Norton Firewall fails Norton's own test.

I recently upgraded my computer and I re-installed Norton Internet Security which I had bought in February 2005. I ran Live Update and brought it up to date. As my previous version of Norton Utilities was not compatible with Windows XP I looked at the Symantec web site with a view to purchasing the newer version.
I noticed that Symantec were offering a free Security Scan so as I thought my computer would pass I tried the Scan. To my surprise it failed as I was "At Risk" from "Hacker Exposure" on Ports ICMP, 22 and 80. I have looked at the configuration of my Norton Firewall and as far as I can see it is configured correctly. I wonder how many computer users with Norton Internet Security would also fail this test. It does seem odd though that Symantec would offer a free Security Scan when it's own Firewall would fail so I am wondering whether I have not done something which I should have done, it seems OK to me though. I cannot see anything on the Symantec web site that advises me to do anything which I have not already done, perhaps it feels I should buy a Norton Firewall!!!. Roger100

 

Hi Roger100,

Welcome to Wilders!!!

Since your thread is not about L'n'S firewall, I have moved it to the other firewalls forum ...

 

Norton firewall, not LnS

 

Hello Roger,

It appears NIS is not functioning properly on your PC. Under normal circumstances, it will give a stealth result at Symantec's and other testing sites. Unless you've already invested in the new NIS, you can uninstall NIS and try ZoneAlarm or Sygate or LnS -- those should give you stealth results as well.

Warmly, Ran

 

As I only bought NIS in February 2005 I am reluctant to get rid of it so soon. I run Windows XP on my new hard drive and Windows 98SE on my original hard drive but I get the same result which ever hard drive I am using when I go on line to do the Security Scan. I presume I would be unable to keep NIS but also use Zonealarm Firewall as well. Roger

 

Hi Roger,

Welcome to Wilders'

Have you tried uninstalling NIS, then after rebooting reinstalling NIS? Something may have gone wrong with the installation.

Steve

 

Hi Roger

Anything else in the mix like a router?
When you did the test did you see the scans showing up in the NIS logs?

Regards,

CrazyM

 

I have uninstalled NIS and then reinstalled, downloaded all the updates. Re-tested, same result. I phoned Symantec UK and was informed that it was nothing to do with my Firewall as what ports were open was down to my Internet Supplier, NTL.
This seems rather strange but as I purchased the Firewall and AntiVirus software in February as part of a package I can't have one without the other. It seems therefore that I may have to purchase a new AntiVirus programme and then download say ZoneAlarm. However, if what Symantec say is correct then this would make no difference to what ports were open and I would still be at risk from Hackers.
I have not got a router as far as I am aware although I do have two hard drives, I did not see the NIS logs. Roger

 

If it fails its own test, try a second opinion:-

https://image.grc.com/x/ne.dll?bh0bkyd2

http://www.pcflank.com/about.htm

If these still show you as having open or unstealthed ports, check to ensure you are not allowing 'Server' rights and try again.

If necessary you can determine what apps are using these ports by checking with 'Active Ports' http://www.snapfiles.com/get/activeports.html

or SysInternals' TCPView http://www.sysinternals.com/Utilities/TcpView.html

 

Try contacting Symantec again as you may have have gotten a tech support guy who doesn't know which end is up. It happens sometimes with various manufacturers. He probably does not know what the problem is,but won't say that.

 

With Symantec it happens rather a lot. I've had some dire experiences at the hands of their so called Tech support; so if it is costing you money to pick up the phone to them, you are probably wasting it! You'd be better off spending that cash on a more reliable product than enriching Symantec any further!

 

Thanks for that. I used pcflank and got the following result
"The test has found that the IP address used by your computer cannot be scanned. This commonly occurs because of a firewall program on your computer and/or you are connected to the Internet through a proxy-server or your ISP uses Network Address Translation (NAT) to share IP addresses.

This means the test cannot check your system as the results of the testing would be incorrect".

I assume that means that despite what Symantec said my Firewall is OK, is that correct?. Roger

 

I have found that PCFlank does not always give the correct result. I think sometimes it is seeing the ISP rather than you. The link given for GRC is much better.
https://image.grc.com/x/ne.dll?bh0bkyd2

 

This is possible as some ISP's will filter certain traffic at their borders. You could try contacting your ISP tech support and ask if they are doing any filtering that could explain your results.

If your ISP was filtering certain traffic this does not put you at risk, your system would not see those packets, but your firewall would still deal with everything else.

Does your modem do any kind of NAT? To rule this out check the IP of your system, is it a private one (10.x.x.x 192.168.x.x)?

Checking the logs would help troubleshoot this issue and determine if the firewall is seeing these scans and to what ports. You will need to check the firewall log and IDS log.

Regards,

CrazyM

 

Unfortunately, it merely means that the test was not possible on your system. Which might, or might not, mean that the Symantec test was also invalid.

Following CrazyM's advice, and checking the FW logs, would be the best thing to try.

 

I have just done all the tests at image.grc etc and my system achieved a perfect "True Stealth" rating. So despite what Symantec's test showed my computer is invisible. One thing I did note was that the IP address they were testing was not the same as that revealed by a Belarc Advisor printout of my computer. Is that significant?. Roger

 

Yes, as it would suggest there may be something else in the mix in your connection to the network.

Is the IP for your system in one of the private address ranges?
Did the scan at grc show up in you NIS logs?

Regards,

CrazyM

 

Hi CrazyM. I thought you may be interested in the Norton test results that failed 3 ports, the following is what was said:
Ping Ping. Ping is a network troubleshooting utility. It asks your computer to acknowledge its existence. If your computer responds positively to a ping, hackers are more likely to target your computer.

22 SSH. TCP connections to this port might indicate a search for SSH, which has a few exploitable features. SSH is a secure replacement for Telnet. The most common uses of SSH are to securely login and copy files from a server.

80 HTTP (Hypertext Transfer Protocol). HTTP is used to transfer Web pages over the Internet. Port 80 should be open only if you're running a Web server.

The address being tested starts 82 and at the end of this address my IP's name is quoted. The number is similar to mine but is definitely different..

I have checked my Firewall log and the only thing that could be the grc.com test is"Unused Windows Service Block was detected and blocked". The grc test states that all my Ports are "Stealth". Roger