Endpoint ID in Help About

I'm about 90% sure I have a virus or malware that is circumventing Norton 360.  I see many processes with hexadecimal qualifiers which are tied to the Windows registry.  In looking through the registry there are many places where it has different settings for what looks like different VIRTUAL desktop settings, and so many features to turn this on and that on, that it seems like it's setting up virtual desktops for whomever has access and limits features and what I can see when I log in locally.  I've factory reset my machine and I can still see these things running.  Norton 360 firewall often logs intrusion attempts where some processes are trying to run Norton programs/updates from a virtual desktop.  There are UNSAFE websites (Norton's safe search results) embedded in my DNS -- such as fp2E7A.wpc.2BE4.phicdn.net  <-- I don't know if these are in some hidden partition or if they are in the DNS for my internet service provider, Comcast/Xfinity.  The majority of these processes are running their own versions of security protocols using SVCHOST.EXE and/or CONHOST.EXE as a surrogate/proxy to run whatever they're running.  I have 3 IDs set up on this machine -- one is a Microsoft account with Administrative rights, and two local ones: one as admin and one which is a normal account.  Whatever is going on, they've found a way to run certain processes without Norton 360 being any the wiser.  Norton blocks some of the intrusion attempts but does not say that the attempt came from an embedded process running on the machine; it just says no action required. CONHOST.EXE is also running many processes that Norton is not tracking.  MSEDGE is a pain -- I've tried to block msedge.exe AND MsEdgewebview2.exe processes from accessing the internet via Firewall -- they get around this using CONHOST and/or SVCHOST as a surrogate.
It may be circumventing Norton 360 by intercepting the live update process via DNS -- I need to block some of these programs from running under the auspices of legitimate applications.  HELP!!

The Unauthorized Access Blocked messages in your security history are logged by Norton Product Tamper Protection when an executable file attempts to read/write/edit/delete a Norton file.  Common Windows processes like svchost.exe, taskmgr.exe, dfrgntfs.exe, etc., as well as executables from third-party software, will cause an Unauthorized Access Blocked message to be logged if they touch a file from your Norton installation. Please see post <here> in the Product Suggestions board regarding logging of these blocks. (credit Imacri)


Norton Product Tamper Protection events are not reports of malware.  Unauthorized Access Blocked (Access Process Data) messages in your security history are not reports of malware.  The most common Norton Product Tamper Protection log entries are legitimate Windows processes that Norton is preventing from accessing Norton files or processes.  


Norton Product Tamper Protection events are normal, as legitimate programs and Windows processes frequently try to access Norton files or processes.  Norton blocks attempts by outside agents - even legitimate Windows processes.  There is no need to do anything.  No need to scan with a third-party anti-malware program, no need to change services settings.  These events are not attacks.  They can be ignored.  Unless the actor in the logs is an actual malicious process that does not belong on your PC, these events are totally harmless and routine. (credit SendOfJive)

AkaDNS is this; nothing to worry about there. More than likely an Azure container address being utilized by Office:

https://www.whois.com/whois/akadns.net

The IP 20.245.190.220 resolves to the following, and is Microsoft. Again nothing to worry about: 

https://www.ip-tracker.org/lookup.php?ip=20.245.190.220

Your embedded screenshot is a "normal Norton tamper protection process" that appears when a program is executed. Nothing to worry about there as well. I get these in history all the time. 

Unless you are an avid torrent user, visit sites that are iffy, or download freeware regularly, I wouldn't think you are infected. If you also are NOT running a VM ( Virtual Machine ) I don't see where there is the possibility of virtual processes being an infection. Do you have secure boot enabled on the machine and does it have TPM 2.0? Did you bypass any of the W11 security requirements when you did the upgrade with software such as the latest version of Rufus which will do so when creating a bootable media for install?

https://www.tomshardware.com/how-to/bypass-windows-11-tpm-requirement

SA


I flushed the DNS and the previous websites are gone (fp2E7A.wpc.2BE4.phicdn.net) -- I assume the "answer" portion in the DNS record is like call forwarding -- after the flush the following showed up immediately -- it has AkaDNS in it -- not sure if I should be worried about it -- Are the packets being sent to the middle address, and could they possibly intercept/update and forward to the final destination?  See below.  I do see the entries which appear to be from Microsoft related to Office 365 --- It almost looks as if my machine is somehow set up with WaaS and it's swapping things in and out depending on who logs in.  Recall I only have the three IDs on this machine.  There are many references to CBS processes and virtual directories - I believe this is how it's avoiding being detected.  I downloaded all the system events since I did the factory image reset.  I can share that but not in this open forum.  I will attach one screenshot where it threw an error trying to run a Norton process and the symamsi.dll that did not pass Windows signing level requirements.  I'm not sure, but I believe it's also loading device drivers from virtual directories that I can't access even if I log on as Administrator.

    clients.config.office.net
    ----------------------------------------
    Record Name . . . . . : clients.config.office.net
    Record Type . . . . . : 5
    Time To Live  . . . . : 19
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : geo.clients.config.office.akadns.net


    Record Name . . . . . : geo.clients.config.office.akadns.net
    Record Type . . . . . : 5
    Time To Live  . . . . : 19
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : amr.clients.config.office.akadns.net


    Record Name . . . . . : amr.clients.config.office.akadns.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 19
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 20.245.190.220


  • Norton product and its version? The latest version should be 22.23.3.8.  My product is the latest version.
  • What is your Operating system and its version/build?  Windows 11 Home, Version 22H2, OS Build 22621.1555, Windows Feature Experience Pack 1000.22640.1000.0
  • Norton or Windows error messages / error codes / if any are available please post screen shot  -- I get that it blocked whatever was trying to access or change it -- Task Manager?  So I had Task Manager open and it was scanning processes.  I subsequently closed task manager and I still got errors related to this.  Any idea why this is coming up?
  • Steps to reproduce issue: What was the last thing you were doing with the laptop before this message/issue appeared? 

I just tried to upload the screenshot for the event error here but didn't work.  I also tried to add it as an attachment -- zip file 66K and got the following error: 

An AJAX HTTP error occurred.
HTTP Result Code: 200
Debugging information follows.
Path: /en/file/ajax/field_file_attachment/und/form-5-jt3azQgno2HxZfJZCE8mzEAGIZA3eGP6YXzxbCN-0
StatusText: OK
ResponseText:

So, I may try to save these comments and reboot to see if that resolves this (I started the reply yesterday but got busy and that might be the issue).  I did see autosave pop-up after typing new comments.


  • Tell us the manufacturer and model of your device. Dell Alienware m15 Ryzen Ed. R5
  • Is your router firmware the latest available?  Router firmware is up to  date.
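The three DNS cache records quoted above form a CNAME chain: each "Record Type 5" entry is an alias that the resolver substitutes before looking up the address, and only the final "Record Type 1" (A) entry is an address that packets are actually sent to. The following Python script is an added example (not code from the thread or from Norton) that parses the text printed by `ipconfig /displaydns`, follows such a chain to its terminal address, and reports any hop that falls outside a list of expected domains. The sample input is the three record blocks copied from the post; the trusted-suffix list `("office.net", "akadns.net")` is an assumption chosen for this illustration.

```python
"""Follow the CNAME chain in `ipconfig /displaydns` output (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: the three record blocks quoted in the post above.
SAMPLE = """
clients.config.office.net
----------------------------------------
Record Name . . . . . : clients.config.office.net
Record Type . . . . . : 5
Time To Live  . . . . : 19
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record  . . . . : geo.clients.config.office.akadns.net


Record Name . . . . . : geo.clients.config.office.akadns.net
Record Type . . . . . : 5
Time To Live  . . . . : 19
Data Length . . . . . : 8
Section . . . . . . . : Answer
CNAME Record  . . . . : amr.clients.config.office.akadns.net


Record Name . . . . . : amr.clients.config.office.akadns.net
Record Type . . . . . : 1
Time To Live  . . . . : 19
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 20.245.190.220
"""

# DNS resource-record type codes as ipconfig prints them in the "Record Type" field.
RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}

# Matches "Field name . . . . : value"; the dotted leader varies in length.
FIELD_RE = re.compile(r"^\s*([A-Za-z() ]+?)\s*(?:\. ?)+\s*:\s*(.*?)\s*$")


def parse_displaydns(text):
    """Return {owner name: [records]} parsed from the text of `ipconfig /displaydns`."""
    records = defaultdict(list)
    fields = {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last block
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
        elif not line.strip() and fields:        # a blank line ends a record block
            rtype = RR_TYPES.get(int(fields.get("Record Type", 0)), "OTHER")
            value = (fields.get("CNAME Record") or fields.get("A (Host) Record")
                     or fields.get("AAAA Record", ""))   # "AAAA Record" label is assumed
            name = fields.get("Record Name", "").rstrip(".").lower()
            records[name].append({"type": rtype,
                                  "value": value.rstrip(".").lower(),
                                  "ttl": int(fields.get("Time To Live", 0))})
            fields = {}
    return dict(records)


def follow_chain(records, name, max_hops=10):
    """Follow CNAME aliases from `name`; return (names visited, final addresses).

    A CNAME is only an alias the resolver substitutes before it looks up the
    address; traffic goes to the final A/AAAA address, not to each alias.
    """
    hops = []
    current = name.rstrip(".").lower()
    while len(hops) < max_hops:
        hops.append(current)
        rrs = records.get(current, [])
        addrs = [r["value"] for r in rrs if r["type"] in ("A", "AAAA")]
        if addrs:
            return hops, addrs
        cnames = [r["value"] for r in rrs if r["type"] == "CNAME"]
        if not cnames:
            return hops, []          # chain ends in the cache without an address
        current = cnames[0]
    raise ValueError("CNAME chain too long or looping: " + " -> ".join(hops))


def outside_trusted(hops, trusted_suffixes):
    """Names in the chain that are not under any trusted suffix (empty list is good)."""
    return [h for h in hops
            if not any(h == s or h.endswith("." + s) for s in trusted_suffixes)]


if __name__ == "__main__":
    recs = parse_displaydns(SAMPLE)
    hops, addrs = follow_chain(recs, "clients.config.office.net")
    print(" -> ".join(hops), "=>", ", ".join(addrs))
    # Assumed trusted zones for Office traffic (an assumption for this example).
    print("hops outside trusted zones:", outside_trusted(hops, ("office.net", "akadns.net")))
```

On a live Windows machine the same functions can be fed the real cache with `subprocess.run(["ipconfig", "/displaydns"], capture_output=True, text=True).stdout` in place of `SAMPLE`; a non-empty result from `outside_trusted` for a vendor's hostname is the thing worth investigating, whereas an alias that merely passes through a CDN or traffic-manager domain such as akadns.net is the normal case shown here.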

Hello. Have you flushed your DNS cache and actually viewed entries in your system hosts file? Edge Webview2 is actually a legitimate process.

Please give us some basic information to work with and assist better:

****Please DO NOT post any Personally Identifiable Information(PII) such as your email address, product keys or phone numbers in your posts.

  • Norton product and its version? The latest version should be 22.23.3.8
  • What is your Operating system and its version/build?
  • Norton or Windows error messages / error codes / if any are available please post screen shot 
  • Steps to reproduce issue: What was the last thing you were doing with the laptop before this message/issue appeared? 
  • Tell us the manufacturer and model of your device.
  • Is your router firmware the latest available?


Have you booted into safe mode? (Windows) If so, do the processes continue to appear?

https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617

SA