. If I can't understand it, there is no chance my client can, that's for sure.
 
Isn't autodiscover.xml an email config file?
According to ChatGPT:
what is autodiscover.xml

ChatGPT said:

autodiscover.xml is a file used in Microsoft Exchange and Office 365 environments as part of the Autodiscover service. This service helps email clients, like Microsoft Outlook, automatically configure connection settings for Exchange servers without needing manual input.

When setting up an email account, the client uses Autodiscover to find the appropriate server settings by connecting to a predefined URL (e.g., https://domain.com/autodiscover/autodiscover.xml). The server responds with an XML file containing configuration details such as:

  • Mail server addresses
  • Connection protocols (e.g., Exchange ActiveSync, Outlook Anywhere)
  • User mailbox settings
This process simplifies email account setup, especially in large organizations, by automating the discovery of server settings.
 
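The discovery sequence described above is what puts a mail client on a company's web server in the first place: the first URL an Outlook client tries is https://<smtp-domain>/autodiscover/autodiscover.xml on the bare domain, which is usually the same host that serves the company website. The following script is an added example for this thread (not code from the forum, from Norton or from Microsoft): it lists the probes in the documented order for a given SMTP domain and classifies a POX Autodiscover response as settings, redirect or error. The XML documents and the example.com / example.net / person1.com names are constructed placeholders.

```python
"""Autodiscover probe order and POX response parsing.

Added example, not code from the thread, Norton or Microsoft.
All XML below is constructed; the domain names are placeholders.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from urllib.parse import urlsplit


def candidate_urls(smtp_domain: str) -> list[tuple[str, str]]:
    """Ordered (kind, target) probes a non-domain-joined Outlook client makes
    for a mailbox in smtp_domain, following the sequence Microsoft documents
    (simplified: the Active Directory SCP lookup is skipped).

    The first probe goes to the bare domain, i.e. the company's web server.
    A 404 there is the normal result and the client simply moves on.
    """
    d = smtp_domain.strip().strip(".").lower()
    return [
        ("https", f"https://{d}/autodiscover/autodiscover.xml"),
        ("https", f"https://autodiscover.{d}/autodiscover/autodiscover.xml"),
        # plain-HTTP probe: the client only accepts a redirect here, never settings
        ("http-redirect", f"http://autodiscover.{d}/autodiscover/autodiscover.xml"),
        ("dns-srv", f"_autodiscover._tcp.{d}"),
    ]


# Constructed sample responses (namespaces are the real Autodiscover schema URIs).
SETTINGS_XML = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <AccountType>email</AccountType>
   <Action>settings</Action>
   <Protocol><Type>EXCH</Type><Server>mail.example.com</Server></Protocol>
   <Protocol><Type>EXPR</Type><Server>outlook.example.com</Server><SSL>On</SSL></Protocol>
  </Account>
 </Response>
</Autodiscover>"""

REDIRECT_XML = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <AccountType>email</AccountType>
   <Action>redirectUrl</Action>
   <RedirectUrl>https://autodiscover.example.net/autodiscover/autodiscover.xml</RedirectUrl>
  </Account>
 </Response>
</Autodiscover>"""

ERROR_XML = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response>
  <Error Time="12:00:00.000" Id="1">
   <ErrorCode>600</ErrorCode>
   <Message>Invalid Request</Message>
   <DebugData />
  </Error>
 </Response>
</Autodiscover>"""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name: str):
    """Text of the first descendant (in document order) with local name `name`."""
    for e in elem.iter():
        if _local(e.tag) == name:
            return (e.text or "").strip()
    return None


def parse_pox_response(xml_text: str) -> dict:
    """Classify a POX Autodiscover response as error, redirect or settings."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Autodiscover":
        raise ValueError("not an Autodiscover document")
    err = next((e for e in root.iter() if _local(e.tag) == "Error"), None)
    if err is not None:
        return {"action": "error", "code": _text(err, "ErrorCode"), "message": _text(err, "Message")}
    action = _text(root, "Action") or "settings"
    if action == "redirectUrl":
        url = _text(root, "RedirectUrl") or ""
        # Only an HTTPS redirect should be trusted: the unauthenticated HTTP probe
        # is exactly where something on the path could point the client elsewhere.
        return {"action": action, "redirect_url": url, "https_only": urlsplit(url).scheme == "https"}
    if action == "redirectAddr":
        return {"action": action, "redirect_addr": _text(root, "RedirectAddr")}
    protocols = [
        {"type": _text(p, "Type"), "server": _text(p, "Server"), "ssl": _text(p, "SSL") == "On"}
        for p in root.iter() if _local(p.tag) == "Protocol"
    ]
    return {"action": action, "protocols": protocols}


if __name__ == "__main__":
    for kind, target in candidate_urls("person1.com"):
        print(f"{kind:14} {target}")
    for name, doc in (("settings", SETTINGS_XML), ("redirect", REDIRECT_XML), ("error", ERROR_XML)):
        print(name, parse_pox_response(doc))
```

Running it shows that the mail client's request to the website is expected behaviour, not evidence that the file exists: the web server answers 404 and the client continues down the list. The https_only flag is the check worth keeping in mind when a redirect is suspected, since a redirect delivered over plain HTTP is the one the client cannot authenticate.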
Well there you go, thanks ChatGPT. That means it could be a possible redirection as well, or it is a misconfiguration, I suppose.
It is wise to double check the client's email server settings to be sure though.
 
autodiscover is the file used to log applications, such as Excel, Word, PowerPoint, etc, etc, into MS to validate the license and license type for services. For instance one has to have a CNAME DNS record for the domain in question to work properly with Exchange. It looks like Excel is what is actually making the call. It's Norton so I'd have them dump it.

And I didn't use Ch!tGPT. LOL
 
You should load the page and F12 your Chromium browser - If autodiscover is there, it should be shown under the sources tab... or you should be able to see a reference to it somewhere in there.
 
autodiscover is the file used to log applications, such as Excel, Word, PowerPoint, etc, etc, into MS to validate the license and license type for services. For instance one has to have a CNAME DNS record for the domain in question to work properly with Exchange. It looks like Excel is what is actually making the call. It's Norton so I'd have them dump it.

And I didn't use Ch!tGPT. LOL
Yes I would suspect though to be safe best to check the email config as well.
 
This sure sounds like a false positive from Norton
Yes, and it appears to be from their "Safe Web" browser extension. There should be a way of overriding it for that URL, or disable the extension for that URL.

The web guy should install Norton, or perhaps just the Safe Web extension, and test. If they get the same problem he should submit the false positive to Norton (or fix the web site).
 
Why would Excel be calling for that URL?

Is there a link in a spreadsheet that refers to the accountant's site, and the user doesn't have Excel activated so it's trying to do so?

I’d say you need to confirm what the user is doing to get that message. You said it’s when they visit the site. The calling application should be Chrome or Edge or Firefox.
 
I’d say you need to confirm what the user is doing to get that message. You said it’s when they visit the site. The calling application should be Chrome or Edge or Firefox.

Right? I think this is clearly a case of "we don't have all of the relevant information". The accountant in this case sent an email to the client saying "your website is infected, see? [Paste]". The client forwards that to the web guy, who scans the site and forwards it to me - haha. No one wants this football. I will check the sources, thanks @phaZed - after that, I'm going to punt this back - if Excel is calling it, then they must be using Excel somewhere in this mix. I'll bet once we know exactly how they are calling the site, the answer will be obvious.
 
Final Answer: False Positive.
That's what I'm calling it - even though the flag makes no sense to me. It is not normal for person2's installation of Norton to flag an autodiscover.xml file when visiting person1's website, shown as https://www.person1.com/autodiscover.xml called by Excel installed on person2's computer. If this was really Excel confirming activation on person2's computer, then it should be noted as living at www.person2.com/autodiscover.xml! There are definitely some mixed up pointers somewhere.
 
Well, the final answer is most likely a false positive, as everyone seems to agree. I would still want to get to the bottom of it if I were involved, for two reasons: one, it is an interesting puzzle, and I like puzzles and like figuring things out, as probably many of us do. Secondly, in a way your reputation may be on the line a little bit. The accountant and your client may both be a little leery about this, and while they may agree it's a false positive, in some ways it could reflect poorly on you or be a chip away at your reputation. Not a major hit, but I'd still want to clear my name.
 
I would still want to get to the bottom of it if I were involved. For two reasons: one is an interesting puzzle, and I like puzzles and like figuring things out, as probably many of us do.
Yes - it's still nagging at me. They did submit it to Norton as a false positive. The client also reported that one of their customers who runs Norton reported the same detection, so he had them submit it as a false positive as well. If we could get 50 or 60 of those submissions, Norton might actually fix it...

You should load the page and F12 your Chromium browser - If autodiscover is there, it should be shown under the sources tab... or you should be able to see a reference to it somewhere in there.

I spent 30 minutes digging through these pages last night, no autodiscover file found - although the ability to search in that environment isn't intuitive or confidence-building. I don't have access to the back end (and don't want it). I wish they had never brought me into the loop now - haha. I tried to get a directory listing of the various folders by picking apart URLs of some of the pictures, but I'm guessing that stopped working several years ago when more security became the norm. I only got 404 pages in that attempt.

The website is their main sales platform - so it's complicated. Lots and lots of pages, pictures and coding. My web guy who built the site says he is calling in the "big guns", someone else he knows that is more knowledgeable for thorny problems. I'm trying to stay out of the solution path, but they keep copying me on all of the emails going back and forth.
 