Unauthorized Access in Norton?

blackangst1

So I was looking through my logs, and found these. I have no idea what they mean. I'm up to date on definitions, and use SAS for scans. I also ran a HJT and didn't see anything unusual. Any ideas? I'm using Vista 32bit, Norton Security 2007.

Event Details:
Actor: C:\PROGRAM FILES\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE (PID=1092)
Target: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped

Event Details:
Actor: C:\PROGRAM FILES\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE (PID=1092)
Target: C:\Windows\TEMP\symlcsv1.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped

Event Details:
Actor: C:\WINDOWS\EXPLORER.EXE (PID=2024)
Target: C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
Action: Unauthorized access
Reaction: Unauthorized access stopped

Event Details:
Actor: C:\WINDOWS\EXPLORER.EXE (PID=2024)
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped

Event Details:
Actor: C:\PROGRAM FILES\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE (PID=1060)
Target: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped

Event Details:
Actor: C:\PROGRAM FILES\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE (PID=1060)
Target: C:\Windows\TEMP\symlcsv1.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped

Event Details:
Actor: C:\WINDOWS\EXPLORER.EXE (PID=556)
Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped

Event Details:
Actor: C:\PROGRAM FILES\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE (PID=1108)
Target: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped



These are just a few. There are about 25 entries with 3 or 4/day going back to Jan 31. I don't recall anything I may have done then. I surf safe, don't go to any hacking or porn sites (that's what newsgroups are for LOL). I'm thinking maybe they are just like port scans, Norton stopped it, and not to worry?
 

mechBgon

In point of fact, you could hit a full-on exploit site by Googling for something as innocuous as "blueberry jam" these days, so don't place excessive faith in "safe-surfing" habits by themselves.

My guess is that those entries aren't a big deal. Maybe bsobel has more on that. I occasionally saw similar stuff in Kaspersky's logs when I was using Kaspersky antivirus software, as part of its self-protection behavior.
 

gsellis

jfgi? :p

I did on the EXE

You will probably have to whitelist the Quickcam app as it attempts to subclass a bunch of system processes (not my idea of well behaved). But it is apparently expected behavior. The other solution is to remove Quickcam.

And relax on the Explorer one, we see this in CSA too. I think it is a flaw in the read properties. A drive search will also get an iexplorer error on about 3 system files for about the same reason.
 

bsobel

Originally posted by: blackangst1
Thanks guys

Gsellis covered it well. What you're seeing is Symprotect stopping (at the kernel level) access from one user mode application into our application. We do this to prevent threats that attempt to simply 'turn us off' when they activate. Some applications (as you are seeing) do this for legitimate reasons; however, we don't crash them, we fail them with a standard access denied error. In the cases we know of, the applications continue on properly (but, for example, an app that has a keyboard hook may not perform its action while our window is receiving input, since we disallow the hook from our address space, etc.)

Bill