Did Norton let its guard down and let this attack happen for 20 seconds?

Hey all,

I just had 3 quick alerts in the "tamper protection" section of my Norton Internet Security program.

I have seen these before, but they were either blocked or just logged.

This time I see that it logged the event but then terminated it 20 seconds later.

I also see the API_MAP action, which I have never seen before on my warning.

Do you guys think that my Norton protection let its guard down and let the first action at 5:02:20 just be logged, and then found out it's corrupting the security software, so it stopped it 20 seconds later?

Why does it just log the event and not block all of them?

I also had a "user logged out" and a "user logged in" message in the history files... never seen before.

5:02:20pm

Actor = c:\windows\system32\svchost

Actor PID = 2300

Target = C:\Program Files\Norton Internet Security\Norton Internet Security\Engine16.2.0.7\ccSvcHst.exe

Target PID = 2900

Action = Open Thread

Reaction = Unauthorized access logged

5:02:40pm

Actor = c:\windows\system32\svchost

Actor PID = 2300

Target = C:\Program Files\Norton Internet Security\Norton Internet Security\Engine16.2.0.7\ccSvcHst.exe

Target PID = 2900

Action = Terminate Process

Reaction = Unauthorized access blocked

5:02:41pm

Actor = C:\windows\system32\werfault.exe

Actor PID = 3876

Target = C:\program files\norton internet security\norton internet security\engine\16.2.0.7\ccsvchst.exe

Target PID = 2900

Action = API_MAP_VIEW_OF_SECTION

Reaction = Unauthorized access blocked

Thanks

Marc

Message Edited by MarcHatzi on 01-13-2009 04:03 PM
Message Edited by MarcHatzi on 01-13-2009 04:23 PM

BTW, no software firewall ever lets its guard down. It's called self protection, and every software firewall out there has it.

I am not behind a router and am using NIS2009. I just got the same messages again 5 minutes ago. I don't notice anything wrong with the computer.

If it is normal, then why is Norton alerting me to it?

Thank you for your help

Marc

Message Edited by MarcHatzi on 01-13-2009 04:38 PM

You can allow both programs. Open up NIS and click on “settings” next to Internet. Then click on Program Control and change those programs to “allow”. svchost is allowed for me. Also you can turn off Automatic Program Control and turn on Advanced Event Monitoring for better control over what NIS does.

NIS alerting you about blocking a program is normal. It shows you that Norton is doing its job.

So you do not think these were attacks by hackers? I am so close to buying a new computer now. Hopefully they were not attacks.

They are not attacks or hackers. Both processes are normal Windows processes. If you were being hacked you wouldn't see alerts like that. Just Google the programs and see for yourself. Also, it's best to get a router. A hardware firewall is your best line of defense against inbound attacks.

It's very easy to figure out what's going on if you do some research yourself. I did not know what werfault.exe was because I do not use Vista. So I simply plugged it into Google and got the answer for you.

Marc,

 

From your logs it is not firewall related at all; I believe it is merely Norton's tamper protection reacting to Windows svchost reading the Symantec file ccSvcHst.exe.

svchost.exe is the Vista system service which, among many other things, also runs the Vista indexing/search services and keeps track of all files on the PC. Every time it attempts to read/index the Symantec ccSvcHst.exe file, NIS logs the fact that the file was accessed.

I have always had the same log entries as you have posted when running Vista and now Win 7.

At least that's always been my understanding of it, but maybe someone from Symantec can confirm it for you.

Hi MarcHatzi,

 

svchost.exe is a process belonging to the Microsoft Service Host Process in the Microsoft Windows operating system, which handles processes executed from DLLs. WerFault.exe is part of the Windows Error Reporting (WER) technology in Windows Vista. WER captures software crash and hang data from end users who agree to report it.

For their functioning, the above two files, svchost.exe and WerFault.exe, may need access to the ccSvcHst.exe file from the Norton program on different occasions. Here the Norton Product Tamper Protection in Norton Internet Security 2009 logged it as an unauthorized access, as the target is a Symantec file. Norton Product Tamper Protection will block any processes or services that attempt to access or change Norton files. Here the access is Logged, not blocked. Logged, however, does a bit more than simply logging the event: the actor is allowed to do whatever it was trying (open a thread or process, for example) but with its access rights reduced so that it can't tamper with the Symantec resource.

I think this is normal behaviour and I don't see anything that could compromise the security of your computer. Kindly check the thread below in this forum, where the same issue has been discussed with respect to ccSvcHst.exe and services.exe.

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=28660&query.id=856356#M28660

Hope this will help you understand the situation.

 

Yogesh
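The replies above boil down to two checks a defender can make on tamper-protection entries like these: was the access merely logged (actor allowed, with reduced rights) or blocked, and does the actor really live where a genuine Windows system binary would. The script below is an added example, not Norton's code and not anything posted in the thread. It parses entries in the "Key = Value" layout Marc pasted (the sample is the three entries from the post, re-typed with the path spelling normalised), groups them by actor and flags actors worth a second look. The `SYSTEM_DIRS` list and the two review rules in `needs_review` are assumptions made for this example, not Norton rules.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the three entries from the post, re-typed in the same
# "Key = Value" layout. Timestamps, PIDs, actions and reactions are the ones
# Marc posted; the path spelling is normalised.
SAMPLE_LOG = r"""
5:02:20pm
Actor = c:\windows\system32\svchost
Actor PID = 2300
Target = C:\Program Files\Norton Internet Security\Engine16.2.0.7\ccSvcHst.exe
Target PID = 2900
Action = Open Thread
Reaction = Unauthorized access logged

5:02:40pm
Actor = c:\windows\system32\svchost
Actor PID = 2300
Target = C:\Program Files\Norton Internet Security\Engine16.2.0.7\ccSvcHst.exe
Target PID = 2900
Action = Terminate Process
Reaction = Unauthorized access blocked

5:02:41pm
Actor = C:\windows\system32\werfault.exe
Actor PID = 3876
Target = C:\program files\norton internet security\engine\16.2.0.7\ccsvchst.exe
Target PID = 2900
Action = API_MAP_VIEW_OF_SECTION
Reaction = Unauthorized access blocked
"""

# Assumption for this example: directories from which the "normal Windows
# process" explanation in the replies is plausible. A binary carrying a system
# name from any other directory deserves a closer look.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

_TIME_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}\s*(am|pm)$", re.IGNORECASE)


@dataclass
class TamperEvent:
    time: str
    actor: str
    actor_pid: int
    target: str
    target_pid: int
    action: str
    reaction: str

    @property
    def blocked(self) -> bool:
        # "Unauthorized access blocked" vs "Unauthorized access logged"
        return "blocked" in self.reaction.lower()

    @property
    def actor_in_system_dir(self) -> bool:
        parent = str(PureWindowsPath(self.actor).parent).lower()
        return parent in SYSTEM_DIRS


def parse_log(text: str) -> list[TamperEvent]:
    """Split the pasted text into entries (one per timestamp line) and read
    the 'Key = Value' lines; keys are matched case-insensitively."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not _TIME_RE.match(lines[0]):
            continue  # not an entry in the expected layout; skip it
        fields = {}
        for ln in lines[1:]:
            key, _, value = ln.partition("=")
            fields[key.strip().lower()] = value.strip()
        events.append(TamperEvent(
            time=lines[0],
            actor=fields["actor"],
            actor_pid=int(fields["actor pid"]),
            target=fields["target"],
            target_pid=int(fields["target pid"]),
            action=fields["action"],
            reaction=fields["reaction"],
        ))
    return events


def triage(events: list[TamperEvent]) -> dict[str, dict]:
    """Group events by actor binary name: how many were only logged vs
    blocked, which actions were attempted, and whether every occurrence of
    the actor came from a Windows system directory."""
    summary: dict[str, dict] = {}
    for ev in events:
        name = PureWindowsPath(ev.actor).name.lower()
        entry = summary.setdefault(name, {
            "logged": 0, "blocked": 0, "actions": set(),
            "pids": set(), "in_system_dir": True,
        })
        entry["blocked" if ev.blocked else "logged"] += 1
        entry["actions"].add(ev.action)
        entry["pids"].add(ev.actor_pid)
        entry["in_system_dir"] &= ev.actor_in_system_dir
    return summary


def needs_review(summary: dict[str, dict]) -> list[str]:
    """Assumed review rules: flag an actor that is outside the system
    directories, or whose attempts included terminating the engine process."""
    flagged = [name for name, e in summary.items()
               if not e["in_system_dir"] or "Terminate Process" in e["actions"]]
    return sorted(flagged)


if __name__ == "__main__":
    summ = triage(parse_log(SAMPLE_LOG))
    for name, entry in summ.items():
        print(name, entry)
    print("review:", needs_review(summ))
```

Run as-is it reports both actors as living under `C:\Windows\System32`, which matches the replies' point that these are the real Windows binaries; `svchost` is still listed for review only because one of its attempts was `Terminate Process` against the engine, the event that made the original question reasonable to ask. Paste your own entries into `SAMPLE_LOG` in the same layout to get the same summary for them.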