Symantec updates 12/5/04
Oremina
May 12th, 2004, 10:31 AM
Not sure if this is the correct place for this, please feel free to move it.
Concerns this morning's updates from Symantec.
Have NSW 2002 and NIS2002. When I checked Live Update this morning (GMT)
there were two updates, one Security and one Symantec Redirector update of 1642.7 KB.
D/l'd both of them, rebooted and all hell broke loose on my PC. Crashed several times with the report on rebooting that it was recovering from a serious error.
Did a Drive Image restore (thank God for DI) and repeated the whole process with the same results. Have now d/l'd the NIS updates on their own and all seems well. Would appear that the Redirector update is the culprit. It added an exe file (SNDMON.exe if I remember correctly) and the firewall kept asking for permissions, e.g. IAMAPP requesting to access the internet. Seemed all the normal NPF exe's were screwed up.
Anybody else had problems today with this update?
:-\
Oremina
May 12th, 2004, 11:57 AM
Oh well..
I'm used to being ignored.... I'm married with two daughters...
;D
Little Mike
May 12th, 2004, 01:17 PM
No problem with those updates in NIS 2004; other than LuComServer.exe subsequently trying to connect to an IP address that was associated with akamaitechnologies.com. But, this occasionally occurs, as LuComserver.exe appears to want access to all kinds of places.
Best regards,
Mike
Oremina
May 12th, 2004, 02:03 PM
Hi Mike
I guess that the vast majority of Norton users are on 2003 and like yourself, 2004.
Think we 2002 users seem to go along with steam engines and model-T Fords.
Nevertheless, your reply much appreciated.
Best wishes
;)
A MAN
May 17th, 2004, 07:24 PM
Yeah, I'm using Norton Internet Security 2002, and I had to re-format my machine after the last update, and put it all back on. Everything's working fine now though...hopefully.
It crashed my machine in about 5 mins when I had it running...it just reset.
Then anytime you restarted Windows it said it had recovered from a critical error, even after I'd uninstalled Norton.
I thought I had been hit by a virus or something, but this thread confirms not, thanks.
I only found this because I searched SNDMon.exe. I was wondering what the hell SNDMon was...and that just happened to be the problem.
FanJ
May 17th, 2004, 09:07 PM
Hi Oremina,
Sorry!!! I didn't see your posting earlier.....
Have a look at this thread:
Norton Internet Security 2002 (http://www.wilderssecurity.com/showthread.php?t=32511)
You will see that you are indeed not the only one having problems....
You will also see in that thread two links to DSLR-threads where the problem is also being discussed.
So far there seems not to be a real solution.....
Regards, Jan.
Oremina
May 18th, 2004, 09:07 AM
Hi A MAN and FanJ
Problem has been solved, at least on my PC.
What happened was that after the disaster of the Symantec Redirector update of 12 May, I ignored the update but kept an eye on it. I noticed after a couple of days or so that I was no longer being offered this update. Assumed it had been withdrawn by Symantec for "repairs".
On the morning of 15th May, I noticed it was being offered again. It appeared to have been amended as it was slightly different in size, about 0.1Mb smaller.
I d/l'd it and have had no problems since. All I can say is I am so pleased that I have Drive Image and back up regularly, or I would have been considering reinstalling and I would have not been a happy man!!
I am not a Norton basher, have found my NSW and NIS2002 to be reasonably trouble free and dependable, but this recent episode has shaken my faith in them a little. Having your PC wrecked to the point of having to do a clean install is beyond a joke. Think the best piece of software I ever spent money on has to be Drive Image. By the way A MAN, my LU folder tells me that the SNDMON.EXE is the Symantec Security Drivers Install Monitor... whatever that is
:)
Hope everybody who has similar problems has sorted it by now.
Best wishes :)
jvmorris
May 22nd, 2004, 02:51 PM
-{ Quote: "Hi A MAN and FanJ
Problem has been solved, at least on my PC.. . . " }-
Hey, I can't give you a thumbs up here (anymore??), but I think you were on to something that I missed the first time around, so what I did was give you some attribution in the larger thread over at BBR/DSLR Security Forum.
You can find it at http://www.dslreports.com/forum/remark,10308615~mode=flat
It's all a rather interesting story and emphasizes what all of us, as a group, can do working together -- no matter what Forum or NNTP newsgroup we may routinely use or where we may come from -- indeed, I think that's the most important point, as I note over there. There were bits and pieces of the answer here, at BBR/DSLR Security and even on the grc.security NNTP newsgroup -- and it involved inputs from people in half a dozen different countries.
And, I would be remiss if I did not also acknowledge inputs received from anonymous users (guests here) and lurkers in all of these places. They also serve who only lurk! 8)
So, from me to you, a big THUMBS UP!! ;D
jvmorris
May 23rd, 2004, 07:58 AM
It appears that Symantec may now have fixed this problem. See http://www.dslreports.com/forum/remark,10312609~mode=flat , which apparently came out late on Friday evening.
Have any of the NIS/NPF 2002 users that experienced the problem after the 12 May LiveUpdate applied this patch; does it solve the problem?
Next question: Does this fix, primarily for NIS/NPF 2002 users, still provide a solution to the eEYE vulnerabilities that started all this? (Anyone checked using eEYE's Retina scanner?)
And finally, by way of feedback, just what files are changed by this update?
Oremina
May 25th, 2004, 07:43 AM
Hi jvmorris
Thanks for your input (your postings of 22 May and 23 May). Apologies for not replying sooner. I'm not disinterested, just that I've been away for a few sunny days (for a change) visiting one of my daughters and her brood in the depths of rural Suffolk. (By the way, referring to one of your postings on DSLR I am definitely, most definitely, male and not a she!! No offence was caused at this end I assure you, but I can see why you would think so with my pseudonym of Oremina.)
I will just confirm that all is now well here since my last posting of 18 May. I also d/l'd the Redirector update of 23 May and all I can do is reiterate that all is well now, but without doubt there was a serious problem caused by the 12 May update.
Please, please Symantec, don't do this to me again or I'll have even less hair than I do now.
Regards
Oremina
May 25th, 2004, 07:49 AM
Hi again jvmorris
Forgot to mention that, in response to your posting of 23 May asking which files have been changed....
When I d/l'd the 23 May update for Symantec Redirector, my Process Guard asked for permission to run SNDMON.EXE again, so that is the one which was in some way changed.
HTH
Regards
jvmorris
May 25th, 2004, 07:56 AM
Oremina,
Oops, sorry 'bout that! :-[ I know someone who uses a very similar sig and has a tendency to change it slightly in different forums; I thought you were she.
So, it is indeed SNDMON.EXE. Thanks for that.
I assume you checked the SYM*.* files also? Those would probably be *.SYS or *.vxd files and I don't know if PG would pick up on them or not.
Oremina
May 25th, 2004, 08:01 AM
jvmorris
No, I didn't, but I do tend to rely completely on PG to pick up all the .exe files and that was the only one that changed here.
essenbee
May 25th, 2004, 09:33 AM
I had serious issues with net connectivity after downloading the May 12th Live Update. I only had connectivity about 10% of the time. Now, after the most recent update to Redirector, my net connectivity is incredibly s l o w .
Does anybody know if a new fix is due from Symantec? If not, is there a way to disable just the redirector program?
Thanks
jvmorris
May 25th, 2004, 09:55 AM
What do you show for "File Created" and "File Last Modified" dates on SNDMON.EXE? Let's start there.
Oremina
May 25th, 2004, 10:28 AM
Hi again jvmorris
Info I can give you about SNDMon.EXE:-
File version 5.3.1.9
Date Created: 15/5/04
Size 85.1 Kb
Modified: 21/5/04
HTH.... Whilst I am pleased to help please note that my knowledge/experience is pretty limited compared to most people on this forum.
Feel free to ask if you need any more info.
Regards
essenbee
May 25th, 2004, 11:21 AM
SNDMon.EXE:
Created: 13th May 2004
Modified: 25th May 2004
Size 85.1KB
Cheers
Oremina
May 25th, 2004, 11:37 AM
Don't really know whether this is relevant or not, apart from the fact that Redirector is involved.
Cast your mind back to last January and the Norton/Verisign farce.
Ever since then, my NAV 2002 has been taking a fair time (around two minutes) to load, much slower than previously. I have very few programs at start up and my Systray shows NAV, NIS, BOClean and a².
NAV would be the last to load by some way. However since 12 May Redirector updates, NAV has been the first to show. Whether this is coincidence or not I wouldn't know. But if I were you essenbee I'd be a bit wary of dis'ing Redirector.
Personally I haven't the faintest idea if you can or not, but it's certainly speeded my NAV loading up. Also there has been no effect (unless it's absolutely marginal) on my internet speed but I'm only on dial up anyway.
One question I would like an answer to if anybody knows is this. SNDMon.EXE appears at startup. Can this be safely disabled without any effect on performance... Does anybody know for sure?
jvmorris
May 25th, 2004, 11:37 AM
Okay, you and Oremina need to both look sndmon.exe up in Windows Explorer and compare the relevant information obtained by right-clicking on the file and then selecting Properties ... From the "General" tab, you're going to want the file size (down to the byte), the date created, date modified information found there. On the "Version" tab, the complete specification listed for File Version.
I realize that it looks like the same file, but I don't like the date differences. Also, it's possible both of you could see 85.1 KB, when the two files could have a very subtly different actual file size (down to the byte).
I'd do it myself, but I'm not running that product anymore.
Oremina
May 25th, 2004, 11:54 AM
Hi jvmorris
The info you ask for is :-
General tab
Size 85.1 Kb (87,184 bytes)
Size on disk 88.0 Kb (90,112 bytes)
Created 15 May 2004, 9:29:22 AM
Modified 21 May 2004, 2:59:46 PM
On Version tab
File version 5.3.1.9
HTH
If you need any more info just yell - I'll be around on and off all evening our time.
jvmorris
May 25th, 2004, 12:19 PM
Thanks, now for a reply from essenbee. (I wonder if it will be different?)
Enjoy the cricket!
essenbee
May 25th, 2004, 12:59 PM
Size : 85.1 KB (87,184 bytes)
On Disk : 88.0 KB (90,112 bytes)
Created : 13 May 2004, 22:21:31
Modified : 21 May 2004, 14:59:46
Version : 5.3.1.9 [Symantec Security Drivers Install Monitor]
Location : C:\Program Files\Symantec\LiveUpdate
jvmorris
May 25th, 2004, 01:52 PM
Sorry, got caught up looking for one of Jooske's smarticons -- specifically the one that races back and forth across the post going "mutter, mutter, mutter ...." :-\
Okay, based on FileSize, FileModified, and FileVersion, I think we have to conclude you've both got the same file . . . now. So, that doesn't explain the difference; has to be in some other file; and that presents a quandary. Specifically, the other file doesn't necessarily have the same FileModified date/time stamp (indeed, it would be pure coincidence if it did).
Life would be so much easier if Symantec would simply identify what files they'd changed, instead of forcing people to look for the file(s) involved.
Okay, I'm gonna hate myself for even suggesting this. Back to File | Find ... . This time, let's try a search on Files Modified between 15 May 2004 and 22 May 2004 . Sort the results on FileType (and there are going to be lots of results, I suspect. :P ) This time, we look for files of type *.exe, *.dll, *.vxd, and *.sys that appear to have some relationship to either Symantec or Norton. The complication is that Symantec stuffs some of these files into the Windows System directory, so it's not necessarily intuitively obvious which are which.
Possibly, if you do a select all and then copy into Notepad, you can quickly eliminate the irrelevant possibilities and then paste what's left into either a post here or exchange between the two of you by IMs? (And it's getting late in the UK)
Obviously, if you find an SYM*.* file also changed in this time period, you could just post the information on that here and I might be able to find someone else's to compare it with. Sorry about all this.
Oremina
May 26th, 2004, 12:02 AM
Well jv, you're right about one thing.... I've got the better part of 2,000 modified files between those dates you mentioned.
To be perfectly honest, I'm a bit out of my depth here. While I know how to do a search, I really don't know what I'm looking for. I notice on a search of sys*.* I get several zip files concerning redirector in All Users/Application Data/ Symantec but how to compare all these with someone else's, I just don't know.
As I mentioned in my post of 18th May, all is well here now, have no problems at all - in fact things are improved as NAV loads faster.
I am lost.. I really don't know what the answer is as to why my PC is working OK and essenbee has very slow internet connectivity. In fact the longer I have this PC and the more I see about various problems on the forums, the LESS I know about anything, or that's the way it seems.
I'll keep an eye on this thread and if I can come up with any ideas, I will, but stumped at the moment..
essenbee
May 26th, 2004, 04:52 AM
I too have literally thousands of files that match the search criteria. Many of them are related to NAV virus definition updates. Looks like this way is going to be too difficult :'(
jvmorris
May 26th, 2004, 10:29 AM
Okay, let's see if we can't make this a more reasonable process. First, let's get a benchmark for comparison.
From http://www.dslreports.com/forum/remark,10333608~mode=flat , sonofjay lists the files found when he ran NIS Settings. You'll note immediately that none of these files were apparently changed by the 12 May Liveupdate or anything subsequent, so we went to look elsewhere.
Shortly thereafter, he did a global search for SYM*.*, which you can find at http://www.dslreports.com/forum/remark,10337566~mode=flat. In this instance, he found lots of files related to NAV, and I tried to redline those out two posts further down in the thread. Well, that got us down to a fairly short list, for his particular situation (which may differ from yours, especially if one of the three of you had a screwed up LiveUpdate).
Then, at http://www.dslreports.com/forum/remark,10338917~mode=flat, he did something that I find very informative: he ran a System Restore to return his system to its state prior to when he ran his LiveUpdate on 13 May and he then presented the before and after information for all of these files. (And remember, "after" the System Restore means what existed before he ran LiveUpdate.) You will note that most of these files had not changed in ages prior to 13 May 2004. But, perhaps more importantly pay special attention to the files that only existed either prior to or after the 13 May LiveUpdate and check to see what you're showing for them.
Now, regarding my suggestion for a generalized search, let's see if we can't get this down to something manageable (or have we already done this here?)
Let's try
SYM*.DLL
SYM*.EXE
SYM*.SYS
SYM*.INF
SYM*.VXD (only for Win 9X/ME, probably)
Now, if you use each of those in conjunction with the Find Modified Date Between 12 May and 24 May, that should generate a very short list which should be easily compared to what sonofjay has illustrated. If either of you find discrepancies (especially with his ##BEFORE RESTORE information) then that likely points to an item on which we should focus.
Also note (as has been remarked in other threads), that he then goes on to say that after he completed the System Restore:
-{ Quote: "Also Sndmon.exe is no longer present anywhere on my PC.
A few things I should note is that even when I run a LU now, it does not present me with any new downloads or updates. I can only assume this is because there is a catalog/file somewhere on my PC that tracked what LU I got and knows that I have already downloaded and installed it once (even though I backed out of the changes with an XP restore).
So far so good and my CPU is back to where it should be. However, I have yet to do any surfing other than here so I guess I'll have to go try it out some more. " }-
So, rather obviously that's a last resort fix . . . of sorts.
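The comparison worked through in the posts above (byte-exact size of sndmon.exe, then SYM*.DLL/EXE/SYS/INF/VXD files modified between 12 May and 24 May), as an added example that is not part of the original thread and not a Symantec tool. It goes beyond the thread by also comparing SHA-256 hashes, so two files of identical byte size but different content are told apart; the temp-directory files, their contents and the name symexample.inf are constructed for the demo.

```python
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime

# File patterns from the post above; sndmon.exe is added by name because
# it does not match SYM*.
PATTERNS = ("sym*.dll", "sym*.exe", "sym*.sys", "sym*.inf", "sym*.vxd")
EXTRA_NAMES = ("sndmon.exe",)


def _wanted(name):
    low = name.lower()  # Windows file names are case-insensitive
    return low in EXTRA_NAMES or any(fnmatch.fnmatchcase(low, p) for p in PATTERNS)


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, start, end):
    """Map lowercased file name -> set of (size_in_bytes, sha256) for every
    matching file under root whose modified time lies in [start, end]."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not _wanted(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                info = os.stat(path)
            except OSError:
                continue  # file vanished between listing and stat
            if not start <= datetime.fromtimestamp(info.st_mtime) <= end:
                continue
            try:
                fingerprint = (info.st_size, _sha256(path))
            except OSError:
                fingerprint = (info.st_size, None)  # locked file: size only
            manifest.setdefault(name.lower(), set()).add(fingerprint)
    return manifest


def compare_manifests(mine, theirs):
    """Return {name: 'same' | 'differs' | 'unverified' | 'only_mine' | 'only_theirs'}.
    Timestamps are deliberately ignored: install dates differ between machines."""
    result = {}
    for name in sorted(set(mine) | set(theirs)):
        if name not in theirs:
            result[name] = "only_mine"
        elif name not in mine:
            result[name] = "only_theirs"
        elif any(h is None for _size, h in mine[name] | theirs[name]):
            result[name] = "unverified"  # a copy could not be hashed
        else:
            result[name] = "same" if mine[name] == theirs[name] else "differs"
    return result


def _make(root, name, data, when):
    path = os.path.join(root, name)
    with open(path, "wb") as fh:
        fh.write(data)
    stamp = when.timestamp()
    os.utime(path, (stamp, stamp))  # set access and modified times


def demo():
    """Two constructed 'machines' in temp directories; all contents are made up."""
    start, end = datetime(2004, 5, 12), datetime(2004, 5, 24, 23, 59, 59)
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _make(a, "SNDMON.EXE", b"A" * 87184, datetime(2004, 5, 21, 14, 59, 46))
        _make(b, "sndmon.exe", b"A" * 87184, datetime(2004, 5, 21, 14, 59, 46))
        # Same length, one byte different: Explorer shows identical sizes.
        _make(a, "symfw.sys", b"B" * 4096, datetime(2004, 5, 15, 9, 0, 0))
        _make(b, "symfw.sys", b"B" * 4095 + b"C", datetime(2004, 5, 23, 7, 5, 45))
        _make(b, "symexample.inf", b"[Version]\n", datetime(2004, 5, 23, 7, 5, 45))
        _make(a, "symold.dll", b"old", datetime(2003, 3, 9, 8, 11, 49))  # outside window
        _make(a, "readme.txt", b"x", datetime(2004, 5, 20, 12, 0, 0))    # wrong pattern
        return compare_manifests(build_manifest(a, start, end),
                                 build_manifest(b, start, end))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20} {status}")
```

On a real system, each person would run `build_manifest` over their own drive and exchange only the resulting name, size and hash list rather than thousands of search results.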
Oremina
May 26th, 2004, 01:32 PM
Joseph
In a brief moment before I take She Who Must Be Obeyed out for a meal, had a quick search on sys*.*....
Have 64 entries. Most seems to be pretty old stuff but have 2 zip files in:-
Documents and Settings\All Users\Symantec\Live Update\Downloads.
a) symantec$redirector_4.5.2_english_livetri.zip
Created 9 March 2003 8.11.49AM
Modified 15 May 2004 6.21.15AM
b) symnet$20consumer_5.3.1_english_livetri.zip
Created 23 May 2004 7.05.45AM
Modified 23 May 7.05.45AM
I mention these as they are in the right time frame in May, but to be perfectly honest it means so little to me.
However, doing my best with limited experience (who said and limited brains!!) and hope this means something to you.
You can't even blame the cricket.....
ghodgson
May 26th, 2004, 01:44 PM
Hi everybody,
I have been reading all your input with great interest because yesterday I also downloaded this SND.exe file from SYMANTEC and noticed it in the startup files. I have XP with NAV and NIS 2003, no problems with the download installing but I am a bit cheesed with these files from Symantec, which to me looks suspiciously like some form of trojan.
I started looking as to what's in the start up file,
NAV ie ccApp.exe
ccregVfy.exe both which I allow of course, BUT I 'locked' SND.exe using spybots 'startup' tools, to see what happens and everything seems to work Ok including Live Update, so what does this SND.exe actually do?????????????????????? Data mining perhaps??
I then looked in the Firewall at Internet enabled Symantec files and there is no less than 33!!! from Alert assistants....Alertast.exe to NAV32.exe to files that send Symantec your log files and Viewers. I have blocked internet access for the Logviewer ....cclgview.exe and also blocked log export ie. Logexprt.exe, without any undue problems.
The question is what other of these Symantec files can be blocked from a privacy point of view without affecting its functionality??
Anybody any ideas?
Regards Gordon
Oremina
May 26th, 2004, 02:15 PM
Gordon
Talking different exe names here as I've got 2002 and you 2003.
Don't allow blanket internet coverage - only have 17 apps which are allowed to access the internet of which four are Norton..
Symantec Live Update (new version since 12 May) LuComServer.exe
Norton Antivirus Email Scanner navapw32.exe
Norton Personal Firewall HTTP Filter SymProxySvc.exe
Norton PF Tray Icon IAMAPP.exe
Have no problems, they are the only Norton ones which have requested internet access (unless I bring the GUI up when I'm on the internet and another one asks (can't remember which at the mo), but I refuse it).
And that's that... have no problems.
Pleased you mentioned dis'ing SNDMon.EXE with no apparent ill effects, have been waiting for somebody to say that... will do it myself now and see what happens here.
Guess partly what I'm saying is that there is probably no need for a lot of your Norton bits to access the 'net, but as I don't have 2003 can't really comment. Would just say though that I really can't imagine Symantec planting Trojans on us ;D
jvmorris
May 26th, 2004, 02:29 PM
New tidbit. Down near the end of http://www.broadbandreports.com/forum/remark,10217368~mode=flat~days=9999 , theskulptor has just returned and says he found a new LiveUpdate for the Symantec Redirector that solved his problem. He's been offline since 23 May and sonofjay indicated that he had been unable to find a LiveUpdate on 25 May. Maybe you should take a look and see if there's something new up there?
jvmorris
May 26th, 2004, 02:38 PM
Oremina,
-{ Quote: "... Have 64 entries. Most seems to be pretty old stuff but have 2 zip files in:-
Documents and Settings\All Users\Symantec\Live Update\Downloads.
a) symantec$redirector_4.5.2_english_livetri.zip
Created 9 March 2003 8.11.49AM
Modified 15 May 2004 6.21.15AM
b) symnet$20consumer_5.3.1_english_livetri.zip
Created 23 May 2004 7.05.45AM
Modified 23 May 7.05.45AM
....." }-
I would suspect those are the two 23 May LiveUpdates that sonofjay has also referenced. One seems to have been related to NAV, and the other should have had a version of sndmon.exe and symfw.sys in it.
However, it looks like theskulptor has now found a subsequent LiveUpdate (between 23 May and today) for Symantec Redirector, which he feels has fixed his problem. Still waiting for more details on exactly what's new as a consequence.
ghodgson
May 26th, 2004, 02:42 PM
Dear Oremina,
Thanks for your reply. I will remove all the Symantec files from the firewall and see how many the Firewall ask me to allow when I access the net [for proper functioning of NAV and NIS ].
Regarding the startup files, do we need to allow regvfy.exe in the startup files? This file obviously sounds like verification of registration prior to downloading updates, so does it have to be in the startup?
Must go to work now [am working nights].
Thanks Gordon
jvmorris
May 26th, 2004, 02:53 PM
-{ Quote: ". . .I have XP with NAV and NIS 2003, no problems with the download installing but I am a bit cheesed with these files from Symantec, which to me looks suspiciously like some form of trojan." }-
Just to bring you up to speed, the 12 May 2004 LiveUpdate never caused any problems with NIS/NPF 2003 (or 2004, for that matter). The problem we're trying to work out is related to NIS/NPF 2002 (not even NAV 2002).
However, I have had a few people query me about something odd now with NIS/NPF 2003. Unfortunately, I can't help on that one, since I've never had it here. (CrazyM has used it, but I'm not sure if even he still has it installed.)
-{ Quote: " I started looking as to whats in the start up file,
NAV ie ccApp.exe
ccregVfy.exe both which I allow of course, " }-
Yeah, those are old files, been around for sometime. The CC signifies "Common Component" and typically applies to whatever Norton products you may have installed on your machine.
-{ Quote: "BUT I 'locked' SND.exe using spybots 'startup' tools, to see what happens and everything seems to work Ok including Live Update, so what does this SND.exe actually do?????????????????????? Data mining perhaps??" }-
Must admit that I haven't seen anything definitive (from anyone), but I think SNDMON.EXE must have something to do with detecting whether there's a network (LAN? or just Internet?) connection available before certain processing starts. It could be something as trivial as facilitating Automatic LiveUpdate; I don't know. It's a brand new file.
-{ Quote: " I then looked in the Firewall at Internet enabled Symantec files and there is no less than 33!!! from Alert assistants....Alertast.exe to NAV32.exe to files that send Symantec your log files and Viewers. I have blocked internet access for the Logviewer ....cclgview.exe and also blocked log export ie. Logexprt.exe, without any undue problems." }-
Well, that is a bit odd. I would have assumed that cclgview.exe was simply the Log Viewer utility, which typically would only operate locally and similarly that logexprt.exe was the Log Export utility, which again I would assume only operates locally. But you are saying you found Internet-enabled privileges for these two applications?
-{ Quote: " The question is what other of these Symantec files can be blocked from a privacy point of view without affecting its functionality??" }-
Well, that's sort of the problem. Even with NIS 2002 on WinXP, I was getting a bit concerned with the number of Symantec/Norton executables being given Internet privileges (if one allowed automatic firewall rule generation). I didn't have the foggiest idea what most of these files really did and I don't to this day.
jvmorris
May 26th, 2004, 03:06 PM
-{ Quote: ". . . I will remove all the Symantec files from the firewall and see how many the Firewall ask me to allow when I access the net [for proper functioning of NAV and NIS ]. " }-
If you're going to do this, here's another thing you might now want to do. Note down the names of the Symantec programs to which you are then prompted to provide access rights. Later, when you get a chance, customize the rules for those applications to enable logging (which will then show in the firewall event log). Sven Schaefer has just recently put out a version of his NIS Log Viewer that works with NIS/NPF 2003 and 2004, so you can then easily search for any resulting log events associated with these applications (indeed, you can actually filter down to just display those events). At that point, you'd probably have a damn good idea of where they were going, when (especially in reference to other applications), and why.
-{ Quote: " Regarding the startup files, do we need to allow regvfy.exe in the startup files? This file obviously sounds like verification of registration prior to downloading updates, so does it have to be in the startup?. . ." }-
That strikes me as another new executable. Obviously, if you get the Rules Assistant pop-up for this one, I'd also enable the event logging for any rules subsequently created. I must admit it rather suggests to me (and that's all that it does) that Symantec may have now 'backloaded' the Digital Rights Management feature of its 2004 products at least into NIS/NPF 2003. I really have no idea, just a bit of speculation on my part.
madpiano
May 27th, 2004, 06:06 AM
Hello
I have Systemworks 2002 and Firewall 2002 and ever since this stupid update I have problems. My PC itself runs fine, no problems there (either after the first or the second update), but I have real problems browsing the web. I have a cable modem, but websites take up to a minute to open. I have switched on Task Manager and the CPU runs at 100% each time I open a web-site. This only happened after the Redirector update.
The process which is sucking the power is called:
SYMPROXYSVC.EXE
I have applied the patch which came out last week, and even though things are slightly faster, they are still slower than a dial up modem, and if I open more than 5 web pages at the same time, the PC crashes. Apparently due to a device driver conflict.
What can I do now ?
I have already contacted Symantec, but their only answer was to upgrade to version 2004....
Cheers
Mad
madpiano
May 27th, 2004, 06:12 AM
oops, sorry, have forgotten to give at least basic info:
Running Win XP SP1
CPU 1.3GhZ AMD Athlon
RAM 256
Video Card NVIDIA Geforce 2 MX400
NW Card Netgear FA311
Connection: Cable Modem 512K
Oremina
May 27th, 2004, 07:45 AM
Hi mad
Can't really be of assistance to you.. all I can say is that following this and various other threads, that Symantec update caused a lot of problems. It did here but that is all cleared up now and has been since their revamped update cleared it up on 15 May.
However, that makes me the lucky one because it would appear that quite a few people are still having problems. What amazes me is the different symptoms everybody is having.
I may be wrong but don't think Norton support 2002 anymore, so the only advice you will get from them is -"update". But from what I've seen people with 2003 and 2004 also have their share of problems.
I wish you luck and hope that the next update will sort your problem. For your info I've had none of your symptoms and SymproxySvc takes from around 12400K to 13500K on my system, depending how busy it's been. At the mo my CPU is around 5 to 7% and also I often have several web pages open at once using Firefox without causing any problems.
:)
jvmorris
May 27th, 2004, 11:32 AM
It is beginning to look like there may well be two, distinct problems affecting NIS/NPF users since the 12 May LiveUpdates. :o
AplusWebMaster, in his thread regarding Akamai just pointed out this little tidbit over at SANS (see http://isc.sans.org/diary.php?date=2004-05-26 )
-{ Quote: "And an unconfirmed report that Norton Internet Security 4.0 2002, 2003 & 2004 for Windows has added a new feature which pre-scans the inline html images prior to writing the images to the temp directory and displaying them in the web-browser. This effort is to try to identify web borne worms and viruses. The unfortunate side effect is that pages load incredibly slowly. The report stated that Verizon's page took over 3 minutes to load with the scanner and under 3 seconds without it. This could result in users disabling their firewalls which is not a good thing. " }-
Oremina
May 27th, 2004, 12:23 PM
Quote:-
It is beginning to look like there may well be two, distinct problems affecting
NIS/NPF users since the 12 May LiveUpdates.
Now that, jv, looks like it is making sense.
My problem with 2002 was with repeated crashing on 12th May. I have never had the slow internet connectivity and/or slow page loading as reported by our friends ghodgson, madpiano et al in this and other forums (or is it fora?)
Symantec have lost themselves a huge amount of goodwill I feel and it's about time they got their act together. (But do they care?)
jvmorris
May 27th, 2004, 01:21 PM
-{ Quote: "... My problem with 2002 was with repeated crashing on 12th May. I have never had the slow internet connectivity and/or slow page loading as reported by our friends ghodgson, madpiano et al in this and other forums (or is it fora?)" }-
Well, it's not fauna! ;D
-{ Quote: "Symantec have lost themselves a huge amount of goodwill I feel and it's about time they got their act together. (But do they care?)" }-
I honestly don't know. I've gotten a few communications from Symantec employees (privately) but none of substance facilitating a resolution of this problem or even indicating that a solution is available. (I specifically asked, at one point, as to what files we should be looking for and got no response.)
The "unconfirmed report" on SANS suggests that the problems are more pervasive, save for those with super-fast CPUs, regardless of which version of NIS/NPF they are running.
I'm getting private e-mails from some people that think it's a plot on Symantec's part to irritate the hell out of NIS/NPF 2002 users and get them to upgrade to NIS/NPF 2004. Well, if so, it ain't working! :P (Still, it's something I can believe their marketing types might think makes a lot of sense.) I'm seeing far more responses from disgusted users who are simply going elsewhere for their software firewalls and AV protection in the future -- and I rather doubt that they will be Symantec customers in the future or recommend Symantec products to their friends and acquaintances.
I was thinking of sending an MP3 of "The Sounds of Silence" to all the Symantec e-mail addresses I have, but that would probably get the RIAA on my tail (and the Symantec guys probably wouldn't catch on, anyway. :'( )
ghodgson
May 27th, 2004, 02:26 PM
Hi Joseph and Oremina,
Thanks for your input. I know I diverge slightly from SNDMON.exe, but this is posted as a follow up to our discussions re NIS 2002/3/4
Since removing all Symantec's executables from my Firewall, I have been prompted to allow only 4 files so far, thus...........
SYM common client ccApp.exe
Sym Live update Lucomserver.exe
Sym NIS proxy service ccPxySvc.exe
and Norton programme integrator Nmain.exe
Everything seems to be working satisfactorily. This includes still having SNDMON.exe disabled. Although I haven't yet seen an instance of auto update since disabling SNDMON.exe, it still works manually. But that may be because it hasn't needed to auto update.
AND YES Joseph, The log viewer and exporter definitely have internet capability according to the firewall.
As of yet I have not been prompted to allow the ccRegVfy.exe file to access the net. If that is the case, then I may try and lock the startup entry to see what happens.
If only Symantec were a little more user friendly instead of trying to stonewall everybody and doing things underhand. Because a word of explanation about some of these files, i.e. SNDMON.exe, could have saved a lot of unhappy people.
Gordon
jvmorris
May 27th, 2004, 03:05 PM
Sorry, Gordon, I had to go back up and see what you're running (trying to handle too many respondents on this issue; maybe I should put up a database on who is running what version of NIS/NPF on which operating system, so that I can quickly reference it! :)
-{ Quote: "Hi Joseph and Oremina,
Thanks for your input. I know I diverge slightly from SNDMON.exe, but this is posted as a follow up to our discussions re NIS 2002/3/4
Since removing all Symantecs executables from my Firewall, I have been prompted to allow only 4 files so far , thus...........
SYM common client ccApp.exe
Sym Live update Lucomserver.exe
Sym NIS proxy service ccPxySvc.exe
and Norton programme integrator Nmain.exe " }-
I was about to ask if you could post your rules for those apps, but since you're running NIS 2003, there's really no easy, practical way to do that.
-{ Quote: " Everything seems to be working satisfactorily. This includes still having SNDMON.exe disabled. Although I havent yet seen an instance of auto update since disabling SNDMON.exe, it still works manually. But that may be because it hasnt needed to auto update. " }-
If you got an automatic LiveUpdate yesterday, you probably won't see another until next Wednesday; look for that one.
-{ Quote: " AND YES Joseph, The log viewer and exporter definitely have internet capability according to the firewall." }-
Interesting . . . and I wonder what that is all about.
-{ Quote: "As of yet I have not been prompted to allow the ccRegVfy.exe file to access the net. If that is the case, then I may try and lock the startup entry to see what happens." }-
The other possibility here is that this is also part of the kludge. In other words, it's possible that ccRegVfy.exe is really only applicable to NIS/NPF 2004 users, but the guys writing the LiveUpdate upload screwed up and downloaded it to people also running NIS/NPF 2003! :P
-{ Quote: " If only Symantec were a little more user friendly instead of trying to stonewall everybody and doing things underhand. Because A word of explanation about some of these files ie. SNDMON.exe could have saved a lot of unhappy people." }-
More to the point, Gordon, it might have saved them a lot of customers, both current and future.
Oh, I know what this is about, Gordon. Ever buy a perfectly standard household appliance and find one of those "DO NOT OPEN! No user serviceable parts inside" stickers? Well, Symantec apparently would like to believe that such a statement is applicable to NIS/NPF -- but it isn't and never has been. (And, quite frankly, I'm beginning to have reservations as to whether Symantec techies know how to service the product any longer.)
Oremina
May 28th, 2004, 03:47 AM
Just want to echo the views of some of the people over on DSLR forum concerning the enormous efforts of jvmorris in keeping tabs on and trying to find solutions to these recent Symantec problems (I wish they would make a tenth of his efforts!!)
Kudos and a big thumbs up to you Joseph, it is much appreciated.
You're a star!!! ;D ;D ;)
essenbee
May 28th, 2004, 04:58 AM
Looks like my plan to update to NIS 2004 is not a good idea as the thread is now implying that the very slow internet access issue is across all versions.
I'm going out at lunchtime to buy a new package, then :-\ . Can anyone recommend a good one-stop firewall/AV/parental control suite? I did a web search and looked at the McAfee offering, but there seem to be a few adverse reviews out there...
browneagle52
May 28th, 2004, 10:00 AM
Yes, I had similar problems after I downloaded the LiveUpdate from Symantec. I originally thought that I had a browser hijack, I conducted a HijackThis program that I got through this forum and sent the request log. They reviewed my log and found nothing wrong. It was suggested that I go to a different thread which I did and found several others with the same problem that we are having. So, this morning I disabled my firewall and it loaded my Internet start page up correctly and very fast like it did before I installed the update. I plan to uninstall my firewall and then reinstall it.
jvmorris
May 28th, 2004, 11:48 AM
Might want to hold off a bit after re-installing before you then run LiveUpdate (at least for the Redirector, SYMEVENT, and NIS/NPF Security Program Updates). NAV and the NIS/NPF auto-config updates should be okay, however. (At least the firewall will be functional that way, if not fully patched! 8) )
ghodgson
May 28th, 2004, 02:08 PM
Dear Joseph,
I will also thank you for all your hard work and patience in trying to sort out our, or should I say Symantec's problems. Looking at some of the replies SYMANTEC have already lost customers, do they [Symantec] ever read these pages at WILDERS!!!
I know what you mean re ''No serviceable user parts'' !!!!
Joseph quoted
''I was about to ask if you could post your rules for those apps, but since you're running NIS 2003, there's really no easy, practical way to do that''
I will try...................................
re NIS/NIF 2003
SYM common client ccApp.exe
Sym Live update Lucomserver.exe
Sym NIS proxy service ccPxySvc.exe
and Norton programme integrator Nmain.exe
Presently they are all on Automatic access, which I know I probably shouldn't.
Re the firewall rules as at present, in order as they appear top to bottom,
SYM common client ccApp.exe, [inside here there are 4 firewall rules, all outbound and permitted, i.e.,
User session aim rule, user session e mail rule, user session HTTP rule and user session MSN rule]
Sym Live update Lucomserver.exe [here are 5 rules, Live update FTP data transfer, out and permitted, Liveupdate HTTP rule out and permitted, Live update permitted in and out, Live update out permitted and live update in permitted.]
Sym NIS proxy service ccPxySvc.exe [5 rules, i.e., NIS IM filter outbound permitted, NIS proxy service HTTP rule out and permitted, NIS IM filter out and permitted, NIS proxy service NNTP rule out and permitted, NIS IM filter out and permitted]
and Norton programme integrator Nmain.exe [4 rules, i.e., Norton programme integrator out and permitted, Norton Program Integrator MS access outbound permitted, Norton Program integrator VS access outbound and permitted and Norton program Integrator Block rule, outbound and blocked.]
That is all my firewall rules for SYMANTEC.
Do you think changes are needed? or best left well alone.??
Many thanks Gordon
PS You mentioned Sven's NIS logging, do you have an address where this is obtainable?..................thanks
jvmorris
May 28th, 2004, 06:54 PM
-{ Quote: ". . . do they [Symantec] ever read these pages at WILDERS!!!" }-
Well, we finally managed to suck in Reese Anschultz over at the BBR/DSLR Security Forum. (See the thread at http://www.dslreports.com/forum/remark,10357746~mode=flat ) I would suggest you read through the whole thread (this is a fairly new one) very carefully. If you're feeling a bit gutsy, you can see some suggestions there for some experimentation.
Unfortunately (so far), Reese has tended to concentrate on SNDMON.EXE and I don't think this is the primary source of the problem that NIS/NPF 2002 users are experiencing. Indeed, his second posting in that thread is almost exclusively related to Symantec Product releases after NIS/NPF 2002 -- to wit, Symantec Desktop Firewall (5.x) and then NIS/NPF 2003/2004 (6.x and 7.x, respectively). Well, that's not where the problem lies -- for us!
I don't know if we're going to hear any more from Reese any time soon. After all, it's the Memorial Day weekend (here in the 'states) and it's quite likely that even in California he's now taken off for an extended weekend.
-{ Quote: ". . . ''I was about to ask if you could post your rules for those apps, but since you're running NIS 2003, there's really no easy, practical way to do that''
I will try...................................
re NIS/NIF 2003
SYM common client ccApp.exe
Sym Live update Lucomserver.exe
Sym NIS proxy service ccPxySvc.exe
and Norton programme integrator Nmain.exe
Presently they are all on Automatic access, which I know I probably shouldnt.
Re the firewall rules as at present,in order as they appear top to bottom,
SYM common client ccApp.exe , [inside here there is 4 firewall rules, all outbound and permitted. ie,
User session aim rule, user session e mail rule,user session HTTP rule and user session MSN rule]
Sym Live update Lucomserver.exe [ here are 5 rules, Live update FTP data transfer, out and permitted, Liveupdate HTTP rule out and permitted, Live update permitted in and out, Live update out permitted and live update in permitted.
Sym NIS proxy service ccPxySvc.exe [ 5 rules ie, NIS IM filter outbound permitted, NIS proxy service HTTP rule out and permitted, NIS IM filter out and permitted, NIS proxy service NNTP rule out and permitted. NIS IM filter out and permitted]
and Norton programme integrator Nmain.exe [ 4 rules ie, Norton programme integrator out and permitted, Norton Program Integrator MS access outbound permitted, Norton Program integrator VS access outbound and permitted and Norton program Integrator Block rule, out bound and blocked.]
That is all my firewall rules for SYMANTEC." }-
Well, this is one of the embarrassing features about NIS/NPF 2003/2004. You really can't document the rules comprehensively without laboriously copying them down by hand! (And you have to go through a large variety of windows/tabs to do even that!) I thought of dumping you a set of what the rules for these Symantec apps would look like -- until I completed the spreadsheet that I just inserted over in the BBR/DSLR Security Forum thread mentioned above. There's no way that what's reasonable to NIS/NPF 2002 is likely to be relevant to NIS/NPF 2003/2004. I'm sorry; I didn't design the latter products.
-{ Quote: " . . . . You mentioned Svens NIS logging , do you have an address where this is obtainable?..................thanks" }-
Oh, that I can do! :) Let's see . . . .
http://home.debitel.net/user/svenschaef/logview/
Sven's work is extremely high quality and I recommend it without reservation.
browneagle52
May 28th, 2004, 08:14 PM
I uninstalled Norton Personal firewall this afternoon and then re-installed it. I then held my breath and went out to Norton and installed the updates. My access to the internet is just great, the speed is as good as it was before I began to have the slowdowns. I guess Symantec must have fixed the problem. I am now a happy internet surfer.
jvmorris
May 28th, 2004, 11:24 PM
-{ Quote: "I uninstalled Norton Personal firewall this afternoon and then re-installed it. I then held my breath and went out to Norton and installed the updates. My access to the internet is just great, the speed is a good as it was before I begin to have the slow downs. I guess Symantec must have fixed the problem. I am now a happy internet surfer." }-
Well, you also can download and fill out the spreadsheet available at http://www.dslreports.com/forum/remark,10364550~mode=flat to reflect the current NPF configuration that you find on your system! :) There are two guys already doing that at BBR/DSLR Security and at least one other over at Computer Cops. The more the merrier!
ghodgson
May 29th, 2004, 12:06 PM
Dear Joseph,
Re....... NIS 2003 Ver 6.0 and SNDMON.exe
Many thanks again. I have been over and read all the posts at BBR/DSLR forum. So SNDMON.exe initiates another instance of LUcomserver.exe, so we end up with 2 instances running. I have allowed SNDMON.exe to run once, to register present programmes, and have no intention of installing further SYMANTEC products. Therefore, will now disable SNDMON.exe semi permanently.
Although I think NIS 2003 works well, it is hefty with a file size of about 120 MB, and does consume quite a bit of CPU usage. There must be equally good products out there which are more modest in size and consumption. AND with better tech support.
Incidentally, My virus definitions auto updated normally today........without SNDMON.exe.
Gordon
jvmorris
May 29th, 2004, 12:16 PM
Gordon,
Just keep following that one in your spare time. It may get more interesting in the near future. (You've got a bank holiday over there and we've got Memorial Day over here, so it may be later on before things start picking up again.)
So far, I've had no users complain about the consequences of disabling SNDMon.exe, only Symantec employees.
However, as Reese noted, remember you have done this -- you may need to re-enable it at some point in the future if a future update or new product release does not install properly.