• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

This forum thread needs a solution.
Kudos3 Stats

NSBU 22.14.2.13 is flagging things left and right

All: NSBU live update ran just a bit ago. After which it began to flag certain websites I visit every single day. As well as flagging procexp64 from Sysinternals Suite which I regularly use as well. Facebook, Neowin, AskWoody forums all are getting a red X in the safe search bar. I finally got into the AskWoody forums and they are absolutely ticked that Norton safe web is dinging their site as unsafe. Someone Norton needs to come up with a serious solution to this ASAP!!

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.319 / NSBU 22.15.1.8 / Norton Core v.267

Replies

Kudos1 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

More: Safe Web need to get on this ASAP. I've asked to have this thread moved to safe web.

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.319 / NSBU 22.15.1.8 / Norton Core v.267
Kudos4 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

SoulAsylum:

All: NSBU live update ran just a bit ago. After which it began to flag certain websites I visit every single day. As well as flagging procexp64 from Sysinternals Suite which I regularly use as well.

Hi SoulAsylum:

The problem with Norton Safe Web automated site scanning incorrectly flagging safe web sites as being dangerous is a legitimate problem but it likely has nothing to do with your Unauthorized Access Blocked messages.

Norton Product Tamper Protection logs one of these Unauthorized Access Blocked messages every time a "target" Norton file  like nortonsecurity.exe is touched by a non-Norton "actor" like the procexp64.exe executable shown in your screenshot.  Any executable that tries to read/write/edit/delete a Norton file, including legitimate Windows system files like svchost.exe, defragntfs.exe, etc., will cause Norton Product Tamper Protection to log one of these Unauthorized Access Blocked messages.  I've seen these so-called "blocks" for trusted programs like Process Explorer, Malwarebytes, etc. logged at Security | History | Show | Norton Product Tamper Protection for several years and they're completely harmless - see jakelong91's thread Unauthorised Access Blocked for further details.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * NS v22.14.2.13 * Process Explorer v16.21

Kudos1 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

lmacri, thanks for sharing your thoughts on the issue. However, being that you aren't experiencing this issue nor sitting at the laptop to see this take place, nor know that none of this has taken place in the past when these same processes were being used. Nor the well known websites being blocked. I must respectfully disagree with you. Even the Google home page I have set is being flagged and submitted. Never happened until today and the updates that were installed. I also know tamper protection will log an unauthorized access attempt as well. I run MBAM and Sysinternal frequently yet there are no entries other than today of Norton access blockings. So things just don't match up.

The websites that are being blocked are also being seen as blocked by others using Norton and IDS/Safe Web. Specifically at the AskWoody site. So yes, I do believe I have valid issues needing addressed.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.319 / NSBU 22.15.1.8 / Norton Core v.267
Kudos3 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

SoulAsylum:

...I also know tamper protection will log an unauthorized access attempt as well. I run MBAM and Sysinternal frequently yet there are no entries other than today of Norton access blockings. So things just don't match up..

Hi SoulAsylum:

If you're suddenly seeing Unauthorized Access Blocked messages being logged for executables that weren't being "blocked" in the past then look for a recent SONAR definition update in your LiveUpdate history (I noticed one on 03-Jul-218 but I'm not sure that's the most recent SONAR update) or some other definition update related to heuristic (behaviour-based) detections.  Tweaks to the rules for heuristic detections have caused a jump in logging of these Unauthorized Access Blocked messages in the past (see my 2013 thread Stop Logging Unauthorized Access Blocked Warnings in Security History in the Product Suggestion board) and I believe SONAR (Symantec Online Network for Advanced Response) is the main engine for Symantec's real-time heuristic protection.

You recommended <here> in Jakelong91's thread Unauthorised access blocked? that they should scan their system with Malwarebytes and disable multiple Windows Services associated with remote access "to be on the safe side" so it appears you don't agree with me that these Norton Product Tamper Protection "blocks" are harmless and can be safely ignored if Norton's real-time protection isn't detecting an active threat.  We can "agree to disagree" on that point but past experience has shown me that it's highly unlikely that Norton is going to change their heuristic detection rules just to decrease the number of Unauthorized Access Blocked messages logged for trusted / safe executables.

However, being that you aren't experiencing this issue nor sitting at the laptop to see this take place, nor know that none of this has taken place in the past when these same processes were being used. Nor the well known websites being blocked. I must respectfully disagree with you....The websites that are being blocked are also being seen as blocked by others using Norton and IDS/Safe Web. Specifically at the AskWoody site. So yes, I do believe I have valid issues needing addressed.

I'm not sure how you came to the conclusion that I didn't know about the Norton Safe Web blocks for AskWoody.com and other popular sites.  Did you read my reply # 201671 in Woody's thread Norton Safe Web Giving a Spurious Warning About AskWoody before you posted in that thread today?

I've posted several times in this Norton forum about bugs in the new WebExtensions version of Norton Safe Web v2.x (see my Nov 2017 thread Bug in Norton Safe Web v2.3.0.24 for Firefox - Grey Icon on Landing Page for one example) and Symantec hasn't shown any interest in fixing these problems so I've disabled this browser extension and only enable it for testing.  I don't know if the Norton Safe Web team recently changed the algorithm they use for automated detection of malicious / suspicious web sites (see my comments <here> about false positives these automated scanners can throw if they find "suspicious" JavaScript embedded in a web page's source code) but I agree with you that something clearly needs to be done to improve the accuracy of their automated site scanning.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * NS v22.14.2.13 * Process Explorer v16.21

Kudos2 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

Hello

I have notified the Safe Web Team so that they will be aware that they will probably get a lot of requests to correct the incorrect I assume of the websites. Which ever Team created the bad Update will give Norton  a issue to fix. I did check out Ask Woody in Google and saw the red full page blockage for a phishing issue. I don't know if all the sites will show a phishing issue or not. Safe Web Team does not create the Updates for Safe Web. They have to deal with the results of bad updates..

Have a Good Night and

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.15.1.8 Core Firmware 267 I E 11
Kudos3 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

FWIW!! Several live updates have ran since the original posting in this thread. The false positives and rampant detections remain. There were no issues with any of these programs being used, no updates to those programs, totally clean systems as they always are. No PUP/Adware hidden installs. Just plain old NSBU engine going bonkers. I had a similar issue with the last update to the Core app for Android to version 1.59.1. After several removals, device restarts and reinstalls the app finally worked. In a nutshell - the QA process has gone straight to the sewers. It should not take any company weeks to figure out what the issues are and correct them. The left hand needs to begin talking to the right and both meet in the middle for a solution. Just my dime folks!!

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.319 / NSBU 22.15.1.8 / Norton Core v.267
Kudos1 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

Update: A total of 12 live updates received thus far, zero changes to this monkey business of false flagging. Especially websites. Norton forums have been submitted several times.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.319 / NSBU 22.15.1.8 / Norton Core v.267
Kudos0

Re: NSBU 22.14.2.13 is flagging things left and right

So glad I have a license for Kaspersky, as well.  Never had a false positive from them, ever.

Windows 10 Home X64 Norton Security Premium---Current
Kudos3 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

A couple of points:

Process Explorer has triggered Norton Product Tamper Protection events for several years (I stopped having it run in the background because of all the logging it caused).  All Norton "Access blocked" events are simply other programs (almost all of them legitimate and benign) attempting to access a Norton file or process.  Symantec does occasionally tweak the logging of Tamper Protection events, but even if Process Explorer were no longer logged, it would still be blocked from access.  As lmacri says, this is just a defensive action that causes no harm.

Second, submissions of websites via Norton Community watch, is also normal.  A submission is not an indication that there is anything "wrong" with the website, only that Symantec wants to check it, possibly because something on the site has changed.

So both Tamper Protection "Access blocked" events and NCW submissions are normal processes that are intended to include legitimate programs and websites by design.  I would not worry at all about these.  The false positive Safe Web blocks on the other hand are a concern, but those would would not be related to either of the other two items.

Kudos2 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

Update: The Safe Web team / Norton have corrected the false website flagging, I will be checking the random process flagging in a bit, will post what those results are when done. Thanks to all who have chimed in. Your views are greatly appreciated and enlisted.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.319 / NSBU 22.15.1.8 / Norton Core v.267
Kudos0

Re: NSBU 22.14.2.13 is flagging things left and right

Update: Procexp64 has gone from a single instance where tamper protect shows to a separate history entry every 2-3 seconds for a single execution of the explorer file. I executed the file at 8:53:40 am and it continued flagging and making entries until 8:53:46. I then executed the same process again at 3:19:42 pm, with entries continuing until time 3:22:19 pm for the same single file execution. Almost 2 pages of entries for one file execution. Same Actor PID, same Actor location, same target PID. After this NSBU began flagging Windows Defender which in most cases in normal.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.319 / NSBU 22.15.1.8 / Norton Core v.267
Kudos0

Re: NSBU 22.14.2.13 is flagging things left and right

Hello

I came across a full page blockage for a site which has not been evaluated yet. The owner of the site complained that she has been waiting 2 months for it to be evaluated. I went to check out the site itself and came across the blockage. Safe Web shows it untested. I took care of it with my Safe Web activity. I just wanted to point out that not all the errors have been fixed.

Have a Good Night and

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.15.1.8 Core Firmware 267 I E 11
Kudos2 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

SoulAsylum:

Update: Procexp64 has gone...to a separate history entry every 2-3 seconds for a single execution of the explorer file.

Yep, that has been the behavior now for several years.  It would be nice if logging for Procexp could be eliminated.

Kudos1 Stats

Re: NSBU 22.14.2.13 is flagging things left and right

Amen to that SOJ. I haven't seen things at this level in a very long time though.

Cheers

Retired military (Navy 1980-2002) "From DOS to Windows10 what a journey it has been" / MS Certified Professional / Windows 10 Professional x 64 version 1803 / build 17134.319 / NSBU 22.15.1.8 / Norton Core v.267

This thread is closed from further comment. Please visit the forum to start a new thread.