Has there been a change to the Norton Product Tamper Protection feature recently?
As of yesterday, I'm no longer receiving any 'Unauthorized access logged' records under this Security History selection. Instead, programs that normally recorded a 'logged' message in the Security History are now being blocked ('Unauthorized access blocked'). As a result, NIS is generating an excessive number of 'Unauthorized access blocked' messages in the Security History for these programs.
So my question is: when was the last time you saw an 'Unauthorized access logged' message? Open NIS, click 'History' and select 'Norton Product Tamper Protection' in the 'Show' dropdown box. In the 'Quick Search' box, type 'logged' and press enter. For those interested in pursuing this, please advise the last 'Date & Time' shown in the History for the 'Unauthorized access logged' record, together with the current 'Date & Time'. This would help in determining whether a faulty update has been released, i.e. 'Unauthorized access logged' has stopped for everyone, or if the issue is just confined to this PC.
In NIS 2010, the last entries I see as "Logged" are from 6/14. Since that time similar "Actors" are marked "Blocked".
There is a possibility this is a product improvement. In NIS 2011 Beta, ALL entries have a "Blocked" status since installation on 6/5. (This is just a guess on my part)
I will see if I can get more information on this for you.
I'm not aware of any changes of this type but I can look into it. There is an important factor missing from descriptions though -- the action. For the activity I see (in the beta build) "Unauthorized access blocked (Access process data)" and when I look at More Details for that item I see that Action says "Access Process Data". Different types of actions will draw different types of responses.
Let's wait 'til I hear back from the base team before gathering logs. I was just pointing out previously that you should also mention the actual Action that is being blocked in addition to the Actor and Target.
On initial blush observation by elsewhere appeared to have merit...on closer inspection of More Details unable to reconcile the exact same Product Tamper Protection Activity having changed from Logged to Blocked.
Not the action the product took, but what Action the Actor was taking (the part in parens on the first screen or listed after "Action" on the More Details screen).
I was comparing Unauthorized Access Logged (Access Process Data), as 99% of my History is (Access Process Data).
Is this to what you were referring?
That is exactly what I was referring to -- Access Process Data. Thanks!
It does appear that there was an update on Monday to the Access Process Data handling and you should no longer see "logged" for this type of access. What was "logged" in the past will now be reported as Blocked but the behavior should be the same in all other respects.
Reese - the behaviour has changed for me with this update. Below is a list showing the number of records written to the Security History for one particular application that triggers a Tamper Protection event. Prior to the change, the number of records recorded is very low for this application. After the change, the numbers jump dramatically.
This is making the Security History rather unreadable. Any ideas?
Access Process Data
Date & Time Unauthorized access blocked Unauthorized access logged
14/06/2010 08:10 4
14/06/2010 08:13 3
14/06/2010 08:47 1
14/06/2010 09:13 1
14/06/2010 09:29 7
14/06/2010 09:36 4
14/06/2010 16:32 6
14/06/2010 17:13 3
14/06/2010 17:15 1
15/06/2010 06:14 1
15/06/2010 06:41 3
15/06/2010 06:50 1
15/06/2010 18:40 4
15/06/2010 18:41 30
15/06/2010 18:42 7
15/06/2010 18:47 29
15/06/2010 18:48 38
15/06/2010 18:49 36
15/06/2010 18:54 36
15/06/2010 18:55 14
15/06/2010 18:57 28
15/06/2010 18:58 2
15/06/2010 19:18 13
15/06/2010 19:28 6
15/06/2010 19:29 15
15/06/2010 19:30 20
15/06/2010 19:32 5
That's interesting. Again, I'll have to consult with the base team as to why the overall numbers might have increased but it might just be a machine usage item.
P.S. Are you sure that it is the exact same application and associated DLLs? M.S. patch Tuesday may have changed the application behavior around the same time that you received this logging change.
Hi Reese
Yes, it is the same application that is generating the 'Unauthorized access blocked' messages in the Security History log. As for the DLLs, I can't really comment as the Security History records don't provide details at this level to enable a comparison.
Did your team provide any suggestions as to a reason why the numbers have changed so dramatically? For the period 19 June to 22 June, I now have 2386 'Unauthorized access blocked' records for this application recorded in my Security History. Is this potentially a bug as, prior to the change, hardly any records were recorded at all?
Was there a particular reason for this change in behaviour from 'Logged' to 'Blocked'? Is 'Unauthorized access logged' now a thing of the past?
They didn't expect any additional events to be recorded. It seems like the behavior of the application in question changed somehow.
Yes, there was a reason for the logging text change from Logged to Blocked, but nothing that you can see in your product. Besides, 'blocked' is more appropriate because the 'write' or 'delete' access that was requested was blocked. In the current and beta Norton products you will no longer see 'logged' for these types of events.