Intrusion Prevention is Not Enabled

Hi, all.

I noticed that for the past 2-3 weeks, more often than not, Intrusion Prevention seems not to be enabled--i.e., no detection in Security History. This happens regardless of whether I cold boot or warm boot (restart) my computer. In this scenario, what you'll see in Security History is a previous record of Intrusion Prevention being enabled, but not one from the moment you currently either cold booted or warm booted your machine--which is what you should see. Now, you may be wondering what caused the aforementioned "previous" instance of Intrusion Prevention to be enabled. As far as I can tell, it's due to chance. Aside from that there is actually one other way of causing Intrusion Prevention to be enabled. And that is via a Live Update that contains IPS definitions. Such an install will force Intrusion Prevention to be enabled.

If you guys wish to see whether you could replicate this problem on your computer, after either you cold or warm boot your machine, go straight to Security History and check whether Intrusion Prevention has been enabled for the current session. Do not launch a Live Update before you do this, since if it happens to contain IPS definitions it will ruin the experiment. Intrusion Prevention should be automatically enabled with or without new IPS definitions. Also, I suggest taking note of the time at which you booted your machine for comparison with the time Intrusion Prevention was detected. Under normal circumstances, it shouldn't be more than a 1-2 minute difference. If, however, the detection time is from an earlier boot, say, from an earlier one during the day, or worse from a previous day, then, congratulations, you have now successfully replicated the problem I've been experiencing of late. And that's not a good thing.

I've experienced this on three different machines. Two with Win 10, both with the Fall/Autumn creators update 2017 installed. One with Win 7. Oh, and removing and reinstalling Norton on one of the machines with Win 10 didn't change anything. The problem persists.

Don't thank me yet. No guarantee we will get a reply here.

Thanks, peterweb. 

 I was wondering whether you would indulge me and contact one of the Norton people about this and see what they have to say on the matter. I'd be much obliged. 

Done.

 

I know it used to show up every time you restarted your computer.

Hi, floplot.

Aha! I knew I wasn't imagining things. 

In my opinion there are actually too many different functions in Norton Security to rely on just one Green Checkmark in the Systray. I'm probably the only one thinking like this,

No. You're not the only one. 

My IPS definitions were updated this morning from 20180413.061 (Security Update 1760) to 20180417.061

Hi, lmacri.

Earlier, mine was updated to 20180418.061.

And a side note. Stop looking at the History. It only drives users crazy trying to figure things out. Only look at it if you are having problems, or the system tray icon shows orange and red. That is why Norton included this feature....for troubleshooting.

Hi, peterweb.

I'm afraid I fall into the same camp as lmacri and floplot on this in that I don't believe the green check mark in the system tray is entirely reliable. At any rate, everything all three of us have been saying in this thread is based on mere conjectures. So, I was wondering whether you would indulge me and contact one of the Norton people about this and see what they have to say on the matter. I'd be much obliged. 

Hello

I am guessing since they changed to .061 instead of .001 or .002 at the end of the code showing the date, it looks like they have changed the logging of the history. I know it used to show up every time you restarted your computer. When I first saw this, I too thought something was wrong and I restarted once more only to find it still hadn't shown up. It appears they only log it now when the definitions change and they don't seem to be changing as often. Perhaps something else is going to the cloud partially like the SDS Definitions.

In my opinion there are actually too many different functions in Norton Security to rely on just one Green Checkmark in the Systray. I'm probably the only one thinking like this, but that is the way I think. Some may think I am wrong, but it's my opinion.

Have a Good Night and

Thanks.

Hi lmacri

Your point is taken and is true. But with the multiple layers of Norton protection, including the online definitions that are used as long as there is an internet connection, the downloaded defs are not as critical as they used to be. That could explain why it takes about a week of no downloaded defs to trigger the red X in the tray icon. If they were more critical, one would think that Norton would flag the problem much earlier.

It is my understanding that the online defs are the absolute latest up to date detection defs, so should be sufficient until a new SDS def file is downloaded.

 

peterweb:

..As I noted, as long as your Norton icon in the system tray is showing green check mark, all protections are active and working correctly. Including the currency of all malware definition files....

Hi peterweb:

This might be splitting hairs, but a green check mark in your system tray only means your real-time protection features are enabled in your settings.  It doesn't guarantee that your definitions are updating correctly.  

Many users, including myself, reported an issue in December 2016 where Automatic LiveUpdates stopped delivering SDS Definition updates.  It took a full week before I saw a pop-up warning that my SDS (virus) Definitions were out-of-date, and during that week every Automatic LiveUpdate ran to completion without throwing an error and my system tray icon continued to display a green check mark.  Quick Scans are only scheduled to run during system idles after a new SDS Definition set is installed, which also meant that Quick Scans stopped running on my system for the entire period that SDS Definitions were not being delivered.  See CanadianSteve's thread NIS Downloading All Updates But SDS Definitions.
------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.7.3 * NS Premium v22.14.0.54 * MB v3.4.5

Inquirer:
What is the date of the most recent detection of Intrusion Prevention having been enabled in your Security History log?

Hi Inquirer:

My IPS definitions were updated this morning from 20180413.061 (Security Update 1760) to 20180417.061 (Security Update 1761).  My image below shows that there were no new entries logged in my Intrusion Prevention history between 13-Apr-2018 and 18-Apr-2018.  I went back through my security history and it looks like the daily "Intrusion Prevention has been enabled" entries stopped logging at every boot-up after my Norton installation was updated to v22.14.0.54 on 03-Apr-2018.  This might be a minor glitch in the logging, but it might also be an intended feature change to keep the size of the security log as small as possible by only logging important updates to the IPS definition set and/or engine.  Someone from Symantec might be able to provide further insight, but I'm not overly concerned as long as my IPS defs are updating correctly and my security history is logging the correct versions.

Both my subfolder and Security History log indicate that the IPS definitions are up-to-date, though I'm not sure what the extra subfolder 20180411.061 is for.

That's normal, at least on my machine - see my image in Mehul Patel's thread IPSDefs Not Updating Properly.  Whenever a new IPS definition set is added the previous definition set is temporarily retained and older definition sets are purged.
------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.7.3 * NS Premium v22.14.0.54 * MB v3.4.5

It would appear that Norton has changed the amount of logging information it is collecting. It does not mean that the protection feature is not active. As I noted, as long as your Norton icon in the system tray is showing green check mark, all protections are active and working correctly. Including the currency of all malware definition files.

And a side note. Stop looking at the History. It only drives users crazy trying to figure things out. Only look at it if you are having problems, or the system tray icon shows orange and red. That is why Norton included this feature....for troubleshooting.

Looking at my History for Intrusion Prevention, as you say, the entries only appear when a new IPS definition is downloaded. I suggest that what we are seeing is just the process of the update being completed. It is just reporting that there is a new definition, and as part of the process the IPS feature is reset to enable the new definitions to be in effect. Then the IPS service is restarted and that is what is recorded in the History.

Hi, peterweb.

Here's the thing, though. It wasn't like this before. Being one of those "people"  who like to check Security History often, I know for a fact that up until about two or three weeks ago Intrusion Prevention would always become enabled within a minute or two of the computer starting or restarting. And I always checked it before launching a Live Update. So, that means the detections were not due to new IPS definitions having been installed. Besides, oftentimes there would be no new release of IPS definitions for several days and yet there would be detection each and every time I turn on my computer during that period.

Hi, lmacri.

Yes. Intrusion Prevention is definitely turned on in Settings.

Both my subfolder and Security History log indicate that the IPS definitions are up-to-date, though I'm not sure what the extra subfolder 20180411.061 is for.

Subfolder

Security History

And since I just reinstalled Norton on this particular machine a week ago, there's only one entry page under Intrusion Prevention.

I'm curious. What is the date of the most recent detection of Intrusion Prevention having been enabled in your Security History log? 

Looking at my History for Intrusion Prevention, as you say, the entries only appear when a new IPS definition is downloaded. I suggest that what we are seeing is just the process of the update being completed. It is just reporting that there is a new definition, and as part of the process the IPS feature is reset to enable the new definitions to be in effect. Then the IPS service is restarted and that is what is recorded in the History.

 

intrusion prevention in History.JPG

This is not saying that IPS was not working before this. If you check your Norton Icon in the System Tray and it has a green check mark, all Norton protections are enabled.

 

Hi Inquirer:

Go to Settings | Firewall | Intrusion and Browser Protection tab and confirm your Intrusion Prevention is ON.

According to the Virus Definitions & Security Updates page at https://www.symantec.com/security_response/definitions.jsp (as well as the detailed IPS defs release history <here>) the latest IPS definitions were released on 13-Apr-2018 (rev 61 = 20180413.061).

Do you have a subfolder for the latest 20180413.061 definitions in the IPSDefs folder on your hard drive?  The location should be something similar to C:\Program Files\Norton Security\NortonData\22.x.x.x\Definitions\IPSDefs.

If your IPSDefs folder shows that you have the latest 20180413.061 IPS Defs but the Intrusion Prevention section of your Security History reports you are using an older definition set try clicking the Clear Entries button, re-boot, and monitor the entries in your history. I've noticed that the entries in Antiphishing, Intrusion Protection, and certain sections of my security history sometimes stop logging after a maximum number of entries is reached (e.g., 10 pages, 20 pages, etc.) and I need to clear the entries to get newer entries logging again.

------------
32-bit Vista Home Premium SP2 * Firefox ESR v52.7.3 * NS Premium v22.14.0.54 * MB v3.4.5
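
The IPSDefs folder check described in the post above, as an added PowerShell example (not part of the original thread and not Norton code). It assumes definition sets are subfolders named `YYYYMMDD.RRR` as shown in the thread; the function name `Get-IpsDefSets`, the 7-day staleness threshold and the temporary demo folder are assumptions made for illustration.

```powershell
# Added example: list IPS definition sets found on disk and flag a stale newest set.
function Get-IpsDefSets {
    param(
        [Parameter(Mandatory)] [string] $IPSDefsPath,  # path to your IPSDefs folder
        [datetime] $AsOf = (Get-Date),                 # reference date for the age calculation
        [int] $MaxAgeDays = 7                          # assumed threshold, not a Norton value
    )
    $sets = @(foreach ($dir in Get-ChildItem -LiteralPath $IPSDefsPath -Directory) {
        # Only folders named like 20180413.061 are treated as definition sets
        if ($dir.Name -match '^(?<date>\d{8})\.(?<rev>\d{3})$') {
            $released = [datetime]::MinValue
            $valid = [datetime]::TryParseExact($Matches['date'], 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref] $released)
            if ($valid) {
                [pscustomobject]@{
                    Name     = $dir.Name
                    Released = $released
                    Revision = [int]$Matches['rev']
                    AgeDays  = [int]($AsOf.Date - $released).TotalDays
                }
            }
        }
    })
    # Newest set first; older sets may be retained temporarily, as noted in the thread
    $sorted = @($sets | Sort-Object Released, Revision -Descending)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $isNewest = ($i -eq 0)
        $sorted[$i] |
            Add-Member -NotePropertyName Newest -NotePropertyValue $isNewest -PassThru |
            Add-Member -NotePropertyName Stale `
                -NotePropertyValue ($isNewest -and $sorted[$i].AgeDays -gt $MaxAgeDays) -PassThru
    }
}

# Constructed sample: a temporary folder standing in for the real IPSDefs directory
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'IPSDefs-demo'
'20180411.061', '20180413.061', 'not-a-defset' | ForEach-Object {
    New-Item -ItemType Directory -Path (Join-Path $demo $_) -Force | Out-Null
}
Get-IpsDefSets -IPSDefsPath $demo -AsOf ([datetime]'2018-04-18') | Format-Table
Remove-Item -LiteralPath $demo -Recurse -Force
```

Compare the `Name` of the row marked `Newest` with the version shown in Security History and on the vendor's definitions page; a mismatch or a `Stale` flag points to definitions that are not updating even while the tray icon is green.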