Issue abstract:
In reviewing my Security History logs, it seems like something is sporadically enabling/disabling my “Intrusion Signatures” and “Remote Access Protection” setting
Detailed description:
I was reviewing my Security History and noticed log entries for the following settings turning off and on:
“Intrusion Signatures” and “Remote Access Protection”
(Sample screen shots below)
I did not make any of these changes myself. Wondering what is happening here?
Product & version number:
Norton 360
25.1.9816 (build 25.1.9816.914)
OS details: Windows 11 Pro, 24H2
What is the error message you are seeing?
Refer to screen shots
If you have any supporting screenshots, please add them:
Sample screen shot of recent log
Thanks in advance.
I get these same items in History but mine are consistant. They are disabled on shutdown, why this recorded dont know , surely on shutdown, everthing is disabled.
On boot or restart these are then recorded as enabled - yours seem to have lost their way for some reason. Logically I suppose they would be disabled on boot until they are subsequently enabled.
This morning, they were enabled 20 seconds after the first history item, last night disabled in last entry of day on shutdown.
I have been getting them too. I did do a Startup scan after my initial setup. Does Norton turn them off to do the scan?
Sometimes I see one or the other turned off or both for up to 1-5 minutes before they are turned back on.
I completely wiped my new PC after seeing this and reset windows and reloaded Norton. I did not do a startup scan. I have not seen it happen again yet, but it’s just been a couple days.
I am also seeing multiple “identifying..” network connections in the history. Have you been getting that?
Seems like this might not be the case for me. The timestamps do not coincide with my start up/shut down times.
I am not sure if Norton turns them off to do the scan. Hopefully someone else can confirm.
Maybe I’ll try resetting and reloading Norton. Have you noticed the issue happen again?
I just checked mine, and did notice a couple “Identifying…” network connections in my history, not sure what this could be either.
The last few days, while watching Netflix on my HP computer (Windows 10), a jumbled full screen pops up and the computer shuts down. Happened a couple of times and a found “Intrusion Signature Enabled” and “Remote Access Protection Enabled” in the Norton Security History log.
Is Netflix trying to access the computer and Norton kicks them out, thinking it is an illegit intrusion? (I have a valid Netflix subscription, and I am able to watch streaming shows for an hour or so).
Is this a Norton setup issue, and if yes, how to fix it.
P.S.
Starting happening the last couple of days only; no issue before when watching Netflix on that computer.
I do not have VPN turned on since I am protected through my Xfinity gateway.
I did a full scan of the computer and checked performance: no virus or such, no computer performance issue.
I am able to watch the Netflix show on TV.
Check to see if these occurrences coincide with a LiveUpdate. Could be that the features are disabled to get updated.
if you have windows 11, check in device security to see if Secure Boot icon is present and turned on. I picked up a virus a few days ago that turned it off, also the history showed the remote protections turned on and off twice in quick succession. i completely wiped the pc and reloaded windows from an external source. So far secure boot has stayed on, but I noticed that the “Kernel-mode hardware enforced stack protection” was turned off. I turned it on, which required a restart, and the remote access protection cycled off and back on in the history. Not sure why or when Kernal mode was turned off. Should it have been on by default after reloading windows 11?
Hi I´ve had this problem for sometime now and did a windows cleanout but to no avail. Then I used Gemeni to analyse my win 11 logs and then the dots started to connect. Here is a recap of the findings by Gemeni:
Technical Summary: False “Disabled” Logs Correlated with GPU TDR Events
Context: I have been experiencing recurring “Remote Access Protection disabled” and “Intrusion Signatures disabled” entries in my Norton Security History, even after a clean Windows re-installation. Analysis suggests these are false reporting events triggered by system-level driver resets.
Files Analyzed:
-
Norton Security History: (Visual logs showing simultaneous “Disabled” events).
-
Windows Firewall Rules: (Incomming.txt, outgoing.txt).
-
Windows Event Logs: (System events.txt, Admin Events.xml, Program.txt).
Key Findings:
-
Status Mismatch (False Positives): While Norton’s internal history logs the protection as “Disabled,” the Windows Security Center logs (Program.txt) consistently report: “Status for Norton 360 was updated to SECURITY_PRODUCT_STATE_ON” at the exact same timeframes. This confirms the protection remains active in the eyes of the OS, despite Norton’s UI reporting otherwise.
-
Hardware Trigger (GPU TDR Events): The Windows System logs show a direct correlation between Norton’s “Disabled” entries and LiveKernelEvent 141 and 117 (TDR - Timeout Detection and Recovery) errors. On my system (ASUS AMD Radeon RX 7900 XTX TUF), these micro-resets of the graphics driver appear to cause a momentary “hiccup” in system services.
-
The Mechanism: When the GPU driver hangs and Windows resets it to prevent a BSOD, it causes a brief interruption in service communication. Norton appears to interpret this momentary loss of contact with its own drivers/the network stack as the service being “Disabled.” Because the logs for Intrusion Prevention and Remote Access Protection appear in pairs with identical timestamps, it points to a service-wide reporting glitch rather than manual tampering.
Conclusion: On high-end AMD systems (specifically the 7000-series), driver-related TDR events seem to trigger false “Disabled” logs in the Norton UI. Users seeing these logs should cross-reference their Windows Event Viewer for Event 141/117 before assuming a security compromise.
2 Likes
Wondering whether this may be related?
Vulnerable Driver Blocklist is a security feature under Microsoft’s Core Isolation umbrella for Windows. For those unaware about Core Isolation itself, this is a collection of capabilities that protect “core” Windows processes from malicious software by isolating them in memory. The Vulnerable Driver Blocklist falls within this category because it essentially offers a list of drivers that are restricted by default from ever running in Windows.
Devices like cameras, microphones, keyboards, and more typically communicate with the operating system through drivers. In the past, there have been documented instances of compromised Windows drivers that were being used to exploit the OS. So, in 2022, Microsoft decided that it would mitigate this attack surface by maintaining a list of drivers known to be compromised in Windows installations.
SA
