NIS blocking iTunes update (open process token ccsvchst.exe)

Hi,

 

NIS reports that ...\APPLE SOFTWARE UPDATE\SOFTWAREUPDATE.EXE tried to open the process token of ccsvchst.exe and was blocked.


See attached screenshot (in French (DON'T ASK!)).

 

Should apple updater attempt to mess with a NIS file?

If the attempt is legit: how to allow it?

 

Thanks for any suggestions. Chris

 

 

Hi chris1024

Has the iTunes update installed correctly and is the iTunes programme working correctly?  If it is, there is nothing to be concerned about with this type of report. As it’s in French, I need to check that on the left-hand side it says something like "no action required".  Many different programmes stray into Norton’s area and Norton will report this as intrusion prevention and will block it. Norton is not blocking the programme from running; it is just saying keep out.

 

 

ATB

 

intesec

Hi intsec,

 

Thanks for your reply.

 

Here's the full sequence of events:

 

Open iTunes.

There is a new version, would you like to install it?

...with an iTunes download listed as 98.06MB.

 

OK.

 

Up comes the progress bar for the first download of  20.40MB ...and it stops at 19..90MB.

Plus or minus at the same time that the download stops, NIS intercepts Apple updater tickling the NIS file ccsvchst.exe - and blocks it.

 

The download drops dead just before the first download completes. NIS history makes no comment about blocking the download, there is only the single msg about updater.exe being blocked from having a go at ccsvchst.exe.

 

I also have a hardware firewall: logs show nothing blocked by the firewall to this machine anywhere near the time of the Apple update run.

 

I have repeated this exercise several times over several days, always with the same result: that single warning from NIS, nothing dropped at the hardware firewall, and the first Apple download stops just short of completion.

 

Baffled!

WHY is Apple updater messing with NIS process ccsvchst.exe?

Is it a legitimate thing for Apple updater to want to do?

 

Your question about the french stuff.

Top:

Severity: Medium.

Activity: Unauthorised access blocked (open the process token).

Status: Blocked.

Recommended Action: No action necessary.

Left:

Action: Open process token.

Reaction: Unauthorised access blocked.

Right:

Actions: No actions available for this element.

 

Which is all just fine except one small detail: I don't get my iTunes update :smileymad:

...so I can't answer your first question about the update installing correctly or not.

 

Chris

 

 

 

 

Two typos: sorry

 

intesec (forgot the first 'e') :smileyembarrassed:

stops at 19.90MB (double decimal-point)

 

Chris

 

Hi chris1024

If the release date of the iTunes update is recent then Norton may be blocking it because Apple have not informed Norton of the new signature of the update, and as it is new, Norton has a reputation for software that logs the amount of users safely using the software, and if the reputation is low then Norton will block it. You may like to inform Norton using the process below.

 

If the file is not being quarantined then navigate to "remove risks automatically" and set the switch to "ask me", close all programmes and restart the computer.  Don’t forget to reset the switch.

 

Norton evaluates false positives, so if you think you're getting a false positive please click on the link below to submit it with the relevant details to access the file.  Norton can assess it for being a false positive; if it is a false positive, Norton should release an update shortly for the file(s) concerned.

 

https://submit.symantec.com/false_positive/

 

 

ATB

 

intesec

Hi Chris:

 

These unauthorized access blocked messages in your history log are a normal function of Norton Product Tamper Protection.  A log entry will be created in your security history every time any process attempts to read/write/edit/delete a Norton file, and this includes common Windows processes like svchost.exe, dfrgntfs.exe, etc.  If your system was actually under attack by malware you'd be notified by one of Norton's real-time Auto-Protect features like SONAR or Download Insight so it is safe for you to ignore these unauthorized access blocked messages.

 

Please see the post here in the Product Suggestions board asking that Symantec either stop logging these unauthorized access blocked messages in the security history or reduce the severity from Medium to Info.

 

EDIT:

 

I've had problems lately downloading the iTunes installer with my Firefox browser, but it seems to work fine with IE.  Have you tried downloading the offline installer from http://www.apple.com/itunes/download/ ?  I live outside the US and that link redirects me to the correct installer for my region / language.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 25.0 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS


lmacri wrote:

Please see the post here in the Product Suggestions board asking that Symantec either stop logging these unauthorized access blocked messages in the security history or reduce the severity from Medium to Info.


This is a case that illustrates why logging is necessary, why it rates a medium severity level, and why it should not be discontinued.  If, in fact, there is a repeatable correlation between the Apple updater failing and its being blocked by Norton Product Tamper Protection, that would indicate that the updater is not reacting well to the Norton rebuff.  There normally shouldn't be a problem like this, but sometimes these things do happen - some programs do not respond gracefully to the denied access and will refuse to carry on normally as they should.  Assuming this is a Norton issue, the logs are the ONLY practical way the user has of associating the failed download with Norton.  Without the logs, the source of the problem would be a mystery and the user could spend hours in a fruitless search for the cause of the issue.

 

That being said, the idea to use the offline installer would seem to be a very good solution.  Norton is not objecting to the file or the download, just the action of the updater as it relates to Norton itself.  The only other workaround, assuming it is demonstrated that Tamper Protection is the culprit and that the updater is safe, would be to temporarily turn off Tamper Protection - not something that I would recommend, but sometimes there may be no other choice.

Thanks all for your inputs.

 

My own thoughts:

 

ccsvchst must protect itself (what good is security software that allows arbitrary programmes to mess with it?).

 

I'm not the only person on the planet running NIS and iTunes on the same machine, so to me this smells like an Apple issue: their update process should not drop dead when it fails to mess with known-to-be-protected NIS components.


A couple of surprises for me:

 

1. This same machine has successfully updated iTunes for years (zero reconfig, zero tweaks to NIS settings other than whatever my NIS subscription does in the background).

 

2. No trace of this issue shows up in Google.

...maybe I am the only one on the planet still running old NIS(20.4.0.40) & trying to update iTunes!

 

I'll move the machine to current NIS and see if that changes anything.

If not, I will simply not update iTunes on this machine, and maybe one of these days I will uninstall and reinstall iTunes.

 

Thanks again for your suggestions.

 

Chris

 

Hi chris1024:

 

Just to let you know, I updated from iTunes v. 11.1.2.31 to the latest v. 11.1.3.8 on 06-Nov-2013 using the offline installer from http://www.apple.com/itunes/download/ and had no problems.  I use NIS v. 20.4.0.40 on a 32-bit Vista machine.

 

I've used NIS since 2009 and had no objection to the way that Norton Product Tamper Protection logged unauthorized access blocks until Symantec released the Behavior and Security Heuristics update of 09-Sep-2013.  Many users now see thousands of these blocks flooding their Recent History, usually when a disk defrag runs on their system (see my screenshot here), and then panic because they believe their system is under attack by malware.

 

EDIT:

 

One other thing you could check - go to Performance | Norton Tasks and check the Last Run date of your Norton Insight task.  If this background idletime task hasn't run for several days then the application trust rating for the latest iTunes installer might be out of date.  You can manually run the task by clicking the yellow run button next to the task name to ensure your local trust ratings are current.

 

Manual Norton Insight.jpg

 

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 25.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40 * iTunes 11.1.3
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Hi lmacri,

 

Well, I moved to NIS 21.1.0.18

Ran iTunes

OK the update.

19.90/20.40MB of the first download completes as usual.

Ctl-Alt-Delete to stop the process (updater is as usual completely stuffed and unable to stop itself).

Then the trip to new NIS history to view the normal message - but this time the message is not there.

Then the trip to the hardware firewall logs to see if something got blocked - as usual nothing there.

Right at that moment my ISP went down nationwide ...wouldn't it be amusing if Apple updater caused that (just kidding).

 

Anyhow, ISP came up again a couple of hours later (interestingly they lost their fibre net and their mobile net, but their IP-TV continued working just fine ...had me scratching my head for a while: I was "obviously" connected so the fault "must" be in my LAN).

 

BUT you interest me with your download link: that's the full installer - can you just run it over an existing install?

That would be a fine solution for me if it works.

I have no concerns about losing iTunes music - originals are in FLAC on a Linux box with multiple offsite backups so I'm reasonably bullet-proof in case of accidents - iTunes is only running on this machine to pump MP3s into my wife's iPod.

 

Chris

Hmmmm,

 

Had a look at Insight: it seems good (*after* the move to NIS 21.1.0.18, but too late now to look before the move)

Apple's updater  2.1.3.127 is marked as Approved (dates 2yrs 5mo back).

 

BUT whilst I'm there I see firefox.exe 25.0.1.5064 flagged as having less than five users in Norton community.

LESS THAN FIVE?

 

Chris


chris1024 wrote:

... BUT you interest me with your download link: that's the full installer - can you just run it over an existing install?

That would be a fine solution for me if it works.


Hi chris1024:

 

Yes, I have automatic updating disabled in iTunes and always update over my current installation using the offline installer from http://www.apple.com/itunes/download/.  I download the installer to my hard drive and then use the Run command to run the installer as shown here.  I usually get two UAC (user account control) pop-ups on my Vista machine in the middle of the installation and have to click OK to allow the installation to run to completion but I've never had an issue using these offline installers.

 

I just right-clicked on C:\Program Files\Mozilla Firefox\firefox.exe (v. 25.0.1.5064), selected Norton Insight from the pop-up menu, and here's what I see:

 

Firefox Trust Rating.jpg

 

 

Since you've just upgraded to NIS 21.1.0.18, your Norton Insight task might not have had a chance to run during a system idle and update your local application trust ratings.  Try running the Norton Insight task manually as described in message # 9 and then run another Norton Insight scan by browsing to C:\Program Files\Mozilla Firefox\firefox.exe, right-clicking to bring up the context menu and selecting Norton Insight.  If it still reports less than 5 users, click on the Check Trust Now shortcut to force another Insight scan.

 

If that doesn't work, a re-boot and a few more manual LiveUpdates might be required to get NIS v. 21.1.0.18 fully updated.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 25.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40 * iTunes 11.1.3
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Hi lmacri,

 

I don't see what you tried to show - I see a 100x100px gif showing no more than a triangle.

Never mind: downloading now and will try the iTunes install-over route tomorrow morning (it's TV-time here) and see what happens.

 

Insight did its stuff, still less than five users (you + me = already two). FF is not a worry for the moment.

 

Will report back tomorrow.

 

Chris

 

 

Hi chris1024:

 

The triangle you saw is a temporary place holder for the image file.  Once my .jpg is reviewed and approved by a forum administrator you'll be able to see it.  On my machine, Norton Insight reports that "Hundreds of thousands of users in the Norton Community have used this file" when I scan C:\Program Files\Mozilla Firefox\firefox.exe v. 25.0.1.5064.

 

There was an issue with the Norton Insight server on 14-Nov-2013 (see Ardmore's thread here) and there was a 12-hour period where software updates for third-party software like Adobe Flash, etc. consistently failed.  Forum administrator Mohan_G reported here that the problem was solved well before you tried your iTunes update on 18-Nov-2014 but I'm beginning to wonder if some people are still having intermittent issues connecting to the Symantec servers.

 

Let us know how the iTunes update goes - we can suggest a few other workarounds if you run into problems.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 25.0 * IE 9.0 * NIS 2013 v. 20.4.0.40 * Adobe Flash 11.9.900.152
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Hi chris1024:

 

Me again.  Sorry to interrupt your TV viewing :smileyvery-happy: but forgot to ask you if you need the 32-bit (iTunesSetup.exe) or 64-bit (iTunes64Setup.exe) version of iTunes.  The download link at http://www.apple.com/itunes/download/ should automatically re-direct you to the correct installer for your Windows OS, but if you run into problems and need the offline 64-bit installer for v. 11.1.3, it can also be downloaded from http://support.apple.com/kb/DL1615.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 25.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40 * iTunes 11.1.3
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Hi lmacri,

 

All is bliss and joy here :smileyvery-happy:

New NIS, new GeForce driver, and my wife's music happily sitting in new iTunes!

 

Thanks for the oh-so-simple hint - the problem has gone away (and was not a NIS problem in the first place).

 

I had not realised that it was possible to run iTunes full-installer on top of an existing installation!

There are many posts on the web talking about uninstall needed before reinstall - that  seemed like hard work because iTunes on this machine is used maybe once a year to pump up the iPod but updates seem to come in every month or so.

 

Chris

 

EDIT-1: despite several reboots & manual updates & connected idle overnight & many reboots & manual updates, NIS Insight still shows less than 5 users for FF 25.0.1.5064 - FF runs in French, but even so....

I will keep an eye on it.

 

EDIT-2:

uninstalled FF-French

new download FF-English from mozilla.org

new installation to different folder.

...still less than 5 users! Ho-hum.

 

 

Hi chris1024:

 

Thanks for letting us know the update with the offline iTunes installer from the Apple website worked.  I've done several of these types of over-the-top updates since I first installed iTunes 8.0 on my laptop and I've never experienced a failure.

 

I'm still not sure why Norton Insight is reporting that fewer than five users in the community are using firefox.exe on your system.  If my suggestion to manually run the Norton Insight task (message # 9) and then click the Check Trust Now link in the Norton Insight report to force another Insight scan of firefox.exe (message # 12) doesn't work, you might want to monitor killyourtv's recent thread here about a possible conflict with NIS v. 21.1.0.18 and Firefox v. 25.0.1.  I asked if (s)he could check the trust rating of firefox.exe on their system but haven't heard back yet.

 

The actual trust rating that Norton Insight has assigned to your firefox.exe file is more important than the number of users in the community.  The highest rating is Norton Trusted, which means that Norton's Smart Firewall assigns an access level of Allow to the program and allows all network access attempts by the program.  My firefox.exe currently has a slightly lower trust rating of Good, which means that Smart Firewall assigned an access level of Auto and automatically makes a decision each time the program receives inbound or outbound traffic.  As more users in the community update to Firefox 25.0.1 it's possible that this trust rating could eventually improve from Good to Norton Trusted.  When a program trust rating falls to Unproven or lower that's usually when you start seeing performance issues.

 

The trust ratings for all installed programs can be viewed at Performance | Norton Insight.

 

Firefox Norton Trust 20 Nov 2013.jpg

 

 

The current firewall rules for all programs requiring Internet access can be found at Settings | Network | Smart Firewall | Program Rules | Configure.  If you hover your mouse over the icon in the Trust column the pop-up should also tell you the current trust rating of the program.

 

Firefox Smart Firewall Rules 20 Nov 2013.jpg

 

 

Kudos to SendOfJive for explaining the finer points of the Smart Firewall program rules here.  A support article on Smart Firewall program control can also be found here.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 25.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40 * iTunes 11.1.3
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Hi lmacri,

 

Yes - I've been running many manual "insights" including yet another a few seconds before typing this.

 

The FF-English download package itself shows up with "hundreds of users".

firefox.exe installed from that download package still shows less than 5 users and is rated "Bon" (NIS-French) = "Good"

 

It is not (yet) rated at the highest NIS-French level: "Approuvé" (from your previous post I guess this is "Norton Trusted" in NIS-English). I'm not worried about FF.

 

Case is closed for me.

Thanks for your help.

 

Chris