Hi, I don't know what this is being caused by but i have multiple computers with the same issue all started on 9/2, roughly about the same time.

Could this be an issue cause by virus or windows issue.  

Yes indeed!! If you are shutting down and restarting multiple times in one day that would account for the logs being created. And, its normal behavior with the VPN set to auto-connect as my screenshots show. In my case, and I apologize for not asking you if you were as well, I leave my PC's booted 24/7 and perform a restart once a week to clear caches, etc. I had that mindset about your issue and assumed you were doing so as well or something similar. No need to contact support, you are good to go. The worry I had was all computers having a tons of entries in history, the shutdowns and restarts explain that perfectly.

As is always the case you are most welcome for the assist. I didn't mean to scare you with getting to the root of the issue. I am always pro-active at finding the cause vice looking at the symptoms as the cause. Hope that makes sense. Stay healthy out there!!

SA

 Ok, so what you are indicating is that would always appear every time you log on to the internet. My computers are not continiously online. They are used primarily for Homework and Roblox, and only used for about two hours, the thing is, that my kids turn of the computers and then turn them on when they want to go back to either play Roblox, listen to music, or Do homework. They turn the computer at least 3 times during the afternoon after school. So I would assume then, that the log would be created every time the computer auto connects to the VPN, is that assumption correct?

And You have been SO Kind in helping me. Thank you SO MUCH!! believe me I am having hart attacks here...lol Should I call Norton Assistance to maybe explain why this is happening?

Thank you again.

Updating: The event viewer shows the following for the VPN connect:

VPN disconnect. No other entries for the time frame of the test nor since.

SA

My laptop connected via WiFi as a test. Set the VPN "auto connect to ON", established the VPN connection. The following appeared in "Recent History" vice in Product Tamper Protection. I allowed the VPN to stay connected for 2 minutes and received only this one entry. SVCHOST will always be the connection entry point for a VPN or any other remote access client:

I then disconnected the VPN and disabled the auto connect. The following I pulled from history.

So on a single computer it appears these entries would be normal, having a history logged continiously suggests something isn't normal. Replacing the router was a good move on your part as well to remove IT as a possible source of the issue. I would of course done the same. As for why you are seeing multiple entries in one login session I am at a loss. I run my VPN religiously and don't see that level of history logging on any of my machines. I will have a look at my event viewer as well to see what is there.

SA

 Good Afternoon, Thank you for your response, 

All of my computers are connected via Wifi, and they are not on at the same time. I went down to Xfinity, Replaced the Gateway, changed the admin password and set the firewall to Medium settings. All computers Have VPN enabled as you  see here on the Screenshots, though the Split tunnel is not enabled because I did not know what that was prior to researching it this morning. Every computer LOGS the NOrton Tamper protection at the moment the go online. I tested this, by booting the units without the wifi adapter, once the adapter is plugged in and connected, the moment it connects, it created the (create) log, and the id used points to the Ras client the moment it splits it. 

IF, you had turned the Norton VPN on within N360, and set split tunneling as well as the auto connect, your VPN will initiate the Rasclient connection as it is the "split-tunneling" feature in Norton 360. You MUST have the VPN ON to enable it. The  ip address 10.252.0.235 is the default internal gateway of your X-finity supplied router/combo device. The ip address 34.220.163.165 belongs to Amazon, AWS services. This is most likely where the VPN services are located which are being used by Norton.

Also, none of this accounts for ALL your computers on the same network seeing the same issue simultaniously. Are your computers configured to connect to a remote client or server? If not I would factory reset your X-finity device and start fresh with it. 

SA

So this morning I figured out that after RasClient successfully established a link to the Remote Acess Server using the following Server addres 34.220.163.165 port vpn2-1, ITS THEN followed by (a second later) the usersystem has dialed a connection named Norton VPN, tunnel ip addresse 10.252.0.235 this is what creates the log. The ip is a private ip. I reinstalled windows on my laptop and as soon as installed Norton and was online it created the same file. Why is it tunneling?

Every computer on your network are getting the same access blocked log entries. Contact X-finity support if you aren't sure about what settings to change in your router and how. Their tech support can remotely look at your modem logs possibly and determine if your firmware is up to date. And assist with what they may see as a possible network intrustion. They have that access, we here on the forums unfortunately don't. Norton is preventing intrusions into your computers, it cannot however, prevent intrusions from within a potentially already compromise router. They may advise replacing the current router with a new unit and assist in setting it up for you. 

SA

meaning at the moment they cant access the computers, their just able to see internet access or they are accesing the computers am sorry am so worried about this. 

The Windows process svchost.exe is a legit Windows process that CAN be used to compromise a machine. As before, Norton is blocking those attempts so they aren't getting into legitimate Windows and/or Norton processes. Killing the svchost. exe process most likely will kill your internet connection. I wouldn't play with it. 

SA

svchost.exe is there anyway to try to end the process? or is that them connected to the machine?

The tamper protection events are indication that Norton is stopping the intrusions. Finding the source is the key to ending it.

SA

Does that mean they have acces to the computers once they get passed the router firewall? And Thank you so much, I will do that once i get home.

Reset the Norton firewall:

Probing means an outside actor is getting past your X-finity router firewall. If one machine were seeing these entries personally I wouldn't be concerned. Since ALL your machines are seeing them that is a red flag. I would set your router firewall to medium settings and reboot the router. Keep an eye on the Norton history for the same scenario where all machines again see these entries in history. 

Also, IF, Xfinity does NOT require IPv6 disable it in your router and reboot it. https://www.xfinity.com/support/articles/about-ipv6

SA

 What do you suggest my Router firewall settings to be set at?  Probing meaning someone is trying to have access to the computers on the network? and How do i reset the Norton's firewall. 

Thanks for the post back. By network issues I'm saying a common cause is being driven over your home network. All your internet traffic originates from your router via your ISP aka provider. For every machine to be seeing the same entries your network is most likely being probed. Gaining access to your network for probing begins at the router level. X-finity isn't filtering something on their end. Your router should be automatically downloading new firmware as Xfinity releases it. There should be an area in router settings to do a manual check though. ISP's aren't well known for keeping their firmware current regarding threats. I have FIOS and manually run a firmware check once a week from the router settings just to make sure there isn't anything awaiting install. Perform a firewall reset both in Norton and your router. Reboot your router after you have reset the Norton firewall in each computer. Lets see if that clears anything for you.

This is the link for the user manual for your router. https://fccid.io/UIDTG4482/User-Manual/Users-Manual-4676983.pdf

SA

 Yes, the computers are on the same network. Xfinity Gateway Arris GP, Model# TG4482A. I have accessed the admin page and changed the password. But the firewall settings I left at as default. I did not wanted to have any conflicts with computer firewalls.  Router Firmware is TG4482PC2_4.10p3s1, dont know if thats up to date. I don't know what am looking at when viewing the logs on the gateway. I have checked for devices connected and it seems like nothing out of the ordinary. What do you mean Network issues, as in am being hacked remotely and someone is trying to disable the NPTP so it allows access to the computers? am kinda getting worried. I noticed it on 9/6 and it tryed to created at least 6 different times during this day.

Very frustrated dad indeed...

Hello!! These are showing as Norton Product Tamper Protections and normally are nothing to be concerned about. You said you are seeing this on multiple machines, I can only assume ALL the machines are on the same network? If that is the case, I would look at your router settings related to security. If you haven't ever changes the factory defaults for router settings login its an issue. Most defaults can be seen on the internet for most router manufacturers and be exploited. Wired or WiFi. Another issue could be the router firmware is out of date and has vulnerabilities being actively probed. Look at your router logs and also its connected devices for any devices you are not familiar with and remove those devices. Update your router firmware and reboot the router. Multiple machines seeing the same issue would suggest you have a network issue vice a Norton issue.

SA