Author Topic: Norton Security alert on Electrum node.ispol.sk  (Read 190 times)
cryptospin (OP)
March 13, 2019, 08:27:04 PM
Merited by HCP (1)
 #1

Hello,

I just have an issue with Electrum 3.3.4. When it connected to the node node.ispol.sk, Norton antivirus showed an alert and blocked the connection to this IP.
It shows the warning "System Infected: PUA.Coinminer Activity 5" and connects it with ELECTRUM-3.3.4.EXE.
I checked the signature of the Electrum file and it's good.

This alert can easily be reproduced by connecting manually to this node, node.ispol.sk, with Norton Security.

I have a screenshot, but as I understand it I can't add it at this time. It is accessible at this link: https://dropmefiles.com/zpA5U

What do you think?





HCP
March 13, 2019, 10:02:53 PM
Merited by ABCbits (1)
 #2

Reading the Symantec description of this type of threat... it appears they might just be detecting connections to specific IP addresses associated with "Coinminers"... hence why it only triggers if you connect to "node.ispol.sk".
"Unusual network activity (e.g. connections to mining-related websites or IP addresses). For example, you may notice unexpected PowerShell processes connecting to IP addresses associated with xmrpool[.]net, nanopool[.]org, moneropool[.]com, and similar addresses."

If the alert doesn't show up when you connect to other nodes, then you should be fine... Norton is just scanning your network and preventing connections to what it considers to be a "bad" IP... If it shows up when connecting to ANY Electrum server, then I'd start to be really concerned... although, you already stated you checked the signature file.

Also, can you confirm that you installed Electrum to a non-standard location (or are using the standalone/portable version)? Your alert message shows it is running from a very unusual location...

cryptospin (OP)
March 13, 2019, 10:19:02 PM
 #3

Yes, Electrum is installed to a non-default location. This is exactly the place where I chose to install it.

This issue only appears when connected to node.ispol.sk.

I have already made a transaction on this wallet version with my Ledger device and it went to the right address.

Thanks for the answer.

Abdussamad
March 14, 2019, 06:51:12 AM
 #4

You can switch servers.

Pmalek
March 14, 2019, 10:06:02 AM
 #5

The address seems to be clean according to VirusTotal - https://www.virustotal.com/#/url/c9fbbc7411cc0d754fbdf7a2e5c16f86549a8b0d5a9708ec224b07c6f58c4b52/detection

ryap12
March 14, 2019, 10:10:14 AM
 #6

This is why I don't use Norton as an anti-virus, because it affects some of my running software, plus I am not that techie. It also takes my time to work on something whenever Norton blocks it. Hope you get to figure it out or got answers from above. They said it's okay and it's clean, so I guess it is safe then.

Lucius
March 14, 2019, 10:58:01 AM
 #7

~snip~
Nothing is wrong with Norton Security, I have used it for years without any problems. Compared with some other security solutions, I can say that it has proven to be the best. You may be bothered by notifications which are turned on, or something like that, but it is very easy to enable / disable any option.

cryptospin, you can try to report this issue to Norton, maybe it is just a false positive detection. Even before, Norton (and some other AVs) blocked Electrum as a threat, and they fixed that. For more info visit this thread.

cryptospin (OP)
March 14, 2019, 05:53:50 PM
 #8

I was not so worried about this issue as I use a hardware wallet and trust Norton Security. But I thought that this fact might be interesting to the community.
Thanks to all.
joniboini
March 15, 2019, 09:06:00 AM
 #9

"I was not so worried about this issue as I use a hardware wallet and trust Norton Security. But I thought that this fact might be interesting to the community.
Thanks to all."

It is indeed interesting. At least it shows that some Electrum server address is somehow detected as malicious because it was detected to run Coinminer, which is a famous web browser mining app if I remember it correctly. Maybe the owner of the server runs his own web-based mining app, or he applies that script to any request coming to his server (if that is even possible), so his client needs to run Coinminer first before his request gets confirmed (not sure about this, just my speculation).

Thanks for the info.

