Since soon after my Norton 360 was updated to v24 Dec 31 2024 on this computer, I have been getting sporadic alerts (average every 3 days) that a trusted app or process is trying to access my browser credentials (usually Chrome login credentials or login data for account, but at least once it said cookies instead).
The apps and processes that the alerts say have attempted such access include Windows Update, Word, Excel, Tubedigger (a video downloader I’ve used for years), ping.exe and dllhost.exe (properly located in Windows\System32). (There was also such an alert for Malwarebytes, but that one was to be expected as it scans the browser-data folders.)
In all cases the cited user account is me (call it Ardmore), except for one case where the cited user was an alternate account I created on this machine for a specialized use, but haven’t logged into in at least 2 years (call it Ardmore2).
Norton and Malwarebytes system scans, as well as Virus Total scans of the cited files, all come up clean.
Any ideas what is going on? And/or has anyone else encountered a similar situation?
The edit window apparently closed just as I was adding this additional info:
For the apps, I believe these alerts occurred just after I opened that app. And only one time for each app. For ping.exe, and dllhost.exe (which I believe is an often-invoked system file?), the alerts came without any known trigger on my part.
I trust Tubedigger, but there is no reason it should need access to my Chrome login data. In fact, I don’t think any of the apps or files I listed – despite being trusted – have any reason to access my Chrome passwords. This includes Windows Update, Tubedigger, ping.exe and dllhost.exe. I have blocked all of them in Browser Data Protection. I have allowed such access only for Malwarebytes, which was doing an on-demand scan when Norton 360 v24A generated an alert for it. (BTW I shouldn’t have included Word and Excel in the list above, because I see now that their alerts were actually cited by ransomware protection.)
Thanks for pointing out the master settings area for Browser Data Protection in Security > Advanced > Safeweb. The wording (including hovering over the circled i’s), seems to suggest that Trusted apps should be allowed to bypass password protection. But again, shouldn’t that apply only to trusted apps that legitimately require a browser password?
And I would also note that none of these same apps or files have made any more attempts to access Chrome passwords. (I am presuming that any such attempt would generate an alert, or at minimum a Security History entry. Or am I presuming wrong?)
What I was wondering is if I might be infected with some sort of sophisticated malware that somehow uses trusted programs – even when they are not active – to try to gain access to a Chrome passwords file? OR, is there some sort of bug in Norton 360 that can result in reporting behavior that didn’t actually occur? Unfortunately the first time I saw one of these alerts (it was for Tubedigger), I simply thought, “that’s an app I trust,” and since the countdown to a defaults “deny” was nearing its end, I allowed it. (BTW, that was for the Chrome file “Login Data for Account.” I wish I knew what the difference is between that and the larger file named simply “Login Data.”)
Did you clear browser cookies n cache?
Do you run browser sync?
Did you recently install any program / browser extension?
Did you recently allow push notifications?
Did you recently change site permissions?
Did you run Norton Full Scan?
Did you run Malwarebytes Scan?
========================================
Maybe, Norton wants users to be aware that an app touches your browser.
My read fwiw is that Browser Data Protection helps prevent apps from touching browser sensitive data (cookies n’ passwords).
Maybe I didn’t explain that clearly. I’m saying that Norton’s statement that Trusted apps be exempted from browser password protection is too liberal. Many trustworthy apps should have no need to access browser passwords.
BTW I was surprised to find that there appears to be NO history for browser protection events. It’s not in Security History (resolved OR unresolved), or at C:\ProgramData\Norton\Antivirus\Report, or anyplace else that I can find…
Malwarebytes Forums run a tight ship. Only staff and experts can access logs. Granted, I’ve read user posted reports with system information over on Malwarebytes Forums. I think if the user follows directions. I think only staff and experts can access requested logs. That’s what I’ve read staff & experts explain to users with privacy concerns…that only staff and experts can access requested logs. I’ve posted over on Malwarebytes Forums.
try Strict Mode?
Strict Mode: Only approved apps can change or delete files in your protected
folders. All other apps require your permission.
The BrowserProtection text has solely start and stop times for Browser Protection. Basically just tells me when I started and shut down my computer. There is nothing in there about the events I described, or any other events.
