Does Norton Internet Security 2002 Pro have serious problems ?

I've just installed NIS2002 Pro (up from NIS2002 std) and find that even though an application scan has been performed and a program (such as MSIE for example) is then removed from the list of 'authorised apps', launching said app causes it to access the internet straight away without the access alert that's supposed to occur ! Alert tracker provides notification of the access and there's an event log entry, but the point is that once an app is removed from the list, you should get a prompt asking what you want to do !
Now this is a serious problem !
Anyone else seen this ?

 

What is the precise message you are seeing?

There is one message in the log that actually means that an Internet-enabled app has been loaded and begun execution. It does not necessarily mean that the application is, in fact, accessing the Internet.

That's the reason I'd like to know exactly what message you're seeing.

 

Also check that Enable Automatic Internet Access Control is disabled. It is enabled by default in NIS2002 Pro.

CrazyM

 

Yes, automatic internet control is disabled.
My pc has just been reformatted and w2k pro put on fresh with a handful of other apps,
and I tried NIS2002 on another pc and had the same problem with it,so it's not the pc.
The point is that once an app is removed from the list of apps in the internet access control list,
there are then no defined rules as to how NIS should handle its accessing the net and so NIS
should give you an access alert dialog asking you how you'd like to handle the situation.
It doesn't ! But it does give an alert tracker notification plus an event log entry.
The whole point here is that apps can access the internet even though they're not on the
'approved list' which does rather negate the whole point of a firewall now doesn't it !
If you have NIS2002 yourself, try it. Remove Netscape, MSIE or Cuteftp etc and see if you get
an access control alert or does the app just connect as per normal.....

 

Just a follow up as I have just seen a review on netsecurity.about.com

they said :
"Norton Internet Security is a very good product with many features that are easy to use and easy to tweak if you are so inclined. By default NIS installs so that it will block any Internet application that tries to run on your system. You are prompted to either allow the application, or deny the application.
You can set it to prompt you each time the application is run or set it so that it will always allow the application"

Well, there you go ! "...prompt you EACH TIME..."

 

Once again, would you please copy and then paste here exactly what you are seeing in Alert Tracker and in the event log that leads you to this conclusion.

With no more information than you have provided to date, it's impossible for me to either explain what you may be seeing to you or to ascertain if you have in fact encountered a problem.

I wish I had the time to simply try to guess what you're seeing that's bothering you -- but unfortunately, I don't.

 

Ok Joseph - here you go...

From the 'firewall' tab in the event log :
An instance of "C:\Program Files\Netscape\Communicator 4.08\Program\netscape.exe" is preparing to access the Internet for the first time

From the Alert Tracker :
C:\...\Program\Netscape.exe is preparing to access the internet

Now, the fact that I'm posting this proves that the app is being let out although it's not in the defined access control rules list.

So, if you have NIS2002 Pro, go try it and see what happens !

 

Not necessarily...

An instance of "C:\WINNT\system32\mstask.exe" is preparing to access the Internet for the first time
An instance of "C:\WINNT\system32\spoolsv.exe" is preparing to access the Internet for the first time
An instance of "C:\WINNT\system32\SERVICES.EXE" is preparing to access the Internet for the first time

The above are from my NIS2002 Pro logs. Perhaps their (Symantec's) choice of the word "Internet" was not best and should have been something like "Network"

The above from my logs are network aware, they may even be listening on a service/port, but none of them actually connected anywhere outside of my system.

What is Netscape doing as part of it's start up that may be network aware? Do you have configured for email and not the web or vice versa? Can you actually connect outside of your system with any of these apps you do not have rules for without getting a prompt?

Check your connection logs and see if anything that is not allowed has actually connected outside of your system.

CrazyM

 

Morph,

Thank you; that makes a world of difference. Indeed that would not have been one of my initial guesses, so this information is, indeed, very valuable.

CrazyM has already explained that the message you're seeing in the firewall event log doesn't really mean quite what it seems to. (I suspected that part would be what you were referring to.) However, if I'm reading the rest of your response correctly, you are actually using Netscape to access this forum and post here, yet you have no explicit rule for Netscape in your ruleset. Is that correct?

If that is correct, then it looks very much as if you have a corrupted rule, probably sitting up in your System-Wide ruleset. If you were using a version of NIS/NPF prior to NIS 2002 Pro (NIS 4.5), it would be fairly easy to find and correct the problem using Albert Janssen's NIS Rules Viewer, but in NIS 4.5, the rule settings have been encrypted and Albert's Rules Viewer won't work any more.

So, this is going to be a bit more arduous. First, switch over to where you can view the System Wide rules in the Internet Access Control pane of the NIS Console. Do you see any rules (by name) listed there that most definitely does not look appropriate for a system-wide rule? Specifically, do you see a rule name that looks like it should apply to a specific application, yet you've now found it in the System-Wide Settings? (This is the most common problem.). If so, take a look at the details of that rule (use the Modify... button so that you can really see all the details). Specifically, you're looking for a System-Wide rule that PERMITs outbound access to Remote TCP Port 80, at least.

If you find one, enable logging on that rule. Now, do the standard thing, start up Netscape and connect somewhere. (Here would do nicely.) Now start up Sven Schaefer's NIS Log Viewer and take a look at the firewall event log that you've just created. If you find that the System-wide rule is what's allowing you to connect via Netscape, we've at least found the culprit.

If you can confirm that this is what is happening, it's very important. Yes, it would represent a problem that is not supposed to occur in NIS 4.5, and we need to confirm it in some detail so that we can bring it to Symantec's attention.

 

Yes Joseph, it is very important and I've been trying to convice those at the online support center at Symantec of this for the past week and I'm getting very frustrated at their mindless replies !! "Go check this document on how to enable automatic internet access" etc etc, going off at a tangent to the subject and completely missing the point being made...telling me how to open the car door when the problem is I can't close it !!!
If I seem a bit agro here, now you know why !

Firstly, to address comments made by CrazyM :
I'm not on a local network - it's strictly a dial up to the web single pc configuration, although the other NIS2002 Pro install I did WAS on a large local network as well with the same result. I think the use of the word internet rather than network is appropriate as that's precisely what the apps are doing ! Granted, the internet is a massive network anyway so perhaps we are really splitting hairs here. The 'logging' info, however, is more interesting - "...preparing to access the internet for the first time" - FIRST time

Joseph : Yes, I am aware that 2002 Pro encrypts and monitors tampering with its registry data for security and that's one of the reasons I bought it. Exporting the data doesn't help of course as it's encrypted as well.
I have already checked the system wide settings (thinking along the same lines as you with regards to access priorities) and find nothing there that shouldn't be or that would create unlimited access.

I'm an old hand with Nortons guys !

Now just getting back to my original request - if you have NIS2002 Pro why don't you just delete an app of the list like MSIE or Netscape and see what happens yourself !? See for yourself if I'm right or wrong ! Someone's going to have to do it to prove there's a problem....

I want to stick with NIS as it's the best all round firewall in my opinion, but this one problem is making me think Sygate Pro 5 is a better choice...

 

OK, deleted my entry in Internet Access Control for MSIE and rebooted just to be sure. On connecting out with MSIE I received the usual prompt to create a rule, selected the automatic option and the default rules were created. So I was unable to duplicate your problem. W2K sp3 and NIS2002 Pro v4.5 with all updates.

I have been using NIS2002 Pro since it came out and never encountered a situation where an unauthorized app managed to connect without a prompt and subsequent approval. I have encountered some anomalies, but only because of testing I have done for different configurations which has involved several installs/uninstalls.

One such anomaly that may be relevant here involved a rule that was present, but did not show anywhere in Internet Access Control, but did show in the list seen in View Statistics -> Firewall Rules. This occurred after using Manged Settings to import a configuration file. Whether this was a fault in NIS or just all my testing/tinkering we may never know.

Check View Statistics -> Firewall Rules and see if any Netscape rules are showing there.

CrazyM

 

I'm still with SP2.... the other pc I loaded it onto to try had SP3 though.
Yes, there is an entry for Netscape in Stats/Firewall rules :
Netscape Communicator TCP/UDP Permitted 4, Blocked 0, No match 6
Ditto for MSIE which doesn't have a rule define either :
Internet Explorer HTTP Rule   278   0   10

Does this help ?

At least this has answered one question - Yes, you should get an alert when an app is removed from the list.

 

Now we are starting to get somewhere...

Yes, it means my anomaly was not as a result of my tinkering...uh testing

Not quite...this is the anomaly...the rules are there, but the only place you can see them is View Statistics -> Firewall Rules.

Edit: To verify they are there check you Firewall Event Log for the first System entry after booting up...
"Firewall configuration updated: 39 rules"
This total will be the same in View Statistics -> Firewall Rules...but less after you tally the rules in the three different sections of Internet Access Control.

You have duplicated an anomaly I found, but had thought may have been a result of my continued testing. It would now appear that NIS Pro can suffer from the same (usually rare) rules corruption of earlier versions.

The interesting part is we would appear to have ended up with the same result via different means. I ended up with a rule I knew was there, but could only see in View Statistics, after importing a saved configuration file via Managed Settings. You appear to have removed the rules via Internet Access Control, but it would appear they were not as you can also still see them in View Statistics... but perhaps you could clarify exactly what you did or did not do.

As Joseph pointed out, rules corruption can occur, but one of the joys of trying to figure things like this out with NIS Pro with the encryption it uses, is the lack of built in functionality to do so. (Like what is available for earlier versions with Log Viewer and NIS Rules)

CrazyM

 

"Firewall configuration updated : 239 rules" rather than 39 rules.
I assume this is what you meant.
Added up exported NISStats.txt file rules and came to 240.
In internet access control, I got 60 apps rules, 17 system wide rules and 64 trojan rules....

While I'm here, does anyone know how to view/change/delete the user created firewall alert rules that are created when you tell NIS to remember your response each time the particular inbound connection type is made ? It gets assigned to a group (general, NIS system keeping or whatever you choose) but you can't view the rules or even the groups.

 

morph000

Can you provide some more details to help us determine where things may have gone wrong.

- all rules present in NIS added by you
- did you use managed settings to import anything from one system to the other
- if you used managed settings, how many app rules were present in NIS when you did
- if settings imported, did they have any accounts established that may be causing a conflict
- the missing rules, how were they created, how were they removed

...just want to try and figure out where things may have gone wrong.

CrazyM

 

Okay, that means you may have an extra rule in System-Wide settings. I've got a default NIS 4.0x install on one of my machines (which happens to be a LAN client) and I only have 16 default System-Wide rules. If anything, I should have more, not less, system-wide rules than you do.

Any idea what the extra rule is?