I recently went through my Norton history, and it turns out since November 2nd at 5:01 Norton has been reporting: C:\WINDOWS\SYSWOW64\WBEM\WNIPRVSE.EXE Unauthorized Access Block
Now since then I have more than 200 occurrences of this medium risk block. I have searched other threads and they say there is nothing to worry about, but I think it is a little too much. They come in packs of about 5~7 per minute every two hours or so when my computer is on, or sometimes just one occurrence. I checked the file with Norton Insight and it says it's trusted and has the Windows signature but it still seems fishy. It also has the file registered as old, 2 years and 9 months, but I think that could be forged by some virus. Further, on many of my searches it says that the file WNIPRVSE.EXE should be under C:\WINDOWS\SYSTEM32\WBEM\ and not SYSWOW64, so I am a bit confused as to whether the one in SYSWOW64 is legit or not.
Finally, I have also had continuous blocks on MRT.EXE and CONHOST.EXE from C:\WINDOWS\SYSTEM32\ from accessing Norton and changing the registry respectively. What confuses me most about this is that when I check CONHOST.EXE's properties I see the date created as 8/9/2011 and the date last modified as 7/18/2011, which makes no sense to me as it can't be modified before it was created, leading me to think that it was changed by an illegitimate program/virus.
Please help!
P.S. Also, if someone could tell me how to make an exception for WNIPRVSE.EXE if it's legit so it stops popping up in my history, given that it would be a false positive. Thanks again!
Sure: I am running Windows 7 Home Premium 64-bit and am running Norton Security Suite Version 5.2.0.13 from Comcast, and currently have a really outdated version of MBAM which I don't really use anymore (haven't updated in like a year lol). I'm not sure if this matters but I do not torrent, so that might change something, but I do not know. Other than that I cannot think of anything else that would help solve or contribute to solving this problem. As far as I know nothing of significance happened on November 2, no fishy or large downloads.
Hi Friscis,
What you are seeing is not out of the ordinary. As dickevans said, Norton Product Tamper Protection will block any outside agent, even legitimate processes such as Windows components, from accessing Norton files or processes. All of the actors you mention are Windows processes. SYSWOW64 is present in 64-bit versions of Windows and is necessary in order to run 32-bit applications on the 64-bit system. It contains the same files as are found on a 32-bit copy of Windows\System32, so there is nothing sinister in seeing a Windows process running from that folder.
Norton Product Tamper Protection is not intended as a malware detection component and you should not be inferring anything malicious from the logs. They record every event so that any issues that might arise from an interaction between an actor and NPTP can be investigated. All events are logged for this reason and this should not be a concern - it does no harm. Yes, malware might try to interfere with Norton, but that would be secondary to other, more obvious signs of infection. The Tamper Protection logs alone, especially when the actors are legitimate programs or Windows processes, are not a reliable indicator of malware. Unless you have symptoms of an infection, or have had malware detected on your system by other means, you should disregard the Tamper Protection logs. As I like to point out, all Norton logs are records of past events - if any user action or notification was necessary, Norton would have alerted you at the time that the event occurred.
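
For readers who want to confirm the file details discussed above for themselves, here is a read-only PowerShell check of the binaries named in this thread. It is an added example, not part of the original posts or any Norton tooling; it assumes the thread's "WNIPRVSE.EXE" is the WMI Provider Host, WmiPrvSE.exe, and the variable names are illustrative.

```powershell
# Added example: read-only inspection of the Windows binaries named in this thread.
# Assumption: "WNIPRVSE.EXE" in the thread is the WMI Provider Host, WmiPrvSE.exe.
# Run from a 64-bit PowerShell session: a 32-bit session on 64-bit Windows is
# redirected from System32 to SysWOW64 and would report the wrong copy.
$windir  = $env:windir
$targets = @(
    "$windir\System32\wbem\WmiPrvSE.exe",   # native 64-bit copy
    "$windir\SysWOW64\wbem\WmiPrvSE.exe",   # 32-bit copy used by 32-bit applications
    "$windir\System32\MRT.exe",
    "$windir\System32\conhost.exe"
)

$report = foreach ($path in $targets) {
    $row = @{ Path = $path; Present = $false; Status = $null; Signer = $null
              Created = $null; Modified = $null; CreatedAfterModified = $null }
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path -Force
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $row.Present  = $true
        $row.Status   = $sig.Status
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        $row.Created  = $file.CreationTime
        $row.Modified = $file.LastWriteTime
        # A creation time later than the last-write time is normal for installed
        # or copied files: the copy gets a new creation time on this volume and
        # keeps the last-write time of the original build.
        $row.CreatedAfterModified = $file.CreationTime -gt $file.LastWriteTime
    }
    New-Object PSObject -Property $row
}

$report |
    Select-Object Path, Present, Status, Signer, Created, Modified, CreatedAfterModified |
    Format-List

# Files that exist but do not report a Valid signature deserve a closer look.
# Older PowerShell releases may not consult Windows catalog signatures, so a
# NotSigned result for a system binary there is inconclusive, not proof of tampering.
$report | Where-Object { $_.Present -and $_.Status -ne 'Valid' } |
    Select-Object Path, Status
```
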
Okay, thank you for your very thorough response. I will keep that in mind and not worry about it. Thanks again, both of you.
Hi Friscis,
You're welcome. If you check the Norton Product Tamper Protection log periodically, I think you'll note that the same processes often appear frequently as actors. In my case I see that Windows\System32\Services.exe is showing up several times a day. CONHOST is one that a lot of people see. Once you get used to seeing the "regulars" in the log, you'll get a better sense of what is normal and what you should expect to see.