Process Lasso

Can someone please explain the following which is being repeated every second (yes, every second) in the NIS Security Report:


Category: Norton Product Tamper Protection
Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Target PID,Action,Reaction,Terminal Session
17-Jun-13 1:16:07 PM,Medium,Unauthorized access blocked (Access Thread Data),Blocked,No Action Required,17-Jun-13 1:16:07 PM,C:\PROGRAM FILES\PROCESS LASSO\PROCESSLASSO.EXE,2712,C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccsvchst.exe,5276,Access Thread Data,Unauthorized access blocked,1

Have you installed a utility called Process Lasso? http://bitsum.com/processlasso/


If so, it may be trying to control a Norton process and Norton Product Tamper Protection is protecting itself from what it sees as an attack.


You would need to exclude Norton from Process Lasso to stop the constant notifications.


Yes, I should have said that I have Process Lasso installed.

I only learned about the program's existence by Googling it.


Are you able to exclude programs or processes from the program's optimization? You would need to exclude all iterations of ccsvchst.exe, which is the Norton process.


The notifications you are seeing are probably because Process Lasso is trying to throttle or control how Norton is using the CPU. Norton is probably seeing this as something trying to take control and it is protecting itself, as it should.


It doesn’t have anything to do with Process Lasso acting on ccsvchst.exe. That process is already excluded from any sort of action. Further, the ‘core engine’ that takes action on processes is in ‘ProcessGovernor.exe’, which is not what this tamper detection event is referencing.


This event is triggered by the GUI (ProcessLasso.exe) simply opening ccsvchst.exe with *read-only* access to check basic metrics for display in a list of running processes. Yes, that’s right. Read-only. The log event itself implies as much; ‘Access thread data’.


In the past, a temporary fix was in place that didn’t touch this process in any way, meaning it wasn’t listed.


Norton can alert on whatever benign threats it wants, but the bug here is that the *SAME EVENT* is repeated ad-infinitum, once per second. What good is it to repeat this tamper detection event so many times that it brings the PC to a crawl? After all, they can block any API call they don't like without having to re-issue a log entry every time!


If it weren’t for the endless repetition of this tamper detection event, this would not be an issue. Therefore, if Symantec is wise, I believe they will fix this bug of repetitive tamper detection events that can bring a PC to a crawl.


I reported this a couple of years ago to Symantec, though who knows if it ever got to the right people :o. In the meantime, Bitsum will work around this issue, as we feel it is very important to interoperate correctly with Symantec products!


(concise)

Report to Symantec:
BUG - Redundant tamper detection event can be emitted to the log ad infinitum, bringing the PC to a crawl in some cases.
FIX - Do not emit a tamper detection log entry if the event is the same as the prior one, OR limit the number of duplicate events emitted to a reasonable rate.

jcollake
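Both fixes proposed in the report above can be checked against the report's own row format. The following is an added example, not code from the thread, Bitsum or Symantec: it parses rows with the 13-column header quoted earlier in the thread, then applies either "suppress an entry identical to the prior one" or "cap identical entries at a bounded rate per window". The log rows are constructed to mirror the quoted one (the PROCEXP.EXE path and PID, and the per-second timestamps, are made up for illustration).

```python
"""Collapse repeated tamper-protection log events so a polling tool cannot flood the log.

Added example (not part of the Norton or Bitsum thread). Field names follow the
NIS Security Report header quoted in the thread; the sample rows below are
constructed, not real captures.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Column names exactly as they appear in the NIS Security Report header.
FIELDS = ["Date & Time", "Risk", "Activity", "Status", "Recommended Action",
          "Date", "Actor", "Actor PID", "Target", "Target PID", "Action",
          "Reaction", "Terminal Session"]

PL_EXE = r"C:\PROGRAM FILES\PROCESS LASSO\PROCESSLASSO.EXE"
NIS_EXE = r"C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccsvchst.exe"


def _row(second, action, actor=PL_EXE, actor_pid="2712"):
    """Build one constructed report row in the 13-column format quoted in the thread."""
    stamp = f"17-Jun-13 1:16:{second:02d} PM"
    return ",".join([stamp, "Medium", f"Unauthorized access blocked ({action})",
                     "Blocked", "No Action Required", stamp, actor, actor_pid,
                     NIS_EXE, "5276", action, "Unauthorized access blocked", "1"])


# Constructed sample: the same read-only access blocked once per second for ten
# seconds, then one distinct event type, then the same event from another actor
# (the PROCEXP.EXE path and PID are placeholders, not observed values).
SAMPLE_LOG = "\n".join(
    [_row(s, "Access Thread Data") for s in range(7, 17)]
    + [_row(17, "Open Process Token"),
       _row(20, "Access Thread Data", r"C:\TOOLS\PROCEXP.EXE", "4100")])


def parse_events(text):
    """Parse report rows into dicts keyed by FIELDS, adding a parsed 'ts' datetime."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # skip blank or truncated rows instead of failing
        ev = dict(zip(FIELDS, row))
        ev["ts"] = datetime.strptime(ev["Date & Time"], "%d-%b-%y %I:%M:%S %p")
        events.append(ev)
    return events


def event_key(ev):
    """Identity of an event for duplicate detection: everything except the timestamps."""
    return (ev["Actor"], ev["Actor PID"], ev["Target"], ev["Target PID"],
            ev["Action"], ev["Reaction"])


def collapse_repeats(events):
    """Fix option 1: emit an entry only when it differs from the previous one.
    Repeats are folded into a 'repeats' counter and a 'last_ts' on the kept entry."""
    out = []
    for ev in events:
        if out and event_key(out[-1]) == event_key(ev):
            out[-1]["repeats"] += 1
            out[-1]["last_ts"] = ev["ts"]
        else:
            out.append({**ev, "repeats": 1, "last_ts": ev["ts"]})
    return out


def rate_limit(events, max_per_window=3, window=timedelta(seconds=60)):
    """Fix option 2: allow at most max_per_window identical events per sliding window.
    Returns (emitted_events, suppressed_count_by_key)."""
    recent = defaultdict(deque)   # key -> timestamps of recently emitted events
    suppressed = defaultdict(int)
    emitted = []
    for ev in events:
        key = event_key(ev)
        q = recent[key]
        while q and ev["ts"] - q[0] >= window:   # drop timestamps outside the window
            q.popleft()
        if len(q) < max_per_window:
            q.append(ev["ts"])
            emitted.append(ev)
        else:
            suppressed[key] += 1
    return emitted, dict(suppressed)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in collapse_repeats(evs):
        print(f"{e['ts']:%H:%M:%S} x{e['repeats']:<3} {e['Activity']}  actor PID {e['Actor PID']}")
    kept, dropped = rate_limit(evs)
    print(f"rate limit kept {len(kept)} of {len(evs)}; suppressed per key: {list(dropped.values())}")
```

With the constructed input, option 1 turns twelve rows into three entries (one of them marked as repeated ten times), and option 2 at three events per minute keeps five rows and counts seven suppressed repeats of the Process Lasso access. The key deliberately excludes the timestamp and includes actor and target PIDs, so a different tool polling the same Norton process is still logged on its own.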


Thanks for your insight into this issue.


You may know more about this. Does the Process Lasso program continually poll the processes? If so, this would be why Norton keeps reporting as it does. It is just doing its job to protect the user's system from an attempt to gain access to the Norton modules.


It might be argued to have Process Lasso be able to realize that security software is going to behave this way and find a way to limit its access attempts to the security modules.


Process Explorer is another program that, on some systems, will cause this same issue.

NIS has come to the point where it freezes in part because of this and I have been forced to stop using Process Lasso.

PeterNorton: Yep, PL does poll, and that's why this is occurring. Still, there's no reason for NIS to keep logging each block, at least in my book.


It even lends itself to a potential vulnerability; I could write a program that just opens NIS processes, requiring no special access since NIS is alerting for read-only queries, and bring NIS to its knees with all these tamper detection events :o.


What you suggest is what I've done in the past. It's also what I do again to fix this. Why did I make the stupid mistake of changing the behavior? Users complain that these processes aren't listed, so I tried to comply with their wishes. I now have an option letting users toggle whether these processes are ignored.


Status:

v6.6.0.21 beta fixed the 'access thread data' tamper detection issue

v6.6.0.23 beta fixed the 'open process token' tamper detection issue


jcollake wrote:

PeterNorton: Yep, PL does poll, and that's why this is occurring. Still, there's no reason for NIS to keep logging each block, at least in my book.


It even lends itself to a potential vulnerability; I could write a program that just opens NIS processes, requiring no special access since NIS is alerting for read-only queries, and bring NIS to its knees with all these tamper detection events :o.


What you suggest is what I've done in the past. It's also what I do again to fix this. Why did I make the stupid mistake of changing the behavior? Users complain that these processes aren't listed, so I tried to comply with their wishes. I now have an option letting users toggle whether these processes are ignored.


Status:

v6.6.0.21 beta fixed the 'access thread data' tamper detection issue

v6.6.0.23 beta fixed the 'open process token' tamper detection issue



@jcollake - I appreciate your prompt attention to this as I expect that no resolution is soon forthcoming from Symantec. I have noticed all these blocked accesses, too, but I've always just ignored them. So far, I haven't noticed that it has had a negative impact on performance. Perhaps I'll notice a difference once the stable version rolls out and I toggle them off. :smileywink:


Thanks again for taking your time to address this. You're the best.


Anytime!


The one unfortunate thing is that these processes are, once again, not listed in Process Lasso's process view. I wonder if Symantec might prefer it this way :o.


For any readers, these processes can be shown by unchecking (in Process Lasso) 'Options / General / Ignore problematic processes'. This will induce those annoying tamper detection events.


Alright, back to my own forum :)