System Restore Disabled NIS

Yesterday, I had to do a System Restore (SR - Win XP SP3) back about 1-week, b/c Real Player (RP) and Flash weren't working. SR was a last ditch effort.  Had tried everything else, for over 5-hours.  So, proceeded with SR, turning OFF NIS 2011 "Tamper Protection" first.  Also, disconnected from my DSL.

The SR worked.  RP and Flash OK.   But, upon Windows restart after the SR, NIS 2011 was disabled -- "Intrusion Prevention" and "Browser Protection" were completely turned off.  Would not let me turn them back on.  Got some help from a Norton "One Button" thing, and was finally able to get NIS back by doing a (fairly small) Live Update (LU).

I've searched the Forum on this, and it seems that SR can really screw up NIS.  But wow -- having critical features disabled like this -- well, that seems extreme.  Really like (and need) SR -- it  has saved my **bleep** many, many times before, when nothing else would work.  And, never had such a problem w/NIS.

If one has some kind of (undetectable) malware on their computer (which I have long suspected), turning NIS Tamper Protection OFF seems quite risky -- the malware could conceivably turn Intrusion Prevention and Browser Protection completely OFF, like mine was, during the SR.

Does NIS 2012 take a different approach on this "turning Tamper Protection OFF before SR"?  Maybe I should upgrade.  I'd sure like to find another way to do SR's.

Welcome any thoughts.

 

Robby

[NIS 2011, Win XP SP3, 2004 17" Toshiba laptop, "dual-core" 3.1GHz, 1.5GB mem.]


Hi yank, tks for the reply.

 

Yes, I agree, SR has really saved me numerous times.  But, I have never had issues with NIS after a SR, and that puzzles me as to why it occurred this time.  Over the last several years I've probably done SR's 20 times or so.  Never a problem.

 

I'm still unconvinced it's not malware causing this kind of NIS disabling.  Too many coincidences on this particular event, for me at least.  And, if it is malware, then turning off NIS Tamper Protection could be the major factor.

 

Surely there is something that Norton could do to let Windows handle SR things, w/o turning off NIS Tamper Protection and making our computer system vulnerable.  Security/Certification/Verification "signatures"  from Windows would seem to be possible when it's doing a SR.  And, NIS would receive this signature and allow the process to continue.

OK, so some things might have been rolled-back in NIS, from a SR -- but a Live Update is not that big of a deal to bring it back to a current status.  Much easier than NIS uninstall/NRT/reinstall.  To me, that's a hassle.

 

But, whadda I know.  Just hope it doesn't happen again.


Again, tks for your input.

 

Robby

Hi Robby,

 

You did the right thing to disconnect from the Internet before doing this - that is always a good precaution.

 

It is and I'm sure always will be necessary to turn OFF Norton Product Tamper Protection in order to do an SR and the reason for this is because not even SR is allowed to tamper with Norton files unless you have explicitly authorized it by turning this option OFF.

 

The problem with SR causing problems with NIS is unfortunately something which I don't think Norton can do anything to prevent. Here's the problem in a nutshell... When you do an SR you are overwriting some but not all Norton files with the ones present in the SR point. This can and often does cause some Norton files to be out of step with other Norton files or even the System registry itself.

 

Sometimes as you've discovered a simple Live Update will fix it, and other times it will require a clean reinstall to fix.

 

The rule of thumb is that the longer you go back in time when doing an SR the higher the chances of causing problems with your Norton software because as you go further back in time, there is typically a higher chance of causing Norton files to be out of step with other Norton files.

 

As Yank said though, I too consider this a small price to pay to restore my system if it has become unstable....etc.

 

Beyond that I would recommend that you consider investing in an Image Backup program such as Norton Ghost or some other one - there are quite a few good ones out there.

 

With an imaging backup program you have the ability to recover in almost no time from virtually any disaster you can think of. SR can sometimes fail - I've seen it quite a number of times before. A properly performed Image backup will not fail and if you restore from an image backup, you won't have to worry about Norton becoming messed up. You would then only have to ensure that you run live update until you retrieve all the missing updates.

 

Hope this helps.

 

Best wishes.

Allen

The reason you must turn off Norton Product Tamper Protection is because System Restore actually needs to tamper with Norton files and registry keys - they are part of the restore point.  Because of the way System Restore works, if Tamper Protection blocks the restoration of the archived Norton data, the entire restore operation will fail - it's all or nothing.  It is precisely this unavoidable tampering - overwriting some current settings and data with obsolete information - that sometimes leaves Norton in an unusable state that requires a reinstallation. It's just one of the many limitations of System Restore.

Well my 2 cents on this, is that I’ve never experienced any other anti virus product that requires you to switch off something within it, before doing a system restore! I’ve used PC Cillin (yes very old now, from trend micro), Panda, Bitdefender, Kaspersky & Eset in my time. I'm expecting replies back now, advising that Norton must be “more secure” than any of the above as it’s doing an excellent job of preventing “tamper protection”. In my view if turning this option off is a requirement before a system restore, Norton needs to make this an automatic process and not rely on the user to turn a feature off.

Hi surfer1000,

 

I think in part that requiring the user to turn Tamper protection off explicitly could be considered an "implementation" choice. Sure the Norton software could probably be made to do this on its own but frankly I think it is more secure for the user to be required to do this, for a couple of reasons.

 

1. The user is giving informed explicit consent so there is nothing murky going on behind the scenes without the user being aware of it. I've seen too many complaints not just with Norton but overall where customers have become outraged when software makes changes to the system without the user's knowledge and consent.

 

2. If an exception is made for system restore and the Norton software turned Tamper protection off automatically I think your system is at more risk because this opens the door for malware to also try and find a way to turn it off and start modifying or removing critical Norton files.

 

My two cents worth. :smileywink:

 

Best wishes.

Allen

......I also have to wonder if Norton was designed to turn off Tamper Protection when SR ran, what additional design changes would be needed to prevent malware from turning off Tamper Protection?

If the only way to turn off Tamper Protection is by human physical action, then that would, IMHO, be more logical, desirable and secure.

 

 

Wow, thks for all the replies, guys (and gals <g>).

 

@ AllenM:

 

Yes, I have had GHOST 14  for around (3) - years  (since something completely disabled my entire system in 2008, and I had to take it into a repair shop to get it fixed -- substantial $$$).

 

And I use GHOST nearly every day to backup my system.  But, have only used it once -- as a test --  to restore my entire computer.  Took well over an hour, as I recall.  SR does what I need done in about 5-minutes.

 

Suppose I could use GHOST to restore specific system files/folders -- if I knew enough about such stuff to choose those files and folders, which I don't.

 

BTW, this "undetectable" malware, that I suspect has haunted my system for many years, has knocked GHOST out, totally, on several occasions -- requiring a complete reinstall and huge LU's.  Quite time-consuming.

 

In fact, GHOST is sort of knocked out right now -- after my most recent "mysterious" computer anomalies (discussed above).  It won't now do "incremental recovery points."  So, I have to wipe the backup drive and do a completely new recovery point.  Takes around 40-minutes.  This happens like *once or so per week*.  Has become SOP for me.

And.. RE Tamper Protection ("Tamper")/SR:  I still don't see why Norton can't keep Tamper ON yet still let Windows -- and *only* Windows -- do changes to system files.  There just has to be a way to do this.

 

Tks for your input, AllenM -- and good to hear from you again.

 

Robby

Hi Send.... yes, I understand and agree w/your comments.  But.. that still doesn't explain why "Tamper..." has to be turned OFF.  As, I mentioned above, to AllenM, there just has to be a way to keep Tamper ON, but still let Windows (and *only* Windows) change system files.  Seems that Norton could demand that the user provide  prior approval/authorization -- and take responsibility for the outcome -- on such Windows activity.

 

Tks for the input.

 

Robby

@ Surfer:

Exactly -- concerning having to turn "Tamper..." OFF for SR.

And I'm giving some consideration to looking elsewhere for computer security b/c of this reason (and others).  I've had many, many computer security breaches  in the last several years (way, way above "normal" for a just "casual" computer user, IMO).  NIS doesn't seem to "cut it" wrt these breaches.  [In today's dangerous cyber-world, not sure anything is really protective though.]

But, I don't like the "auto turn-off" of Tamper... either.  It should just stay ON during SR -- and have Norton find some way to accommodate this.

 

Do appreciate your thoughts.

 

Robby

Hi Robby,

 

If you look around the forums for threads about "Unauthorized Access Blocked" entries in the Norton Product Tamper Protection logs you'll see that a large number of recurring blocks have to do with Windows processes as the actor.  Not even Windows is allowed to modify any Norton file or process.  Considering how seldom System Restore is used (or should be used) it would seem foolish to me to create a possibly exploitable hole in tamper protection just to eliminate a minor inconvenience that users encounter only infrequently. 

@ AllenM and yank:

 

You both bring up the point about how malware might find a way to turn Tamper... OFF, if Norton decides to automatically turn it off with a SR.  Again, I don't advocate that automatic thing, either.  Just leave Tamper.. ON, period -- *all the time* -- but still let Windows do SR mods.

 

Though I greatly appreciate all of your above thoughts and input about all this, not a single person has given me any "good" reason why Norton can't do this -- leave Tamper ON during a SR (but still let Windows have access).  Perhaps it's a "proprietary" s/w issue w/Norton.  Regardless, I think it makes one's computer system much more vulnerable by doing it the way Norton is doing now.  A real "hole in the armor," that clever, knowledgeable hackers can exploit.

 

Tks to all on this.

 

Robby

@ Send...

 

Yes, am well familiar with that issue on "Blocks" (Firewall Activities).  At one time, was having 50-100 of these "attacks" from TCP's, around the world, every day.  And of course, saw the Windows ones -- which were not really of concern to me then.

 

But, I'm afraid we have a basic disagreement on SR.  I use it *all* the time when I really get in trouble.  It is one of my most important security tools for recovering from system failures.

 

But, arguendo... even if not done very frequently ("low probability of use/need"), the "expected value" on the performance of SR is exceedingly high, to me at least.

 

Still, appreciate your comments. <G>

 

Robby


Robby wrote:
I use it *all* the time when I really get in trouble.  It is one of my most important security tools for recovering from system failures.

Respectfully, you should be more concerned with how you are getting into trouble so often.  I have not needed to resort to System Restore or an image backup in years.  If these are malware issues you are having, you should look into tightening up your security.  Doing things like controlling which sites can use JavaScript in your browser can make an important difference in whether your PC is attacked or not.


SendOfJive wrote:

Robby wrote:
I use it *all* the time when I really get in trouble.  It is one of my most important security tools for recovering from system failures.

SendofJive wrote:

 

Respectfully, you should be more concerned with how you are getting into trouble so often.  I have not needed to resort to System Restore or an image backup in years.  If these are malware issues you are having, you should look into tightening up your security.  Doing things like controlling which sites can use JavaScript in your browser can make an important difference in whether your PC is attacked or not.


"Respectfully, you should be more concerned with how you are getting into trouble so often."

Have been concerned about that for a long time.  And, spent many, many hours on it.  But, to no avail, apparently.

And, I consider myself a very "low profile" and quite careful user of the Web.  Ex-engineer/economist, etc.  We are careful people.

Never do much of anything out of the ordinary that would expose me to security risks.  Mostly do legal research, other law stuff, sports, music videos and Facebook.  Yet, must admit my knowledge of the details concerning things like JavaScript, etc. (and what web-sites I should allow to use such) are just out of my expertise.

So, I have to rely on NIS.  Clearly, that hasn't worked.

Like just now.  I'm doing some Facebook stuff.  Go to the Sys Tray to check on a NIS thing -- and.... NIS is gone.  Just disappeared right in front of my eyes.  This has happened several times before.  (Or, GHOST disappears.) Did a shut-down, cold restart and it's back.  But... what???

I fear that something is rotten in Denmark.

 


Robby wrote:

@ AllenM and yank:

 

You both bring up the point about how malware might find a way to turn Tamper... OFF, if Norton decides to automatically turn it off with a SR.  Again, I don't advocate that automatic thing, either.  Just leave Tamper.. ON, period -- *all the time* -- but still let Windows do SR mods.

 

Though I greatly appreciate all of your above thoughts and input about all this, not a single person has given me any "good" reason why Norton can't do this -- leave Tamper ON during a SR (but still let Windows have access).  Perhaps it's a "proprietary" s/w issue w/Norton.  Regardless, I think it makes one's computer system much more vulnerable by doing it the way Norton is doing now.  A real "hole in the armor," that clever, knowledgeable hackers can exploit.

 

Tks to all on this.

 

Robby


Hi Robby,

 

Sorry, I have to respectfully disagree. Windows has many vulnerabilities over time and if malware managed to take advantage of one of those vulnerabilities and infect your computer, then the malware could use Windows to make unfettered changes to the Norton files. So it really is not as simple as saying that Norton could just allow Windows to change Norton files.

 

I think this reason alone is enough of a reason why Symantec should not make this sort of change.

 

I also do not agree that temporarily turning OFF Tamper Protection puts your computer at greater risk. You took the correct precaution of disconnecting from the Internet before you did this. Nothing from outside can possibly touch your computer when you are disconnected.

 

Just my opinion on the matter. :smileywink:

 

Best wishes.

Allen

And, your opinions are always valuable, AllenM. <G>

 

Yeah, maybe you're right about Windows.  Could see how that would be a problem.  Still... I don't like -- and will never like -- the aspect of turning OFF Tamper Protection, period.  I think that is what hit me this latest time.

 

Even though I was not connected to the Web (DSL, etc., off) when Tamper... was disabled, I think that whatever (if) malware inhabits my computer (super-stealth rootkit?), it still zapped NIS by specifically turning off both Intrusion Prevention and Browser Protection, arguably the two most important features of NIS.  Everything else was fine.  That's just too coincidental, IMO, to have been solely a SR "disturbance" of NIS files.

That, plus the prior anomalies that led to all this -- having Real Player and Flash just suddenly go awry, when they have never done that before, and where these problems could *not* be fixed by uninstall/d-l/reinstall -- well, that really makes me think malware started all this, and finished up the job when I did a SR w/NIS Tamper Protection OFF (even with DSL disconnected).

I could envision how such malware would not be solely dependent on my being on-line, to do its damage.  Say, while I am on-line, it sets up some kind of "batch processing" resident program with logic that still works even when I'm off-line.  Something like: "IF System Restore  started, AND Tamper OFF,  THEN Execute X"  -- where X is the commands to disable Intrusion Prevention and Browser Protection in NIS.

Doesn't seem that farfetched to me.

But, I can tell I'm not winning this word-battle to get Norton to keep Tamper ON -- always -- even when doing SR.  Yet, I will continue to think this is a major vulnerability of NIS, with certain kinds of malware (like mine?).  Guess I'll have to just live with it -- if I stay w/Norton.  I don't think to accommodate my request would necessarily be "simple" -- but I'm confident that those genius folks at Norton could do it, if there was a will.

Do so appreciate your input -- and the same from all the others.

 

Kindest Regards,

Robby

Hi Robby,

 

I am certainly not saying you can't have an infection that could wreak havoc while offline. You are correct that if you had already been infected, any malware could still cause harm when you are offline.

 

That said, I can assure you that using SR "can" cause the issue you had with NIS. I've seen a lot of problems associated with the use of SR.

 

As for the issue with Flash and Real Player I would submit that they could experience the same type of issue, especially if there had been updates to either program which included changes to the registry. SR would have restored an older version of the registry which could have impacted either or both programs.

 

Obviously I cannot say for sure that this happened in your particular case, at the moment I'm just speaking of possibilities. :smileywink:

 

If you really do feel and are concerned that you might have some sort of malware on your computer I would suggest that you visit one of the free malware removal sites below. They are experts at this sort of thing and can either confirm that you do have malware and help you remove it or give you a clean bill of health.

 

In either case it would help to give you peace of mind.

 

www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

 

[Links courtesy of Delphinium]

 

Hope this helps and please let us know if you open a ticket with either of the sites above and how things go.

 

Best wishes.

Allen

Yes, tks for your thoughts, AllenM.  And I agree that my problems "could have" been caused by SR -- but, seems like a low probability to me -- esp in light of all the other problems I've had over the years.

From these past malfunctions, I have developed a "correlating factor" to predict when I'm going to be hit w/some kind of problem.  And, it's a pretty strong correlation.  That factor occurred right before my current problems started --- just as it has occurred for the great majority of my past problems.

I keep hoping I'm wrong, and that these are just random events that happen to everyone.  But, more and more, I don't think so.

And, I keep hoping -- that given I do have some resident malware on my computer -- that Norton will find some way to detect and remove it.  Ain't happening.  Been waiting on Norton to do this for several years.

So... my alternatives seem to be:

______________________________

 

1. Shut up, just live with it and don't precipitate the "correlating factor" that I think causes it.

Whoever put this thing on my computer does not seem intent on causing catastrophic failure of the system.  Rather, it seems the intent is just to vex and annoy me -- esp whenever I do the "correlating" thing.  I'm usually able to fix the issue -- though it can be quite time-consuming, and keeps me from doing more important things.

And, there is sort of a "freedom of expression" issue too -- if I express my thoughts on certain things (the "correlating factor"), it clobbers me.  That sux  -- to not be able to express reasonable, well-thought out, moderate opinions about things.

Also, who is to say that this malware won't turn really malevolent, at any time, and wipe out my system.  I'm sure it could do that, if it wanted.  So... I never know from one day to the next if I'll have a functioning computer when I start it up.

2. Use the links that you have provided (and, in the past, Delphinium -- tks Del) to see if they can remove whatever is there.  Likely such an effort will take a *lot* of time on my part.  Time is in very short supply for me, right now.

And, I have made some considerable efforts on detecting/removing this in the past (though not with your above links), and all I got was system crashes.  This malware does not like to be messed with.  If you get even close to detection, it crashes the system.

So, I think if I get really, really close to disabling this malware (with help from your links), it seems quite likely that the malware will do a "poison pill" thing, and completely destroy my system.  Thus, no computer.  That's bad.

 

3. Take the computer into a local computer shop and let them try and find/fix the malware.  If it destroys my computer, these guys would likely know how to fix even that.  Much $$$ methinks, though.  Money is quite tight for me.  And, I'd be w/o a computer for maybe several weeks -- or more, given the computer shop's work backlog.  That's not acceptable.

4. Buy a new computer and reload, re-install everything.  Again, a big time-effort on my part -- researching which computer to buy, re-learning Win 7, trying to get some of my old hardware and software (critical to my Art Business) to work with Win 7, etc, etc.

Then, there is the cost -- easily in the $500-700 range.  Again, money is a real problem.

Yet, a new computer would solve the #3 (above) problem of not having a computer to use while this one is being repaired.  But, assuming this computer would be fixed, I'd then have (2) computers.  I don't need (2) computers.  Selling this old 2004 "boat anchor" would be unlikely.
________________________________

And, for items 2-4, above, there doesn't seem to be any guarantee that whoever put this on my system, won't just do it again, when the computer is "fixed."  So, I'd be back to zero -- well actually, quite "negative," considering the time and money spent.  This malware was able to avoid detection by NIS on installation, and it has completely avoided detection since then, too -- by anything I've tried so far.  Why wouldn't this happen again, on my fixed computer?

 

What to do??  I'm thinking about it.  Would welcome any ideas.

 

And, finally -- thank you, one and all, for the time and trouble you have spent trying to help with my problem.  As a very small token of appreciation, I would be pleased to buy any of you a nice breakfast or lunch if you ever get to Santa Fe.  Would be a pleasure to meet you.

 

Kindest Regards,

Robby