Norton Tamper Protection and Open Process Token

There have been a couple of threads dealing with programs being blocked by Norton Tamper Protection and some confusion about what these logged events actually mean.  This thread got me curious about what is actually happening when programs repeatedly show up in Norton Tamper Protection logs.  I looked in my logs and noted that whenever the Google Installer (GoogleUpdate.exe) had a firewall log entry saying that it was preparing to access the internet, there was a corresponding entry showing the program being blocked in the Norton Tamper Protection logs.  It appears that the action that Norton Tamper Protection blocks, Open Process Token, is the Google Installer interacting with the Norton ccSvcHst.exe process in some prohibited way that I am not fully grasping.  Google (the search engine, remember?) has little useful information about this.  Could someone clarify exactly what is happening when the Open Process Token action is flagged by Norton Tamper Protection and what programs, such as Trusteer Rapport and Google Installer, are doing when they trigger these blocked events?  Since the firewall's Program Control has the Google Installer set to automatic and shows it is allowed all outbound communication, I am puzzled why there should be any type of interaction that would bring Tamper Protection into play.

Yogesh,

Indeed, I had reviewed that thread prior to my post here.  However you will notice that every post in that thread, including yours, treats this as a firewall issue, i.e., GoogleUpdate.exe is blocked from the internet by the firewall and a log is created.  But this is not a firewall issue as far as I can tell.  GoogleUpdate.exe is not being blocked from accessing the internet - it is being blocked from accessing ccSvcHst.exe and the report of this is not in the firewall log, but rather in the Norton Tamper Protection log.  I think the access token in question here belongs to the Norton process, not the Google Installer process.  Unless I completely misunderstand how Norton Tamper Protection works, I do not see how a blocked Open Process Token entry in the NTP log would result from an action of the firewall, which is, after all, providing a completely different function and maintains its own separate logs.  What am I missing?

I agree with SendOfJive with regard to the Tamper Protection rather than the firewall.  We have seen many programs try to change Norton files in the log to facilitate whatever it is that they are doing.  In my log, I have Firefox, Internet Explorer, Adaware, MBAM, and some rather more bizarre program compatibility error logs.

Most of these programs are allowed to access the net but are not allowed to change any Norton files.  Most of them retire gracefully, and take what they can get without further problems.

We have seen one or two programs that have not retired gracefully and have actually caused a conflict situation with Norton that required their removal.

To me what we are seeing with the programs that Jive finds of interest, is an alternate way for the accessing program to handle the refusal by Norton to alter its files.  It simply refuses to work, but does not cause a conflict.

In trying to work out the difference between programs, and program reactions, I am thinking that these programs are trying to change Norton's scanning priorities for downloads in order to protect their own code from possible damage during the download scan.  I can see no other reason for the number of programs trying to adjust Norton files.

Hopefully SendOfJive will also have a theory on why this is taking place, and we would love to hear from Symantec.

SendOfJive -

The following is a link to some serious investigation of just what Google does with some of their software. Took me a while to find this, but you should be very careful with this file; see this report HERE.

I'm not sure that any unknown or 'not totally undisclosed' (perhaps better term) process should be allowed to access any part of your system whenever it wants to.  Why do most programs or processes look to interact with other services?  Mainly for inspection of what the other process does and then whether the inspecting program needs to hook into that process to further its goal (a file search service would want to do this so that it could index files faster).  Norton is taking the hard stance of nothing hooks or changes its service or processes.

Does this help any?  Seriously take a good look at what Google is doing; I removed all Google software from my system just because of this problem.  If I want to search for something, I use my browser.  But this is a personal decision.
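The "Open Process Token" action in the log corresponds to the Windows API call OpenProcessToken, which can only be made after the caller has obtained a handle to the target process. The script below is an added example, not code from this thread or from Norton or Google, and shows what that sequence looks like from the calling program's side: a process the caller owns yields a read-only (TOKEN_QUERY) token handle, while a process guarded by Tamper Protection should refuse at one of the two steps, which is the event the log records. The function name Test-OpenProcessToken and the Demo.Native type are my own; ccSvcHst is the process name from the thread, and which of the two steps Norton denies is not stated on the page, so the function simply reports whichever step fails.

```powershell
# Added example (not from the thread). P/Invoke the three Win32 calls involved in opening
# another process's access token for read-only inspection.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Test-OpenProcessToken {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400   # process right OpenProcessToken needs
    $TOKEN_QUERY               = 0x0008   # read-only token access, nothing more

    # Step 1: a process handle. Tamper Protection can refuse this outright.
    $proc = [Demo.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($proc -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 5 = ERROR_ACCESS_DENIED
        return [pscustomobject]@{ Pid = $ProcessId; Stage = 'OpenProcess'; Result = "denied (Win32 error $err)" }
    }

    # Step 2: the token handle itself. This is the "Open Process Token" action in the log.
    $token = [IntPtr]::Zero
    $ok  = [Demo.Native]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Demo.Native]::CloseHandle($proc)
    if (-not $ok) {
        return [pscustomobject]@{ Pid = $ProcessId; Stage = 'OpenProcessToken'; Result = "denied (Win32 error $err)" }
    }
    [void][Demo.Native]::CloseHandle($token)
    return [pscustomobject]@{ Pid = $ProcessId; Stage = 'OpenProcessToken'; Result = 'token handle granted (TOKEN_QUERY)' }
}

# Usage: the current PowerShell process (expected to succeed) versus the Norton
# service process named in the thread (expected to be refused while Tamper Protection is on).
Test-OpenProcessToken -ProcessId $PID
Get-Process -Name ccSvcHst -ErrorAction SilentlyContinue |
    ForEach-Object { Test-OpenProcessToken -ProcessId $_.Id }
```

Run it from an ordinary (non-elevated) PowerShell session; a refusal here is the same outcome the Tamper Protection log entry describes, seen from the requesting program's point of view.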

Looking at the information in the link provided by dbrisendine, it appears that the most dire behaviors are actually being ascribed to malware posing as GoogleUpdate.exe rather than to the legitimate file.  What I have was installed when I downloaded the latest version of Google Earth.  The biggest criticisms of the real Google Updater are that it runs as a service that starts automatically and it checks for updates constantly.  Most advice I've seen suggests to disable automatic startup, but not to remove the thing entirely since that could negatively impact the parent application's ability to be updated.

I am not really surprised that every time GoogleUpdate.exe wants to phone home, Norton has to tell it to mind its own business as far as its taking a gander at what ccSvcHst.exe is up to.  The Google Installer is one of those annoying product "features" that installs unannounced and feels entitled to use whatever resources it wants in the name of a better "user experience."  Living with it is the price I pay for the benefit I get from Google Earth.  

I don't really have a theory about why GoogleUpdate.exe trips Norton Tamper Protection, but I think dbrisendine's point about seeing if there were a benefit to hooking into ccSvcHst.exe might have some merit.  Perhaps Google is taking offense at having to ask anyone's permission to access the internet and is looking to shut down or cripple any program arrogant enough to question Google Installer's actions.  Google probably just doesn't like being interfered with when it's doing its job any more than Norton does.

Don't anthropomorphize computers - they hate it.

Message Edited by SendOfJive on 06-10-2009 09:52 PM