Hey all,
I just had 3 quick alerts in the "tamper protection" section of my norton's internet security program.
I have seen these before but the were either blocked or just logged.
This time I see that it logged the event but then terminated it 20 seconds later.
I also see the API_MAP action that I have never seen before on my warning.
Do you guys think that my Nortons protection let its guard down and let the first action at 5:02:20 just be logged and then found out its corrupting the security software so it stoped it 20 seconds later?
Why does it just log event and not block all of them
I also had a "user logged out" and a "user logged in" message in the history files...never seen before.
5:02:20pm
Actor = c:\windows\system32\svchost
Actor PID = 2300
Target = C:\Program Files\Norton Internet Security\Norton Internet Secuirty\Engine16.2.0.7\ccSvcHst.exe
Target PID = 2900
Action = Open Thread
Reaction = Unauthorized access logged
5:02:40pm
Actor = c:\windows\system32\svchost
actor PIS = 2300
Target = C:\Program Files\Norton Internet Security\Norton Internet Securit\Engine16.2.0.7\ccSvcHst.exe
Target PID = 2900
Action = Terminate Process
Reaction = Unathorized access blocked
5:02:41pm
Actor = C:\windows\system32\werfault.exe
Actor PID = 3876
Target = C:\program files\ norten internet security\norton internet security\engine\16.2.0.7\ccsvchst.exe
target pid = 2900
action = API_MAP_VIEW_OF_SECTION
reaction = unathorized access blocked
Thanks
Marc