Visitor
Nightsky
Posts: 4
Registered: ‎10-08-2009
Accepted Solution

Security history indicates problems?

I would appreciate some advice. Recently, I had problems with Norton 360 version 2 Live Updates taking a long time (5 minutes or so) and sometimes failing to connect at all. I updated to Norton 360 version 3 and this seems to have helped (Live Update now takes 1 to 2 minutes). However, one feature in the newer version of Norton 360, the Security History, has got me worried for two reasons.

Firstly, because it indicates several programs preparing to access the internet, often before I have even logged on. These include alg.exe, spoolsv.exe, ccSvcHst.exe, svchost.exe, jqs.exe, lsass.exe, atiptaxx.exe and CLTLMH.EXE. Some of them are recorded several times in the Security History (for each session of using the computer).

Secondly, because there are a huge number of entries saying “Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (xxx.xxx.xxx.xx, Port (37996))”. Sometimes the same IP address appears a couple of times but in general these are all different IP addresses. Just connecting for 2.5 minutes shows 16 attempts to connect to my computer – so that is more than 6 attempts per minute! If I were to connect for longer periods there could easily be hundreds of connection attempts recorded.

So my question is: is this normal, or does it indicate that there is something wrong? And if something is wrong, what do I do about it? My first thought is that the sheer number of connection attempts might indicate that my computer has been part of a botnet without my knowledge? Does that sound likely? And if so, how do I fix it? Scans of my computer never find anything except tracking cookies, which I always clear out after every visit to the internet.
Volunteer
yogesh_mohan
Posts: 5,302
Registered: ‎07-29-2008

Re: Security history indicates problems?

Hi Nightsky,

Welcome to Norton Community!

You may need to check the Security logs/History when you have some problem with security or using the Internet. The files which you have mentioned, like ccSvcHst.exe, svchost.exe, lsass.exe, CLTLMH.exe, etc., are all either Norton files or Windows system files which try to communicate through the Internet while you use different applications. Most of these files can be trusted. The "Unused port blocking" is the security log information for the Intrusion Prevention/Firewall feature. This indicates that when a port was unused, some inbound (incoming) intrusion has happened and so the Norton program blocked that communication to protect your computer. Similar intrusions are always blocked by the Norton program and you are safe to go. This was discussed in various other threads like the following one:

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=55191

Yogesh

Visitor
Nightsky
Posts: 4
Registered: ‎10-08-2009

Re: Security history indicates problems?

Thanks Yogesh, that is helpful. What worries me though is the sheer number of attempts to connect to my computer. In the five minutes that I connected to the internet last night there were 32 blocked connection attempts! That is almost four hundred attempts per hour! Is it normal for there to be so many?
Super Phishing Phryer
Turbo
Posts: 577
Registered: ‎05-02-2009

Re: Security history indicates problems?

Just to put your mind at ease, and to make sure there is no malware on your PC, download, install, update, and run a full scan with the free version of Malwarebytes Antimalware. Post back here with the results.  MBAM
Keylogger Crusher
Kurt
Posts: 249
Registered: ‎04-08-2008

Re: Security history indicates problems?

Hi Nightsky,

The so-called "Smart Firewall" used in N360 today has everything that happens on in- or outgoing traffic through it under complete control.

I've seen this for a long time, without having any malware or other threats on my systems.

Do follow the advice of "Turbo" to run a full malware scan.

Please don't worry, everything is OK!!

Take care and good luck!!

Visitor
Nightsky
Posts: 4
Registered: ‎10-08-2009

Re: Security history indicates problems?

Thanks Kurt & Turbo

I downloaded Malwarebytes and ran a quick scan (I have not had time to do a full scan yet) - it found nothing.

However, just running the scan threw up some worrying things in the Norton Security History log (entries such as <Unauthorised Access logged> - or words to that effect). But perhaps that is normal because Malwarebytes has necessarily scanned some Norton 360 files?

I'm still worried about the number of connection attempts, even though they are blocked by Norton 360. Do I understand what you say, Kurt, to mean that the average of 6 attempted connections per minute that I see is quite normal?

Super Phishing Phryer
Turbo
Posts: 577
Registered: ‎05-02-2009

Re: Security history indicates problems?

The number of connection attempts you are seeing is quite normal; you would see similar statistics with any modern firewall installed, as long as it has comprehensive logging capabilities.
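An added example, not part of the thread and not Norton's own tooling: one way to turn a batch of "Unused port blocking" entries into the figures discussed here (blocked attempts per minute, distinct remote addresses, repeat sources). The message wording follows the entry quoted in the first post; the timestamp prefix, the exported-text layout and every address in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample entries. The message wording follows the first post; the
# timestamp prefix and the addresses (documentation ranges) are assumptions.
SAMPLE_LOG = """\
2009-10-08 21:00:05 Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (198.51.100.7, Port (37996))
2009-10-08 21:00:10 alg.exe is preparing to access the Internet
2009-10-08 21:00:20 Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (203.0.113.45, Port (37996))
2009-10-08 21:00:41 Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (192.0.2.18, Port (37996))
2009-10-08 21:00:58 Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (198.51.100.7, Port (37996))
2009-10-08 21:01:15 Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (203.0.113.200, Port (37996))
2009-10-08 21:01:30 Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (192.0.2.77, Port (37996))
2009-10-08 21:01:49 Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (198.51.100.130, Port (37996))
2009-10-08 21:02:05 Unused port blocking has blocked communication. Inbound TCP connection. Remote address, local service is (203.0.113.9, Port (37996))
"""

ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Unused port blocking has blocked "
    r"communication\. Inbound (?P<proto>TCP|UDP) connection\. Remote address, "
    r"local service is \((?P<ip>[\d.]+), Port \((?P<port>\d+)\)\)$"
)

def summarize(log_text):
    """Summarise blocked inbound entries; returns None if none are found."""
    rows = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # other Security History entries are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append((ts, m["ip"], int(m["port"])))
    if not rows:
        return None
    times = [ts for ts, _, _ in rows]
    # Floor the window at one minute so a single burst does not inflate the rate.
    minutes = max((max(times) - min(times)).total_seconds() / 60, 1.0)
    per_source = Counter(ip for _, ip, _ in rows)
    return {
        "blocked": len(rows),
        "per_minute": round(len(rows) / minutes, 1),
        "distinct_sources": len(per_source),
        "repeat_sources": sorted(ip for ip, n in per_source.items() if n > 1),
        "ports": Counter(port for _, _, port in rows),
    }
```

On the constructed sample this reports 8 blocked entries over two minutes from 7 different addresses, with one address appearing twice, which is the shape the first post describes: mostly different remote addresses, occasionally a repeat.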
Visitor
Nightsky
Posts: 4
Registered: ‎10-08-2009

Re: Security history indicates problems?

Thank you. That is what I was trying to ascertain. Nonetheless, I am surprised and shocked by this revelation. But at least it is crystal clear to me now why nobody should ever consider connecting to the internet without a strong firewall in place!