hello there. i've seen numerous "what is this in my history" questions that i am familiar with and know are safe, however my computer has behaved oddly today (longer than average load times, seems kinda buggy in general), and when java auto updated there were some strange postings in my history that i would like to address. please note that i am not normally a worrywart about my history and chalk most of them up as the machine talking to itself
within a minute of allowing java to attempt to update (which btw SEEMED legit, and the whole install of new java had all the normal java install screens)
- sample submission: jre-7u13-windows-if86-iftw.exe
submission details CSIDL_PROFILE\appdata\local\temp\jre-7u13-windows-i586-iftw.exe
((name of the file was googled and seemed an appropriately named java install file, but in the past norton has never done a submission sample of java when updated.......)) result : pending
at the same time there was a STATISTICAL submission with the same information... plus a lotta numbers and letters which may or may not be location on hard disk..... no idea lol in what was called a "detection digest"
40 seconds later there was an
"unauthorised access blocked (access process data)"
actor c:\users\myname\appdata\local\temp\msi3314.tmp
actor pid 4536
target c:\program files\norton internet security\engine\20.2.1.22\ccsvchst.exe
target pid 1108
action access process data
reaction unauthorized access blocked
terminal session 1
((i have never remembered a java update which resulted in an attempt to access norton data that i can recall, heck i'm not even sure that the attempt had anything to do with the java, except that the timing is VERY suspicious and that the two statistical submissions make me wonder))
one minute and 2 seconds later there was another attempt to access norton
actor c:\windows\installer\msi20e9.tmp
actor pid 284
target same as previous attempt
target pid 1108
action access process data
reaction unauthorised access blocked
terminal session 1
all of these i BELIEVE but am not 100% certain (was only half paying attention to the comp at the time) was during the time that java was updating.
50 seconds after the last intrusion attempt into norton
an instance of "c:\program files\java\jre7\bin\javaw.exe" is preparing to access the internet (presumably to check updates after install or similar??) while at the same time firewall rules were automatically created for java(tm) platform se binary. please note the w after java in the exe name... not a typo
30 minutes later
an instance of "c:\program files\java\jre7\bin\java.exe" is preparing to access the internet (please note NO w in the exe name... not a typo)
again firewall rules were automatically created
((the following entry seemed to be around the time that i went to verify my java at the oracle site due to concerns.. i followed a link found here on the norton website so it should have been safe, therefore i think it can be ignored. according to the verification i verified at version 7.13 and was up to date))
3 seconds later NEW firewalls were created this time to an outbound tcp, www-http
right after those firewalls were created there was an
ips detection statistical submission
signature id: 24942
local or remote attacker: 1
remote port: 51419
local port: 80
protocol: 6
signature set version : 20130201.001
etc etc etc. application name boiled down to the java, offending url was java.com, it looked like the verification utility
half a minute later there seemed to be another firewall rule created.... just the sheer number of firewall rules has me a little worried
to boil down my reasons for worry
- the 2 submissions
- the 2 apparent 'intrusion attempts' into norton by 2 different .tmp files
- one java and one javaw in the logs
- the sheer number of firewall rules being created
- the fact (unmentioned till now, because it had no bearing on norton logs) that after i updated java i attempted to run a game (tera online) which wouldn't run because it kept saying "in use by another program" even though i haven't run it all day. i entertained the theory that it was due to java updating and maybe it needed java to open the launch window... but i don't know enough to be sure.
i am computer literate but NOT programming literate lol. many of the references to some of the stuff in the norton history i've had to google/lookup. so please try not to be too technical :D