Anyone an expert on Norton Personal Firewall?
Category: Windows Security
Are there any Norton firewall experts out there who can tell me why I'm unable to stealth-block a persistent Trojan scanner?
 
OS is Win2K SP3. The firewall app is Norton Personal Firewall, part of Norton Internet Security. I've ensured that the firewall is reasonably well configured.
 
The problem is that every day now, for about six months, I'm continually bombarded with Trojan attacks. These are blocked by NPF but, with each, an alert is signalled on the screen and has to be investigated and serviced, otherwise (apparently) the block is lifted after 30 mins. But with this obvious scanning Trojan hitting my machine every 15 secs on occasions, I think you can see that this situation's intolerable.
 
The source originates from ever-varying IP addresses and possibly comes from a number of infected machines somewhere on my ISP's customer network. The variation in IP address is very wide and, anyway, many of the addresses are in the same range as that of my ISP, so I can't selectively block.
 
Incidentally, my machine is clean. There are no outgoing comms to unknown machines. Neither is my machine on a network; it's standalone.
 
I traced the incoming addresses as being machines on the same international network as my ISP (Tiscali) but when I informed Tiscali, they didn't want to know. So, I'm left to deal with the problem myself, at my end.
 
In Personal Firewall/Intrusion Protection, I've got the following two settings checked:
 
Detect Port Scan Attempts
Enable Autoblock
 
Autoblock, according to my Norton handbook, prevents a scanned attack from gaining access to the system, so keeping that setting checked seems sensible. However, there's some ambiguity over the "Detect Port Scan Attempts" setting. The handbook recommends enabling this if you want to be notified when the firewall detects a port scan. However, elsewhere, Norton states that Trojans and the like will only be blocked if first detected, which implies that you must always have "Detect Port Scan Attempts" checked.
 
So, what's the correct position, here? Would it be safe to uncheck "Detect Port Scan Attempts" and just keep "Enable Autoblock" checked, so that I don't have to keep servicing the alerts? Or are those two an AND function? I can't test this in any secure way, as I get constantly scanned.
 
What gives with the 30-minute limit on the autoblock? Surely, a firewall, once configured and with an up-to-date database of definitions, should permanently block - period?
 
Incidentally, in the Customise section of Personal Firewall Settings, there's a related setting called "Alert when unused ports are accessed". I've had that unchecked for a long time but it's not stopped the Norton alerts for this Trojan.
                                    
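The post above describes an autoblock that is lifted after 30 minutes and a scanner that returns from ever-varying addresses in the ISP's range. What follows is an added example, not code from the thread and not Norton's implementation: a small model of scan detection plus a time-limited block list, replayed over a constructed alert log. The scan threshold (three distinct ports in 60 s), the 30-minute block lifetime, the log format and the addresses are all assumptions made for the example; the addresses are from documentation ranges, not real hosts.

```python
"""Model of a time-limited autoblock run over constructed alert lines.
Added example, not Norton's implementation: the scan threshold, the detection
window, the 30-minute block lifetime and the log format are all assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log, one inbound probe per line: "<ISO time> <src ip> <dst port>".
# Two sources sit in the same /24 (a stand-in for the ISP's customer range);
# the third is a one-off from elsewhere. Documentation addresses, not real hosts.
SAMPLE_LOG = """\
2004-06-17T10:00:00 198.51.100.10 135
2004-06-17T10:00:05 198.51.100.10 139
2004-06-17T10:00:10 198.51.100.10 445
2004-06-17T10:00:15 198.51.100.10 1025
2004-06-17T10:00:30 198.51.100.10 135
2004-06-17T10:20:00 198.51.100.10 135
2004-06-17T10:31:00 198.51.100.10 135
2004-06-17T10:31:05 198.51.100.10 139
2004-06-17T10:31:10 198.51.100.10 445
2004-06-17T10:31:15 198.51.100.10 1025
2004-06-17T10:32:00 198.51.100.99 135
2004-06-17T10:32:05 198.51.100.99 139
2004-06-17T10:32:10 198.51.100.99 445
2004-06-17T10:32:15 198.51.100.99 1025
2004-06-17T10:33:00 203.0.113.5 135
"""


@dataclass
class Event:
    ts: datetime
    src: str
    port: int
    action: str  # "alert+block" (scan detected), "dropped" (source blocked), "passed" (to normal rules)


def parse_log(text: str) -> List[Tuple[datetime, str, int]]:
    """Parse the constructed format; ip_address() rejects malformed addresses."""
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        ip_address(src)
        probes.append((datetime.fromisoformat(ts), src, int(port)))
    return probes


def run_autoblock(text: str, scan_ports: int = 3,
                  scan_window: timedelta = timedelta(seconds=60),
                  block_ttl: Optional[timedelta] = timedelta(minutes=30)) -> List[Event]:
    """Replay probes through a scan detector plus an autoblock list.

    A source touching scan_ports distinct ports inside scan_window raises one
    alert and is blocked; its later probes are dropped silently until the block
    expires (block_ttl=None means a permanent block). After expiry the source
    has to be detected again, which is what produces a fresh alert."""
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    blocked_until: Dict[str, Optional[datetime]] = {}
    events: List[Event] = []
    for ts, src, port in parse_log(text):
        if src in blocked_until:
            until = blocked_until[src]
            if until is None or ts < until:
                events.append(Event(ts, src, port, "dropped"))
                continue
            del blocked_until[src]  # block lifted: back to square one for this source
        window = recent[src]
        window.append((ts, port))
        while ts - window[0][0] > scan_window:  # forget probes older than the window
            window.popleft()
        if len({p for _, p in window}) >= scan_ports:
            blocked_until[src] = None if block_ttl is None else ts + block_ttl
            window.clear()
            events.append(Event(ts, src, port, "alert+block"))
        else:
            events.append(Event(ts, src, port, "passed"))
    return events


def count(events: List[Event], action: str) -> int:
    return sum(1 for e in events if e.action == action)


def alerts_by_prefix(events: List[Event], prefix_len: int = 24) -> Dict[str, int]:
    """Group alerts by network prefix: scattered sources often collapse into a few ranges."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.action == "alert+block":
            counts[str(ip_network(f"{e.src}/{prefix_len}", strict=False))] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = run_autoblock(SAMPLE_LOG)
    for e in ev:
        if e.action == "alert+block":
            print(f"{e.ts:%H:%M:%S} ALERT {e.src} scanned (last port {e.port}), blocked 30 min")
    print("alerts:", count(ev, "alert+block"), "dropped:", count(ev, "dropped"),
          "passed:", count(ev, "passed"))
    print("alerts per /24:", alerts_by_prefix(ev))
    print("alerts if the block never expired:",
          count(run_autoblock(SAMPLE_LOG, block_ttl=None), "alert+block"))
```

On the sample log the expiring block produces three alerts, two of them from the same source 31 minutes apart, because once the block is lifted the source has to trip the detector again; with `block_ttl=None` the same log produces two. The per-prefix grouping shows the other half of the problem described in the post: the alerts collapse into one /24, but if that range is also the ISP's own customer block a range-wide rule is not a selective block.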
                    Jun 17
Jul 5
Responses to this topic

OP
Jerry, as an aside, in Internet Access Control (IAC), should the application Generic Host Process for Win32 Services be permanently blocked? I've never been sure about that one.
 
Note that, in the Configure button of IAC, the Sokets de Trois v1 trojan is among many that are automatically blocked for the apps in that list. These are, of course, outgoing connections and nothing to do with the inward scans that I'm trying to avoid servicing.
                                                

OP
Hmm, that's interesting. That svchost process has been linked with the picking up of viruses. In various forums, I've seen people commenting on it and, like me, some have blocked Generic Host Process for Win32 Services as a result.
                                                
                                            
OP
I'm afraid you've rather lost me there, Alecstaar. However, I have to admit that, in the user-configurable section of the Norton firewall that deals with outward processes, GHP for Win32 Services is listed, and in such a way that it's clear that normally it's intended to be enabled, not blocked.
 
By having it blocked ever since I last installed Win2K, I've not experienced any problems with processes that have needed to access the Internet.
 
 
                                                
Sorry, I lost track of this thread.
I can't find the box on your version unless I uninstall and reinstall the older version. Not having the time lately has prevented that.
 
Your Generic Win32 Host Process, for Norton Firewall, is your standard loopback connection. It's OK to allow or auto-configure that one.
                                                

OP
Alecstaar,
 
If you're still there, just the other day I tried unchecking the "Detect Scan Attempts" in NPF but found that it certainly didn't turn off the Alerts. I also tried hiding the Alert Tracker but that also was fruitless. The scans continue to come and I continue to get alerts each time from NPF.
 
Fed up with this situation, I went back to Symantec's website and ran a more detailed security check on my machine. The only vulnerability it found was Location Service (loc-srv). I've no idea what that is but, anyway, the Symantec test found that the port on which it runs is open and is vulnerable to hackers. I gather that the port in question (I'm not giving its number here, for obvious reasons) is used to direct Remote Procedure Calls.
 
The remainder of my firewall is completely stealthed, according to the results. So, is there any way that I can close (stealth) that port, and do it without screwing up my Internet usage?
 
                                                

OP
Alecstaar,
 
It might surprise you to learn that, for about 18 months now, I've had Messenger service turned off completely, ie. stopped. I've had it like that in order to stop Messenger-type spam being received. I was plagued with that sort of spam for a long time but finally stopped it in its tracks by turning off Messenger completely.
 
Any more ideas?
                                                

OP
I returned to Symantec's site and did a search on "Port 135" and, lo and behold, an issue concerning its security popped up. Fortunately, Symantec gave clear instructions on how to stealth-block that port within NIS (NPF). I duly made the changes and then went back to Symantec's site and re-ran the online security check. That confirmed the now water-tightness of my firewall.
 
However, it HASN'T STOPPED those accursed alerts!!! They're still occurring.
 
I reckon there must be a bug in NPF and I've now e-mailed Symantec about it. This doesn't affect security, it's more that the constant stream of alerts is terribly annoying and there appears to be no means of turning them off. What seems to be the correct configuration setting for that simply doesn't work. Mind you, my particular version of the firewall is no longer supported by Symantec, so they might have corrected the problem in more recent versions.
                                                
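The online security check mentioned in the two posts above (the one that flagged loc-srv on port 135, and the re-run that confirmed the port as stealthed) reports a port as open, closed or stealthed according to how the host answers a connection attempt. The following is an added example, not Symantec's checker and not code from the thread, that draws the same three-way distinction with a plain TCP connect: a completed handshake means open, an immediate refusal (a TCP RST from the host) means closed, and no answer at all within the timeout means filtered, which is what a scanner report calls stealthed. The host, port and timeout are parameters; the demo constructs its own throw-away listener on the loopback address so it runs offline.

```python
"""TCP port-state probe: open / closed / filtered ("stealthed") verdicts.
Added example, not Symantec's online checker; the demo builds its own listener."""
import socket
from contextlib import closing

RPC_ENDPOINT_MAPPER = 135  # loc-srv / epmap, the port the post ends up stealthing


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a host's answer to one TCP connect.

    "open"        the handshake completes (something is listening)
    "closed"      the host answers with a RST (nothing listening, but the host is visible)
    "filtered"    nothing comes back inside timeout: the packet was dropped, which is
                  what an online check reports as stealthed
    "unreachable" the local OS could not even send the probe (no route)"""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "unreachable"


def visible_to_scanner(verdict: str) -> bool:
    """Open and closed ports both answer, so either tells a scanner a host is there;
    only a filtered port gives nothing away."""
    return verdict in ("open", "closed")


def demo_loopback() -> dict:
    """Probe a throw-away listener on 127.0.0.1 while it is up and again after it is
    closed, so the open and closed verdicts can be seen without any network."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = probe_tcp("127.0.0.1", port)
    after_close = probe_tcp("127.0.0.1", port)  # listener gone: kernel answers with RST
    return {"port": port, "while_listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    print(demo_loopback())
    v = probe_tcp("127.0.0.1", RPC_ENDPOINT_MAPPER)
    print(f"127.0.0.1:{RPC_ENDPOINT_MAPPER} -> {v}; visible to a scanner: {visible_to_scanner(v)}")
```

Two caveats when reading a verdict. A single filtered result is also what you get when the host is down or something on the path drops traffic, so it only demonstrates stealthing if the same host is known to answer on some other port or at some other time. And a firewall drop only changes what the outside sees: the service behind port 135 is still bound locally (on Windows 2000 the RPC endpoint mapper runs inside svchost.exe, the Generic Host Process discussed earlier in the thread), and blocking that process outbound in the firewall does nothing to the inbound listener.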

OP
Yeh, I second that view, Alecstaar. Thanks for your indulgence in this issue.
                                                
                                            
OP
Certainly, since closing that Port 135, the scans have been much less frequent, so it looks as though it was worth all that investigative work, in the long run.
 
Oh, of course, I realise that if I were to buy the latest version of NIS, I could get the upgrade version, at a discounted price. But, who knows, that bug might have been carried across even into the latest version?! Unless Symantec are willing to communicate with me, they, me and other users will perhaps never know. I must say I find their latest policy on support somewhat offputting (ie. no one-to-one e-mail support, unless you pay for it).
 
Actually, I'm starting to have a look at Firefox. Looked into that yet, Alecstaar? If so, I'd like to hear your view of it. A couple of my contacts have already been trying out v0.9 and are reporting that it works very well. If it does all that it claims, then perhaps those who choose to use it can say goodbye to all those browser-borne viruses, spam, adware, pop-ups and other crap.
                                                