Unauthorized access blocked (Set Regietry Security Key).

I've also noticed these things in my history log recently. I'm not 100% sure but I think they started after the most recent upgrade. Also, as the original poster pointed out...

The word 'registry' is spelled incorrectly in the history log. If nothing else, I would think Symantec might want to correct that typo.

--Ron

I have a similar log entry that happened today

Tuesday May 10th 7am central US time.

HOWEVER, I use NIS 2010 and my version is the same 17.8.0.5

so I have not gotten any version update.

My entry shows as follows:

Severity: Medium 

Activity: Unauthorized Access Blocked (Set Regietry Security Key) 

Status: Blocked 

Recommended Action:   No action Required

Advanced Details

Actor: C:\Windows\system32\svchost.exe

Target:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\

LEGACY_EECTRL\0000\Control

Action: Set Regietry Security Key

Reaction: Unauthorized action blocked

I guess what makes me very concerned is this whole Legacy EECTRL thing.

so is this a Norton function or is it an infection???

Update:

This has now happened for the 3rd time in the last 2 hours.

I also googled LEGACY_EECTRL and some info points to a Norton VQR item

Can someone from Norton please address this so we know if this is normal or if it is a sign of infection?

---

SendOfJive wrote:

I agree with RonH.  There have been several reports of this Tamper Protection entry since the latest update began to be released.  It is not unusual for these sorts of entries to suddenly appear after a change to the program.  Sometimes the new notifications are intentional, and sometimes they are not, but either way they are harmless and do not affect the safety or performance of your system.  There was a similar situation recently with "Set file attributes" entries in the Tamper Protection logs.

---

Here is why I am concerned. In my case when I check the Actor Process ID it is associated with an instance of svchost.exe.

When I go to task manager and right click on that particular svchost.exe and right click "Go to services" it takes me to

DcomLaunch ( Decom Server Process Launcher)

others who are experiencing this, when you check the PID of the actor, what servicedoes the svchost.exe run?

No I don't know much about computers, but I have to ask why would that particular svchost.exe be needing to access Norton files?

Does this sound like the svchost.exe has been/is being used to attemp to attack my system?

And why does it seem to happen several times a day only starting 2 days ago?

I appreciate any further clarification. From the other posts on here, it seems that several folks are getting the same thing.

---

Calls wrote:

Does this sound like the svchost.exe has been/is being used to attemp to attack my system?

---

These are all legitimate services and processes that are essential parts of Windows, and therefore are very likely to try to access running Norton processes from time to time.  If you find something in the Norton Security History logs that Auto-Protect and various system scans have not already alerted you to, then it is NOT malicious.

to the original poster of this thread and the others who have noticed this, are you still seeing these entries occuring? I have since May 9, 2011. Seems 2-3 entries daily.

to all those who are getting this entry-

when you check the actor pid  does it correspond to

Dcom Launch  and Plug and Play?

I'm surprised more folks dont notice this

It seems to transend NIS version ( I have 17.8.0.5) and OS ( I have Vista Home Premium 32 bit with Vista SP 2)

Am I the only one really concerned about this?

---

delphinium wrote:

Why don't you try the Microsoft forum and ask them why Windows is setting registry security keys?  It seems more appropriate than wondering why Norton is reporting it and blocking it.

---

Del- Thats a good point. Altough no other forum around is as helpful as the Norton forums

I will try to post  sometime soon in the microsoft answers forum. If anyone else posts there before me, let me know the thread. If it is indeed a microsoft issue, then I think we all need to post there so that they correct the issue.

Del- you had mentioned something about Legacy Drivers. Are they used by Norton products?

(I'm referring to the part of the registry key that reads LEGACY_EECTRL)

I'm not seeing it on my Win 7 machine, but it was a clean install of Win 7, rather than an upgrade from Vista.  There are two Vista boxes on this thread, and it may have something to do with the limited user accounts.  A security key is connected to user access.  Norton is just not allowing Windows to put a security key on two of its drivers.

Generally, legacy drivers have been left behind after an application was removed in case it was needed by the operating system later.  So I tend to think that since new applications better fit Windows increased security policies, Microsoft is trying to put a bandaid on older entries.  Norton is doing nothing more than reporting it and preventing it from ocurring.

The actual process and reasoning behind it, will have to come from Microsoft.

I think that is a good call neigh-ho-ma.  Sometimes actions and processes go on for years until something starts reporting them, and then it is just like new. 

To Send of Jive

---

SendOfJive wrote:

These are all legitimate services and processes that are essential parts of Windows, and therefore are very likely to try to access running Norton processes from time to time.  If you find something in the Norton Security History logs that Auto-Protect and various system scans have not already alerted you to, then it is NOT malicious.

---

not sure what you mean by:

If you find something in the Norton Security History logs that Auto-Protect and various system scans have not already alerted you to, then it is NOT malicious

did you mean if I don't find something?

---

Calls wrote:

not sure what you mean by:

If you find something in the Norton Security History logs that Auto-Protect and various system scans have not already alerted you to, then it is NOT malicious

did you mean if I don't find something?

---

Hi Calls,

If there is something malicious on your computer it will be detected by Auto-Protect or a system scan.  A Product Tamper Protection log entry showing Norton blocking a legitimate Windows process from accessing a legitimate Norton file is not an indication of malware - it is normal.  Yes, this particular entry is new, but there are several explanations for this that are far more likely than malware that does nothing except repeatedly try unsuccessfully to access an obscure Norton registry setting.  I mean, if it were something malicious, why would it go to the trouble to do that when Norton isn't detecting  it as malware anyway?  If malware were truly the cause of these events you would be posting about weird behaviors rather than log entries.  The odds of this being the work of malware are incredibly small.

Hi Calls,

Yeah, I think you are correct to be a little suspicious about an entry that has not been seen before.  In fact, that is the only reason to check logs regularly -  to spot things that are out of the ordinary.  So you were on the right track.  And there are still some legitimate unanswered questions about this event, for sure.  But there are just so many other reasons you could be seeing this, that malware wouldn't really concern me unless there were other disconcerting things going on as well.  If malware were trying to disable Norton, you can bet it would be doing a lot of other things too.  And as closely as you monitor your system, I'm sure you would recognize anything that was amiss instantly. 

Thanks I will try again

---

hvgsel wrote:

Plse look in your Windows Updates if you installed some around that date. There were a few extra system updtaes around end of April.

Maybe MS changed some modules, which caused this.

---

hvgsel- I followed your suggestion.

May be part of the answer

Here is what I found:

On or about April 26, 2011  there were a few Vista updaes. One of them, KB2492386, seems to have to do with

Application Compatibility Update for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: April 2011

Further-

The kinds of issues that are resolved by application compatibility updates

When you try to install and run certain legacy games or applications, you may experience one or more of the following symptoms:

• The game, the application, or the firmware is installed incorrectly.
• The game, the application, or the firmware causes system instability.
• The primary functions of the game, of the application, or of the firmware do not work correctly.

I would ask all those who have this issue to check and see if they have this Vista update, KB2492386, on or about April 26th, 2011

Now if I'm not mistaken, isn't some left over Norton drivers a LEGACY  item?

So this may account for the attempt by svchost.exe (probably the Dcom Lanucher) from attempting to access the Norton LEGACY Driver?

All I kow is I started getting this entry 1 hour after NIS 2011 updated to 18.6.0.29

Further tamper protection was added either in or at the same time as the 18.6 release. These new log events are the result of that addition and, as with most other log events of this type, generally don't indicate a problem unto themselves.