Got Norton! Got Problem! BIG PROBLEM!

Discussion in 'other firewalls' started by HandsOff, Feb 22, 2004.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hey -

    I have Norton Personal Firewall 2003. I have it configured NOT to automatically configure access for "safe" programs. Instead, I've got to manually configure by having NPF scan for internet-enabled programs, and then I go down the list and make sure only the few programs that need to access the internet are allowed to do so automatically.

    If I have one complaint about NPF it is that it is quirky about granting programs automatic updates. I assumed I must be doing something wrong, perhaps doing an update, which was considered an installation granting the program rights to automatic internet connects, who knows, I didn't. Then I noticed something very disturbing. (First let me just say that I do not give ANY of my programs the ability to automatically update. Not XP, not anti-virus, nothing!) I use Adobe Acrobat Professional 6.0, but there is an Adobe Acrobat 4.0 listed, and it had access. Normally I would reset the access to "Block All", but in this case since I assumed the program was not on my machine at all I chose "Remove From List"...well it was back again today. In itself this is trivial but it opened my mind to the unpleasant thought that perhaps the programs that I was setting access for did not correspond to the list. That I was granting access to one program when I thought I was to another.

    Sound crazy? There is more. One of the programs that was granted "Automatic Access" to the internet was listed as

    "SYMANTEC NORTON WEB SERVICES",

    Yet, I could read its little yellow dialog pop-up balloon (metatag?) and it said:

    "C\PROGRAM FILES\321 STUDIOS\PCSETUP.EXE"

    I quickly found others that did not match! I was sure it was a mistake, so I performed this test: I went to C\PROGRAM FILES\321 STUDIOS\PCSETUP.EXE and I removed pcsetup.exe and put it in a new directory called "Ed Norton Works Here" and did another scan for internet-enabled programs. Result: SYMANTEC NORTON WEB SERVICES is listed again, as expected....only now the metatag lists its location as the new folder "Ed Norton Works Here".

    My conclusion, and I hope I am wrong, is that NPF is easily fooled into misidentifying programs that are being configured for internet access. Either that, or it is common knowledge that you need to check the metatags and whatnot, and I am just uninformed. Still, I have to believe that many others have been making some decisions based on false information, not just me. I feel this is important, but now I am asking you: should people be aware of this?

    -HandsOff
     
  2. HandsOff

    HandsOff Registered Member

    A picture paints 1000 words:


    The program pointed to is NOT part of Norton; it is what the little balloon indicates, a web-enabled component inside the 321 Studios directory.

    Any idea why?
     

    Attached Files: 2.jpg
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    This is usually a good choice if you want to keep track of what programs are accessing the network and not allowing NPF to silently create rules for those things it has preconfigured rules for.

    My preference for full control when using NIS/NPF is to disable automatic program control, do not use the program scan and just let NIS/NPF prompt for anything wanting access and create custom rules at that time. That in addition to customizing the general and trojan rules.

    Not sure what you are getting at here.

    If a program has an auto update feature and NPF has preconfigured rules, it can create automatic rules for that.

    After a program updates NPF may prompt or create new rules if the .exe signature has changed. This is normal and by design.

    Entirely your choice. Safe rules can be configured for live updates.

    I have seen the auto rules not correctly identify the version, but the full path to the .exe has been correct and you can use that to determine the rule(s) are for your version 6 and not a nonexistent version 4. It could be a matter of the automatic rules needing updating.

    Any idea how that rule got there if you are not using automatic rules or what you were using if prompted?

    If you were prompted for a rule, is it a matter of the description not being properly defined when the rule was created?

    Could be an issue with the automatic rules database, in which case you may want to send an e-mail to Symantec.

    There have been noted incidents of rules corruption in NIS/NPF. Unfortunately with the later versions (2002Pro and above) there is no easy way to confirm or troubleshoot this. If you encounter a rules corruption issue now, if deleting the rule does not resolve it, you are usually looking at an uninstall and reinstall of the program.

    Delete the rule and see if you are prompted again and if the same error occurs.

    Sounds like this could be an issue with the program scan/automatic rules. As above, you may want to clarify with Symantec.

    Regards,

    CrazyM
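
An added illustration, not part of the thread and not Symantec's code: a toy rule store that identifies programs by content hash, which is one assumed way to get the behaviour described above (the label followed pcsetup.exe into its new folder, and a changed .exe leads to a new prompt). `RuleStore`, `fingerprint` and the sample file bytes are hypothetical and constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

def fingerprint(path):
    """SHA-256 of the file contents; independent of file name and folder."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

class RuleStore:
    """Hypothetical rule list keyed on content hash, remembering the last path."""
    def __init__(self):
        self.rules = {}  # fingerprint -> {"label", "path", "action"}

    def add(self, path, label, action):
        self.rules[fingerprint(path)] = {"label": label, "path": path, "action": action}

    def check(self, path):
        """Return (status, label); status is 'match', 'moved' or 'prompt'."""
        rule = self.rules.get(fingerprint(path))
        if rule is None:
            return ("prompt", None)          # new or changed binary: ask the user
        if os.path.normcase(rule["path"]) != os.path.normcase(path):
            return ("moved", rule["label"])  # same bytes, new folder: label follows
        return ("match", rule["label"])

def demo():
    """Constructed file stands in for pcsetup.exe; returns the three check results."""
    root = tempfile.mkdtemp()
    exe = os.path.join(root, "321 Studios", "pcsetup.exe")
    new = os.path.join(root, "Ed Norton Works Here", "pcsetup.exe")
    os.makedirs(os.path.dirname(exe))
    os.makedirs(os.path.dirname(new))
    with open(exe, "wb") as f:
        f.write(b"MZ constructed sample bytes v1")
    store = RuleStore()
    store.add(exe, "SYMANTEC NORTON WEB SERVICES", "permit")  # mismatched label, as in the thread
    results = [store.check(exe)]
    shutil.move(exe, new)                    # the folder move from the first post
    results.append(store.check(new))
    with open(new, "ab") as f:
        f.write(b" patched")                 # simulate an update changing the file
    results.append(store.check(new))
    shutil.rmtree(root)
    return results

if __name__ == "__main__":
    print(demo())
```

The "moved" result is the case worth auditing: a permit rule keyed only on content keeps applying wherever the file lands, so the full path shown in the balloon is the field to compare against the label.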
     
  4. HandsOff

    HandsOff Registered Member

    Crazy M -

    Thanks for the suggestions and input. In comparing all of the items in the internet-enabled manual configuration list I found quite a few that were not quite what I thought they were, though in most cases the problem may have been in my interpretation. The good news is that having the yellow tags and the description Norton uses in its list is almost like having two separate pieces of information which can be checked against each other, and between the two, you can learn what some of the crazy-sounding labels refer to (for example Norton lists Microsoft Betriebssystem, whereas the yellow tag says ntvdm.exe. Well, I had no idea what Betriebssystem meant, but I did recognize ntvdm.exe as XP's "Virtual DOS Machine").

    Other than that, there are some that are slightly inaccurate, and some that just were a little surprising. I would definitely say anyone with Norton may want to look closer.

    Why did I do the scan in the first place? Actually, it just fascinates me how many programs are internet enabled. It's a trend I don't like. I would rather just download updates on my own. Also just wanted to identify some program labels so I would recognize them....

    However, the thing with 321 Studios bothers me. In fact 321 Studios is starting to bother me....I will try to get Norton's take on it. Also curious if anyone else had anything similar.

    I just wanted to post one more example though to sort of clarify what I meant by confusing. Not too long ago I used Veritas software for burning CDs and DVDs. So I assumed the following was related to that software. To me it's confusing!

    Thanks Again, HandsOff
     
