My computer is being attacked but all my scans are clean.


5 replies to this topic

#1 jocose

jocose


Posted 14 July 2011 - 01:19 AM

My computer is being attacked but all my scans are clean.

Every scan I run says my computer is clean but my Norton security is constantly blocking
attacks. The information below is from one of the attacks in my recent history.
------------------------------------------------
Severity- Medium
Activity- Unauthorized access blocked (Open Process Token)
Status- Blocked

Actor -C:\Program Files\Microsoft Security Client
Antimalware\Msmpeng.exe

Target- C:\Program Files\Norton Internet Security \Engine\18.6.0.29\ccSvcHst.exe
------------------------------------------------
I went back in my history and found out that this started about 3 months ago.
I've tried different scans but nothing is helping.
So far it seems like my Norton is blocking everything but now I'm having connection problems
where I lose the website I'm on.

Thanks in advance,
Jo



#2 quietman7

quietman7


Posted 14 July 2011 - 08:08 AM

"Unauthorized access blocked (Open Process Token) Blocked" notifications are caused by other programs and applications accessing Norton's files and the event is logged by Norton Product Tamper Protection (NPTP).

Norton Product Tamper Protection prevents outside agents from interfering with Norton's operations by blocking or limiting the access that other programs have to Norton files and processes. This technology is essentially a self-protection feature against any program (good or malicious) which may attempt to access and modify Norton files.

Your Norton security products contain tamper protection features that prevent malicious code from determining their status. This tamper protection also prevents the Windows Security Center from determining the status of your Norton security products.

FAQ - Norton Products

It is not uncommon for legitimate programs (to include Windows itself) to attempt access, get logged by NPTP for doing so and appear repeatedly in these logs. As long as the Actor file identified in the log is a legitimate program you recognize, there is no need for concern about the notification as it is normal and expected behavior for Symantec (Norton Internet Security) users. I do not use Symantec products but have read that if you click on an event, then click on "Details" more information is available about what actually occurred.

ccSvcHst.exe is related to the Symantec Service Framework and displays the GUI (Graphical User Interface) of Norton Security Suites.

Msmpeng.exe is the process used by Windows Defender and Microsoft Security Essentials to scan for and deal with malware (remove, quarantine, prevention).

See this Norton discussion thread which talks about Norton Tamper Protection and Open Process Token Options.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
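
An added example, not part of the thread: one way to check that the Actor named in a tamper-protection alert is the legitimate program it appears to be, as post #2 advises, and to see whether more than one anti-virus product is registered. The helper names are hypothetical and the alert text is a constructed sample modelled on the one in post #1.

```powershell
# Constructed sample, modelled on the alert quoted in post #1 (paths written on one line).
$alert = @'
Severity- Medium
Activity- Unauthorized access blocked (Open Process Token)
Status- Blocked
Actor- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
Target- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
'@

# Hypothetical helper: pull one "Name- value" field out of the pasted alert text.
function Get-AlertField {
    param([string]$Text, [string]$Name)
    $pattern = '(?im)^\s*' + [regex]::Escape($Name) + '\s*-\s*(.+?)\s*$'
    $m = [regex]::Match($Text, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# Hypothetical helper: does the Actor exist on disk, and who signed it?
function Test-AlertActor {
    param([string]$Path)
    $r = [ordered]@{ Path = $Path; Exists = $false; Signature = 'NotChecked'; Signer = $null }
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $r.Exists    = $true
        $r.Signature = $sig.Status      # 'Valid' = file unmodified and chain trusted
        if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]$r
}

$actor = Get-AlertField -Text $alert -Name 'Actor'
Test-AlertActor -Path $actor | Format-List

# Assumption: client edition of Windows, where Security Center exposes this WMI namespace.
$av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
$av | Select-Object displayName, pathToSignedProductExe | Format-Table -AutoSize
if ($av.Count -gt 1) {
    Write-Warning "$($av.Count) anti-virus products are registered; alerts between them are expected."
}
```

An Actor that is missing from disk, unsigned, or signed by an unexpected publisher is the case that deserves a closer look.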

#3 jocose

jocose

Posted 14 July 2011 - 08:21 PM

Hi quietman7,

Thank you for responding so quickly.
I'm relieved that it wasn't a virus or malware. I was starting to give my DH nasty looks even
though he swore he hadn't used my computer to go online. :)

I did get the Uniblue Registry Booster. It cleaned out a lot of errors and my computer seems to be
responding faster.

Can I remove msmpeng.exe? Even though I know what it is, I still want to stop it.
I removed Windows Live OneCare Safety Scanner from my programs but I still have Microsoft
Security Essentials.
Since I have Norton, I figure I can just remove Microsoft Security Essentials. I don't need both
of them and I've read that programs like that can work against each other.

Thank you again,
Jo

#4 quietman7

quietman7


Posted 15 July 2011 - 06:20 AM

"Can I remove msmpeng.exe? Even though I know what it is, I still want to stop it."

Not unless you uninstall MSE as it is required to scan for and deal with malware.


"Since I have Norton, I figure I can just remove Microsoft Security Essentials. I don't need both"

That is correct. Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously and issues with Windows resource management. Even if one of them is disabled for use as a stand-alone scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "False Positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that virus or suspicious file. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found when that is not the case.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of others and may insist they be removed prior to download and installation of another. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms while trying to use it.

Using Norton with MSE is most likely causing a conflict and the reason for the Norton Product Tamper Protection notifications. To avoid these problems, use only one anti-virus solution.

Anti-virus vendors recommend that you install and run only one anti-virus program at a time. You can always supplement your anti-virus by performing an Online Virus Scan.


"I did get the Uniblue Registry Booster. It cleaned out a lot of errors and my computer seems to be responding faster."

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

1. Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

2. Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

3. Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

4. Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

5. The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.



#5 jocose

jocose

Posted 16 July 2011 - 01:24 AM

Hi quietman7,

Thank you again. I've removed the MSE and the "attacks" have stopped. I appreciate your help.
Also, thank you for the link to the free online scanners article.

Have a good weekend,
Jo

#6 quietman7

quietman7


Posted 16 July 2011 - 06:04 AM

You're welcome.