Is This Proof Norton AV Is Phoning Home With My Email?

Discussion in 'other firewalls' started by AlamoCity, Oct 17, 2007.

Thread Status:
Not open for further replies.
  1. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Re: Proof Norton AV Is Phoning Home With My Email


    74.53.181.82 is s12.sitemeter.com

    I suggest you download Superantispyware and do an online scan at ESET.
     
  2. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    Hi Stem,

    I blocked Symantec in my firewall a few months ago to stop it from phoning home my Web site viewing history. So sending out logs in packets as part of a DLL process may be the only option available to them, IF they are in fact spying.

    After reading your post, I agree 100%. Based on the small size of the syn packet, there would be no point. But like you said, after the "ack packet" is received, "then data transfer will be made" -- which means those "data transfer" packets could contain logs of virtually anything. Perhaps those data transfer packets that were set to be sent out are still on my hard drive, and they contain logs.

    I know you indicated that the syn packet wouldn't be on my system, but what about the data transfer packets? Would I be able to find them on my hard drive using a packet sniffer? As perhaps they're just "waiting" for another opportunity to slip out.

    Also, would you happen to know what type of file is typically used for spy logs? And whether there is software available that I could use to search inside such logs for keywords from that email?

    Thanks very much for taking the time to provide this information, it is very educational. I hope a lot of other people will be able to benefit from it as well.
     
  3. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    Hi Escalader,

    I knew that, I just didn't know the purpose of the Sygate packet being sent out in response to the DLLs.

    That doesn't do any good. Because all a spy has to do is have the packets containing the logs of your activity sent to their server, period. Email programs are not necessary for them to read the email you send or receive.

    My firewall keeps my PC very secure -- that's one of the reasons why I've been able to get by without an AV program for long periods of time. But when you have a so-called legitimate program on your PC that is slipping logs out disguised as normal traffic, I don't think any firewall can be programmed to prevent that.

    NAV is a good example, in that it admittedly phones home logs of the web sites you visit. But I've certainly never been able to distinguish these outgoing logs from any other traffic. I guess you could if you examined all outgoing traffic with a packet sniffer.
     
  4. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Thanks for the interesting info. Your explanation sounds very logical -- the words in question winding up in the outgoing packet is simply the result of them being in ram. (In addition to a bug, as Stem said.)
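Added example, not part of any post in this thread: one way to check a captured outgoing SYN for the kind of stray text discussed above. It assumes the words sat after the TCP header, either as segment payload or as frame bytes beyond the IP total length; the frame builder, addresses and sample text are constructed for illustration.

```python
import struct

def inspect_frame(frame: bytes) -> dict:
    """Split an Ethernet II / IPv4 / TCP frame into SYN flag, TCP payload and trailer."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # where the IP datagram really ends
    if ip[9] != 6 or ihl < 20 or not ihl + 20 <= total_len <= len(ip):
        raise ValueError("not a well-formed TCP segment")
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    if not 20 <= data_off <= len(tcp):
        raise ValueError("bad TCP data offset")
    flags = tcp[13]
    return {
        "syn": bool(flags & 0x02) and not flags & 0x10,   # SYN set, ACK clear
        "payload": tcp[data_off:],    # data carried inside the segment
        "trailer": ip[total_len:],    # frame bytes after the datagram (padding)
    }

def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII, like the `strings` utility."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the final run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs

def syn_leftovers(frame: bytes) -> list:
    """Readable text found after the TCP header of a pure SYN (normally none)."""
    info = inspect_frame(frame)
    if not info["syn"]:
        return []
    return printable_runs(info["payload"]) + printable_runs(info["trailer"])

def build_syn(trailer: bytes) -> bytes:
    """Constructed sample: bare 40-byte SYN (no options, checksums zeroed) + trailer."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp + trailer
```

An all-zero trailer is ordinary padding and yields an empty list; readable text in the trailer of a SYN is leftover buffer contents rather than a deliberate transfer, since no connection exists yet to carry data.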
     
  5. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    Thanks for the information. Here's a quote from sitemeter.com:

    "Site Meter's comprehensive real time website tracking and counter tools give you instant access to vital information and data about your sites audience. With our detailed reporting you'll have a clear picture of who is visiting your site, how they found you, where they came from, what interests them and much more."

    Hmm, "much more" sounds kind of ominous from the perspective of the "audience" being "tracked" -- like me. I wonder if they'd respond if I asked them why my firewall was trying to send them packets from my computer. And whether the packets contained the "much more" alluded to on their home page.

    Thanks for the recommendation. It looks like a good program -- one that I would have picked after hours of research.
     
  6. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    I'm quoting myself because I don't see any way to edit this post -- there's no edit button visible on my browser.

    Obviously you can use your firewall to block any program from phoning home. (Whether it would still be able to sneak logs out even though it's "officially" blocked, I don't know.) What I meant to say is that I don't think any firewall can be programmed to prevent unblocked programs from sending their spy logs out via normal network traffic.

    For example, since your AV program has to be updated every day, it has to remain unblocked. Thus it would be the perfect program for unscrupulous software companies to use to log everything you do. Whether it was for their own commercial benefit, or to kiss up to a government agency in exchange for various "favors."
     
  7. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,163
    Location:
    USA still the best. But barely.
    Haven't we named the folly yet? Time to put this one to bed. :doubt:
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Proof Norton AV Is Phoning Home With My Email

    Hi AlamoCity:

    Posts here are edited by the poster themselves. Look at the lower right hand corner of your own post and you will see an edit button.

    Members here have made many many suggestions. There is no such thing as perfect www security. It doesn't exist. Except pulling the plug.

    99.9% of the members here run a top flight AV of their choice. For a long while your set up lacked an AV. That was a big security error IMO.

    Which AV/ASW/HIPS combo have you installed now and used?

    FW's should block in and out by binding an application in the FW to a specific ip/ port range and prevent any other application from using that to connect out. If it is a good FW only the connections you permit and have rules for will occur. It is those rules that allow data in and out. All other attempts to connect will be blocked.

    It's true that once an application is granted internet access it will be able to send and receive packets (and send email if you don't restrain it). In the case of auto updates, you can turn those off and limit access by doing a manual update to a specific IP. So only trusted applications should be used.

    Now if Norton is a "spy" and it is building up logs to send to Mr Gates, when you allow an update, the evil program code could send those logs out! This is true of any evil program. WE can do zip about the code attempting that.

    Users must trust but verify their 3rd party via testing that their software is behaving properly and not doing unauthorized phone homes.

    There is a product called PeerGuardian 2 that deals with blocking millions of ip's for us. Try it. You can block M$, Government, Norton etc. It is independent of all the other software. But guess what, you have to trust it.

    Finally, Stem provided you a reasonable suggestion to do some packet filtering. That is what you should do and report back your findings. IMHO.
    Paranoia drains time and energy best invested in implementing many of the recommendations from your thread.

    Good luck,
     
  9. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    Thanks for advising me to look on the right hand side -- I would never have thought to look for it there. Due to my 50 IQ and advanced Alzheimer's disease, I thought that if an edit button wasn't on the left side, it simply didn't exist. :D

    Seriously, it's not there. I promise you. The only thing there is a quote button. Maybe Firefox is on a semi-strike due to my maxed out ram or a bug.

    What good is it? People who use XYZ as their AV program can't block its IP because they need updates on a daily basis. If the government is blocked, they'd just open an account at a hosting company in which the IP's aren't blocked.

    You must have dreamed that. This is what he said: "Can you run a packet sniffer, to try and catch this? (if it happens again)" Note the part in red.

    What security software do you use on your system?
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Proof Norton AV Is Phoning Home With My Email



    Hmm, interesting, I use FF and have the edit button lower RH corner of all my posts just to left of the quote thingy. You could check the FF ABP to see if your FF has that edit blocked somehow.

    Yes, as I said in my post.

    As to what good is it, well I'm not the marketing guy for the PG 2 tool.
    It blocks in/out from YOUR PC to millions of ip's you or I would not want to send to! Why not assume that there is some value in it since Stem suggested that I use it that maybe just maybe there might be some use for it!

    If you don't want to run a packet sniffer, dreaming or not then don't. It is of course your pc and your problem.

    I don't know if you really want to know, but I've already posted on my set up and you can see it here:

    https://www.wilderssecurity.com/showthread.php?t=188008
     
  11. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    I just asked you a simple question, you don't have to get all huffy about it. Did you take an irritable pill or something? :D Also, since Stem didn't make the suggestion in this thread, why not just assume that I wasn't aware of it. :rolleyes:

    As you know, it has nothing to do with whether I want to run the program or not. The issue is what Stem said. In your summation of this thread, you stated something that wasn't true, and I was merely pointing this out.

    Stem indicated that packet filtering would only serve a purpose "if it happens again", which means that installing and using the program at this point would be a waste of time. Which is why I asked him the follow-up question about the data transfer packets.

    I can't install anything now anyway, as I have too many important web sites open that I'm working with, and my ram is maxed out thanks to the FF memory hog. It's using over 700,000 KB of ram right now.

    If I didn't really want to know, I wouldn't have asked. :D In the above referenced thread, you state that your security set up is as follows:

    All I'm using is Sygate -- and you seriously think I'm the one who's paranoid? ROFLMAO!!

    You've obviously been following this thread closely, so in light of my response to RarelyConfused in post #61, your above paranoia comment was extremely inappropriate and totally uncalled for. As I previously explained, this thread is about exposing what I perceived to be spying. It simply illustrates that I'm methodical and that I 'leave no packet unturned' when I'm checking something out.

    Before judging and labeling someone else, you should review some of your own posts and evaluate your apparent obsession with security. This thread represents my only posts since 7/19/2007. And it pertains to an exploit that I thought had actually occurred -- whereas you seem to be consumed by things that might happen. So perhaps you should consider following your own advice, because paranoia drains time and energy best invested in living your life.

    And I'm still not 100% convinced that an exploit of my firewall didn't happen. As the three words added to the end of the syn packet could have leaked out of the data transfer packets due to a bug in Sygate. Meaning the data transfer packets could contain a huge log of many of my emails for all I know. So this is a good opportunity to check those packets out if they're recoverable.

    Given the other circumstances involved in this situation, I think it's worth investigating further, hence my follow-up questions to the firewall expert. Now that I've posted my rebuttal to the paranoia allegation you were parroting from "Confused", maybe Stem will reconsider whether a response to my questions is warranted.

    I realize that you have to have the last word, but please try to control your impulses for a few days in order to give him an opportunity to respond. As he may not want to step into what he perceives to be a playground, in which children are arguing back and forth. And although you obviously consider yourself to be a "security expert" (based on your paranoia remark), I can't conclude that my smoking gun is a dry squirt gun until the real expert responds.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Proof Norton AV Is Phoning Home With My Email

    No, there will not be any packets.
    If there was a "Spy log", this could be any name, with any extension (so the file type could possibly be anything). There would also be the possibility that if there was such a file, then it could be hidden.

    Are you still set up with Norton?
     
  13. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Re: Proof Norton AV Is Phoning Home With My Email

    Thanks very much for the response. Yes, NAV is still on my system, but it won't do anything since the subscription is expired. I also have Norton SystemWorks on my system.

    By hidden, I'm assuming that you mean invisible, and that keywords probably can't be located inside of files that are invisible?
     
  14. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    433
    I'm not even going to waste time reading the whole thread, but...

    If I was using the buggy IE7 and using an obsolete firewall and using a Norton app that was probably released before IE7 and not updated in months I would EXPECT to get all kinds of weird stuff happening. You sound surprised. Naturally, it raises other questions, but I won't be back to your thread to see the answers:

    -are you still giving the machine internet access? If so, why?
    -any errors in the XP event log?
    -have XP error reporting turned on?
    -any other "reporting" stuff turned on (ie. Norton, Microsoft apps)?
    -did you upgrade to the buggy IE7 direct from IE6 or via an even buggier IE7 beta?
    -why don't you take steps to keep your machine clean (ie. regular drive imaging, clean installs integrating SPs/updates/etc. , reverting to old image if new software unsatisfactory, running a good antivirus program, checking internet for problems before installing major software releases, using updated software when it is stable for compatibility reasons, etc.)

    These are things you can do for yourself so you won't have to come to a forum like this asking for members to guess what is going on in what must be a very messy PC.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Proof Norton AV Is Phoning Home With My Email

    Hello Alamo:

    I upset you and that is too bad. It was not my intention.

    You started this thread in an open forum, but the personal attack on me is just too much; it is uncalled for and unacceptable IMHO.

    I answered your questions, made suggestions, and yes I have more than a FW on my PC so if that proves I'm paranoid (suffering from unreasonable fears) then you are correct. Others can decide that.

    You have an unresolved issue yet seem unwilling to do anything about it.
    That is not sensible.

    So, I bid you and this thread a permanent goodbye.
     
  16. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    He's using FF, but you won't see this lol
     