NPF 2003 does not work after getting broadband.
mVPstar
May 2nd, 2004, 04:21 PM
Hey guys, I have a problem. Ever since I got cable and I hooked up a Microsoft MN-500 router to my system to share the connection, my norton firewall hasn't been really checking the connections. I check the log files and haven't seen any connection logs after the technician set me up for cable. How do I fix this?
mVPstar
May 4th, 2004, 04:48 PM
New update on the problem. Apparently the logs are showing some data, but really weird info. Every time I start up my computer, Norton makes the logfile "Firewall Configuration Updated: 496 rules". I'm starting to wonder if it's a virus that's causing Norton to malfunction, though I've checked with various third-party software.
mVPstar
May 9th, 2004, 04:20 PM
Does anyone have a solution to this problem?
SnowGuy
May 9th, 2004, 05:42 PM
FYI
Interested persons can find further details of this member's problem in this thread:
http://www.wilderssecurity.com/showthread.php?t=31501
bigc73542
May 9th, 2004, 10:55 PM
-{ Quote: "Does anyone have a solution to this problem?" }-
After I installed a router my firewall has not logged one intrusion attempt. The firewall in the router has caught every incoming attempt. My software firewall takes care of all of the outgoing attempts. It is a pretty secure setup.
jvmorris
May 10th, 2004, 01:02 PM
I suspect bigc is correct here. With a router inline (presuming it's properly configured) you should not be seeing any Blocked inbound TCP/UDP communications in your software firewall event log.
I found this to be true whether it was Kerio, NIS, or Sygate -- suddenly (well, not really, if you think about it) the software firewall logs start looking very, very empty. I know this may sound rather silly, but I actually had to enable logging on routine Internet Explorer (PERMITTED) communications simply to ensure that the software firewalls were still working! :)
On the other hand, if you look at some of the other event logs (e.g., ad-blocking, privacy, connections) you should still find events.
Maintenance (with the router) is down, way down. Nothing very exciting happening in the software firewall event logs at all. I may have to go back to playing chess! ;D (That's for Paul W.)
mVPstar
May 10th, 2004, 02:51 PM
Yes, but my firewall doesn't mention any outbound connections either. It doesn't try to prompt me when a new program accesses the internet. Usually there should be a log concerning such but there isn't.
jvmorris
May 10th, 2004, 05:29 PM
-{ Quote: "Yes, but my firewall doesn't mention any outbound connections either. It doesn't try to prompt me when a new program accesses the internet. Usually there should be a log concerning such but there isn't." }-
Well, NIS/NPF is only going to log PERMITTED outbound communications if you ENABLE that on a particular rule. (Typically, NIS/NPF does not log PERMITTED outbound comms unless you expressly customize a rule to do this.)
Oh, incidentally, don't do this on every PERMIT rule; if you do, your log is going to go right off the spectrum. That's why I suggested you simply enable logging on the MSIE HTTP rule; that should suffice. (As a matter of fact, if MSIE is responsible for most of your internet connections, it will more than suffice! :) ) And, once you're satisfied that everything is working, I would recommend going back and disabling that logging.
mVPstar
May 10th, 2004, 06:30 PM
Tried that, still nothing. It's weird, I can even click on the "block traffic" button and I will still be able to access the internet. I'll post you two log files and you'll see what I mean by it not monitoring. Notice the dates...
mVPstar
May 10th, 2004, 06:48 PM
Here's the other log.
jvmorris
May 11th, 2004, 11:11 AM
-{ Quote: "Here's the other log." }-
Yeah, the firewalls log is all that's necessary here, I think.
When did you install the router? (roughly will do)
mVPstar
May 11th, 2004, 02:47 PM
Early February. I just installed it that time, I still had dial-up so my router wasn't in use. Then, I ordered broadband cable and had it installed on February 28, 2004. As you can see by the dates, that was when NIS stopped monitoring connections.
jvmorris
May 11th, 2004, 04:52 PM
Roger, confirming 28 Feb 2004.
Let's go back to the 27th for a moment:
I see you were running IIS with a Permit Inbound UDP rule. Did you continue to do that afterwards? (That event should still show, if you did, unless you turned off logging on it.)
Then, we get to the interesting stuff:
2/27/2004 8:46:05 AM,Rule "Block Windows File Sharing" blocked communication.,"Rule ""Block Windows File Sharing"" blocked communication. Local address: VIVEK(192.168.2.14)(netbios-ssn(139)). Process name is ""System"""
followed not all that much later by:
2/27/2004 10:59:24 AM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Local address is 169.254.0.223(netbios-ssn(139)) Process name is ""System"""
and that's where your 'normal' logging appears to end. You notice, I presume, that the port is 139. At 8:46, it was blocked; at 10:59, you did a PERMIT (actually, it looks like you created a new rule).
The 8:46 local IP address is a LAN address, so I assume you were on a LAN (maybe ICS?) before installing the router. But the next one (10:59) suggests that you'd installed the router on 27 Feb, since it's to 169.254.0.223. See http://www.robertgraham.com/pubs/firewall-seen.html#3.8 .
"From a draft document on auto-configuration of IP addresses when DHCP fails:
Once a DHCP Client has determined it must auto-configure an IP address, it chooses an address. The algorithm for choosing an address is implementation dependant. The address range to use MUST be "169.254/16", which is registered with the IANA as the LINKLOCAL net.
This only happens when the normal DHCP process fails."
But I don't like the fact that the rule is for port 139. Any recollection as to what happened here? That could have been a kiss of death, especially in late February, depending on the details of the rule created (if you can find it).
Amazingly the next event is almost six weeks later:
4/11/2004 8:43:22 AM,Firewall configuration updated: 296 rules,Firewall configuration updated: 296 rules
and that continues until
4/14/2004 4:37:02 PM,Firewall configuration updated: 296 rules,Firewall configuration updated: 296 rules
and then suddenly:
4/14/2004 4:51:03 PM,Firewall configuration updated: 456 rules,Firewall configuration updated: 456 rules
456 rules??!! Any recollection how you suddenly jumped from 296 rules to 456 rules? That's scary and is suggestive of massive rules corruption. Any recollection of what you did about that time? Did you maybe just run LiveUpdate or something?
I know it's difficult in NIS 2003/2004, but you might want to visually inspect your General Rules and see if you haven't suddenly been blessed with some PERMIT EVERYTHING rules (probably near the top (beginning) of the ruleset).
I assume you've checked your basic configuration and that a) the firewall is enabled and b) Security is set to "High", not "Moderate" or "Low" ("low' is pretty much equivalent to disabling the firewall).
Finally, check your settings for your Trusted Zone (that will definitely kill just about all firewall logging if you have an entry that's way too liberal).
Let us know, okay?
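The checks jvmorris performs by eye on the quoted log entries (a PERMIT rule created on port 139, a 169.254.x.x link-local address, a rule count that jumps from 296 to 456, and an over-broad Trusted Zone entry) can be scripted. The block below is an added example written for this page; it is not part of the thread and not a Symantec tool. The CSV layout ("date,summary,detail" with doubled quotes inside the detail field) and the regular expressions are assumptions drawn from the lines quoted above, and the sample log is constructed from those same lines.

```python
"""Analyse Norton Personal Firewall 2003-style event log lines.

Added example (not part of the thread or of any Symantec product). It parses
the comma-separated "date,summary,detail" records quoted in the thread and
flags what the reviewer checked by hand:
  * a local address in 169.254.0.0/16 (link-local, meaning DHCP failed),
  * a user-created PERMIT rule on the NetBIOS/SMB ports,
  * a jump in the "Firewall configuration updated: N rules" count,
  * a Trusted Zone entry that is not confined to RFC 1918 space.
The CSV layout and the regular expressions are assumptions drawn from the
quoted lines, not from product documentation.
"""
import csv
import ipaddress
import re
from io import StringIO

# Constructed sample log, mirroring the entries quoted in the thread.
SAMPLE_LOG = '''\
2/27/2004 8:46:05 AM,Rule "Block Windows File Sharing" blocked communication.,"Rule ""Block Windows File Sharing"" blocked communication. Local address: VIVEK(192.168.2.14)(netbios-ssn(139)). Process name is ""System"""
2/27/2004 10:59:24 AM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Local address is 169.254.0.223(netbios-ssn(139)) Process name is ""System"""
4/11/2004 8:43:22 AM,Firewall configuration updated: 296 rules,Firewall configuration updated: 296 rules
4/14/2004 4:37:02 PM,Firewall configuration updated: 296 rules,Firewall configuration updated: 296 rules
4/14/2004 4:51:03 PM,Firewall configuration updated: 456 rules,Firewall configuration updated: 456 rules
'''

# Matches both "HOST(192.168.2.14)(netbios-ssn(139))" and "169.254.0.223(netbios-ssn(139))".
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\)?\((?:[\w-]+\()?(\d+)\)")
PROC_RE = re.compile(r'Process name is "([^"]*)"')
COUNT_RE = re.compile(r"Firewall configuration updated: (\d+) rules")
NETBIOS_PORTS = {135, 137, 138, 139, 445}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Return one dict per log record with the fields the checks need."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 3:
            continue  # blank or truncated line
        date, summary, detail = row[0], row[1], row[2]
        addr = ADDR_RE.search(detail)
        proc = PROC_RE.search(detail)
        count = COUNT_RE.search(summary)
        records.append({
            "date": date,
            "summary": summary,
            "detail": detail,
            "ip": addr.group(1) if addr else None,
            "port": int(addr.group(2)) if addr else None,
            "process": proc.group(1) if proc else None,
            "rule_count": int(count.group(1)) if count else None,
        })
    return records


def analyse(records, trusted_zone=(), jump_threshold=50):
    """Return (kind, date, message) findings for the records and zone entries."""
    findings = []
    prev_count = None
    for r in records:
        if r["ip"] and ipaddress.ip_address(r["ip"]).is_link_local:
            findings.append(("link_local", r["date"],
                             f'local address {r["ip"]} is link-local: DHCP had failed'))
        if 'to "permit"' in r["detail"] and r["port"] in NETBIOS_PORTS:
            findings.append(("permit_netbios", r["date"],
                             f'user PERMIT rule on port {r["port"]} for process {r["process"]}'))
        if r["rule_count"] is not None:
            if prev_count is not None and r["rule_count"] - prev_count >= jump_threshold:
                findings.append(("rule_count_jump", r["date"],
                                 f'rule count jumped {prev_count} -> {r["rule_count"]}'))
            prev_count = r["rule_count"]
    # A Trusted Zone entry is acceptable only if it sits inside one RFC 1918 block;
    # "192.168.2.0/255.255.255.0" passes, "0.0.0.0/0" does not.
    for entry in trusted_zone:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(("liberal_trusted_zone", "-",
                             f"trusted zone {net} is not confined to RFC 1918 space"))
    return findings


if __name__ == "__main__":
    for kind, date, msg in analyse(parse_log(SAMPLE_LOG),
                                   trusted_zone=["192.168.2.0/255.255.255.0"]):
        print(f"{date:>22}  {kind:<20}  {msg}")
```

Run against the constructed sample it reports the link-local address and the port 139 PERMIT rule on 27 Feb and the 296 to 456 jump on 14 Apr, and nothing for the 192.168.2.0/24 Trusted Zone entry, which matches the assessment in the post above. The jump threshold and the choice of RFC 1918 as the only acceptable Trusted Zone space are the example's own assumptions.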
mVPstar
May 11th, 2004, 06:18 PM
1.) I never changed my IIS rules. I didn't disable logging either. I was also baffled why that didn't show at all.
2.) I have no clue what the "Block Windows File Sharing" thing is. The only time I created a rule was when I was allowing communication with another computer on my network. I permitted file sharing with that computer and allowed it via that rule. I did this AFTER I got broadband set up and my router and router firewall working.
3.)I never installed my router on Feb 27, 2004. I checked the actual date: January 10, 2004, Feb 27, 2004 was when I had a technician come to my house to set broadband up.
4.) Yes, I found the "Firewall Configuration Updated: 456 rules" entries rather suspicious. If you actually look at one date, you can see this entry: "Firewall Configuration Updated: 464 rules" and then the next day it would be back to "Firewall Configuration Updated: 456 rules". Rather odd.
5.) There is no permit everything rule except for a permit all ICMP rule. My trusted zone contains this address "192.168.2.0 and subnet 255.255.255.0". My security is set to high.
mVPstar
May 11th, 2004, 06:27 PM
Is there a rules viewer I can use for NPF2003 so I can post the rules? BTW, I installed NAV2003 and NPF2003 separately. I didn't buy the whole NIS2003 package that comes with Spam blocking, etc.
jvmorris
May 11th, 2004, 07:24 PM
No, unfortunately, there's no rules viewer of which I am aware that works with NIS/NPF 2003/2004 (unless you get offered some inhouse utility from Symantec).
There is one other possibility that worked at least for a while. I believe CrazyM once found a problem relating to NIS/NPF 2003. (Unfortunately, it may have been removed in a subsequent LiveUpdate.)
NIS Statistics (if you can still find that) had as one of its views, a display that would show all the rules (in their physical order of evaluation). If you've still got NIS Statistics and that is one of the displays, expand it to fill the whole window (set the window itself to full-screen, so that we can see the numbers). Start at the beginning of the ruleset and let's just see one screenful as a cut and paste (I would recommend a GIF, rather than a JPEG, it's a lot smaller). Now, that display eventually got messed up and no longer had valid data in it and I think it may subsequently have been removed.
At one point (long ago and far away), there were rules that would show up in that display that did not display in the GUI for editing/creating/customizing rules. If, somewhere near the top of the ruleset, you find such a rule that is working as a PERMIT rule for just about EVERYTHING, that's the source of the problem. (Of course, we'd need to know what it is to suggest how to correct that problem.)
I can see I'm going to have to reinstall NIS, just to give coherent advice on this! ::)
mVPstar
May 11th, 2004, 10:31 PM
Well, I didn't bother with the screenshot because I have tons of rules. I did manage to, however, save the rules in a text file for you guys to see. Just ignore the first part of it as it's data from the rest of "Detailed Statistics".
I did happen to notice one thing, if I'm counting correctly, there are 455 rules. Didn't the last log file say 457?
jvmorris
May 12th, 2004, 07:41 AM
Okay,
From stats.txt, it looks like your firewall is not processing any rules. Now, need to get CrazyM in to take a look at that file. (That may be later today.) What we need to know (from CrazyM) is whether the display is still functional. (NanDog is another possibility here as far as that subject is concerned.)
Oh, first things first. If you go back to that window and look at the menu on top, you'll see a choice that says View or Display. That gives you the option to select/unselect which particular panes to display. Next time you do one of these :) , just select the pane that relates to the rules (I think that's at the end of your current text file, isn't it?). It just cuts down on the clutter a bit. But the text file rendition is fine for this purpose.
At any rate, if the display is functional; at least one of the columns beginning at the top (an ICMP rule, as I recall) should have non-zero entries in it. Again, presuming the display is functional, this would indicate the firewall portion is processing absolutely nothing; effectively it's been disabled.
If you open the main console for NPF (the GUI, not the System Tray icon) and it indicates that the firewall is enabled and running okay, then you have a serious problem.
NPF may have been disabled by one of the malwares out there that specifically targets firewalls and antivirus products
Or, somehow, your install has gotten corrupted and simply is no longer functional.
If it's malware, you need to find it and get it cleaned ASAP using one of the online scanners. You can use the Symantec online scanner if you're already familiar with that. Quite frankly, I'd also recommend you use an anti-Trojan. You need to use an online scanning service because if such malware is already present on your machine, it's probably pointless trying to download and install another AV/AT package.
Even if you find and remove some malware, that's unlikely to get NPF working correctly again. You're probably going to have to do a complete uninstall and reinstall of the product.
This is pure speculation, but I would assume that the cable technician disabled NPF briefly while getting your cable connection up and running and that this is when your machine got penetrated. (You can get hit on an unprotected cable connection in about 30 seconds these days.) It probably got both NPF and NAV and it would have also been able to disable many of the other popular software firewalls, so just switching to something else doesn't ensure that this would not have happened or that it will not happen in the future (but all the software firewalls are continually hardening against this kind of thing).
mVPstar
May 12th, 2004, 09:37 AM
Well, I do recall that he had also reinstalled TCP/IP networking because my computer was responding to ipconfig /release commands in cmd.exe. When he did that, NPF had prompted that it could not function without TCP/IP networking enabled when he uninstalled it.
My technician did in fact disable NPF but that was when I wasn't connected to the internet. I was still trying to pass a connection to my ISP first so I doubt anyone could have hacked in at that time. Then he restarted the computer (with NPF enabled) though it didn't actually load. NIS had that problem where if you do too much at startup, it sometimes won't start up. Something to do with the order of programs at startup... Anyways, when I finally was connected to the internet, I was only 10-15 secs without a firewall before I quickly connected my modem to my router.
jvmorris
May 12th, 2004, 10:49 AM
Still, I'd run one of the online AV scanners. One of the nice 'features' of the Symantec scan is that it scans 'from the inside out' and might, therefore, pick up something that a purely external scanner might miss. And, yes, I mean AV scanner, not a port scanner, like GRC's Port Authority.
Whether the scanner finds anything or not (but, by all means, do that first), I truly suspect that you're going to have to uninstall and then re-install NPF.
One last question: Have you run AV/AT scans on the other machines on your LAN? Not all problems necessarily come in 'over the wire' from the Internet.
mVPstar
May 12th, 2004, 02:39 PM
I ran Symantec's AV scan on my other computer and the results came out fine. I ran McAfee's Stinger program as well and still, nothing.
I do have to tell you one thing though, the Nimda Removal tools did not find Nimda, however, they did display a list of corrupt files, mainly in the Symantec Shared folder.
CrazyM
May 13th, 2004, 02:16 AM
-{ Quote: "Now, need to get CrazyM in to take a look at that file. (That may be later today.)" }-
That is a lot of rules and there are duplicate rules in there, which could be contributing to the high number count. More on that later.
-{ Quote: "What we need to know (from CrazyM) is whether the display is still functional." }-
The View Statistics > Firewall Rules is still somewhat functional in NIS2003, I don't know about 2004.
If the firewall is functioning, the statistics will usually be correct for the General/System rules at the top of the rule set. Once you get to application rules it is not accurate as this is one of the areas Symantec changed and NIS now orders those rules, not the user. (The way the rule order appears in the display, is not the real order in firewall.) The View Statistics > Firewall Rules does not appear to have been updated to deal with this and thus lost functionality/accuracy. Rule matches will still be recorded, it's just the totals in the far column (that used to help with checking the integrity of the rule set) that get thrown for a dump because of the real ordering of the application rules.
Once rules corruption comes in to play, the accuracy of View Statistics > Firewall Rules is a factor again. On occasion it has helped identify rules corruption, while on others it has not shown rules that I know are present.
Regards,
CrazyM
CrazyM
May 13th, 2004, 02:32 AM
-{ Quote: "Well, I do recall that he had also reinstalled TCP/IP networking because my computer was responding to ipconfig/ release commands in cmd.exe. When he did that, NPF had prompted that it could not function without TCP/IP networking enabled when he uninstalled it." }-
Were you on dial up before?
Is your dial up configuration/adapter still in place?
Was a new ethernet card installed as part of your broadband hook up?
Does NIS show both network adapters?
Is your current rule set configured for the both or just the previous dial up?
Regards,
CrazyM
mVPstar
May 13th, 2004, 06:03 PM
Yes, I was on dial up before. My dial up adapter is still there. For the ethernet card, I had installed it myself. I don't know what you mean by whether NIS shows both adapters and I don't know what you mean by configuration. When I switched over to broadband, I didn't change anything with Norton. All I did was run the networking wizard to include the ethernet adapter.
CrazyM
May 16th, 2004, 02:37 AM
-{ Quote: "I don't know what you mean by whether NIS shows both adapters and I don't know what you mean by configuration. When I switched over to broadband, I didn't change anything with Norton. All I did was run the networking wizard to include the ethernet adapter." }-
NIS2003 can have rules for more than one adapter. I have never tried this feature, but was curious if it may have something to do with your problem.
Does your system event log show what adapter is being filtered?
Regards,
CrazyM
jvmorris
May 16th, 2004, 09:01 AM
-{ Quote: "NIS2003 can have rules for more than one adapter. I have never tried this feature, but was curious if it may have something to do with your problem. . . ." }-
Good point. And since the Ethernet adapter was added afterwards, that might also explain why his rule count nearly doubled, couldn't it? Furthermore, most of the rules that used to log (via the modem-based rule) only would be doing so because logging was explicitly turned on. (They were all PERMIT rules, as I recall.)
Let's see where is that setting? He needs to find where one can customize/edit/modify applications-based rules. Find the entry, say, for Internet Explorer. Select "Customize" to see the individual rules for Internet Explorer. (I think he should see at least seven or eight, shouldn't he? Indeed, if he's got more than that, then he has different rules for different adapters, in all likelihood.) Okay, he should have at least one rule for Internet Explorer HTTP. Select that rule and then click "Customize" or whatever it's labeled. I believe "Adapters" is accessible via a command button on the "Computers" tab if I recall correctly. And, if he's got the rule expressly covering the Internet adapter (or "All" adapters), then he needs to confirm that logging is enabled on that rule.
Good catch, guy.
mVPstar
May 16th, 2004, 09:59 AM
Yes, it does. It shows the network adapter of my ethernet card (the one that's connected to my router)
Hmmm, I think I know why the number of rules jumped so quickly and why there might be repeat rules. I recall, when I was trying to fix my firewall, that I had run program control to see if I could reset the firewall rules so that they would work for my new adapter. The new rules may have added on to the old ones, doubling the final amount of rules.
Also, I somehow don't think it was my router's fault for the problem because I had hooked it up long before I had gotten broadband and my firewall was operating fine at that time. I have a feeling it has to do with my technician reinstalling TCP/IP networking and that causing some kind of conflict with NPF.
Is there a way that I can maybe check what adapter NPF is watching and whether it is working via the registry values?
CrazyM
May 17th, 2004, 12:59 AM
-{ Quote: "I have a feeling it has to do with my technician reinstalling tcp/ip networking and that causing some kind of conflict with NPF." }-
That is a possibility as well and not sure what may resolve it short of a reinstall. You mentioned earlier the tech shut down NPF. I trust you have checked the obvious settings to ensure it is starting up properly.
-{ Quote: "Is there a way that I can maybe check what adapter NPF is watching and whether it is working via the registry values?" }-
Unfortunately since NIS2002 Pro and up, all registry entries are encrypted and there are no public utilities for checking settings. This makes troubleshooting in the later versions very difficult; you have to rely on available logs.
Regards,
CrazyM
Copyright ©2002 - 2012, Wilders Security Forums