Security History and Statistical Submissions

I have several Statistical Submissions that are Pending in the Security History.  I've listed some of the info from one below:

 

Description:  IPS Detection Statistical Submission

Signature ID:  23318

Local or Remote Attacker:  1

Remote Port:  49322

Local Port:  80

Protocol:  6

Signature Set Version:  201100805.004

Application Name:\DEVICE\HARDDISKVOLUME1\Program Files (x86)\INTERENT EXPLORER\IEXPLORER.EXE

Offending URL:  openaccess.oldapps.com/mozilla.org//firefox./releases/3.6.8/win32

 

There are also other statistical submissions with different stuff as well.  They're all Pending.

 

I would appreciate any help at all.

 

Thanks,

 

Cody


I would appreciate any help at all.


 

 

Help for what?! There is nothing to help you with. This is normal. They are currently pending; soon they will be submitted. Don't worry, find something else to worry about ;)

 

It can take several days for them to be submitted. Only a little amount of information is sent at each submission, so as to make it unnoticeable for the user, and if there are a lot of submissions waiting, it'll take time. It's not of any critical importance, so let it take time and don't worry.

Hi delphinium, I checked the intrusion prevention and there are only two medium threats that were blocked, but these were from the day before I got the Statistical Submissions. I have several things going on simultaneously, including six Symantec Error Reporting messages. I just bought this product (Norton Internet Security) and it’s a wee bit frustrating. Thanks for your input. Cody

Hi Cody:

 

Would you go to the Intrusion Prevention log, click on one of the entries to highlight it, and then click the "more details" button?  Let us know what the entire entry says.  We will be better able to judge whether those entries are connected to the statistical submissions, or whether they may be an indication of a threat.

Hi Cody,

 

Just to explain a bit about IPS statistical submissions:

 

The Norton Intrusion Prevention System uses signatures to detect and block exploits that leverage vulnerabilities in software programs to install malware. When a new exploit is discovered, a signature is created and distributed as quickly as possible in order to provide immediate protection. After this initial signature is released, refinements are made to perfect a new signature that is smaller and more efficient. Because there is an increased likelihood of false positives, the revised definition is first released as a test signature. When one of these test signatures is triggered, it is reported back to Symantec as an IPS Detection Statistical Submission. These submissions help Symantec fine-tune the accuracy of the detections. Once testing is completed, the initial signature will be replaced or updated with the improved version. While testing is in progress, you are protected from the actual exploit by the originally released signature, which will trigger IPS to block, log, and alert you to any real attack. A statistical submission alone without a corresponding IPS action would indicate a false positive.

 

Reese Anschultz provides a couple of good explanations, which I have paraphrased here, in the following thread:

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/IPS-detection-statistacal-submission/...
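An added example, not part of the original thread and not Norton's own tooling: a sketch of the triage rule described above, where a statistical submission with no IPS block near it in time is treated as a likely test-signature false positive. The `Date` field, the `Intrusion attempt blocked` description, the five-minute window and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SUBMISSION = "IPS Detection Statistical Submission"
IPS_BLOCK = "Intrusion attempt blocked"  # assumed label, not a real Norton string

# Constructed sample in the "Field: value" layout used in the thread.
# Every value below is made up; this is not a real Security History export.
SAMPLE_HISTORY = """\
Date: 2010-08-08 12:34
Description: IPS Detection Statistical Submission
Signature ID: 11111
Offending URL: downloads.example.test/a

Date: 2010-08-08 13:02
Description: IPS Detection Statistical Submission
Signature ID: 22222
Offending URL: files.example.test/b

Date: 2010-08-08 13:03
Description: Intrusion attempt blocked
Status: Blocked
"""

def parse_records(text):
    """Split blank-line-separated blocks into dicts of field -> value."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def when(record):
    return datetime.strptime(record["Date"], "%Y-%m-%d %H:%M")

def triage_submissions(text, window_minutes=5):
    """Label each statistical submission by whether an IPS block is nearby."""
    records = parse_records(text)
    window = timedelta(minutes=window_minutes)
    blocks = [when(r) for r in records if r.get("Description") == IPS_BLOCK]
    results = []
    for r in (r for r in records if r.get("Description") == SUBMISSION):
        matched = any(abs(when(r) - b) <= window for b in blocks)
        verdict = "review: IPS also acted" if matched else "likely false positive"
        results.append((r["Signature ID"], verdict))
    return results
```
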

Hi SonOfJive, This information is very helpful. I like Norton’s program and am finding out as much as I can about its functions. Thanks so much for this info. Cody

Hi delphinium,

 

I should not have said the risks were in Intrusion Prevention.  There are eight of them located in the Full History; first attempt August 7, with the last attempt about an hour ago. Here's some info from Advanced Details:

 

1)  Saturday, August 7, 3:00 PM

 

Severity:  Medium

Activity:  Unauthorized access blocked (Access Process Data)

Status:  Blocked

Recommended Action:  No action required

 

Actor:  WINDOWS\SYSTEM32\MRT.EXE

Actor PID:  964

Target:  Program Files (x86)\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe

Target PID:  2536

Action:  Access Process Data

Reaction:  Unauthorized access blocked

Termination Session:  3

 

2)  Saturday, August 7, 3:00 PM

 

Same as above

 

3)  Sunday, August 8, 12:00 PM

 

Severity:  Medium

Actor:  C:\WINDOWS\SYSWOW64\RUNDLL.EXE

Actor PID:  3432

Target:  Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  2612

Terminal Session:  1

 

4)  Sunday, August 8, 12:34 PM

 

Severity:  Medium

Actor:  E:\SETUP\HPZSHL40.EXE

Actor PID:  2652

Target:  C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  2720

Terminal Session:  1

 

5)  Sunday, August 8, 12:34 PM

Actor:  E:\SETUP\HPZSHL40.EXE

Actor PID:  2652

Target:  C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  2720

Terminal Session:  1

 

6)  Sunday, August 8, 12:37PM

Actor:  C:\WINDOWS\SYSTEM32\MSIEXEC.EXE

Actor PID:  3748

Target:  C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  1960

 

7)  Sunday, August 8, 1:32 PM

Actor:  C:\WINDOWS\SYSTEM32\MSIEXEC.EXE

Actor PID:  3748

Target:  C:\Program Files (x86)\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe

Target PID:  1976

 

8)  Same as 7

 

All have a severity of Medium.

 

Thanks,

Cody

 

That looks good Cody.  Just as it should be.