Data Protector False Alarm
I do agree the Data Protector function is great and is able to block malicious behaviors performed by undetected ransomware. However, it may incorrectly block some actions performed by legitimate software that is unknown to Norton (reputation is low). When I try to uninstall a rare but safe piece of software, Data Protector blocks the uninstaller, causing the removal to fail.
By default, Data Protector will automatically block suspicious behaviors.
Allowing users to set Data Protector to "Ask Me" mode is a good method to solve the above issue, in my opinion.
I have run through all the steps you suggested but nothing works. I excluded the file from Data Protector (see attached screenshot) and also exclude the entire folder from Antivirus Auto Protect.
Notice that the file and its folder are in not in C drive but in a partition drive. I don't know if that makes a difference.
Auto-Protect is not the reporting engine [here].
~ you're still creating .tmp files...correct?
Is Data Protector still blocking main exe?
Is Data Protector still reporting .tmp.mdmp?
2:46:11 AM,Suspicious process attempted to modify attributes of a file protected by Data Protector,"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Test_WinService._3c3595679e9f07e41a361a72c391ae2ed4038_5d95667f_cab_67673bf5-813e-435d-a909-1fa87e79cbe0\WER.834450f3-7c75-454e-b9ff-9f08f213f7fc.tmp.mdmp"
from your attach pdf: Target: "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Test_WinService._3c3595679e9f07e41a361a72c391ae2ed4038_5d95667f_cab_67673bf5-813e-435d-a909-1fa87e79cbe0\WER.834450f3-7c75-454e-b9ff-9f08f213f7fc.tmp.mdmp"
Maybe, add Target path to Process Exclusion: => "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Test_WinService._3c3595679e9f07e41a361a72c391ae2ed4038_5d95667f_cab_67673bf5-813e-435d-a909-1fa87e79cbe0\WER.834450f3-7c75-454e-b9ff-9f08f213f7fc.tmp.mdmp"
I don't know whether wild cards work with Process Exclusion.
Data Protector exclusions, as far as I'm aware, are per process.
Sorry, I've not figured out how to work around created .tmp files. I've needed to disable Data Protector to install known safe programs.
Sorry, I'm not Norton. I run Norton. We'll try to call attention:
When you disable Data Protector.
Does Norton still object?
I have run through all the steps you suggested but nothing works. I excluded the file from Data Protector (see attached screenshot) and also exclude the entire folder from Antivirus Auto Protect.
Notice that the file and its folder are in not in C drive but in a partition drive. I don't know if that makes a difference.
Disable Auto-Protect &or Disable Smart Firewall does not turn off Intrusion Protection, Browser Protection, Data Protector, Exploit Prevention, SafeCam, AntiSpam
fwiw ~ I've needed to temporarily disable Data Protector to install known safe programs. Data Protector objects to tmp files created by known safe installers. Granted, the created tmp files were not signed. Data Protector blocks tmp files. Developers report tmp files blocked. Users report exe blocked.
fwiw ~ often posted for developers => Exclude Xs 2
Sorry, I've no notion if "Items to Exclude" Xs 2 => Configure...will help your scenario.
Note: Data Protector exclusions are per process [info here].
Re: Data Protector is protecting AppData\Local\Temp folder
prasanna_a EMPLOYEE
Yes, you are right - appdata is not part of Protected Folders. But, we have a feature called Protected File Types, that protects files with certain extensions anywhere in the file system even if its part of app data. Can you please share the snapshot of fully qualified path of the "Target" from the security history? If the actual target file which is being deleted is a protected file type, then it would be blocked from being deleted.
Sorry, just mentioned in passing (my FWIW observations) re Data Protector.
My example [here] are for unsigned installer that SmartScreen didn't like either.
Just happened to be working with those items around the time I read your Topic.
Sorry, for my off topic sharing.
[...]
more off topic sharing:
Category: Data Protector
Date & Time,Risk,Activity,Status,Recommended Action,Status,Program Path,Program Name,Date & Time,Action Observed,Target
2/10/2024 2:46:11 AM,High,Data Protector blocked a suspicious action by Test_WinService.exe,Excluded,No Action Required,Excluded,M:\C#Program\Test_WinService\Test_WinService\bin\Debug\Test_WinService.exe,Test_WinService.exe,2/10/2024 2:46:11 AM,Suspicious process attempted to modify attributes of a file protected by Data Protector,"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Test_WinService._3c3595679e9f07e41a361a72c391ae2ed4038_5d95667f_cab_67673bf5-813e-435d-a909-1fa87e79cbe0\WER.834450f3-7c75-454e-b9ff-9f08f213f7fc.tmp.mdmp"
Also see attached screenshot
The Windows Service I am creating is adding datetime stamps to a log file periodically. If the log file does not exist, it will create one. It is just a test program.
As a developer, you need to create a master folder for all your projects. Then exclude that folder and all sub folders from Both items in the image below.
Please tell us what Norton is telling you regarding this event. For information regarding this event > from Norton pop-up > View Details > Copy to Clipboard &or from Norton history > More Options > Copy to Clipboard > paste here.
