This undisclosed virtual flash card app made in the former USSR is supposed to be the best of its kind, although it insists on running with Administrator privileges. This could be merely due to no new software development yet by the source to follow the latest multiple user account abilities of Windows, or this could be an excuse.
The method followed:
Ran Microsoft Sysinternals' Process Monitor, including the suspect app, while using the suspect app and excluded the more common recurring operations that were collected by Process Monitor.
The result so far:
Multiple occurrences of the following reads, along with curious registry key value lookups to include Internet Explorer's Security Settings.
2:59:31.5232386 PM 0.0000532 [undisclosed].exe 4260 FASTIO_READ C:\Program Files (x86)\Norton 360\NortonData\21.0.1.3\Definitions\VirusDefs\20140717.001\VIRSCAN7.DAT SUCCESS Offset: 10,461,979, Length: 65,536 File System
These accesses continued for a while; based on the offset values, they did not appear to begin at the start of the file, but they did appear to continue to the end of the file. Perhaps the data is being read in preconfigured blocks at a time.
Is the US version of N360 export restricted? Are there any products out there capable of modeling and tracking snooping activity like that of this undisclosed study app? Clearly the crucial point is that this app probably shouldn't be running at Administrator-level privileges. Any thoughts on better ways to monitor this app using tools other than Sysinternals' Process Monitor? I am definitely interested in others' experiences manually tracking suspicious software. This app isn't supposed to be malware, but it could possibly be infected; I don't know.
Note: A little more context about the "virtual flash card app": 'flash card' as in 'note index card'. This is an app meant to help with spaced repetition for memorizing study material, so it has no business snooping around in N360's data files!
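One way to automate the offset bookkeeping described above, as an added example that is not part of the original post: it parses a Process Monitor CSV export (File > Save, CSV format), keeps only the suspect process's file reads, and reports per file whether the reads were contiguous fixed-size blocks and whether the file lies outside the app's own install directory. The process name `app.exe`, the install directory and all sample rows are constructed assumptions; only the Norton path and the first offset/length come from the post.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in Process Monitor's CSV export layout. Only the Norton
# path and the first offset/length echo the post; the other rows are invented.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:59:31.5232386 PM","app.exe","4260","FASTIO_READ","C:\\Program Files (x86)\\Norton 360\\NortonData\\21.0.1.3\\Definitions\\VirusDefs\\20140717.001\\VIRSCAN7.DAT","SUCCESS","Offset: 10,461,979, Length: 65,536"
"2:59:31.5240000 PM","app.exe","4260","FASTIO_READ","C:\\Program Files (x86)\\Norton 360\\NortonData\\21.0.1.3\\Definitions\\VirusDefs\\20140717.001\\VIRSCAN7.DAT","SUCCESS","Offset: 10,527,515, Length: 65,536"
"2:59:31.5250000 PM","app.exe","4260","FASTIO_READ","C:\\Program Files (x86)\\Norton 360\\NortonData\\21.0.1.3\\Definitions\\VirusDefs\\20140717.001\\VIRSCAN7.DAT","SUCCESS","Offset: 10,593,051, Length: 4,096"
"2:59:32.0000000 PM","app.exe","4260","ReadFile","C:\\Program Files (x86)\\App\\cards.db","SUCCESS","Offset: 0, Length: 4,096"
"2:59:32.1000000 PM","explorer.exe","1234","ReadFile","C:\\Windows\\System32\\shell32.dll","SUCCESS","Offset: 0, Length: 4,096"
"""

# Procmon's Detail column for reads looks like "Offset: 10,461,979, Length: 65,536"
DETAIL_RE = re.compile(r"Offset:\s*([\d,]+),\s*Length:\s*([\d,]+)")

def parse_reads(csv_text, process_name):
    """Collect (offset, length) pairs per path for one process's file reads."""
    reads = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] not in ("ReadFile", "FASTIO_READ"):
            continue
        m = DETAIL_RE.search(row["Detail"])
        if m:
            off, length = (int(x.replace(",", "")) for x in m.groups())
            reads[row["Path"]].append((off, length))
    return reads

def summarize(reads, own_dir):
    """Per path: byte range touched, whether each read started exactly where the
    previous one ended (block-wise sequential), and whether the file lies outside
    the app's own install directory (own_dir is an assumed value)."""
    summary = {}
    for path, chunks in reads.items():
        chunks = sorted(chunks)
        sequential = all(a + n == b for (a, n), (b, _) in zip(chunks, chunks[1:]))
        summary[path] = {
            "first_offset": chunks[0][0],
            "end": max(o + n for o, n in chunks),
            "reads": len(chunks),
            "sequential_blocks": sequential,
            "foreign": not path.lower().startswith(own_dir.lower()),
        }
    return summary

if __name__ == "__main__":
    for path, s in summarize(parse_reads(SAMPLE_CSV, "app.exe"), "C:\\Program Files (x86)\\App").items():
        print(("FOREIGN " if s["foreign"] else "own     ") + path, s)
```

A first offset well above zero with the reads still arriving in back-to-back 65,536-byte blocks is exactly the pattern the post describes, and the report makes it visible per file rather than per event.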