Is This Proof Norton AV Is Phoning Home With My Email?

Discussion in 'other firewalls' started by AlamoCity, Oct 17, 2007.

Thread Status:
Not open for further replies.
  1. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    I agree. Thread title changed.
     
  2. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Apparently it has piqued your interest enough to follow this thread.... The way I see it, a lot of the members here, including myself, are caught up in the paranoia from time to time. What most of us do is ask about it at this forum, and eventually come up with some sort of solution to the situation. Most of the time other "helpful" members pipe in with wise words, as they usually remember being in a similar situation. It's all part of the learning experience. MOST members are usually more than helpful to another fellow member. Wish you luck in resolving this matter, Alamo City. Just my 2c
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Proof Norton AV Is Phoning Home With My Email

    Hi Midway:

    Interesting. You provided the description of the exe and I provided the name of the exe for precision.

    I followed the URL you gave the thread and it led me to download the exact same exe as I provided earlier. I got the first removal tool by trying to run my old one, and that pointed me to a different site at Norton that simply allows users to download the newest version of the:

    Norton_Removal_Tool.exe

    It is version 2008.0.1.19, 977 kb and created 10/01/2007.

    I keep this on file in case I need it to help friends and neighbours.

    Symantec should be credited with providing a removal tool and making it immune to becoming obsolete when users like me try to run an older version!

    On the other hand, it must reduce their effort by cutting back on calls to help users remove corrupted copies of NIS etc.
     
  4. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I only made mention of it since a lot of other sites that show up in a Google search (MajorGeeks, Tucows, Softpedia, etc.) also host SymNRT, which may or may not be the latest version. Best to get it from the source, eh? :)

    Also I just wanted to emphasize that it does not replace Add/Remove as it has caused problems with me in the past using it in that capacity. I got "scolded" by Symantec for using it like this, lol.
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Sygate should not be associated with Symantec (Norton). At least not the firewall 5.5 versions, but I think also not the 5.6 "betas" that have Windows Security Center recognition. Symantec just bought Sygate and killed it, and also the forum of the firewall, with lots of good information gathered there over the years.

    DLL authentication is something I never bothered to run and left it unchecked with my SPF firewall.
    Same as with Comodo 2.4. I left that feature in a learning mode, that means basically off.

    Lots of paranoia can be caused by firewalls' prompts and that packet log used by the original poster. My humble suggestion is just to use whatever Norton removal tool is available to get rid of it. Symantec cripples a lot of computers, as it does to my work portable one. It is not mine, so I am careful what to do since there is some important information on it. Someone installed another antivirus and had not removed all of Symantec and bingo, it takes something like 15 minutes to boot up.
     
    Last edited: Oct 20, 2007
  6. wat0114

    wat0114 Guest

    Re: Proof Norton AV Is Phoning Home With My Email

    The detailed info in the screenshots in your first post are IE related, so I don't know about any confusion ;) All I did was post what I think may have happened. It's only my theory. However, the important thing is you posted a valid concern and hopefully a valid conclusion will result in this thread. I'm following it in hopes of learning something. Stem has dropped in so things are looking up :)
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Monty, if you're speaking of me, I do try to be helpful most of the time as much as possible, but in this case, things just seemed to be so over the top that I felt compelled to make a few perhaps harsh comments. If I offended anyone, particularly AlamoCity, I didn't mean to, just trying to post what I thought was the truth.

    At any rate, carry on guys, and excuse me if I came on too strong earlier... no harm intended...
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Midway:

    Good stuff! Always best to get SW from source, no doubt about that!

    No need for your supplier Symantec to scold you! If their SW didn't require special uninstall procedures they wouldn't have the problem. That problem belongs to them, not you or any other customer!

    These big outfits get to think they own the world and bully customers!
     
  9. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I say "scolded" because my tech was an Indian who has not quite grasped the "nuances" of the English language. Luckily we do not have such difficulties between us Yanks and you Canucks, eh? :D
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Glad to hear it!

    A lot of these help centres are now outsourced and off shore!

    Their main problem is lack of language skills and an attitude issue in some cases, to say nothing of their knowledge. e.g.

    Q= does your Norton av phone home without authorization and if so why?
    A from off shore help centre= have you cleared your cookies sir?
     
  11. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    Out of the countless thousands of FBI agents in the U.S., a night watchman is the one who discovered the Watergate conspiracy.

    RarelyConfused, this appears to be one of the "rare" times that you're confused, as I've made it clear throughout this thread that Symantec's involvement in spying is pure speculation on my part, and that there is no real evidence.

    Are you still confused, or are you just parroting what Kerodo has already said? Because the paranoia allegations were thoroughly covered in post #42, almost a full hour before you posted. Anyone who read that post and still attributes my suspicions to paranoia has zero understanding about big business in America. As there are a lot of advertising related companies that pay out millions of dollars a year for information that pertains to the buying habits of consumers and what they do online.

    Again, my suspicions were based on Symantec's insistence on logging the web sites "their millions and millions of customers" visit. Simple common sense dictates that any company that logs the web sites "their millions and millions of customers" visit would also be interested in what they write while on those sites, so they can scan for specific keywords. The notion that a huge corporation wouldn't care about what their customers type while online is extremely naive.

    That's a valid point, but you're assuming that the suspected keylogging has been going on for a long time. You're also assuming that it can be detected by more than luck. As I just happened to notice three words in a firewall packet that I had just used in an email. If those words had all been common words, I wouldn't have paid any attention to them.
     
  12. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    Good suggestion on the online scanning, but if I had a virus there would be obvious symptoms/problems -- and my PC is functioning fine. And if I had a trojan, my bank accounts would be empty (in most cases). Maybe I've just been lucky so far. That's why I'm going to start using an AV again as soon as I reformat.
     
  13. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    Hi Stem,

    Thanks for your response. So what does your diagnosis indicate? Could the "incorrectness" be attributed to my version of Sygate being 3-4 years old, and perhaps they used different methods back then? Or could it mean that my firewall is being manipulated by a hacker (or large corporation)?

    As for the packet length, I know nothing about packets -- could you tell me if the screenshot represents the entire contents of the packet? And what quantity of data the packet consists of? In other words, could it be just a paragraph of text from my email?

    By "hex" dump I guess you mean the binary dump? What does the "incorrectness" indicate to you?

    Sure, I can download a packet sniffer and have it ready. I guess the objective would be to run the program before clicking the no button on the Sygate alert? And the packet sniffer program will enable me to make a copy of the packet and see the contents? Will a lot of other packets show up in the log of the packet sniffer? If so, how would I locate the one Sygate is referencing?

    Is there anyway I can use a packet sniffer or file recovery program to find the existing packet that's in the screen shot?

    I'm sure you're too busy to answer a lot of questions from one person, so any of the additional questions that you can answer would also be greatly appreciated:

    1) What exactly is the purpose of the packet? If I had clicked yes on the Sygate alert, would the packet have been sent to the destination IP?

    2) Is there a logical explanation for why the packet would contain my keystrokes? As that's basically the whole issue this thread is about -- the fact that content from my email wound up in a firewall packet that was presumably going to be sent to a server at a hosting company.
     
  14. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Thanks very much, now I don't feel like such an idiot. This thread has been a lesson to me about jumping to conclusions based on assumptions.
     
  15. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Well said monty, and thanks. Actually, I don't see why the critics would be so quick to chalk it up to paranoia anyway. I simply don't like software companies using their programs to surreptitiously spy on their customers -- and I know for a fact that it occurs. It's a blatant invasion of privacy, and when I see something that might be a smoking gun, I'm going to shine a bright light on it. So this thread is 100% about "exposure" rather than paranoia.
     
  16. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    DLLs can contain trojans -- this is an established fact. And of course, ANY web site you visit can load a DLL onto your computer if you have DLL authentication disabled.
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Proof Norton AV Is Phoning Home With My Email


    Hi AlamoCity;

    I would hesitate to try to teach you here about packets because I am in learning mode on those still.

    I can tell you that ALL data entering your PC and leaving it travels in packets. They are like postal packages with address (IP's) on them. That is how the www works. So your email strokes and all our email travels in packets.

    What you need to do is put a rule in your FW set that ensures that only your email client (eg Outlook etc) can send email and that Norton software or any other software you have cannot send email from your PC!

    To do that, you need to enter the world of firewalls and secure your PC from potential leaks. Have a look at the FW learning threads.

    Anyway, that is my suggestion.

    For me security has 2 main pieces:

    1) Privacy, what your thread here is about happens to be an email issue
    2) Intrusion prevention (FW again), Intruder detection and removal.
     
  18. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I might offer an explanation, but without more information I can't say I'm sure. The part of the packet's payload in question ("mimic a DOS") is just a leftover from memory, which was used by your OS because it needed padding. Let's suppose the network packet was created at a memory location previously used by your email program, and because of poor programming, that memory location was not erased first. If the information was not overwritten by anything useful, you will end up with a packet with "weird" stuff inside.

    Edit: I just analysed your "binary dump of the packet" from Sygate a bit. At offset 0010 you have the value 0030, which means a length of 48 for the IP part of the packet. The Ethernet header is 14, so you have a 62-byte packet. But Sygate reports a 76-byte packet. So there are 2 possibilities: Sygate is wrong, and it just did what I said before (added information to the log which was not supposed to be there), or your OS did that.

    PS: I hope I was clear (I'm not a native English speaker), but if not, I'm happy to try to explain more clearly. :)
     
    Last edited: Oct 21, 2007
  19. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Probably Sygate showed the dump of the wrong packet because of some weird bug.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Proof Norton AV Is Phoning Home With My Email

    Hi AlamoCity,
    The packet should still be the same format.
    I would not think so. If an AV wanted to send out any of your data, it could do this during an update, or simply directly send this. I cannot see data being added to the end of a syn packet. This to me, looks more of either a bug in the firewall or some conflict on your system.
    A packet consists of a header; this is the information about the MAC address, IP, ports (to/from) etc. I have added your pic to show you. In blue is the header info. In red is the data.

    packet.JPG

    Your firewall does state that there is no data.

    It is actually a "hex (hexadecimal) dump", but we can call it (as your firewall does) a "binary dump".
    As this is incorrect, then as I mentioned, it looks like a bug.

    A packet sniffer/capture program will by default catch all packets. If you use a packet sniffer such as "Ethereal" then you can filter out what is not wanted. But even so, all packets will be time stamped.

    No, this info will not be on the system

    Yes, but the packet in question is only the start of the connection. Any info would be sent after the connection is made.

    Basically, for TCP: your browser (or whatever program) will first send a SYN packet (as shown in your post). If the site (or whatever IP) is accepting inbound connections then there will be a reply made, a "SYN ACK" packet, and your own program will acknowledge this by sending back an "ACK" packet. Once this is done, then data transfer will be made. (A more detailed explanation can be found; do a web search for "3 way handshake", one search result here, look at number 5 TCP operation.)

    In this first packet, no. If a program was monitoring keystrokes and then sending this info, I would expect any data to be in later packets.
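    Added example (not part of this thread, and not Sygate's or Symantec's code): a small Python parser that does the arithmetic Nebulus and Stem apply above. It reads the IP total length at offset 0x0010 of an Ethernet frame, adds the 14-byte Ethernet header, and treats anything past that as trailer bytes that were never part of the packet; it also checks that the frame is a bare SYN with no TCP payload. The frame is constructed here, not captured: a 62-byte SYN with MSS/SACK options, followed by a 14-byte trailer so the buffer comes to 76 bytes, the size the screenshot reported. The trailer text, the addresses and the ports are assumptions for the example only.

```python
"""Check the length arithmetic from the Sygate dump on a constructed frame."""
import struct

TCP_FLAG_NAMES = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
                  (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when run over a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed 62-byte Ethernet + IPv4 + TCP SYN with no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # TCP options: MSS 1460, NOP, NOP, SACK-permitted -> 8 bytes, data offset 7
    opts = bytes.fromhex("020405b4" "0101" "0402")
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 0x1000, 0,
                      (data_off << 12) | 0x002,   # flags = SYN only
                      65535, 0, 0) + opts          # TCP checksum left 0 (not verified here)
    total_len = 20 + len(tcp)                      # 48, the 0x0030 seen at offset 0x0010
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


# Assumed bytes a logging tool might append past the real packet (constructed).
TRAILER = b"mimic a DOS..."


def hexdump(data: bytes) -> str:
    """Offset-prefixed dump, 16 bytes per line, like the firewall's screenshot."""
    return "\n".join("%04x  %s" % (i, " ".join("%02x" % b for b in data[i:i + 16]))
                     for i in range(0, len(data), 16))


def parse_frame(frame: bytes) -> dict:
    """Split a buffer into header fields, TCP payload and trailer bytes."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet + IPv4")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ver_ihl, _tos, total_len = struct.unpack("!BBH", ip[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("inconsistent IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return {
        "src": "%d.%d.%d.%d" % tuple(ip[12:16]),
        "dst": "%d.%d.%d.%d" % tuple(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq,
        "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
        "ip_total_length": total_len,
        "wire_length": 14 + total_len,        # what the headers say was sent
        "payload": tcp[data_off:],            # application data inside the packet
        "trailer": frame[14 + total_len:],    # bytes beyond the packet, never "in" it
    }


if __name__ == "__main__":
    buf = build_sample_frame() + TRAILER
    print(hexdump(buf))
    info = parse_frame(buf)
    print("buffer %d bytes, headers account for %d, trailer %d, flags %s, payload %r"
          % (len(buf), info["wire_length"], len(info["trailer"]),
             info["flags"], info["payload"]))
```

    Running it prints the dump with "00 30" at offset 0010 and reports a 76-byte buffer of which only 62 bytes belong to the SYN. A 62-byte frame is already above Ethernet's 60-byte minimum (without FCS), so link-layer padding cannot account for the extra 14 bytes either; a receiving IP stack uses the total length field and discards anything past it, so trailer bytes in a log are not data that was delivered to the remote host.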
     
  21. controler

    controler Guest

    Stem

    Do you recommend using the old Ethereal or the new Wireshark?
    I used both but never really got the hang of all the features.
    It seems Wireshark has more wireless features?
    I was going to correct the Binary dump thing but see you already did :)
    It is funny how many people still don't know the difference between binary and hex.
    The teachers made us convert back and forth between the two manually when I was in electronics school just so we had a grasp on how it worked, then of course later they allowed us to use a calculator LOL
    The info on a hard drive is binary while the number you enter into your wireless router for wep is a hex number.

    binary is 1's and 0's

    Binary 1 = 1000
    Binary 2 = 0100
    Binary 3 = 1100
    Binary 4 = 0010
    Binary 5 = 1010

    etc.
    As can be seen the first place is 1's place
    second place is 2
    third is 4
    fourth place is 4 and so on

    so counting goes 1 2 4 8 16 32 ect

    Now as an oversimplified explanation: an electronic device sees a 1 as a logic high and a 0 as a logic low, 1 being say +1.5 volts DC while a 0 is anything under that 1.5 volt threshold, say +0.75 volts.
    Anyhow, here I am rambling again LOL

    This info was not for you Stem, but rather a refresher course for newbies.
    Won't go back into how many bits = a byte and how many bytes = a word LOL


    http://www.wireshark.org/

    Bruce
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do forget about "Wireshark"; I do not actually remember using that. I use a packet analyzer I purchased some time ago. It's just that when I think of a free packet sniffer, I always think of Ethereal.

    Your teachers would not be happy with you,... you have placed the binary in reverse. (the count starts on the right)

    Binary 1 = 0001
    Binary 2 = 0010
    Binary 3 = 0011
    Binary 4 = 0100
    Binary 5 = 0101

    Regards,
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    You were very clear.. :)

    Actually, this is quite possible indeed, I have seen this in disk sectors and viewed similar in hex editors in the past. Obviously disk sectors are another animal but in theory this might explain things... I suspect there are many possible technical reasons why that information showed up in his packet.
     
  24. controler

    controler Guest

    Oh God I am bad

    Yes you are right on the order of the 1' and 0's

    I have to use the reverse for work at my company to set up SIB cards for slot machines. They for some reason have it reversed and that is set in my mind now. sorry.
     
  25. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    So there was no evil plan. Drat. :D

    Just like I thought. :cautious:
     
    Last edited by a moderator: Oct 22, 2007