Hi I'm wondering if you can help me out here, maybe with a dumb question but who knows. I am using NIS 2009 and run liveupdate every day with scans only finding tracking cookies and occasionally (like once every 4 months if that) getting an alert of a trojan being blocked or of someone attempting to hack me but being blocked. (again, extremely rare).
After finding that a webpage I often visit contained a trojan last week (though I'm fairly certain I did not access it on those days) I was running a scan and checking through the history just in case.
While going through the history, I found a lot of the following:
Risk Level - Medium, Activity - Unauthorized Access Blocked (Send Terminate message to window).
and:
Risk Level - Medium, Activity - Unauthorized Access Logged (Open Process or Open Thread)
All of these logs show .exe's accessing ccSvcHst.exe in \Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (it is sometimes \16.1.0.33\ccSvcHst.exe).
History shows at least 4 of these logs per day going back to 29th October. I'll summarise them since there are at least 50 entries, so apologies for the long-winded approach.
The following .exe's are the ones mentioned as the Actor:
1) svchost.exe - 2 entries only, 1st one only logged, 2nd one (at same time/date as the logged) blocked.
2) explorer.exe - lots of entries, all blocked, sometimes shows as attempting to access different Norton files, for instance HSLoader.exe and MCUI32.exe (same file location as ccSvcHst.exe for both), but 90% of the time it is accessing ccSvcHst.exe.
Now for the ones I'm more concerned about, those logged, but not blocked:
1) drwtsn32.exe - the most numerous entry again for the logged but not blocked. As far as I understand drwtsn is a debugger from windows and so a legitimate application, what it is doing trying to access ccSvcHst.exe is another matter.
2) fm.exe - This is the executable from a demo of a computer game (Football Manager 2009) that was downloaded and installed via Steam on the 3rd November; all the entries for this item are within 3-4 days of it being installed.
3) adobeupdater.exe - located in program files\common files\adobe\updater5. Again, as far as I know this is a legitimate .exe, but why is it accessing ccSvcHst.exe?
4) msiexec.exe - located in \windows\system32. The sole entry for this occurs exactly one minute after the sole entry of adobeupdater.exe, so I'm assuming it's connected to that.
5) mrt.exe - again located in \windows\system32, only one entry. I don't know if it's significant, but this occurred at 0:34 on the 13th, and the next entry for anything unauthorized is 0:40 on the 14th, which was an explorer.exe blocked. Whereas most days there are 4 or so entries, the 13th only has this one, logged, entry.
Both the Actor and Target PID are rarely the same from one entry to the next.
Now basically, I may be panicking over nothing, but there's a few reasons for it.
1 - It says Unauthorized access (implies something is a bit messed up/confused at the very least, if not infected/hacked/hijacked) but it only logs them, while it blocks others. It gives no reason for why some are blocked and others are merely logged, which leads me to only two possible conclusions - it knows it's a legitimate occurrence so it just logs it for tidiness' sake, or it knows it's not supposed to do that but is somehow unable to block it (which would be rather bad...).
2 - Open Process/Open Thread are labels that don't mean a whole lot. Open process I would assume means it is a .exe that is running currently, but what on earth does open thread mean?
3 - As far as I know, this is all to do with Norton's Anti-Tamper software, which is there to stop viruses/people disabling the anti-virus to allow them to infect the system. If that's the case, why all the 'unauthorized access logged' instead of just everything getting blocked?
4 - the big one. Is there any reason at all why these .exe's would be attempting to access those particular Norton files unless there was something wrong?
Thanks in advance.
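As an added example (not part of the post above, nor Norton's own tooling), the script below shows how a reviewer would triage a history like this: it parses entries in the layout the post describes, counts blocked versus logged accesses per actor, and lists the logged-only actors that live outside the Windows directory, which is where to look first. The exact line layout, paths and PIDs are constructed assumptions, since the post only paraphrases the entries.

```python
import re
from collections import defaultdict

# Constructed sample entries in the shape of the NIS 2009 history lines the post describes
# (not real log output; the field layout, paths and PIDs are assumptions made up for the example).
SAMPLE_HISTORY = r"""
12/11/2008 09:15 | Risk Level - Medium | Activity - Unauthorized Access Blocked (Send Terminate message to window) | Actor: C:\WINDOWS\explorer.exe (PID 1832) | Target: C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (PID 1476)
12/11/2008 17:02 | Risk Level - Medium | Activity - Unauthorized Access Logged (Open Process) | Actor: C:\WINDOWS\system32\drwtsn32.exe (PID 2204) | Target: C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (PID 1476)
13/11/2008 00:34 | Risk Level - Medium | Activity - Unauthorized Access Logged (Open Thread) | Actor: C:\WINDOWS\system32\mrt.exe (PID 1920) | Target: C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (PID 1476)
05/11/2008 20:11 | Risk Level - Medium | Activity - Unauthorized Access Logged (Open Process) | Actor: C:\Program Files\Steam\steamapps\common\football manager 2009 demo\fm.exe (PID 3300) | Target: C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe (PID 1476)
"""

ENTRY_RE = re.compile(
    r"^(?P<when>\S+ \S+) \| Risk Level - (?P<risk>\w+) \| "
    r"Activity - Unauthorized Access (?P<outcome>Blocked|Logged) \((?P<action>[^)]+)\) \| "
    r"Actor: (?P<actor>.+?) \(PID (?P<actor_pid>\d+)\) \| "
    r"Target: (?P<target>.+?) \(PID (?P<target_pid>\d+)\)$"
)

# Executables under the Windows directory (Explorer, Dr Watson, Windows Installer, MRT) routinely
# open other processes to query them; this is a triage heuristic only, not a clean bill of health.
OS_DIRS = ("c:\\windows\\",)

def parse_history(text):
    """Return one dict per line that matches the entry layout; unmatched lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def summarise_by_actor(entries):
    """Aggregate per actor executable: blocked vs logged counts, actions seen, Norton targets seen."""
    summary = defaultdict(lambda: {"blocked": 0, "logged": 0, "actions": set(), "targets": set()})
    for e in entries:
        name = e["actor"].rsplit("\\", 1)[-1].lower()
        s = summary[name]
        s[e["outcome"].lower()] += 1
        s["actions"].add(e["action"])
        s["targets"].add(e["target"].rsplit("\\", 1)[-1].lower())
    return dict(summary)

def review_candidates(entries):
    """Logged (not blocked) accesses from actors outside the Windows directory: check these first."""
    flagged = set()
    for e in entries:
        actor = e["actor"].lower()
        if e["outcome"] == "Logged" and not actor.startswith(OS_DIRS):
            flagged.add(actor.rsplit("\\", 1)[-1])
    return sorted(flagged)
```

Running it over a real export means adapting ENTRY_RE to the column layout Norton actually writes; the aggregation and the allow-list heuristic stay the same.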