Regular Contributor
Cody
Posts: 125
Registered: ‎07-30-2010
Accepted Solution

Security History and Statistical Submissions

I have several Statistical Submissions that are Pending in the Security History.  I've listed some of the info from one below:

 

Description:  IPS Detection Statistical Submission

Signature ID:  23318

Local or Remote Attacker:  1

Remote Port:  49322

Local Port:  80

Protocol:  6

Signature Set Version:  201100805.004

Application Name:  \DEVICE\HARDDISKVOLUME1\Program Files (x86)\INTERENT EXPLORER\IEXPLORER.EXE

Offending URL:  openaccess.oldapps.com/mozilla.org//firefox./releases/3.6.8/win32

 

There are also other statistical submissions with different stuff as well.  They're all Pending.

 

I would appreciate any help at all.

 

Thanks,

 

Cody

delphinium
Posts: 9,680
Kudos: 2,855
Solutions: 282
Registered: ‎11-21-2008

Re: Security History and Statistical Submissions

Hi Cody:

 

Statistical submissions are generally items that are similar to suspected problems.  Anything that Norton finds that might be malicious, or is similar to something malicious is submitted to Symantec for clarification.

 

Have a look in your Intrusion Prevention logs to see if there is anything similar listed there.  Intrusion prevention is a more important indication of something wrong than the statistical submissions.  The submissions serve more of a purpose in correcting false positives than in identifying malware.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Super Spyware Scolder
3play
Posts: 236
Registered: ‎01-21-2010

Re: Security History and Statistical Submissions


"I would appreciate any help at all."

Help for what?! There is nothing to help you with. This is normal. They are currently pending, soon they will be submitted. Don't worry, find something else to worry about :smileywink:

 

Super Spam Squasher
Bombastus
Posts: 1,686
Registered: ‎11-16-2009

Re: Security History and Statistical Submissions

It can take several days for them to be submitted. Only a little amount of information is sent at each submission, so as to make it unnoticeable for the user, and if there are a lot of submissions waiting, it'll take time. It's not of any critical importance, so let it take time and don't worry.

Cody

Re: Security History and Statistical Submissions

Hi delphinium, I checked the intrusion prevention and there are only two medium threats that were blocked, but these were from the day before I got the Statistical Submissions. I have several things going on simultaneously, including six Symantec Error Reporting messages. I just bought this product (Norton Internet Security) and it's a wee bit frustrating. Thanks for your input. Cody
delphinium

Re: Security History and Statistical Submissions

Hi Cody:

 

Would you go to the Intrusion Prevention log, click on one of the entries to highlight it, and then click the "more details" button?  Let us know what the entire entry says.  We will be better able to judge whether those entries are connected to the statistical submissions, or whether they may be an indication of a threat.

SendOfJive
Posts: 9,882
Kudos: 4,183
Solutions: 706
Registered: ‎02-07-2009

Re: Security History and Statistical Submissions


Hi Cody,

 

Just to explain a bit about IPS statistical submissions:

 

The Norton Intrusion Prevention System uses signatures to detect and block exploits that leverage vulnerabilities in software programs to install malware.  When a new exploit is discovered a signature is created and distributed as quickly as possible in order to provide immediate protection.  After this initial signature is released refinements are made to perfect a new signature that is smaller and more efficient.  Because there is an increased likelihood of false positives the revised definition is first released as a test signature.   When one of these test signatures is triggered it is reported back to Symantec as an IPS Detection Statistical Submission.  These submissions help Symantec fine-tune the accuracy of the detections.  Once testing is completed the initial signature will be replaced or updated with the improved version.  While testing is in progress you are protected from the actual exploit by the originally released signature, which will trigger IPS to block, log, and alert you to any real attack.  A statistical submission alone without a corresponding IPS action would indicate a false positive.

 

Reese Anschultz provides a couple of good explanations, which I have paraphrased here, in the following thread:

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/IPS-detection-statistacal-submission/...

Cody

Re: Security History and Statistical Submissions

Hi SendOfJive, This information is very helpful. I like Norton's program and am finding out as much as I can about its functions. Thanks so much for this info. Cody

Cody

Re: Security History and Statistical Submissions

Hi delphinium,

 

I should not have said the risks were in Intrusion Prevention.  There are eight of them located in the Full History; first attempt August 7, with the last attempt about an hour ago. Here's some info from Advanced Details:

 

1)  Saturday, August 7, 3:00 PM

 

Severity:  Medium

Activity:  Unauthorized access blocked (Access Process Data)

Status:  Blocked

Recommended Action:  No action required

 

Actor:  WINDOWS\SYSTEM32\MRT.EXE

Actor PID:  964

Target:  Program Files (x86)\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe

Target PID:  2536

Action:  Access Process Data

Reaction:  Unauthorized access blocked

Termination Session:  3

 

2)  Saturday, August 7, 3:00 PM

 

Same as above

 

3)  Sunday, August 8, 12:00 PM

 

Severity:  Medium

Actor:  C:\WINDOWS\SYSWOW64\RUNDLL.EXE

Actor PID:  3432

Target:  Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  2612

Terminal Session:  1

 

4)  Sunday, August 8, 12:34 PM

 

Severity:  Medium

Actor:  E:\SETUP\HPZSHL40.EXE

Actor PID:  2652

Target:  C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  2720

Terminal Session:  1

 

5)  Sunday, August 8, 12:34 PM

Actor:  E:\SETUP\HPZSHL40.EXE

Actor PID:  2652

Target:  C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  2720

Terminal Session:  1

 

6)  Sunday, August 8, 12:37 PM

Actor:  C:\WINDOWS\SYSTEM32\MSIEXEC.EXE

Actor PID:  3748

Target:  C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  1960

 

7)  Sunday, August 8, 1:32 PM

Actor:  C:\WINDOWS\SYSTEM32\MSIEXEC.EXE

Actor PID:  3748

Target:  C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  1976

 

8)  Same as 7

 

All have a severity of Medium.

 

Thanks,

Cody

 

delphinium

Re: Security History and Statistical Submissions

That looks good Cody.  Just as it should be.
