Norton Tamper Protection Log

Discussion in 'Prevx Releases' started by davidbaldwin, Feb 13, 2011.

Thread Status:
Not open for further replies.
  1. davidbaldwin

    davidbaldwin Registered Member

    Re: A Bit Disappointed With Support

    Check your Norton Tamper Protection log :rolleyes:. I am not bashing Prevx. I have used Prevx for years since it was recommended to me. The concept is great. I want Prevx to work and succeed. The way it is "supposed to" co-exist with other security products is highly desirable, especially considering that a multi-layered approach to malware protection has been shown superior to relying on a single protection product. On the other hand, I hate that Norton360 is such a monster program, but I use it because it has saved my a$$, and (version 4) has some really nice features.

    But there are some programs which constantly "test" Norton's self-protection by incessantly knocking on ccsvchst.exe's door, and Prevx is one of them. An analysis of my Norton Product Tamper Protection log shows that GOOGLEUPDATE.EXE is blocked EVERY 60 MINUTES. Even Windows' own SERVICES.EXE and DLLHOST.EXE are blocked on an IRREGULAR basis (once or twice per day).

    However, PREVX.EXE is a true regular in this Norton Tamper Protection log, more than any other program including GoogleUpdate. My recent experience mentioned in this forum about my BSOD (blue screen due to a stray issue identified by PrevxHelp and Prevx support) occurred after Windows started hanging at the "Microsoft Corporation" green bar while starting Windows Vista normally. Following 2 Feb at about 9:35am, I could no longer start Windows normally - only in Safe Mode, until I uninstalled Prevx (in safe mode).

    PrevxHelp and Prevx Support were both involved in the analysis of my mini.dmp files. (Thanks :D ) However, I have just uncovered these Norton logs tonight, which document unusually excessive unauthorized access by PREVX.EXE. They show that PREVX was blocked hundreds of times in a matter of minutes on 22 Jan and again at certain times between 1 Feb and 2 Feb. I'm unsure of the exact timings, but I suspect this occurred when Windows was hanging and failed to start normally. I'd had one earlier instance (suspect 22 Jan) and then blue screens and Safe Mode only following 2 Feb.

    I reinstalled PREVX on Feb 13 for the purpose of re-uninstalling it. Uninstall actually hung and I had to reboot before I could uninstall it. I have not achieved a perfect uninstall as pxrts.sys is STILL in my system32\drivers folder. Example of Norton Product Tamper Protection log:

    Category: Norton Product Tamper Protection
    Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Target PID,Action,Reaction,Terminal Session

    2/13/2011 1:02 AM,Medium,Unauthorized access blocked (Access Process Data),Blocked,No Action Required,"Sunday, February 13, 2011 1:02 AM",C:\PROGRAM FILES\PREVX\PREVX.EXE,5096,C:\Program Files\Norton 360\Norton 360\Engine\4.3.0.5\ccsvchst.exe,2072,Access Process Data,Unauthorized access blocked,1

    Typically, entries in this log are considered relatively harmless. Programs knock and Norton doesn't give them access, but logs who they are. On Jan 22, the log shows Prevx knocked 146 times in 60 seconds. Yes, that's a log entry similar to the above repeated 146 times during the same minute. The log shows repeats of this excessive behaviour for durations of 4-6 minutes.

    I will email Prevx Research with the excessive portions of my Norton Tamper Protection log (.txt) with a link to this post. I will also try to re-install / uninstall Prevx again and send the initial scan log. For now, Prevx will remain off this system (I'm waiting for Prevx4 :thumb: ). I'm still not convinced SafeOnline is without its bugs either, as I recently reported suspicions that it caused "Internet Explorer (Not Responding)", in a different thread.

    For PrevxHelp, it would certainly be helpful for Norton-Prevx co-existence if PREVX.EXE could avoid the consistent listing in the Norton Tamper Protection log. Although harmless when not excessive, it does show conflict. It seems like I've been typing for an hour, so I'll shut up now and send those logs. Besides, the Grammys are on TV :cool:
     
    Last edited: Feb 14, 2011
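
The per-minute counting described in the post above can be reproduced from the CSV export with a short script. This is an added example, not part of the original thread or of either product; the sample rows are constructed in the shape of the quoted entry, the GOOGLEUPDATE.EXE and SERVICES.EXE paths are placeholders, and the burst threshold of 60 blocks per minute is an assumption.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Header row copied from the log excerpt quoted in the post.
HEADER = ("Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,"
          "Actor PID,Target,Target PID,Action,Reaction,Terminal Session")
TARGET = r"C:\Program Files\Norton 360\Norton 360\Engine\4.3.0.5\ccsvchst.exe"

def _row(time, actor, pid):
    # One constructed entry in the same shape as the quoted one (22 Jan 2011).
    return (f'1/22/2011 {time},Medium,Unauthorized access blocked (Access Process Data),'
            f'Blocked,No Action Required,"Saturday, January 22, 2011 {time}",'
            f'{actor},{pid},{TARGET},2072,Access Process Data,'
            f'Unauthorized access blocked,1')

def constructed_sample():
    # Constructed data: one 146-event minute plus sparse background entries.
    rows = ["Category: Norton Product Tamper Protection", HEADER]
    rows += [_row("12:45 PM", r"C:\PROGRAM FILES\PREVX\PREVX.EXE", 5096)] * 146
    for t in ("12:00 PM", "1:00 PM", "2:00 PM"):
        rows.append(_row(t, r"C:\EXAMPLE\GOOGLEUPDATE.EXE", 1234))  # placeholder path
    rows.append(_row("9:17 AM", r"C:\EXAMPLE\SERVICES.EXE", 600))   # placeholder path
    return "\n\n".join(rows)  # blank lines between entries, as in the quoted excerpt

def blocks_per_minute(log_text):
    """Count blocked events per (actor image name, minute)."""
    body = log_text[log_text.index("Date & Time,"):]  # skip the "Category:" line
    counts = Counter()
    for row in csv.DictReader(io.StringIO(body)):  # csv handles the quoted Date field
        if row["Status"] != "Blocked":
            continue
        minute = datetime.strptime(row["Date & Time"], "%m/%d/%Y %I:%M %p")
        actor = row["Actor"].rsplit("\\", 1)[-1].upper()
        counts[(actor, minute)] += 1
    return counts

def bursts(counts, threshold=60):
    """Entries where one actor reaches `threshold` blocks in a single minute."""
    return sorted((a, m, n) for (a, m), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for actor, minute, n in bursts(blocks_per_minute(constructed_sample())):
        print(f"{minute:%Y-%m-%d %H:%M}  {actor}  {n} blocks")
```

Because the log only records timestamps to the minute, one minute is the finest bucket available; hourly or once-a-day entries stay well below the threshold and are not reported.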
  2. pegas

    pegas Registered Member

    Re: A Bit Disappointed With Support

    Yes, I know, but even though Prevx is continuously "testing" Norton's Tamper Protection, I am experiencing no problems, no slowdowns, no hiccups. In short, if I had not known about this behaviour from the log, I wouldn't know it exists.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    I've split these posts into a new thread for clarity :)

    The Norton Tamper Protection Log is logging whenever Prevx attempts to scan its memory or access modules as they're being loaded into it. Prevx is not trying to test Norton's protection and this isn't indicative of an incompatibility - just the normal procedure for a security program (you should see what Norton tries to do to Prevx's memory :)).

    You may be able to add Prevx to an exclusion list within Norton to prevent it from logging the event, but the only slowdown or incompatibility that would occur would be the fact that they're writing to a log whenever Prevx scans their memory - otherwise the two should coexist very peacefully.

    Let me know if you have any questions!
     
  4. davidbaldwin

    davidbaldwin Registered Member

    Thanks for the clarification Joe.

    I still suspect the excessive logging (Jan 22, 12:45pm, 146 blocks logged in 1 minute, as emailed to you) was telling a different story prior to my blue screen problems, but in general, I agree these logged events are harmless and as you describe :thumb:

    I look forward to running Prevx again with no issues. You're a big help, and whatever they're paying you I'm sure it's not enough ;)
     