• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

This forum thread needs a solution.
Kudos2 Stats

wmiprvse.exe

Hello:

I'm using Norton Security with Backup completely updated in Windows 10 environment. I'm having multiples medium security alerts about the file:

c:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE

Has the target file:

c:\Program Files (x86)\Norton Security with Backup\Norton Security with Backup\Engine\22.8.0.50\nsbu.exe

is trying to access process data.

Sometimes, Norton ask me to reset the computer. I made a scan to the file and says there is no problem. Do I have a virus, malware or something like that? I was searching the web a some sites talks about a virus within WMIPRVSE.EXE file.

I know this is not a new topic, but what I found in forums talks about NIS and Windows 7. So, I have a doubt. Can anybody help me?

Regards,

Milton

Replies

Kudos2 Stats

Re: wmiprvse.exe

The Unauthorized Access Blocked messages in your security history are logged by Norton Product Tamper Protection every time an executable file attempts to read/write/edit/delete a Norton file.  Common Windows processes like svchost.exe, taskmgr.exe, dfrgntfs.exe, etc. as well as any executable from third-party software like CCleaner and Malwarebytes Anti-Malware will cause one of these Unauthorized Access Blocked messages to be logged if they touch a file from your Norton installation. Please see my post <here> in the Product Suggestions board regarding logging of these blocks. (credit Imacri)


Norton Product Tamper Protection prevents outside programs from making changes to the Norton product.  Norton Product Tamper Protection protects your Norton product from an attack or modification by any virus or other unknown threat. Norton Product Tamper Protection view in the Security History window displays details about unauthorized attempts to modify Norton processes.  Unauthorized access blocked (Access Process Data).  NPTP events are not reports of malware.


The most common NPTP log entries are legitimate Windows processes that Norton is preventing from accessing Norton files or processes.  Norton is simply maintaining a secure isolation from other processes running on your system.  (credit Community)

Kudos0

Re: wmiprvse.exe

Doesn't solve it, just explains it better.

Kudos1 Stats

Re: wmiprvse.exe

There isn't anything to solve.  These aren't "alerts."  They are just log entries of Norton actions, in this case, preventing a Windows process from accessing Norton process data.  This is a normal function that prevents any outside agent, even Windows, from interfering with Norton.

Kudos0

Re: wmiprvse.exe

SendOfJive:

There isn't anything to solve.  These aren't "alerts."  They are just log entries of Norton actions, in this case, preventing a Windows process from accessing Norton process data.  This is a normal function that prevents any outside agent, even Windows, from interfering with Norton.

With respect, there is something for the average user to be potentially concerned about, since the label in my history log clearly states that such Windows-induced events are an "alert" and of "medium severity". Therefore, it's not, apparently according to Norton, and innocuous log entry. If you are correct, then they need to re-categorise these events.

Kudos1 Stats

Re: wmiprvse.exe

As SOJ has explained. These are merely records of what Norton has blocked.

The fact it's an OS exe trying to access Norton is why Norton has categorized it as medium severity.

My advice ? Forget checking your history, and as long as you have the green tick and all is well otherwise, don't worry.

Windows 10 Home X 64 Norton Security Premium Current
Kudos1 Stats

Re: wmiprvse.exe

Cavehomme1:

With respect, there is something for the average user to be potentially concerned about, since the label in my history log clearly states that such Windows-induced events are an "alert" and of "medium severity".

All event detailed descriptions in Norton History are labeled "Alert Summary," even LiveUpdate summaries.  Obviously, Norton does not alert you every time it downloads new definitions, just as it does not alert you every time Tamper Protection blocks something.  I would agree that using the term "Alert" for all items in Norton History is probably inaccurate.  It does not change anything that I stated about the nature of the event or its importance, however.  Remember, you are looking at historical events, not current threats, and when it says "no action required," that means Norton has already taken care of whatever it was and you don't need to do anything further.  Tamper Protection blocks are a normal part of Norton's routine actions that happen in the background; the logs are a record of what transpired, not a warning that anything is wrong. 

Kudos0

Re: wmiprvse.exe

F 4 E:

As SOJ has explained. These are merely records of what Norton has blocked.

The fact it's an OS exe trying to access Norton is why Norton has categorized it as medium severity.

My advice ? Forget checking your history, and as long as you have the green tick and all is well otherwise, don't worry.

If a PC is left on overnight to scan, the only way that I can see if a scan has quarantined anything is by sifting / filter through the history which you recommend just to ignore. There are other reasons for looking at the history too. What is surprising is the sheer number of wmiprvse.exe alerts several per minute. For something apparently so common, and from a "friendly" source, i.e. the trusted OS, it's surprising that the history would be allowed to be filled with medium severity events. In other words, it's a suggestion for improvement.

Kudos1 Stats

Re: wmiprvse.exe

https://community.norton.com/en/forums/product-suggestions

Having said that, I turn my system off every night.

Full Scan once a month is performed manually while I have lunch, so I can check it when it's finished.

Just my way of doing things. I don't need to be a slave to software.

Each to their own. There's no "right" way.

Windows 10 Home X 64 Norton Security Premium Current
Kudos0

Re: wmiprvse.exe

Hello

You just have to check Quarantined, Resolved Security Risks and Unresolved Security Risks. Those headings are in the dropdown of the History Log.

I would suggest to Norton if the Logs are not important to the User, then they should be hidden from the user.

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NSBU 22.17.0.183 Core Firmware 270 I E 11 Chrome latest one
Kudos2 Stats

Re: wmiprvse.exe

floplot:

I would suggest to Norton if the Logs are not important to the User, then they should be hidden from the user.

The logs are important to the user.  But they are there to refer to when something needs to be investigated; they are not generally intended to be casually studied to discover problems when no noticeable issues are present.  For example, Tamper Protection events are logged because some software will crash if Norton prevents it from accessing Norton data.  So, if you have a program that is mysteriously crashing, you can check the Tamper Protection logs to see if Norton might be involved.  If the interaction with Norton is causing problems for a program, the Tamper Protection logs are the only thing that will reveal that relationship.  If you are not having such an issue, there is no reason to pore through the logs looking for trouble.  As long as a user understands how Norton works and what the log entries indicate, the logs can be a valuable tool.  There is a learning curve, and it is true that some of the logging dialog is not very clear or informative sometimes.  But as long as a user understands that Norton history is simply a record of Norton's past actions and not a warning system, logging can be quite helpful in making sure that things are running as they should.

Kudos1 Stats

Re: wmiprvse.exe

I'd prefer to leave the logs in place and have knowledgeable people on these forums provide an explanation of what they are, as they have done so for this particular observation. It's good to have an active and informative forum. Some other security solutions have really unhelpful forums. I also appreciate the power and utility of Norton Internet Security, it's an impressive security suite - not perfect and it can improve, but it's very good. Learning it's internals is part of the process to ensure my PCs stay secure.

I am fine with the explanations given here and it causes me to wonder why wmiprsv.exe is so active. Part of the reason, I have since discovered, it that certain Dell utilities use it and which is making me investigate why that is so and whether they are all necessary or can be removed.

Kudos0

Re: wmiprvse.exe

...and what if, perhaps coincidentally, around the same time the WmiPrvSE log showed up, the Norton program can't seem to get the Green tick, only the scary Red X?

I just noticed the security log for this same 'medium threat resolved' after I've been running every type of scan when I had the Red X show up around the same time, to no avail - scans keep coming up clean but no Green tick. Since then I've also been unable to run the Quick Scan and the Norton 360 program keeps shutting down every now and then with a lovely windows program error message.

Thoughts, suggestions, help? Does Windows10 & Norton not get along?

I'm not a computer expert, only a user, and although I like to see the reports to know what is affecting/could have affected my computer, the 'high risk' logs always concern me causing a little bit of panic since I use it for work. As far as Norton hiding these logs to prevent such concern for the less computer savvy, it might be a good idea although it does encourage more prudent use.

Kudos0

Re: wmiprvse.exe

...and what if, perhaps coincidentally, around the same time the WmiPrvSE log showed up, the Norton program can't seem to get the Green tick, only the scary Red X?

I just noticed the security log for this same 'medium threat resolved' after I've been running every type of scan when I had the Red X show up around the same time, to no avail - scans keep coming up clean but no Green tick. Since then I've also been unable to run the Quick Scan and the Norton 360 program keeps shutting down every now and then with a lovely windows program error message.

Thoughts, suggestions, help? Does Windows10 & Norton not get along?

I'm not a computer expert, only a user, and although I like to see the reports to know what is affecting/could have affected my computer, the 'high risk' logs always concern me causing a little bit of panic since I use it for work. As far as Norton hiding these logs to prevent such concern for the less computer savvy, it might be a good idea although it does encourage more prudent use.

Kudos0

Re: wmiprvse.exe

F 4 E:

As SOJ has explained. These are merely records of what Norton has blocked.

The fact it's an OS exe trying to access Norton is why Norton has categorized it as medium severity.

My advice ? Forget checking your history, and as long as you have the green tick and all is well otherwise, don't worry.

...and what if, perhaps coincidentally, around the same time the WmiPrvSE log showed up, the Norton program can't seem to get the Green tick, only the scary Red X?

I just noticed the security log for this same 'medium threat resolved' after I've been running every type of scan when I had the Red X show up around the same time, to no avail - scans keep coming up clean but no Green tick. Since then I've also been unable to run the Quick Scan and the Norton 360 program keeps shutting down every now and then with a lovely windows program error message.

Thoughts, suggestions, help? Does Windows10 & Norton not get along?

I'm not a computer expert, only a user, and although I like to see the reports to know what is affecting/could have affected my computer, the 'high risk' logs always concern me causing a little bit of panic since I use it for work. As far as Norton hiding these logs to prevent such concern for the less computer savvy, it might be a good idea although it does encourage more prudent use.

Kudos0

Re: wmiprvse.exe

Hi Jess, if you think you're not an advanced / expert user I really wouldn't delve into the history log of Norton or worry too much as to what is in there. If Norton needs you take action then it will be made very obvious to you! It's easy to misinterpret something and take the wrong actions, I've done that a few times over the years! 

I've used probably all the various AV and IS software out there over the years and I have to say that I've come back to using Norton because it gives me more confidence than anything else out there, it scores excellently in independent tests and no longer hogs my computers. I still test and review other AVs from time to time, especially before needing to decide whether to renew the license for another year or go with another product.

That said, my suggestion to Norton developers is to have a SEPARATE log or tab to show items that are quarantined. People do need to peer into that area to see if anything might have been snagged, even a false positive check to recover files there. Currently, a user needs to comb / filter through ALL the log, therefore it is inevitable that users notice all the other things in the log and justifiably get worried, even if ultimately they have no reason to, as Jess1. Can somebody please pass that suggestion on?

Just to close off my own issue stated above in this thread, my own delving into the log did however eventually highlight that the wmiprvse / Norton issue was primarily being caused due to a service called Dell Vault which I determined I did not need and disabled it. That almost completely stopped the wmiprvse / Norton alerts, the remainder I no longer worry about. So in summary, it was not a security issue for me to be worried about, just made my PC more efficient by disabling an unnecessary service.

Kudos0

Re: wmiprvse.exe

I have a Microsoft Surface Pro 3 and a Dell XPS 15 9560 running side by side.

Only the Dell has the wmiprvse.exe issue.

Cavehomme1, How did you disable the Dell Vault service? 

Kudos0

Re: wmiprvse.exe

TraderGary,

Those services are in the usual area of Windows for managing services, search for services.msc and it will all pop up. There you need to scroll through the list until you find the Dell Valut service and then edit it to disable the service from starting up in the first place. Reboot and it should resolve the problem to a large extent, perhaps completely. If you are not experienced in managing services, I suggest you really don't be tempted to disable or edit any other services, there can be serious unintended consequences. Good luck.

Kudos0

Re: wmiprvse.exe

I am having the same issue / question. Unauthorized Access Blocked (Access Process Data)

Actor: wmiprvse.exe

Target: n360.exe

Now, the thing I have an issue with is this, I keep getting random links popup on IE 11 on my Windows 8.1 system on normal sites I have gone to before (I.E. Yahoo.com, Facebook).

All showing the message above.

The key phrase is "keep getting", so I look at the Norton History and it keeps showing the same issue.

I have scanned: Full System, Malware scans, Spybot Search & destroy, CCleaner. 

I have tried Norton  Power Eraser

Something has to be triggering this random links.

I am just trying to get this to stop, Each time it happen Norton blocks the site (Thank God) and the site is different each time.  My Norton software doesn't seem to me catching the task / virus / ??? that is causing the issues.

Actually it just did it when I tried to post this.

File Attachment: 
Kudos0

Re: wmiprvse.exe

Please read the preceding posts in this thread for an explanation of why these log entries are not an indication of anything malicious.  You can ignore them.

Kudos0

Re: wmiprvse.exe

Like I said these are happening at random times and is being caused by some malware / Trojan that is on my system. Norton is stopping the links that go to these sites, but not the cause of them.

Kudos0

Re: wmiprvse.exe

Norton Product Tamper Protection entries in Norton History, which is what "unauthorized access blocked" events are, only pertain to outside programs' attempts to access a Norton file or process.  They have nothing to do with the detection of malware or the blocking of malicious actions, except in the rare case of malware attempting to interfere with Norton itself.  You may have a PUP on your system that is generating the links, but that would be something separate from the Tamper Protection log entries you cite.

Kudos0

Re: wmiprvse.exe

Cavehomme1 commented on wmiprvse.exe saying, "I have since discovered that, certain Dell utilities use it,, and which is making me investigate why that is so, and whether they are all necessary or can be removed."

Also: Is there a Dell system adjustment we can make, to stop the conflict? It is at least causing a system boot to take longer, for no good reason at all.

So, if anyone has found something clever to apply to this Dell system situation, please respond with your solution. I would like to play with it as well. We don't need Dell causing this malady. 
Oh, wait, i found Cavehomme1 suggested solution. I will try it and come back here soon.
I stopped and set DDVCollectorSvcApi.exe to manual start. (most positive control) its properties states::
"Dell Data Vault Service API exposes a COM API for working with the DDV services" 
Getting ready to reboot my Dell.

Kudos0

Re: wmiprvse.exe

Solves to some extent, at least:

Cavehomme1 suggested procedure here, reduced 6 hits to 3 hits when i set windows service "Dell Data Vault Service API " to Manual start and restarted my Dell PC.
Then i set "DDVRulesProcessor" to Manual Start & restarted again, checking to verify that they were both in fact still set to Manual Start. But again 3 "wmiprvse.exe" hits shown in Norton History. So, partly solved in my case.
Thanks Cavehomme1

further note: DDVRulesProcessor runs even after being set to manual. That don't stop it.
Then set "DDVRulesProcessor" to, "Disabled". It warned that this would stop, DDVR Colector, as well. Disabled it any way and that got rid of the other 3 "wmiprvse.exe" conflicts as well. So, here again,
~~~~~~~Thanks Cavehomme1~~~~

Kudos0

Re: wmiprvse.exe

I wiped my machine and rebuilt it. Problem solved.

Kudos0

Re: wmiprvse.exe

Papaw Mick:

I wiped my machine and rebuilt it. Problem solved.

What problem?  Norton Product Tamper Protection log entries are simply records of Norton actions that keep its processes and files isolated from other programs.  They do not affect anything.  Like any other Norton History event, no user action is required.

Kudos0

Re: wmiprvse.exe

I will not dignify that comment with a response.

Kudos1 Stats

Re: wmiprvse.exe

It would be far more logical to keep a list of quarantined items completely separate to such system logs. Otherwise people needlessly get to view stuff they really don't need to worry about too much and then quite understandably we get concerned about those Norton system logs and spend hours if not days trouble-shooting! Better for you to spend energy recommending to the Norton dev team to improve this aspect of the Norton user interface than to dismiss user concerns, thank you.

Kudos0

Re: wmiprvse.exe

If I recall correctly, on that PC I completely disabled that particular Dell service which then reduced the issue by more than half. I may have even completely removed that piece of Dell software as well, it's unnecessary.

On some other PCs I have gradually introduced using the default of Windows Defender plus a second layer of active protection, I won't name them here on this site but there are several well-known second layer options out there. I'm doing this because Norton and other security suites are becoming too complex and intrusive. I do realise that the malware threat is far more complex today, but the trick is to give the users less overhead and complexity and not to mess up the operation of other legitimate apps in the process. I'll keep Norton on a few machines for at least another 8 months until the licences expire or I decide to renew them for another year, it gives an excellent level of protection, but I hope for less overhead for me in managing it.

Kudos1 Stats

Re: wmiprvse.exe

Thank you.

Kudos1 Stats

Re: wmiprvse.exe

I am an IT guy of 32 years. Every thing from hardware / software / programming / database / forensics and more. Keeping logs are a waste of time unless it is used for tracking issues and they can cause security issues.

When a company that I worked for got hacked, after 7 audits from (MasterCard, Visa, Discover, American Express, FDIC, FEIC) and a Secret Service and FBI investigation, some of the worst dings we got were on useless logs that sometimes contained information that could be used in attacks.

I got Norton basically because it was free from Comcast. Until I got this Dual processor I5, 3.10 ghz w/ 8gb memory the thing that caused the biggest drag of resources was the Norton n360.exe mainly the web protection. I agree with the gentleman above about the overhead.

I am done with this subject.

Kudos0

Re: wmiprvse.exe

If that particular Dell service has anything to do with watching for necessary Dell BIOS and driver upgrades, I'm going to leave everything as it is, especially since Norton Security takes less than 1% of my system resources to run. I'm going to believe that the Norton engineers know more about security than I do. Instead of combing through the log files, I've gone to using the drop-down menu to look only at the items that are actually of interest to me.

Kudos2 Stats

Re: wmiprvse.exe

Norton Product Tamper Protection events are logged primarily so that if Norton's blocking action breaks an offending application, it will be discoverable.  Some poorly written programs will crash if prevented from accessing Norton, and users would have no easy way of determining the cause of the problem if not for the Norton log entries corresponding to the time of the crash.  Remember: if there is something serious going on that requires user action, Norton will alert you with a pop-up.  Otherwise, Norton handles routine matters like tamper prevention and logs them for reference. 

This thread is closed from further comment. Please visit the forum to start a new thread.