Unauthorized Access Logged: msiexec.exe

OK so looks like there are lots of legit reasons why unauthorized access could be triggered.  I’ve read that mrt.exe can do it.  However, I’ve gotten one that I did not see a lot of traffic on - msiexec.exe.  Both out of the system32 folder and out of the syswow64 folder.  Can I sleep at night?


dbrisendine wrote:

If your malware scans (Norton and others, if you have them) are clean, then yes. 

 

 


And , do you see or feel any strange behaviour? Than it looks like you are safe

Thanks for the quick replies.  No strange behavior that I have picked up - just checking with the smart people.  Any quick explaination as to why msiexec would trigger it?

Are you getting a logging about Unathorized Access Blocked messages?  Then the MS installer is trying to access the Norton process; Norton is protecting itself.  As to what the MS install service / process is doing, I think you would have to check with MS on that.

OK so looks like there are lots of legit reasons why unauthorized access could be triggered.  I’ve read that mrt.exe can do it.  However, I’ve gotten one that I did not see a lot of traffic on - msiexec.exe.  Both out of the system32 folder and out of the syswow64 folder.  Can I sleep at night?

Hi Hi_deer,

 

I think, this is similar to the following thread:

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=28660

 

msiexec.exe belongs to the Windows Installer Component and is used to install new programs that use Windows Installer package files (MSI). For it's functioning, the Windows Installer may need access to ccsvchst.exe file from Norton program at different occasions. Here the Norton Product Tamper Protection in Norton Internet Security 2009 logged it as an unauthorized access as the target is a Symantec file. Norton Product Tamper Protection will block any processes or services that attempt to access or change Norton files. Here the access is Logged, NOT Blocked. Logged, however, does a bit more than simply logging the event. The actor is allowed to do whatever it was trying (open a thread or process for example) but with its access rights reduced so that it can't tamper with the Symantec resource. No need to worry about this and you are Safe to go.

 

Yogesh

I'll provide a little bit more information - this is an unauthorized access logged - I have had nothing blocked.  The "actor" was syswow64\msiexec.exe, the target was my \Norton Ghost\Agent\VProTray.exe.  Another time, system32\msiexec.exe was the "actor" and \Norton Ghost\Agent\VProSvc.exe was the "target".  I've also had a number of mrt.exe.  It is puzzling to me that I would see such random events which is why I am curious as to why msiexec would need to access these processes. 

As stated in post #6, this is just logging of the access attempt.  Since not blocked, the access was granted but no changes where allowed.  Possibly, the MS installer service wants to catalog what has been installed (do you have MS Installer cleanup installed?).  Until you research what MSI wants (have to ask Microsoft on that one), I would not allow the action full access.  Possibly, the repeated attempts will go away once the change is made to the files (could be tagging the process to say it is cataloged) but we can not say due to the uncertain workings of MS software.