Does someone have remote access to my computer? I am confused. (Norton)

Hi there,

I don’t have much technical knowledge of how computers work, so I was hoping for someone to explain to me, please, what is going on and if this is something I should be concerned about.

Basically, I have been getting a lot of messages in Norton the past few days saying, “You allowed “insert program name” to access your network resources,” and when I clicked on more information, I noticed next to local computer, it had a weird web address (the address: as you can see in my picture attached) with my IP address and then some other numbers. I am also constantly getting messages in Norton’s history about “Firewall rules updated” which concern me. I have also received a notice from Norton of Rule “Default Block Windows File Sharing,” which has the remote host as the web address (Plista) I posted above.

Does this mean someone has remote access to my computer? Or am I infected by a trojan or malware? I have done countless scans and used Norton Power Eraser, but it finds nothing. I have never heard of Plista before this issue. They appear to be some kind of German advertising company.

I am really confused about what is happening. Any help would be greatly appreciated.

Thank you.

That is a Windows app to sync your phone to your computer. It probably tried to connect to an ad network on plista and Norton rightfully alerted you to it due to your firewall rules but this is just a guess from one screenshot.

If you are worried about it, contact Norton support to find out what exactly happened.

Hi, I have had the same thing on Norton. I hadn’t downloaded anything that I had not already checked and none of my devices are synced. I followed the advice to clear browsing history on Chrome and also updated the browser. There was no suspicious activity on the account, no pop ups, no performance dips that suggested a browser hijacker. My bank details are attached to my Google account and nothing was taken. The Farm.plista has now gone from Norton, including historic reports of this, last week. I am now wondering if it is a cookie somehow changing the name of the entry. Have you had any luck finding out what this was?

Firstly this has an informational rating (blue). This effectively is Norton logging what it’s doing to be transparent. When I see lots of info rated items I think “Norton is working nicely.” I wouldn’t interpret anything info rated beyond this honestly, the data here is not informing you of a risk. It’s definitely not inherently strange to see an activity log “you allowed xxxxx to access network resources” despite not personally approving such, this is because Norton will auto approve trusted apps on behalf of yourself, this prevents it popping up all the time asking for permission. If you go into “Norton File Insight” what is the detail? Does it show as trusted? Do lots of other users have the file?

Under the red marker is an IP address. Is the IP address the one of your system? I suspect it’s just showing the IP of your existing computer ie it’s approved something on your system on your behalf due to it being trusted by file insight.

I have a question that relates, will Norton catch and remove someone attempting to gain remote access?

Have you installed/ran any sketchy programs or gone to any suspicious website lately? May have been some sort of trojan (remote access or otherwise) especially if you didn’t check out the file’s details/vet it for viruses beforehand.

Also if you aren’t bothered by the recommendation, use Malwarebytes instead of Norton. It’s pretty amazing.

Hi there. Wow, someone else is having this problem too. I contacted Norton support last week. They looked at my computer. Did Norton Power Eraser, etc., but didn’t find anything. They then fiddled around with my firewall settings, and now I no longer have anything in my security history popping up saying “you allowed “insert program name” to access your network resources,” which is a relief, but I noticed yesterday that on the old entries (as mentioned, I haven’t had any new ones pop up), “farm.plista” has appeared again as local computer even though it disappeared for a week. It comes and goes for some reason.

I really don’t know what to do now. I am just being cautious with my computer and monitoring everything. Doing “File cleanup” and scans regularly, etc. Unfortunately, I got disconnected from Norton support shortly after they changed my firewall settings and never heard back from them. I didn’t have any farm.plista.com as local computer pop up again, so I decided to leave it for now. We also submitted a dispute on the Norton website that farm.plista.com was safe, but Norton came back and said it was fine. You might have better luck if you contact them with this problem or at least get an explanation. I will keep you updated if anything happens on my end.

Hi, sorry to necro this but I have a similar problem to the OP and you seem nice and knowledgeable. I took steps to troubleshoot and am relatively secure it’s not malicious (I think), but I still have a bit of lingering anxiety and the whole thing is just bizarre to me so any insight you have would be greatly appreciated.

Basically, my alerts are the same as OP except instead of phone link the program name just says “System”. So I look at the file path, and all that says is “System”. The Local Computer is my IPv6 address. The part that really grinds my gears is that they occur pretty much every millisecond my computer is connected to the internet, including before I even log in to the system, and it’s outbound traffic called a “135 type” “neighbor solicitation”.

I reached out to Norton after multiple virus scans all came back clear and one representative confirmed that it wasn’t a virus or trojan masking anything, it was the legitimate computer system (don’t know how he could tell with no file path or anything, just System, but yeah). Another confirmed it was just tech IT language.

I guess I’m just frustrated that I don’t know what specifically is being approved, what specifically is being accessed, why it’s being done so frequently, and where it’s going to. And that I don’t know a way to find out. Which I guess is stupid, I’m aware computers are doing millions of things each second and it’s most likely just packets of data being sent back and forth between me and my router or something. But if possible I’d like to know. Have any troubleshooting tips to figure that out or know what could be at the root of the problem?

doesn’t let me post here so i’m asking it in comments. i opened a redgifs link by accident and didn’t click ads or anything on the website but it redirected me to a random site it loaded fully but i didn’t click anything on it and closed out of it. i’m on a iphone.

Hi there, thank you for the reply.

I am normally very careful when downloading programs and files. I do thorough research before I download anything. Only program I have installed in the last month is “AccurateRip” (from the official website) because one of my newly bought CDs was skipping and I wanted to put it on my iTunes. I uninstalled it after using though. Research said “AccurateRip” was pretty safe.

I installed Malwarebytes a couple of days ago and nothing came up after a couple of scans on that either. Whatever is happening is undetectable to antivirus programs. Maybe someone could help me get to the bottom of this please? It is actually quite stressful. :frowning:

Hey, so I did some testing, I think it is just Norton being a bit weird. I only received this when visiting Nexus Mods which is a hosting site for game mods. I have been using this site for almost a decade with no issues. It wasn’t when I downloaded anything, only browsing the site itself. I haven’t been on the site for a week now and Farm Plista has not come back at all. I looked into Plista and they are a legit ad company that do online advertising for Lidl, cars, and a game called the Elder Scrolls Online. The reason I mention this is Nexus Mods is very popular for Skyrim and Fallout mods, which are made by the same people who make the Elder Scrolls Online. So it makes sense they would advertise on Nexus Mods.

I checked my IP address, my DNS, where my accounts are signed in and everything is and was fine. I have bought multiple things on my PC via Steam and Chrome itself meaning if someone has RA to my PC, they would have everything. I left my PC running while doing errands and there was no suspicious activity and no browser hijacking (ads popping up, change in browser).

What I think this is, is just Norton picking up the name of the website and then for some reason assigning this as your local PC but has no real impact, similar to the Chrome bug on mobile when it picks up an icon for a site (like Norton’s logo) and all of a sudden, all the logos on your browser appear as Norton. Thinking back, I think Norton has had this problem for a while, as in the past my Local PC was https (where farm.plista popped up) then my IP, but I always thought nothing of it.

I am not a tech expert by any means, but if it was a virus or something, I feel like farm plista would always appear under the local computer name, and not disappear after not visiting a certain site for a few days. Maybe a website you frequent has ads from Plista (likely with who they advertise for) and Norton is just picking it up. Hope this helps!

So to confirm you have an endless stream of items in the security history that appeared out of nowhere? If so - that’s odd to me too. It must be wasting resources at a minimum logging it non-stop.

If you go into security history like in the screenshot of the OP’s post what is the program path?

Can you browse to where the file is and upload it to VirusTotal?

Can you also upload it to https://www.hybrid-analysis.com

Please wait for the falcon scan to complete it can take 5 to 10 mins as this is behaviour based. You’ll see antivirus results and scroll down, below that is falcon sandbox reports which is what we’re interested in. Does it come back as malicious or suspicious?

Some info on what falcon is and how it’s different to AV:

Edit noticed the file path seems to be missing? There is no c:\xxxx?

Could be a browser hijacker in the form of extensions as well. Try cleaning cookies/browser data and deleting any extension you don’t recognize. In the very worst case you would have to reinstall Windows. Have you tried uninstalling and reinstalling Norton to prevent any further edits by the malware?

Edit noticed the file path seems to be missing? There is no c:\xxxx?

Yeah there’s no file path in the report it just says “System”. That’s the part that confuses me too, if I had the filepath I could look into it, troubleshoot what it’s trying to do, etc. Without it, I’m lost, and I don’t know if there’s any other way to get that info.

I’m linking an image of one of the reports (this one was 136, neighbor advertisement, but the vast majority is usually 135 neighbor solicitation)
https://www.reddit.com/user/dEn_of_asyD/comments/1c7hisu/norton_screenshot/?ref=share&ref_source=link

It must be wasting resources at a minimum logging it non-stop

Also weird is my computer runs alright, even with this going on. I mean, it’s 7 years old with an HDD so it’s not like everything I bring up is lightning quick. But I actually stumbled upon this when I went to check something else in my security and found all these entries, this hasn’t affected anything performance-wise to my knowledge, all my programs work, etc.

My only thoughts are either (1) Norton is just going crazy logging a bunch of casual stuff my computer is doing to run normally, or (2) Something isn’t working right but it’s working enough that it isn’t a problem at the moment (don’t want it to be a problem in the future though). Prefer to be on top of this if I can be.

Do you have an Apple TV or Apple HomePods by any chance?

OK, the way Norton has reported this is actually fine. ICMPv6 is effectively a way that devices talk to one another within your home network.

ICMPv6 communications are standardised and must contain:

  1. Message type (informs us what the message is about)
  2. Message code (provides a bit more detail)
  3. A checksum (provides “integrity” - a fancy way of saying it allows our system to identify if a message gets corrupted along the way or if the message is still fully intact).

Specifically for Message Type: 135 and 136:

  1. Type 135 is something called “Neighbor solicitation” and is effectively a system asking across your internal network (anything on your wifi or wired in to the router via ethernet): “Hey, I’m here and my MAC address is - who else is out there on this network and what’s your MAC address?”
  2. Type 136 messages are “Neighbor Advertisements:” effectively a system responding like: “Hey I am also here - I exist here on this MAC / IPv6 address”

This allows devices to know where to find one another, and also prevents devices choosing the same IPv6 address which would break things.

The reason I asked if you had an Apple TV or Apple HomePod is because they are quite noisy at checking in, which then means the responses increase too… Still, any device will send these messages back and forth that supports IPv6. Hence, this is benign and expected. If you see an option to disable this being logged, I think it makes sense. It seems overkill to me. I am not 100% sure how to modify what it logs off the top of my head but I managed to do it a while back.

You can disable IPv6 and it won’t break things generally as the older standard is still used and supported by almost everything. To do that you can follow the detail here.

Hope this helps!
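The message layout described in the post above (type, code, checksum, then the neighbor discovery fields), as an added example that is not part of the original thread: a small Python decoder for type 135/136 messages that verifies the checksum and extracts the target address and MAC. It goes slightly beyond the post by flagging solicitations sent from `::`, which are duplicate-address checks. The addresses and MACs are constructed sample values, the function names are this example's own, and the field offsets follow RFC 4861.

```python
import ipaddress
import struct

ND_TYPES = {135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}

def icmpv6_checksum(src, dst, msg):
    """Internet checksum over the IPv6 pseudo-header (next header 58) + message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(msg), 58) + msg
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_nd(src, dst, msg):
    """Decode one ICMPv6 type 135/136 message; src/dst come from the IPv6 header."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if len(msg) < 24:
        raise ValueError("too short for neighbor discovery")
    msg_type, code = msg[0], msg[1]
    if msg_type not in ND_TYPES:
        raise ValueError("not a type 135/136 message")
    info = {
        "type": ND_TYPES[msg_type],
        "code": code,
        # Summing a valid message including its checksum field yields 0.
        "checksum_ok": icmpv6_checksum(src, dst, msg) == 0,
        "target": str(ipaddress.IPv6Address(msg[8:24])),
        "mac": None,
        # A solicitation sent from "::" is a duplicate-address check.
        "dad_probe": msg_type == 135 and src.is_unspecified,
    }
    opts = msg[24:]
    while len(opts) >= 8:
        opt_type, opt_len = opts[0], opts[1] * 8  # length is in 8-byte units
        if opt_len == 0 or opt_len > len(opts):
            break  # malformed option, stop parsing
        if opt_type in (1, 2):  # source / target link-layer address
            info["mac"] = opts[2:8].hex(":")
        opts = opts[opt_len:]
    return info

def build_sample(src, dst, msg_type, target, mac=None):
    """Construct a sample message for the demo (not captured traffic)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    body = struct.pack("!BBHI", msg_type, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if mac:
        body += bytes([1 if msg_type == 135 else 2, 1]) + bytes.fromhex(mac.replace(":", ""))
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]

if __name__ == "__main__":
    ns = build_sample("fe80::1", "ff02::1:ff00:2", 135, "fe80::2", "02:00:00:00:00:01")
    print(parse_nd("fe80::1", "ff02::1:ff00:2", ns))
```
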

Thank you for your work! It’s a little weird because I tried switching over to my phone’s hotspot (which nothing else would be on) and the messages still get sent out really frequently, but that again just seems to be my computer. The phone with the hotspot is an iPhone though so maybe that’s who it’s communicating with all the time.

It does make sense though even without the iphone. My hardware (including my adapter) is 7 yrs old. It could just be set weird (a couple months ago a windows update made an old background/theme package I used for 5 years bug out and become unloadable, bricking my computer until I changed it back to the default startup w/o being logged in, so literally nothing surprises me with computers anymore). And when disconnected from a network it doesn’t send out the messages but also doesn’t seem to have a problem running anything.

Definitely helps alleviate my concerns though. Thank you again for being such a huge help!

Think about it: how would your device identify that nothing else is on that network (the hotspot)? It would issue ICMPv6 messages asking who’s there. iPhone hotspot is IPv6 supported nowadays (it didn’t used to be the case).

I’m not sure how this would look. The iPhone has a lot of things on IPv6. They show as interfaces, one interface is the WiFi but then there’s a whole stack of other interfaces that bridge into cellular / WiFi / Bluetooth (as required and often simultaneously).

Namely:

lo is the loopback interface and has IPv6. This allows things to talk back to the iPhone (ie talk to itself)

en0 is your standard WiFi and supports IPv6. On iPhone 15 it supports Apple’s network thread network so often has an extra IPv6 on top of the usual ones.

PDP_IP1 through 10 (yes 10 interfaces) is cellular data. This suggests there can be 10 ESIMs in my mind but I know the limit is 8 so perhaps the other 2 are reserved for say satellite emergency calling / emergency calling which can route via peer to peer and onto any carrier network generally. These have IPv6 addresses when active.

p2p0 is a point to point link (usually used for VPN but also data transfers). As I understand it’s mainly used for “personal VPNs” vs ones setup by say a network admin that are often “device” level. These use IPv6 wherever they can.

stf0 is a “six to four” interface (IPv6 to IPv4) this tunnels IPv6 over networks that don’t support it and are ipv4 only.

gif01 is a software interface that’s not always there

bridge0 is a software bridge between all interfaces to allow traffic to flow as required across the various networking interfaces

There are more utun interfaces - one of which often comes back as nexus and IDS501 - these are network agents that handle traffic and relay / move it around it based on triggers so it goes where it needs. These interface with the bridge.

utun0 is used for “Back to My Mac” and Airdrop. Back to my Mac is sunset but there’s still some traffic that appears to query services as back to my Mac used to.

awdl0 is Apple Wireless Direct Link (Bluetooth) to other Apple and iOS devices

This is why I say Apple is chatty on IPv6. Connect an iPhone and you’ve got potential for all this traffic to start appearing in various places across networks it’s linked to. I think the point is you can’t avoid this traffic and it’s very “noisy” in a log which is what you’re seeing. Oh and Apple networking is surprisingly complicated. I used to work on a Helpdesk in university and had many people coming in claiming they were “hacked” as all of these mysterious networks showed up in “HE Network tools” app (a great app for info on iOS) which they assumed must be spyware / crazy ex.

Honestly, a lot of that went over my head, but the parts I did understand make sense XD.

My problem is I don’t have a great brain for this kind of stuff. Like my original thinking is computer gets an IP address, and that’s that. That these conflicts wouldn’t come up often, and that if they do it might happen for a couple seconds but the technology will work it out so it doesn’t come up anymore. What I fail to really grasp (until, well, I’m exposed to it) is that these conflicts do come up often, and oftentimes the technology’s way of “working it out” is just to respond all the time.

That works where there’s a single authoritative server that issues IP addresses, such as a main router which issues an IP to everything that connects for a set amount of time. This used to be how things were done. The router would keep a log of what IPs had been issued and when they were due to expire. A new device connected it would assign an IP that it knew was free.

However in the world of IPv6 and smart technology, somebody decided making their own networking that required their own devices was a fabulous idea. Eg Apple use thread which forms its own little network. Now the idea that we would have one single source breaks down. https://m.youtube.com/watch?v=2LpA7Ji29IE - they really upsell the idea that there’s now gonna be tonnes and tonnes of routers assigning IPs :slight_smile: quite funny to me how this stuff goes.

We have applied the same logic to WiFi issues. Stick a booster in every outlet throughout the home :slight_smile: