Kudos0

Unauthorized Access Blocked (open file) - Major security breach in Norton?

For the past 2-3 days I have had repeated "Unauthorized Access Blocked (open file)" warnings show up in the history log of Norton.

The "actor" files have been svchost.exe and iexplore.exe and the targets have been various files deep inside Norton folders, which makes this suspicious.

I have had Norton for 3 years and I have never encountered this. I have reinstalled my computer, twice; it didn't help.

So what is this?

Replies

Kudos1

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Hi, Those are Microsoft processes, the first the core Windows process and the other Internet Explorer. When they try to read any of Norton's files or processes, they are blocked, and that entry is written to the log. It's normal.
Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Norton's approach to this is certainly "normal", I don't doubt that; however, these incidents are not. As I said, this has never occurred before, and I see some more people on the forum having the same issue, meaning this is a problem going beyond me.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Nothing suspicious. In fact, if svchost.exe didn't come into contact with Norton's files or processes quite often, then something would be wrong.
Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Do you work for Norton, Bombastus?

How could you say it's not suspicious if you don't know what is causing it?

I have never claimed that it is suspicious that svchost.exe may encounter Norton files (although I could make that argument for this case), and I haven't said that it is abnormal for Norton to approach these issues this way. What I am saying is that these incidents are suspicious and abnormal.

* 3 years user of Norton - never occurred before

* More users than me encountered this lately on different Norton versions, types of computers etc

* Why would iexplore.exe/svchost.exe suddenly after 3 years want to open files?! Besides, what files on my computer that DON'T belong to Norton are opened and thus not logged in the logs?

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

They aren't trying to open files. They are reading files. And especially svchost.exe DOES read Norton's files on a regular basis.
Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Are you working for Norton?

Well for 3 years they have never done that so obviously this is not "regular" at all.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

No, I just know what the system processes do.
Kudos5

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Hi Melen,

As Bombastus said, these entries are entirely normal.  Any program attempting to access a Norton file or process will be denied - even Windows processes.  The logging of these events changes from time to time as Norton tweaks which events warrant a log entry and which do not.  It is possible that Norton has simply updated the logging to capture something that was previously not recorded.  In any event, regardless of the cause of the sudden appearance of your entries, they are not anything that would be considered unusual or worrisome.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

I too have the same issue! I have never had so many medium orange risk dots in over 5 years of using Norton products. This has been occurring for about the last 4 days to me.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

I haven't seen any more of the notifications since I turned on my Computer today (Sept. 16) at around 6:00 AM ESDT. So somebody fixed the problem---I WONDER who?????

Hope it doesn't return!!!!!!!

Holly

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Yup.....  me too,  I see no more in today's date....

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

IT'S BACK. It came back on at 11:46:27.

It had been off for 5 1/2 hours. I give up. Just going to live with it until my subscription comes up for renewal.

Holly

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

I have been having the same problem since September 10, with literally hundreds of these Unauthorized access blocked (Open File) warnings in my NIS history. While it may be considered "normal" for Norton to act this way, I too have never seen so many of these entries before being caused by Internet Explorer. What's worse, it clearly seems to be slowing down my browser.

Kudos2

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

There is a recently-discovered security breach in Internet Explorer - which is universally vulnerable from Version IE6 all the way up through Version IE11.

It has been reported - and accepted by Microsoft - that there is a problem.  See the following:

https://technet.microsoft.com/en-us/security/advisory/2887505

Because this is as yet unpatched - and Microsoft have not released an itinerary for the update - your defense against this vulnerability must be provided by your AntiMalware package.  Thus, until further notice, the security of your IE browsing experience is dependent upon your I/O for Internet Explorer passing through a much more comprehensive "filter" (provided by Symantec as part of NIS) than is normally the case.

The above is a normal-and-correct response from Symantec to any unpatched vulnerability.  However, there is a reason this one is more critical than usual - because it is known this vulnerability is being actively exploited.  No theory, no maybes, you visit an infected site without protection in place - and you're infected.  It's that simple - and that dangerous.

Consequences of the above:

1. Those with marginal hardware will probably notice a slight slowdown when browsing the Internet using Internet Explorer.  This is normal and correct when a comprehensive filter is in place.  It is also possible that Symantec will "fine tune" the filter for greater efficiency over time.  However, it is important to get you protected now.  Thus, "gilding the lily" is left until after basic protection is provided.

2. The performance impact described in Item 1 will be automatically mitigated once the patch from Microsoft is released and it is verified that IE has native defenses against this particular attack vector.

3. Until such time, your only defense against this vulnerability in IE is through Symantec's automatic defenses against Malware infection.  This is one of the things you pay for - to have Symantec cover your butt when - for whatever reason - others do not.

4. When Symantec first release a Live-Update to handle a situation like the above - they like to keep a handle on what is going on to ensure that I/O is properly scanned before being allowed to flow in/out of the program requiring protection.  Thus, your logs will show that Symantec is doing so.

5. Once Symantec is absolutely sure they've got the problem under control - they may reduce the level of reporting on issues where they monitor for access to "things that should not be mucked with".

6.  It is just as probable that Symantec may not reduce the level of reporting.  It depends upon how important Symantec thinks it is to have widespread acknowledgement in the record-keeping of possible attack vectors.

7.  Thus, if Symantec thinks it's important for logging to be comprehensive on a particular issue - those Log entries will show.  As a result, there will be records of "things that Symantec think are suspicious" - which will include a whole bunch of things that are utterly-normal-and-correct parts of standard Windows Housekeeping.  It's just those normal parts of Windows Housekeeping have the same usage mechanisms as used by attack vectors.

8. Consequent to Item 7, your logs will show these items - regardless of whether they are harmless or not.  As long as that stuff is shown in the Logs as handled correctly by NIS - with an orange dot to indicate same - nothing untoward has happened.  All that is happening is you are being notified that Symantec is "on guard" - protecting you from "potential nasties".

Hope this helps your understanding.

Kudos2

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

What's worse, it clearly seems to be slowing down my browser.


Norton Product Tamper Protection blocks all outside programs from accessing Norton files and processes, for reasons that should be apparent to all.  If IE, for whatever reason, is attempting to access a Norton process it needs to be blocked, and the issue is an IE problem, not a Norton problem.  Assuming that IE has always tried to access Norton and the only thing that has changed is that such actions are now logged, the slowdown would have always been there (if there actually is a slowdown), but would probably have gone unnoticed because the user would not realize that these events were occurring.  If, on the other hand, IE just recently started trying to access Norton data, then something changed in IE and Norton is properly responding to the interference.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Thank you, twixt. This is the first time I've seen any acknowledgement that something unusual is going on and that NIS is working differently for a reason. Very good and comprehensive explanation and much appreciated.

Kudos1

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

The new Internet Explorer zero-day vulnerability (CVE-2013-3893) is addressed by new attack signatures for Norton IPS (Vulnerability Protection).

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=nis&pvid=nis&year=2013&suid=cNDC_Consumer_2013-SU944-20130918.001

I do not see how Norton Product Tamper Protection would be involved, since it is not a malware detection component, and its job is simply to block anything that attempts access to Norton, good or evil.  I do not think the discovery of this zero-day threat is related to the changed logging in NPTP.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

I was about to ask that very question: After thinking about it further, I was unclear on how tamper protection would be involved in protecting against an unpatched vulnerability in IE. But at least I have some acknowledgment that something unusual is going on in NIS.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


SendOfJive wrote:

The new Internet Explorer zero-day vulnerability (CVE-2013-3893) is addressed by new attack signatures for Norton IPS (Vulnerability Protection).

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=nis&pvid=nis&year=2013&suid=cNDC_Consumer_2013-SU944-20130918.001

I do not see how Norton Product Tamper Protection would be involved, since it is not a malware detection component, and its job is simply to block anything that attempts access to Norton, good or evil.  I do not think the discovery of this zero-day threat is related to the changed logging in NPTP.


Hi, SendOfJive.  The issue being discussed is notifications in the Symantec Logs of "Unauthorized Access Blocked".  This is a universal notification - it can be triggered by tamper protection, intrusion protection, standard Windows operations, malware operations - anything that attempts to modify Windows "behind the scenes" in a way that compromises security.

When new attack signatures are released, it is entirely possible that notification for currently-critical attack-vector-mechanisms are added to the logs in order to:

a) Show that NIS is doing its job

b) Give advanced users something to monitor - such that they can see the difference between "normal" activity and "unusual" activity - which can be done by examining which particular "Actor" was blocked and which particular "Target" the actor was trying to interact with in a way that NIS goes "no you're not - at least not in this way".

c) The Log entry will also describe why that particular activity was blocked.  A commonly-blocked item is "Duplicate Objects" - which are normal aspects of multi-tasking.  However, this is also a means of enabling an attack vector - so NIS flags this to indicate that it has done its due-diligence and blocked the duplicate item so it can be "sniffed" in proper order.  The fact that the item is orange indicates that NIS has properly vetted the access - once the access is made in a manner that NIS can prove to itself is safe.

For more information, see:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Duplicate-Objects-Blocked/td-p/514400

Hope this helps.

Kudos1

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

The notification just started when Norton made some changes in logging from an update that came out 9/9/13.
Elsewhere had noted that this logging is part of v21 and had been back added into older products.
So it's not a problem really just a logging change
Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


Calls wrote:
The notification just started when Norton made some changes in logging from an update that came out 9/9/13.
Elsewhere had noted that this logging is part of v21 and had been back added into older products.
So it's not a problem really just a logging change

Agreed.  Thanks.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

So do these log entries mean that NIS has blocked an actual threat from attacking my computer or that NIS is checking IE more actively due to the newly uncovered vulnerability? 

Kudos1

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


twixt wrote:

Hi, SendOfJive.  The issue being discussed is notifications in the Symantec Logs of "Unauthorized Access Blocked".  This is a universal notification - it can be triggered by tamper protection, intrusion protection, standard Windows operations, malware operations - anything that attempts to modify Windows "behind the scenes" in a way that compromises security.


Whenever "Unauthorized Access Blocked" appears in the Norton logs it is always a Norton Product Tamper Protection event.  The reason for logging these events is to aid in troubleshooting those rare instances where Norton's block might cause a poorly written program to fail to run as it should.  If a balky program's misbehavior can be correlated with its entries in the NPTP log, then we know that the program is not reacting to the Norton blocks as gracefully as it should.  Without the logs, the cause of the program's troubles would remain a mystery.  The logs can also expose malware if the "actor" in a log entry is something that should not be on your PC - but in all my years on the Norton forums, I have never seen one case where a log entry turned out to be anything other than a legitimate program that just got too intimate with Norton's workings.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

So do these log entries mean that NIS has blocked an actual threat from attacking my computer or that NIS is checking IE more actively due to the newly uncovered vulnerability? 


You must check the "Actor" and "Target" in the log for that particular entry and verify which files were involved.

A "Duplicate Object" access block from Actor: "Services.exe" to Target: "ccsvchost.exe" is a typical "harmless" item - where normal Windows activity is being flagged - because the way this activity is performed is identical to the way some infection vectors are processed.

A "File Open" block from Actor: "Iexplore.exe" to Target: "some weird file" - would be typical activity for malware trying to copy a malware "dropper" file to a Windows folder - or malware trying to connect to an already-existing-file which the malware wants to modify in order to give the malware admin access to the OS - in order to instantiate an infection vector.

In the second instance, NIS just saved your butt from the wringer.  You might want to avoid going to that website - or letting them know they've been compromised.

Hope this helps your understanding.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Hi twixt. The actor is always iexplore.exe and the target is always Program Data/Norton. Does that tell you anything?

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:
The actor is always iexplore.exe and the target is always Program Data/Norton.

Hi mtswriter:

This is just speculation on my part, but Norton Product Tamper Protection may simply be logging an interaction between your IE browser and your Norton Toolbar and/or Norton Vulnerability add-ons.

I use Firefox as my default browser and ever since LiveUpdate delivered an update for Norton's Behavior and Security Heuristics on 09-Sep-2013 (see elsewhere's post here), almost every Norton file listed as the target in my Norton Product Tamper Protection history has been located in the C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\ folder where the Norton extensions for my Firefox browser are stored (see here).

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 23.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


lmacri wrote:

mtswriter wrote:
The actor is always iexplore.exe and the target is always Program Data/Norton.

Hi mtswriter:

This is just speculation on my part, but Norton Product Tamper Protection may simply be logging an interaction between your IE browser and your Norton Toolbar and/or Norton Vulnerability add-ons.

I use Firefox as my default browser and ever since LiveUpdate delivered an update for Norton's Behavior and Security Heuristics on 09-Sep-2013 (see elsewhere's post here), almost every Norton file listed as the target in my Norton Product Tamper Protection history has been located in the C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\ folder where the Norton extensions for my Firefox browser are stored (see here).

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 23.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS


Hi, lmacri.  There are a couple of possibilities here.  As far as I am aware, there are legitimate reasons for Iexplore.exe to "touch" the Norton Extensions.

However, it is just as probable that a "hacked" Iexplore.exe is "touching" the Norton Extensions to try and either disable them or modify them in order to disable malware notifications.  This is typical activity for malware.

There is no real way to tell which is occurring without "sniffing".  Malware writers explicitly mimic "normal operations" as much as possible - in order to fly "under the radar" and establish their infections without the user or the AntiMalware application noticing the changes.

The above is one of the major reasons why it is impossible to be absolutely sure of the difference between "normal operations" and "malware operations" - without programmatically "sniffing" the operation.  Thus, we have product tamper detection, intrusion detection, malware detection, boot-process-modification detection and so on.

If you get an "orange dot" in the logs - it is an indication that particular access-vector has been "sniffed".  Its Actor and Target have been examined - the activity between the Actor and Target was examined - and the access was found to be legitimate. 

If the "sniff" found malware and prevented the infection-vector from being utilized - under normal conditions you'll get a log entry telling you that NIS "blocked access" to something like a file-creation process or a file-modification process for a "file that Iexplore.exe has no business playing with" and thus saved your butt.

And the reason you don't get more notification than that?  Because the true-fix for this problem is a work-in-progress.  There's no useful purpose accomplished by alarming the user about something they can't do anything about.

Microsoft have already acknowledged they're going to release an "out of order" patch to remedy the source of this vulnerability - as soon as they have something properly developed and regression tested.  Thus for users the situation is handled - as much as it can be handled for users at this time.

The above are descriptions of the kinds of operations an AntiMalware app that is "doing its job" is supposed to perform.  All is well.

Kudos1

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


twixt wrote:
There's no useful purpose accomplished by alarming the user about something they can't do anything about.

Hi mtswriter:

My apologies if I caused you undue alarm.  I intended the exact opposite.

I agree with SendOfJive's comments in post # 19 and post # 25.  Several users in the forum (including myself) have observed a large increase in the number of unauthorized access blocks in their Norton Product Tamper Protection history in the past week for a wide range of Windows processes such as svchost.exe, iexplore.exe, dfrgntfs.exe, etc.  The 09-Sep-2013 update to the Behavior and Security Heuristics appears to have simply resulted in an upswing in the logging of these access blocks by Norton Product Tamper Protection.

Please see my comments here in Rico_NORTIN's thread regarding one such unauthorized access block of svchost.exe.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 24.0 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Kudos1

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Again, Norton Product Tamper Protection simply isolates Norton's processes from any outside interference.  Logs are kept for troubleshooting any issues that might arise from this.  People are reading way too much into these logs.  If IE had been hacked and malware were using it to try to disable Norton somehow, that malware would be doing lots of other things, too - and those other things would be prompting Norton to pop up alerts all over the place.  Norton is not going to bury genuinely suspicious behavior in a log that few users are ever going to actually check.  Quite simply, if you recognize the "actor" in the Tamper Protection log, and it is something that you know is legitimately installed on your PC, don't give it a second thought.

Attack signatures exist for the current IE zero-day vulnerability, so any attempt to exploit this will be recognized by IPS, and you will definitely get an intrusion alert (not an "Access Blocked" log entry) if you happen upon an active vulnerability exploit. 
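
The actor check discussed in the posts above (whether the "actor" in a Tamper Protection entry is something recognized and legitimately installed), as an added example that is not part of any post and is not Norton's own tooling. It goes one step beyond the thread by also checking that a familiar file name sits in its usual Windows folder; the CSV layout, the sample rows, the folder table and the file names in it are assumptions constructed for illustration.

```python
import csv
import io
import ntpath
from collections import Counter

# Folders (lower-case) where the Windows actors named in this thread normally
# live. Assumption for this example: a default install on drive C:.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "dfrgntfs.exe": {r"c:\windows\system32"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}

# Constructed sample rows. The CSV layout is hypothetical, not Norton's export format.
SAMPLE_HISTORY = r"""time,actor,action,target
2013-09-16 11:46:27,C:\Program Files\Internet Explorer\iexplore.exe,Open File,C:\ProgramData\Norton\sample-a.dat
2013-09-16 11:46:29,C:\Program Files\Internet Explorer\iexplore.exe,Open File,C:\ProgramData\Norton\sample-b.dat
2013-09-16 11:47:02,c:\program files\internet explorer\IEXPLORE.EXE,Open File,C:\ProgramData\Norton\sample-a.dat
2013-09-16 12:01:10,C:\Windows\System32\svchost.exe,Open File,C:\ProgramData\Norton\sample-c.dat
2013-09-16 12:01:11,C:\Windows\System32\svchost.exe,Open File,C:\ProgramData\Norton\sample-c.dat
2013-09-16 12:05:40,C:\Windows\System32\services.exe,Duplicate Object,ccsvchost.exe
2013-09-16 12:30:00,C:\Users\example\AppData\Local\Temp\svchost.exe,Open File,C:\ProgramData\Norton\sample-a.dat
2013-09-16 12:45:13,C:\Tools\example-cleaner.exe,Delete Directory,C:\Program Files\Norton Internet Security
"""

# Entries a person should look at first sort to the top.
REVIEW_ORDER = {"unexpected-location": 0, "unrecognized": 1, "expected": 2}


def classify_actor(actor_path):
    """Label an actor by file name and folder (Windows paths, case-insensitive)."""
    norm = ntpath.normcase(actor_path.strip())
    name = ntpath.basename(norm)
    folder = ntpath.dirname(norm)
    if name not in EXPECTED_DIRS:
        # Not in the table: the user decides whether it is legitimately installed.
        return "unrecognized"
    if folder in EXPECTED_DIRS[name]:
        return "expected"
    # A familiar system name running from somewhere else deserves a closer look.
    return "unexpected-location"


def triage(history_text):
    """Collapse repeated entries and return (verdict, actor, action, count) rows."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(history_text)):
        actor = ntpath.normcase(row["actor"].strip())
        counts[(classify_actor(actor), actor, row["action"])] += 1
    rows = [(v, a, act, n) for (v, a, act), n in counts.items()]
    return sorted(rows, key=lambda r: (REVIEW_ORDER[r[0]], -r[3], r[1]))


if __name__ == "__main__":
    for verdict, actor, action, count in triage(SAMPLE_HISTORY):
        print(f"{verdict:20} {count:3}x  {action:17} {actor}")
```

An "expected" verdict only says the actor's name and folder are the usual ones; it says nothing about what that process was doing, which is the point the posters disagree on.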

Kudos2

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


twixt wrote:

[...].

If you get an "orange dot" in the logs - it is an indication that particular access-vector has been "sniffed".  Its Actor and Target have been examined - the activity between the Actor and Target was examined - and the access was found to be legitimate. 

If the "sniff" found malware and prevented the infection-vector from being utilized - under normal conditions you'll get a log entry telling you that NIS "blocked access" to something like a file-creation process or a file-modification process for a "file that Iexplore.exe has no business playing with" and thus saved your butt.

And the reason you don't get more notification than that?  Because the true-fix for this problem is a work-in-progress.  There's no useful purpose accomplished by alarming the user about something they can't do anything about.

[...] 


Hi twixt

Unfortunately, the Norton Product Tamper Protection feature isn't as sophisticated as what you've described above. The Norton Product Tamper Protection feature simply blocks everything, regardless of whether or not it's good or bad.

For example, an attempt to delete the Norton Internet Security program directory (Delete Directory) results in the same Medium "orange dot" Severity Tamper Protection log event as shown for an (Open File) block log event below: 

The primary purpose of the 'View Recent History' view is to present everyday users with an overview of the activities that their Norton Product has done for them recently. Given the above, it's clear that some of the log records that are being presented by the current Norton products are actually "alarming the user about something they can't do anything about". This is just one of the current issues that Symantec needs to address; Tamper Protection isn't the only feature that is causing user-anxiety problems as far as the 'View Recent History' view is concerned...

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


elsewhere wrote:

twixt wrote:

[...].

If you get an "orange dot" in the logs - it is an indication that particular access-vector has been "sniffed".  Its Actor and Target have been examined - the activity between the Actor and Target was examined - and the access was found to be legitimate. 

If the "sniff" found malware and prevented the infection-vector from being utilized - under normal conditions you'll get a log entry telling you that NIS "blocked access" to something like a file-creation process or a file-modification process for a "file that Iexplore.exe has no business playing with" and thus saved your butt.

And the reason you don't get more notification than that?  Because the true-fix for this problem is a work-in-progress.  There's no useful purpose accomplished by alarming the user about something they can't do anything about.

[...] 


Hi twixt

Unfortunately, the Norton Product Tamper Protection feature isn't as sophisticated as what you've described above. The Norton Product Tamper Protection feature simply blocks everything, regardless of whether or not it's good or bad.

For example, an attempt to delete the Norton Internet Security program directory (Delete Directory) results in the same Medium "orange dot" Severity Tamper Protection log event as shown for an (Open File) block log event below: 

[image removed in the interests of brevity]

The primary purpose of the 'View Recent History' view is to present everyday users with an overview of the activities that their Norton Product has done for them recently. Given the above, it's clear that some of the log records that are being presented by the current Norton products are actually "alarming the user about something they can't do anything about". This is just one of the current issues that Symantec needs to address; Tamper Protection isn't the only feature that is causing user-anxiety problems as far as the 'View Recent History' view is concerned...


Hi, elsewhere.  As far as I can tell from my own investigations - as long as NIS properly "blocks access" - this is an indication that whatever attack vector is being attempted has been frustrated.

However, there are also legitimate "normal operations" that Tamper Protection allows to succeed.  Because this occurs, the system must operate as described in my previous posts in order to allow valid "normal operations" - or Windows itself would not be permitted by NIS to operate correctly.

In regards to access attempts that were blocked and shown in the logs:

That "orange dot" is an indication that no matter what attack vector was used - whether it is something as obviously dangerous to product security as trying to delete the Norton folder structure - or something as subtly dangerous as trying to modify a targeted DLL or create an unauthorized DLL and add that item into a process chain - that attempt to breach security was not allowed to succeed.

As a result, the system was protected from harm - no matter what mechanism was employed in the attempt to breach security.

As SendOfJive pointed out - malware signatures for known variants would automatically pop up warning screens and NIS would take the appropriate actions to remedy the situation.

However, what about items that were "new enough" that they could only be detected by heuristic analysis? 

These would be the kind of things that would show up as Tamper Protection items only - as there is no way to automatically remediate an item for which no malware signature has yet been devised.  All that could be done in that situation would be to "block a suspicious activity" - and name the Actor/Target/Mechanism-of-action-that-was-blocked in the log.

IMO, it is important when dealing with Log Entries - for users to understand exactly what implications a particular log entry entails.  Log entries are there for a reason - they don't get added for nothing.

The fact that log entries notifying the user of new sets of "sniffing procedures" have been added recently to NIS - is thus an indication those new "sniffing procedures" are important enough to deserve comment in the logs.

Having those log entries added - without a thorough understanding of what they imply - has been responsible for the creation of this thread in the first place.

Explaining what is going on - so people understand why these new "sniffs" have been added to the system - along with what these new "sniffs" are actually telling us - is IMO an appropriate action.

An informed population is better able to discern when "something's not quite right" - as long as they know the difference between a log entry that's telling them "NIS handled this and knows why it occurred" versus a log entry that's telling them " NIS blocked this - but doesn't really have a handle on why it was attempted in the first place". 

That's what logs are for.  Amongst other things - entries are included which tell users about things the program doesn't understand well enough to know exactly what is going on - so the user can investigate that activity and determine whether it is a "normal and correct" operation or an indication of "trouble in the making". 

Programs are always "behind the curve" of human ingenuity.  Nowhere is this more obvious than in the "cat and mouse" game of Malware vs AntiMalware.  Logs are one of the tools we humans use to notify ourselves of "weirdness" that deserves investigation. 

That sometimes this "weirdness" is something the Program is unable to recognize and deal with automatically - or is utterly normal but "too new" for the program to yet be able to recognize the activity - is an inevitable consequence of the imperfection of response which is inherent in reacting to a situation rather than being proactive.

Because AntiMalware is evolving towards greater and greater intelligence when it comes to heuristics - it is also inevitable there will be more and more situations where NIS scratches its head and says to itself:  "I blocked this because it matches the activity of a nasty - but I can't yet recognize whether this is truly nasty or not - therefore I'll note it in the logs and let a human decide whether they want to investigate exactly what's going on."  This is intelligent design and responsible reporting.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


twixt wrote:

An informed population is better able to discern when "something's not quite right" - as long as they know the difference between a log entry that's telling them "NIS handled this and knows why it occurred" versus a log entry that's telling them "NIS blocked this - but doesn't really have a handle on why it was attempted in the first place".


I agree, which is why I'm trying to get a handle on this. From what I can glean from participating in this thread, I understand that the  Unauthorized access blocked (Open File) warnings we are all seeing are the result of a heuristics update on September 9. I further understand that these log entries are a normal response by the Tamper Protection feature to any actor that tries to touch Norton's files.

What I don't understand is whether this new normal represents a heightened security stance (if you will) on the part of NIS to the recently discovered zero-day vulnerability in Internet Explorer, or an actual attempt through this vulnerability in Internet Explorer to gain access to my computer.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

What I don't understand is whether this new normal represents a heightened security stance (if you will) on the part of NIS to the recently discovered zero-day vulnerability in Internet Explorer, or an actual attempt through this vulnerability in Internet Explorer to gain access to my computer.


There is clearly a difference of opinion here, but the link to the NIS Security Update 944 announcement that SendOfJive provided in post # 19 shows that an Intrusion Prevention Signature (IPS) has been released to protect your system against the newly detected IE8/IE9 vulnerability CVE-2013-3893 that twixt referred to in post # 16.  As SendOfJive stated in post # 31, if your system actually came under attack by this exploit, your NIS intrusion prevention system would immediately kick into place and block the threat.  You'd see pop-up messages red-flagging this attack, and the attack would be logged in the Intrusion Prevention and Resolved Security Risks sections of your security history.  If this attack managed to attempt a read/write/edit/delete of a Norton file before being shut down, that attempt would be logged in the Norton Product Tamper Protection history for diagnostic purposes, but Norton Product Tamper Protection isn't your first line of attack against these exploits and notification of an actual attack on your system is not going to be buried somewhere in your Norton Product Tamper Protection history.

So in my opinion, it is Intrusion Prevention, and not Norton Product Tamper Protection, that is currently on a heightened security stance for this CVE-2013-3893 exploit.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 24.0 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Hi Imacri. Thank you for helping to clarify. I understand the part about Intrusion Prevention being the first line of defense, and that makes sense to me. If I were under attack, Norton would be warning me and I am not seeing any pop-up alerts or entries in my history. So I guess the question is, why is IE suddenly trying to access Norton, resulting in hundreds of "Unauthorized access blocked" entries from Tamper Prevention since the Sept. 9 heuristics update?

Kudos1

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

So I guess the question is, why is IE suddenly trying to access Norton, resulting in hundreds of "Unauthorized access blocked" entries from Tamper Prevention since the Sept. 9 heuristics update?


I'm wondering the same thing, but I don't think any user in the forum has a definitive answer to that question.

You'd have to ask the Symantec software engineer who tweaked the programming in the security heuristics.  Symantec apparently tested this change in the security heuristics during the beta-testing of NIS 21.x and still thought that it would be a good idea to deliver this update to all NIS/NAV/N360 versions on 09-Sep-2013 in spite of all the questions being asked about the upswing in Norton Product Tamper Protection notifications.  I don't know if Symantec realized how alarming all this logging in the Norton Product Tamper Protection history might appear to many people.

EDIT:

...and regarding your question about why IE is suddenly trying to access Norton files, I can only speculate that Symantec is just being more diligent about the way that IE (or any other "outside" Windows process) is interacting with the Norton Toolbar and Norton Vulnerability Protection add-ons, given that so many of the target files for these Norton Product Tamper Protection notifications are related to Norton's Firefox extensions, Outlook anti-spam plugins, etc. ... but I could be completely wrong about that.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Interesting article. I was having a lot of the Blocks on my system but it has stopped since 9-18. The only one I get now is when I run a MBAM scan which is normal. I assume that Norton changed what it blocks during this period.

Jim

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


lmacri wrote:

mtswriter wrote:

So I guess the question is, why is IE suddenly trying to access Norton, resulting in hundreds of "Unauthorized access blocked" entries from Tamper Prevention since the Sept. 9 heuristics update?


I'm wondering the same thing, but I don't think any user in the forum has a definitive answer to that question.

You'd have to ask the Symantec software engineer who tweaked the programming in the security heuristics.  Symantec apparently tested this change in the security heuristics during the beta-testing of NIS 21.x and still thought that it would be a good idea to deliver this update to all NIS/NAV/N360 versions on 09-Sep-2013 in spite of all the questions being asked about the upswing in Norton Product Tamper Protection notifications.  I don't know if Symantec realized how alarming all this logging in the Norton Product Tamper Protection history might appear to many people.

EDIT:

...and regarding your question about why IE is suddenly trying to access Norton files, I can only speculate that Symantec is just being more diligent about the way that IE (or any other "outside" Windows process) is interacting with the Norton Toolbar and Norton Vulnerability Protection add-ons, given that so many of the target files for these Norton Product Tamper Protection notifications are related to Norton's Firefox extensions, Outlook anti-spam plugins, etc. ... but I could be completely wrong about that.


Hi, Imacri.  I agree with what you are saying here.  The only real difference of opinion is in regard to situations where NIS is unable to identify whether or not a particular "attack vector" is malicious or not.

The original uplevel-change in reporting is IMO a prudent response to the possibility of attack vectors coming from newly created malware - which cannot - by design - yet have a malware signature which can be triggered to automatically handle an attack situation.

Malware is commonly designed to mimic "standard operations".  Thus, a malware target can be anything that Internet Explorer runs as an add-on - BHO "hijacking" is a well-known form of this.

So - amongst other things - NIS is flagging "stuff" that IE "touches".  It is normal and correct for this "stuff" to be examined.  All that has changed is the level of detail provided in the Logs by the examination process.

If, as Phone Man describes, the level of reporting has been down-leveled in the last few days to what it was before the IE vulnerability was publicized - this means IMO the vulnerability is now so well understood by Symantec that they no longer consider it necessary to report in the Logs at a higher level of detail.

This is consistent with Symantec being aware that Microsoft's response to this situation is well in hand - and that the "threat landscape" has been mapped in sufficient detail (in regards to this particular situation) that a high level of reporting is no longer required for Symantec to be reasonably certain that something has not "snuck under the radar".

As has been mentioned previously in this thread - All is Well. 

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

I don't know about PhoneMan, but I'm still getting as many Unauthorized access blocked warnings as before. And I don't know if this is related or significant, but I did a full-system scan last night and it took almost 10 minutes longer than usual.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

I have been having the same problem since September 10, with literally hundreds of these Unauthorized access blocked (Open File) warnings in my NIS history. While it may be considered "normal" for Norton to act this way, I too have never seen so many of these entries before being caused by Internet Explorer. What's worse, it clearly seems to be slowing down my browser.


Hi mtswriter:

Are you still seeing hundreds of new unauthorized access blocks for iexplore.exe every day?  If so, does disabling all your Norton extensions in IE (Tools | Manage Add-ons | Toolbars and Extensions) decrease the number of blocks you see?

My situation is different from yours since I use Firefox as my default browser and the flood of unauthorized access blocks I saw on 10-Sep-2013 was apparently the result of Windows Disk Defragmenter (dfrgntfs.exe) trying to defrag the Norton extensions for my Firefox browser (see here).  Once the defrag was finished the flood of unauthorized access blocks stopped, and like PhoneMan observed in post # 38, I'm basically back to the occasional block of svchost.exe, services.exe, mbam.exe, procexp.exe, etc. that I've always seen in the past.  I had another burst of unauthorized access blocks of dfrgntfs.exe a few days ago but that's only because another defrag ran during one of my system idles that must have tried to defrag the Firefox v. 24-compatible Norton Toolbar files delivered via a LiveUpdate on 16-Sep-2013.  I guess that's just going to be my new normal for Norton Product Tamper Protection from now on.

I opened my IE9 browser and ran a couple of Google searches today and I didn't see any blocks for iexplore.exe in my Norton Product Tamper Protection history on my 32-bit Vista OS.  I'm beginning to wonder if the tweak Symantec made to the algorithm for the Behavior and Security Heuristics on 09-Sep-2013 has uncovered some sort of problem with your IE9 browser or Norton add-in installation(s).

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 24.0 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

Hi Imacri. My warnings continue unabated. At one point I did try turning off my Norton toolbar, having seen that suggestion in one of the other threads, but it had no effect. Other people in this thread are having the same problem with these warnings being caused by IE (I'm using 8, by the way), so it can't be just me.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

My warnings continue unabated. At one point I did try turning off my Norton toolbar, having seen that suggestion in one of the other threads, but it had no effect. Other people in this thread are having the same problem with these warnings being caused by IE (I'm using 8, by the way), so it can't be just me.


Hi mtswriter:

What Windows OS and NIS version (see Support | About) are you using?  I'm assuming Win XP since you're still using IE8.  And did you try disabling all of your Norton add-ons in IE and re-booting your PC?  My IE9 has three NIS 20.4.0.40 (NIS 2013) extensions - Norton Vulnerability Protection, Norton Toolbar, Norton Identity Protection - and any one could be triggering the blocks on your system.

I'm just grasping at straws here.  I've seen other users report that iexplore.exe is the agent for these unauthorized access blocks but very few have posted details on the frequency of the blocks and what combination of Windows/IE/NIS they have on their system.  For all I know, you all might have installed the same security patch for Internet Explorer 8 (look in Control Panel | Windows Update | View Update History) that causes Norton Product Tamper Protection to log these blocks.

You could be searching for a long time if you want a definitive answer.

-----------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 24.0 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


lmacri wrote:

What Windows OS and NIS version (see Support | About) are you using?  I'm assuming Win XP since you're still using IE8.  And did you try disabling all of your Norton add-ons in IE and re-booting your PC?  My IE9 has three NIS 20.4.0.40 (NIS 2013) extensions - Norton Vulnerability Protection, Norton Toolbar, Norton Identity Protection - and any one could be triggering the blocks on your system.


I'm using Windows 7 (it's a two-year-old HP laptop that came with IE8) and NIS 2011 (version 18.7.2.3). I haven't upgraded these for fear of screwing things up, and until two weeks ago everything was working fine. Curiously the program has not prompted me to install the latest version of NIS even though I have that feature turned on (I got curious and looked in the settings). I have three Norton add-ons: Norton Toolbar, Symantec NCO BHO and Symantec Intrusion Prevention. I tried disabling the first which didn't help; I don't know what the second is, and I'm loath to turn off the third. I understand this is somewhat of a needle in a haystack. Do you think the easiest thing might be for me to upgrade to IE9? I don't mind the logs so much, but it really seems to be slowing down my browser!

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

I'm using Windows 7 (it's a two-year old HP laptop that came with IE8) and NIS 2011 (version 18.7.2.3).


Hi mtswriter:

I can't guarantee that updating your IE browser and NIS will decrease the number of Norton Product Tamper Protection blocks for iexplore.exe, but I imagine that the new algorithm for the Behaviour and Security heuristics was optimized for newer versions of Win/NIS/IE.  Someone using Win 7 SP1 will have to jump in here and let us know the latest recommended version of IE for that OS, but Windows Update should be able to deliver the latest recommended version of IE for Win 7 unless you've declined / hidden those updates in the past (which can be easily unhidden again).  I can at least tell you that NIS 21.x (a.k.a. NIS 2014) is the latest version of NIS.

You still seem to have some concerns that you have malware that might be trying to attack your system via your IE browser.  If you haven't already done so you might want to run a full system scan with the free version of Malwarebytes' Anti-Malware from http://www.malwarebytes.org/products/malwarebytes_free/.  See my comments here about PUPs (potentially unwanted programs) and PUMs (potentially unwanted modifications) before running the scan since most of these MBAM detections are usually low risk / false positives.  If full system scans with both NIS and MBAM cannot detect any malware on your system I would seriously think about upgrading NIS and/or IE.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 24.0 * IE 9.0 * NIS 2013 v. 20.4.0.40 * MBAM PRO 1.75.0.1300
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

How reliable is the NIS upgrade process? I don't want to be worse off than I am now, but I would like to upgrade my programs including NIS and IE. Thanks again for your help and recommendations. This is the first time I've used the community, and I have found it very informative in helping me to understand what my computer is doing and why.

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

How reliable is the NIS upgrade process?


I'd say that the usual upgrade process (Support | New Version Check) is very reliable if you are upgrading by one version (e.g., NIS 20.x to NIS 21.x).  In your case, you would be jumping from NIS 18.x to NIS 21.x, so I would recommend cleaning off your old NIS 2011 first using the Norton Removal Tool (NRT) or Norton Remove and Reinstall Tool (NRnR).

Before we provide any detailed instructions, could you let us know if you use the Identity Safe feature of NIS 2011 for management of online passwords and form auto-filling on websites?

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 24.0 * IE 9.0 * NIS 2013 v. 20.4.0.40 * MBAM PRO 1.75.0.1300
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?

I just noticed something: In the logs, all the targets are ProgramData\Norton\string of numbers\NIS18\NCO\nppw.dat. One of my Norton add-ons is Symantec NCO BHO. What exactly is that, and is it safe to disable it without compromising the security of my computer? Could that be causing the problem?

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

I just noticed something: In the logs, all the targets are ProgramData\Norton\string of numbers\NIS18\NCO\nppw.dat. One of my Norton add-ons is Symantec NCO BHO. What exactly is that, and is it safe to disable it without compromising the security of my computer?


Hi mtswriter:

The nppw.dat file is part of Norton's Identity Protection - see DougL's post here and Atomic_Blast's post here for further information.  It's related to the Norton extensions in your browser.  You could disconnect from the Internet and disable the add-on to see if it stops your blocks to satisfy your curiosity, but I would not disable it permanently (see Pi's post here about the NCO BHO).

The "string of numbers" is likely the program's unique CLSID.  In my case, the targets for all my dfrgntfs.exe blocks are located in a subfolder of  C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\.  A search for the CLSID {0C55C096-0F1D-4F28-AAA2-85EF591126E7} at http://www.systemlookup.com/ showed me that the Norton extensions for my Firefox browser (e.g., coFFPlgn.dll, IPSFFPl.dll) are the target Norton files on my system.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 24.0 * IE 9.0 * NIS 2013 v. 20.4.0.40 * MBAM PRO 1.75.0.1300
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS
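
Added example (not part of any post in this thread, and not Norton code): one way to check the pattern discussed above, by splitting each blocked target path into the GUID-named folder, the product folder and the component, then counting blocks per actor. The (actor, target) row format, the all-zero GUID standing in for the elided "string of numbers", the `EXAMPLE_SUBFOLDER` name and the svchost.exe row are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Folder names shaped like {0C55C096-0F1D-4F28-AAA2-85EF591126E7}; braces optional.
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")

# Constructed sample rows (actor, target). This is NOT real Norton log output.
# The all-zero GUID and EXAMPLE_SUBFOLDER are placeholders for details the
# thread does not give.
ZERO = "{00000000-0000-0000-0000-000000000000}"
PAGE_GUID = "{0C55C096-0F1D-4F28-AAA2-85EF591126E7}"
SAMPLE_ROWS = [
    ("iexplore.exe", rf"C:\ProgramData\Norton\{ZERO}\NIS18\NCO\nppw.dat"),
    ("iexplore.exe", rf"C:\ProgramData\Norton\{ZERO}\NIS18\NCO\nppw.dat"),
    ("IEXPLORE.EXE", rf"C:\ProgramData\Norton\{ZERO}\NIS18\NCO\nppw.dat"),
    ("dfrgntfs.exe",
     rf"C:\ProgramData\Norton\{PAGE_GUID}\NIS_20.1.0.24\EXAMPLE_SUBFOLDER\coFFPlgn.dll"),
    ("dfrgntfs.exe",
     rf"C:\ProgramData\Norton\{PAGE_GUID}\NIS_20.1.0.24\EXAMPLE_SUBFOLDER\IPSFFPl.dll"),
    # Constructed row outside the ProgramData\Norton\<GUID> layout.
    ("svchost.exe", r"C:\Program Files\Norton Internet Security\Engine\example.dll"),
]


def split_target(target):
    """Return (install_id, product_dir, component, file_name), or None when the
    path does not follow the ...\\Norton\\<GUID>\\<product>\\... layout."""
    parts = PureWindowsPath(target).parts
    lowered = [p.lower() for p in parts]
    if "norton" not in lowered:
        return None
    rest = parts[lowered.index("norton") + 1:]
    # Need at least: GUID folder, product folder, file name.
    if len(rest) < 3 or not GUID_RE.match(rest[0]):
        return None
    component = "\\".join(rest[2:-1]) or "(root)"
    return rest[0], rest[1], component, rest[-1]


def summarize(rows):
    """Count blocks per (actor, product_dir, component, file); keep rows that
    do not parse so they can be reviewed by hand instead of silently dropped."""
    counts, unparsed = Counter(), []
    for actor, target in rows:
        parsed = split_target(target)
        if parsed is None:
            unparsed.append((actor, target))
            continue
        _, product_dir, component, name = parsed
        counts[(actor.lower(), product_dir, component, name.lower())] += 1
    return counts, unparsed


def targets_by_actor(counts):
    """Regroup the counts as {actor: {(product_dir, component, file): n}}."""
    by_actor = {}
    for (actor, product_dir, component, name), n in counts.items():
        by_actor.setdefault(actor, {})[(product_dir, component, name)] = n
    return by_actor


if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_ROWS)
    for actor, targets in sorted(targets_by_actor(counts).items()):
        note = "single target" if len(targets) == 1 else f"{len(targets)} targets"
        print(f"{actor}: {sum(targets.values())} blocks, {note}")
        for (product_dir, component, name), n in sorted(targets.items()):
            print(f"    {n:3d}  {product_dir}\\{component}\\{name}")
    print(f"{len(unparsed)} row(s) outside the expected layout, review by hand")
```

An actor whose blocks all land on one file in one component folder, as with the NCO\nppw.dat case reported above, narrows the question to a single add-on; blocks spread across many components or rows that fall outside the layout are the ones worth reading individually.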

Kudos0

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


mtswriter wrote:

I just noticed something: In the logs, all the targets are ProgramData\Norton\string of numbers\NIS18\NCO\nppw.dat. One of my Norton add-ons is Symantec NCO BHO. What exactly is that, and is it safe to disable it without compromising the security of my computer? Could that be causing the problem?


Hi, mtswriter.  This target is a "normal operation" for iexplore.exe - as Imacri explained - it is part of your Norton Toolbar.

I suspect that Symantec is flagging this item in IE8 because there is a real-world-attack which is trying to exploit this vector - and Symantec would rather have even "normal operations" show up in the logs - rather than hide the situation and thus deprive you of access to information which could be used to determine whether "something nasty" is happening or not.

Background information:

IE8 is not a currently-recommended Browser Version for W7 - of any flavour.  While IE8 is the latest version of IE available for WXP at the present time - IE8 was superseded in the W7 arena a very long time ago.

IE8 has some "holes" which have been "plugged" in IE9 and later.  Each IE version later than IE8 is "more bulletproof" than its predecessor - that's why new versions were released.

There are some "weird situations" (usually with custom-written software used in Corporate Environments) - where operation of a particular application is dependent upon the quirks in a particular Browser Version.  Nowadays, it is extremely frowned upon for software of this type to not be immediately upgraded - because older forms of software of this type are a common access vector for malware.

If you are not running anything "weird" - it is standard-procedure for you to upgrade to the latest version of Internet Explorer for your particular version of Windows.  For Windows 7 - the latest version of Internet Explorer available is Version 10. 

Note:  There is a release preview version of Internet Explorer 11 - currently available for download for use with Windows 7.  This is not-release-grade-software.  It is entirely appropriate for you to use Internet Explorer 10 - it is not yet appropriate for you to use Internet Explorer 11.  There will come a day - that day is not now.

It is perfectly correct and standard-operating-procedure for you to allow Windows Update to bring your browser up-to-date - unless you have been specifically warned by one of your Software Vendors that the package in question is dependent upon having an older version of the Browser available.

NIS changes its behaviour regarding how much "sniffing" to do - on the basis of the vulnerabilities in the version of IE you are running.  Thus, there will be much more "sniffing" of IE8 than IE9 or IE10 - for the simple reason that IE8 has more "holes" that must be "sniffed".  This is normal and correct.

Also, since you are running an older version of NIS - you are also less-bulletproof because your "NIS Engine" is less comprehensive in its detection-routine-depth than if you were running a newer version of NIS.  The combination of the two factors means the amount of "sniffing" is magnified by both the need for more-comprehensive-sniffing when using IE8 - as well as more-comprehensive-sniffing when using NIS 2011 - in comparison to the use of IE10 and NIS 2012, 2013 or 2014.

At minimum - I recommend an upgrade to NIS 2012 and IE10.  This is a "known good" combination with a solid record of compatibility and reliability when used with Windows 7 in either 32-bit or 64-bit forms.

The amount of people complaining about problems with NIS 2013 has decayed remarkably in the last few months.  Thus, it may be perfectly acceptable for you to try using NIS 2013 rather than NIS 2012 - but this depends upon whether or not you find the loss of the ability to use a local vault for your Identity Safe data acceptable or not.

If you wish to completely retain the flexibility to uninstall/reinstall NIS at will - and retain access to your locally-stored copies of your Identity Safe data - then NIS 2012 is appropriate as your upgrade path.

If you are willing to forgo the use of local storage for your Identity Safe data - and rely completely upon Symantec Cloud Services for the integrity and security of your Identity Safe data - then NIS 2013 seems to be an acceptably-reliable option at the current time.

While NIS 2014 (NIS 21.x.x.x - series) has been much less trouble than the early releases of NIS 2013 - there have been reports of "trouble in paradise".  Thus, it may be prudent for you to delay implementation of NIS 2014 (NIS 21.x.x.x) at this time.

Recommended update path:

1. Upgrade to NIS 2012.  This is considerably more secure than your version of NIS 2011 - it has improved heuristics and more-robust Tamper Protection functionality.

2. Upgrade to IE 10.  This is considerably more stable and secure than IE8.

Recommended update procedure:

1. Generally, I do not recommend "over the top" upgrades of NIS.  Yes they work for many (up to the vast majority) of people.  However, for those who have problems - things easily reach nightmare proportions rather quickly.  Thus, the removal of NIS using Programs and Features, then the use of the NRT (run at least twice), and then the installation of the selected version of NIS using the latest downloadable installer for that version (www.norton.com/nis12) - is the way to go.

2. With NIS itself Installed and fully upgraded using multiple runs of Live Update until current - then I would recommend the update of IE8 to IE10.

At that point, you are running a reasonably-current installation of Anti-Malware protection - and the recommended Windows Browser version.  This should make Tamper-Protection's "job" much easier - and make your system much more resistant to "bad stuff" than your current configuration.

Regardless, you may still have Log Entries which indicate that NIS has "sniffed" things that are "normal operations".  It is entirely possible this is "normal and correct" behaviour at the present time - due to the "Threat Environment" inherent to the use of NIS 2012 and IE10 - with a "known exploit" active "in the wild".

The above will be handled shortly by a Windows Update which patches the IE 8/9/10/11 vulnerability - at which time your Log Activity may "calm down".  However, at this time, there is no way to tell if this will be the case or not - that decision is up to Symantec and thus is out of the hands of any particular user.

Hope this helps your understanding.

Kudos1

Re: Unauthorized Access Blocked (open file) - Major security breach in Norton?


twixt wrote:

lmacri wrote:

mtswriter wrote:

So I guess the question is, why is IE suddenly trying to access Norton, resulting in hundreds of "Unauthorized access blocked" entries from Tamper Prevention since the Sept. 9 heuristics update?


I'm wondering the same thing, but I don't think any user in the forum has a definitive answer to that question.

You'd have to ask the Symantec software engineer who tweaked the programming in the security heuristics.  Symantec apparently tested this change in the security heuristics during the beta-testing of NIS 21.x and still thought that it would be a good idea to deliver this update to all NIS/NAV/N360 versions on 09-Sep-2013 in spite of all the questions being asked about the upswing in Norton Product Tamper Protection notifications.  I don't know if Symantec realized how alarming all this logging in the Norton Product Tamper Protection history might appear to many people.

[...]


Hi, Imacri.  I agree with what you are saying here.  The only real difference of opinion is in regard to situations where NIS is unable to identify whether or not a particular "attack vector" is malicious or not.

[...]


Hi twixt

The current implementation of the Norton Product Tamper Protection feature is inherently clueless; it's incapable of determining whether or not any external probing of the Norton product's files is malicious or not.

For example, if you have NIS v20 (2013) installed, then try this:

  1. Open Windows Task Manager.
  2. Open Windows Explorer.
  3. Locate a folder that contains application (.exe) files (e.g. C:\Program Files) and then run an On-Demand scan on it (right-click on it and choose 'Norton Internet Security > Scan Now').
  4. When the scan completes, open the Norton Security History log and let us know if you find the numerous Tamper Protection entries present in the Recent History view informative or not.

I raised this issue as a defect during the NIS v20 (2013) beta testing. NIS 2012 does not behave like this; it simply reports that an On-Demand scan occurred without any Tamper Protection events.

Symantec advised, during the beta testing, that this behaviour was by design and my concluding response to Symantec, regarding this issue, was this:


In any event, can the Severity level of these particular Tamper Protection entries be downgraded to 'Info' rather than 'Medium'? Or can your developers set the 'Show in the Recent History View' flag to 'No' for these particular Tamper Protection entries?

As of now, the presence of Norton Tamper Protection entries like these in the Recent History view of the Security History log is creating undue anxiety for end users of your Internet Security products, as per the thread from ManFromOz here:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Is-Tamper-Protection-Crying-Wolf/m-p/612560/highlight/true#M186747

Please take the time to review this issue; end users only want to see Tamper Protection events in their Recent History log when a threat is actually trying to shut down their Norton Internet Security product...

Norton Internet Security 20.1.0.24 Windows 7 Home Premium 7601.17803.x86fre.win7sp1_gdr.120330-1504

(01-SEP-2012)


Please consider testing the NIS v20 product as I've described above and let us know your thoughts regarding this excessive logging behaviour.

Thanks

Replies are locked for this thread.