Norton 360 reports TThrottle virus-like activity

Started by SafeOnline, June 13, 2015, 11:39:58 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

SafeOnline

June 13, 2015, 11:39:58 PM
When I run Security History in Norton 360 aka Norton Security Suite I see that every 1-3 seconds, without letup, TThrottle tries to access process data, but is blocked. The target is n360.exe, the executable for Norton itself.  Norton reports the activity as: Unauthorized access data blocked (Access Process Data).  The severity is called medium.  The default Security History scan is Recent History, which contains the last 2 pages of 100 entries each.  When TThrottle is running, page 1 is all about TThrottle being blocked, and it covers roughly 3-4 minutes of data collection.  It doesn't spill over onto page 2, fortunately.  The addition of every new unauthorized access attempt results in the oldest attempt being deleted.  Of course, any other type of activity, benign or not, that occurs within the 3-4 minute window is lost also.

Why is TThrottle even doing this?

fred

#1
June 14, 2015, 12:36:35 PM
Quote from: SafeOnline on June 13, 2015, 11:39:58 PM
Why is TThrottle even doing this?
I need more than that to answer.
Can you send met the log, my e-mail is in the about box at the end....
What I need to know is access to a specific port etc access to what process data.

1) Do you use BOINC and have you set "Connect with BOINC client" at the BOINC tab?
2) Any rules in the Rules tab?



fred

#2
June 17, 2015, 06:27:20 AM
1) TThrottle uses port 31416 or any other set by the user. This port is used to connect to the BOINC client.
2) It uses port 80 to check for any updates, but does so only when a user clicks on the check update button.
3) The program needs to check the system PID list in order to check if any exe has any child processes.
Some BOINC projects use a wrapper that starts a number child processes.
So TThrottle contacts the BOINC client gets the PID of the wrapper, next it has to run down the entire PID list to check if any one of them is a child process.
That may be why you get Access Process Data of n360.exe because it's in the PID list to scan.
4) The exe and driver are signed with a certificate, so the program is traceable and any unauthorized changes show up.

SafeOnline

#3
June 17, 2015, 09:54:24 PM
Currently I'm always running 3 instances of a process that uses a wrapper, so 3 instances of the wrapper.  Thanks for the explanation.
Print
Go Up Pages1
User actions