Kudos0

Why no exclude for Tamper Protection

Why is there no way to specify processes that you know are safe so that they are not blocked? Every time a process is blocked from accessing process data or thread data, and a record of this action is recorded in the Security History, many processor cycles are wasted. Completely legitimate and identifiable processes attempt these data accesses for whatever reason on a regular basis, as often as once per second, and all NIS is doing is needlessly adding to the CPU load by blocking and then recording these legitimate (although possibly unnecessary) data access attempts.

Replies

Kudos0

Re: Why no exclude for Tamper Protection

Norton Product Tamper Protection is blocking these other programs from accessing Norton's own processes and files. This prevents outside agents from disrupting or compromising Norton. The logs record this activity. The programs, other than being denied access to Norton, are otherwise not blocked from performing their normal tasks.

Kudos0

Re: Why no exclude for Tamper Protection

I know all that, but that's not what I asked. I'm pointing out a deficiency in the software that should be corrected. Not providing the ability to exclude known-good processes from accessing data (not a security risk) results in unnecessary and wasted CPU usage.

Kudos3 Stats

Re: Why no exclude for Tamper Protection


mbrazil wrote:

I know all that, but that's not what I asked. I'm pointing out a deficiency in the software that should be corrected. Not providing the ability to exclude known-good processes from accessing data (not a security risk) results in unnecessary and wasted CPU usage.


Obviously, in order for the integrity of a security program to be maintained, other applications cannot be permitted to have access.  The software that needs to be corrected are the programs that are wanting access to areas that are not necessary for them to operate.

Kudos0

Re: Why no exclude for Tamper Protection

The capability to exclude programs for other aspects of NIS is provided. Based on your interpretation, those exclusions also weaken the security, so why are they allowed? Either allow no exclusions (which would make the security software so intrusive as to be unusable), or allow users to make their own decisions as to whether another process is a security risk on their computer.

The bottom line is this -- NIS is loading the CPU unnecessarily, and excluding known-good processes should be the decision of the user, not the software company. 

It seems as though these forums should be renamed the Make Excuses for Symantec community. Why not consider suggestions for improving the products instead of defending poor decisions on the part of the developers?

Kudos4 Stats

Re: Why no exclude for Tamper Protection

I will tell you my experience with Symantec's corp Endpoint AV. I had virus definitions corrupted. CcSvcHst.exe and other critical AV core files were constantly being attacked by malware. Note that every hacker in the world knows that ccSvcHst.exe is the "engine" of Symantec's AV products. They also know most of the other core files.

I finally got fed up with the constant maintenance with Endpoint and went the Norton route. I am pleasantly surprised to note that I have not had one Norton core file corrupted in the five months I have been running the software.

In my opinion, Norton has done it right. It takes an overaggressive stance to any application that comes close to its core files. This is a much better alternative than to risk access by a supposedly "safe" application. I can easily live with harmless log entries that state so and so program was blocked from accessing "x" Norton core file.

Kudos0

Re: Why no exclude for Tamper Protection

NIS allows users to completely disable tamper protection but does not allow them to exclude legitimate processes that NIS is unable to differentiate from malware. This results in a situation in which the user has only two choices -- either disable tamper protection altogether, thus significantly hampering NIS's ability to protect their system, or to allow NIS to continue to unnecessarily consume CPU resources by blocking and logging benign attempts to access data (accessing data is not the same as attempting to disable the software, block its protective actions, or modify its code). Adding the ability to exclude known-good processes would be a good compromise which would reduce the load on the system while still retaining most of the tamper protection.

I will leave tamper protection enabled, but I'm tempted to disable it because I have two well-known apps of good reputation that, for whatever reason, attempt to access process data or thread data. One of these is the RoboForm taskbar icon process, and the other is Process Lasso, which monitors and regulates processes. These are both 100% benevolent, but NIS is constantly wasting resources to block them and log the attempts, and it provides me with no way to prevent this wasteful action.

If I wanted a computer that would force me to do things its way and leave me almost no ability to configure and control it, I'd get a Mac. I feel the same way about software. A security suite should, by default, do as much as possible to protect your system, but it should not preclude users from making educated changes to its operation. As NIS stands, its configurability is somewhat limited, and for knowledgeable users, this is unnecessarily restrictive and wasteful.

Kudos1 Stats

Re: Why no exclude for Tamper Protection

I'm reading your messages and wondering when you will provide concrete, positive recommendations on what to change and how to change it. Being dissatisfied and complaining about it does not get anything done, other than repeating your dissatisfaction. Of which we are all well aware.

I look forward to your constructive suggestions in the future.

Dick Win 10x64 current current NSBU
Kudos1 Stats

Re: Why no exclude for Tamper Protection


mbrazil wrote:

It seems as though these forums should be renamed the Make Excuses for Symantec community. Why not consider suggestions for improving the products instead of defending poor decisions on the part of the developers?


No excuses.  You asked the question "Why is there no way to specify processes that you know are safe so that they are not blocked?"  and I attempted to provide you with an answer.  Suggestions for improving the product should be posted here, where they will be given consideration by Symantec employees:

Norton Product Ideas

Kudos0

Re: Why no exclude for Tamper Protection

Kudos0

Re: Why no exclude for Tamper Protection

If you are running IE9 please switch to compatibility mode so we can see your text .......

Hugh
Kudos0

Re: Why no exclude for Tamper Protection

Sorry. I wanted to delete that blank reply and couldn't figure a way to do it!

Kudos0

Re: Why no exclude for Tamper Protection

Us users can't and moderators rarely do as a matter of principle.

Hugh
Kudos0

Re: Why no exclude for Tamper Protection

I'm not running IE9 or IE at all for that matter.

Kudos0

Re: Why no exclude for Tamper Protection

How many times do I have to say it -- Norton Product Ideas keeps telling me to correct highlighted errors and nothing whatsoever is highlighted. There's no way to post there until they fix it.

Kudos0

Re: Why no exclude for Tamper Protection

Wow. You must have trouble reading.

What can't you understand about asking to have the ability to add process exclusions from tamper protection? That's what I said very clearly. ADD A WAY TO EXCLUDE PROCESSES FROM BEING BLOCKED BY TAMPER PROTECTION!!!!!!!!

Kudos0

Re: Why no exclude for Tamper Protection

Have you read my reply to you on this?

I just checked and it uses the same editor as here and has the HTML tab.

If you really want to post then use the age-old workaround and after you write your text in the Ideas editor, Select all the text (CTRL + A may not be the best way) / Copy to clipboard / Paste to notepad / Select All (See before) / Copy to clipboard / Paste from Notepad back into the editor and there should not be any HTML.

Lots of others are posting so maybe it is your browser ....... <s>

Hugh
Kudos1 Stats

Re: Why no exclude for Tamper Protection

As a reminder, please keep these forums friendly. While I encourage a good discussion, it should be a civil discussion. Any further inappropriate behavior will not be tolerated.

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation
Kudos0

Re: Why no exclude for Tamper Protection

Read my original post in this thread (the one at the top). It very clearly states that what is currently missing from NIS is a way to specify processes to be excluded from being blocked and logged by tamper protection. So, if you still can't figure it out, I'm asking them to add a way to specify processes to be excluded from being blocked and logged by tamper protection.

Norton Product Ideas is malfunctioning. Every time I click Post to try to post anything there, it comes back and tells me to correct the highlighted errors, but there are no highlighted errors. Nothing whatsoever is highlighted. It is broken.

Kudos0

Re: Why no exclude for Tamper Protection


mbrazil wrote:

NIS allows users to completely disable tamper protection but does not allow them to exclude legitimate processes that NIS is unable to differentiate from malware. This results in a situation in which the user has only two choices -- either disable tamper protection altogether, thus significantly hampering NIS's ability to protect their system, or to allow NIS to continue to unnecessarily consume CPU resources by blocking and logging benign attempts to access data (accessing data is not the same as attempting to disable the software, block its protective actions, or modify its code). Adding the ability to exclude known-good processes would be a good compromise which would reduce the load on the system while still retaining most of the tamper protection.


Hi mbrazil,

I added emphasis above. The problem is that if Norton allowed this, then there would be no way to block any destructive behavior by these processes in the future.

As for Norton Ideas would you mind stating what type of content you are trying to include there? Are you just typing a post and hitting "Post" or trying to include inline content from another source or what?

Would you mind telling us which browser you are using and the version? The Norton Community uses scripting so this must be enabled in your browser for it to work, though I am not suspecting this to be a problem since you are able to post on this board.

Best wishes.

Allen

Windows 7 Ultimate SP 1, 64 bit, 32 GB * NIS Vers. 21.6.0.32* Ghost 15 * IE 9, Firefox, Safari. Test laptop with W7 Home Premium 64 bit * NIS Vers. 21.6.0.32
Kudos6 Stats

Re: Why no exclude for Tamper Protection


mbrazil wrote:

Why is there no way to specify processes that you know are safe so that they are not blocked? Every time a process is blocked from accessing process data or thread data, and a record of this action is recorded in the Security History, many processor cycles are wasted. Completely legitimate and identifiable processes attempt these data accesses for whatever reason on a regular basis, as often as once per second, and all NIS is doing is needlessly adding to the CPU load by blocking and then recording these legitimate (although possibly unnecessary) data access attempts.


I don't specifically work on this area of the technology so I don't have a definitive answer. What I can tell you is that tampering detection is watching every event on the system. At the time of the event, it is unknown what process is associated with it. It consumes CPU resources to go make that association and since we want to keep the resource usage to a minimum we don't do that. Only when a conviction occurs do we actually associate the application's name and specific details. The act of blocking the event doesn't take any different amount of time than allowing so there is no cost there. Reading in an exclusion list and searching it for a match does take more CPU resources and add extra program complexity just to prevent logging a message.

P.S. In short, allowing exclusions for Tamper Protection wouldn't gain the user anything and actually make the program more complex.

Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation
Kudos0

Re: Why no exclude for Tamper Protection

Hi

I just wanted to know if malware could use safe Windows processes to terminate Norton processes?

(I know the question is lame/discussed already but just curious)

I have heard of threats using Windows process to access net and fool firewall

but what about process terminations??

Midou
Kudos0

Re: Why no exclude for Tamper Protection

just wanted to know if malware could use safe Windows processes to terminate Norton processes?

 

Yes. That is why tamper protection blocks them from accessing NIS core processes like ccSvcHst.exe. If you look in your NIS logs, I am sure you will see one or more Win OS files being blocked by tamper protection.

[edit]

The fact that tamper protection blocks WIN OS files does not mean the files are infected.

Kudos0

Re: Why no exclude for Tamper Protection


reese_anschultz wrote:

[...]

P.S. In short, allowing exclusions for Tamper Protection wouldn't gain the user anything and actually make the program more complex.


I disagree. I would have a readable Recent History log if I could tell NIS to stop logging 'Unauthorized access blocked (Access Process Data)' messages for a particular application (see below):

http://community.norton.com/t5/Norton-Internet-Security-Norton/Unauthorized-access-from-CONHOST-EXE/m-p/411808/highlight/true#M150724

Kudos0

Re: Why no exclude for Tamper Protection

mbrazil,

<< Norton Product Ideas is malfunctioning. Every time I click Post to try to post anything there, it comes back and tells me to correct the highlighted errors, but there are no highlighted errors. Nothing whatsoever is highlighted. It is broken. >>

Have you read the two replies I've posted to you on this already? This problem with the reply editor is well known and it's a problem with the editor and not with the Forum -- it applies here too and you are able to post.

If you use the workaround I've given, you will be able to post.

Hugh
Kudos0

Re: Why no exclude for Tamper Protection

Recent history is pointless, in my opinion, because of tamper protection, firewall activities, and scans. Really, the only way to make use of it is to go to the individual sections of importance.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain
Kudos0

Re: Why no exclude for Tamper Protection


elsewhere wrote:

reese_anschultz wrote:

[...]

P.S. In short, allowing exclusions for Tamper Protection wouldn't gain the user anything and actually make the program more complex.


I disagree. I would have a readable Recent History log if I could tell NIS to stop logging 'Unauthorized access blocked (Access Process Data)' messages for a particular application (see below):

http://community.norton.com/t5/Norton-Internet-Security-Norton/Unauthorized-access-from-CONHOST-EXE/m-p/411808/highlight/true#M150724


Point taken. I would never want to trust conhost.exe but there probably are other, more secure, apps that could cause this.

Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

This thread is closed from further comment. Please visit the forum to start a new thread.