Norton PF & Netspy. Backdoor/Subseven, Netbus

Discussion in 'other firewalls' started by Tom Simpson, Feb 1, 2004.

Thread Status:
Not open for further replies.
  1. Tom Simpson

    Tom Simpson Guest

    Norton Pers Firewall has a problem with NetSpy trojan when Spywareblaster is invoked. Also, during web operation, Norton picks up Netbus and backdoor/subseven. In each case, I go to Norton to clear the alert.

    Question: Which of these, if any, should I be letting through on behalf of Spywareblaster (so they aren't always coming up as alerts, if they are harmless)?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Hi Tom,

    I've moved this thread over to the "other firewalls" forum section since the people here can help you adjust NPF to stop any unnecessary alerts.

    This sounds like the NPF default trojan blocking rules... I believe these rules alert whenever any "common trojan port" is probed on your system, or when a program on your system tries to listen on such a port. These alerts are very misleading and not very productive. I think you'll get some replies here about how best to adjust these rules.

    SpywareBlaster needs very simple network access to check for and pull down its update file. It goes out to a Javacool webserver at port 80, but listens on your local system on an available port, however, it shouldn't be the same port every time you run it. (The local port is assigned out of a range of available ephemeral ports, which should increment as different programs access the Internet.)

    If you run SpywareBlaster and get that Netspy alert, then close and reopen SpywareBlaster again, do you get the alert again, meaning every time you run it?

    In any case, this is a generic set of firewall rules describing the access constraints you could put on SpywareBlaster. As you can see, SpywareBlaster will listen on a local port for the responses from the Javacool webservers.

    [pre]Access  Type  Source              Destination              Description
    Allow   UDP   YourPC:Any          YourDNSservers:53        DNS
    Allow   TCP   YourPC:1024-5000    JavacoolsWebservers:80   Webserver
    Allow   UDP   YourPC:1024-5000    YourPC:1024-5000         Loopback
    Block   Any   Any                 Any                      Block the rest
    [/pre]
    Perhaps a NPF user can explain how to set this up specifically on your system, if it'll help with suppressing alerts related to SpywareBlaster.

    Also, just for more background, this link describes a different variation on the "default trojan rule" problem, but it may still be worth a read: Netspy!
     
  3. Tom Simpson

    Tom Simpson Guest

    By this time, according to your explanation and some basic logic, I realize that the NetSpy trojan should be harmless, and that I should be able to disable the alert for it. That will be the challenge; it is just a nuisance message and I have to say "OK" to get it clear on the detector.

    The Netspy alert in Norton happens every time I instantiate the SpywareBlaster. The Netbus & Subseven guys occur independently, and are likely true blocks from the outside.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Tom

    You do not need to allow any of them. The netspy alert is a common false alarm as it is associated with a low ephemeral port that SpywareBlaster is obviously using. The fact it is blocked should not impact the use of the program.

    As for the alerts being a nuisance, you have a couple of options.
    First you could modify each default Trojan rule in NIS to not alert (and there are lots of them).
    Or you could delete them all and replace them with one or two simple block rules with logging enabled and no alert. You can find an example of this at: http://www.gpick.com/agnisrules/pages/trojan.html

    Most likely they are and that is quite normal. The same options apply as for the alerts. If you reduce your trojan rules to the two in the example, the same things will be blocked and logged, you just won't get any of the pop up alerts.

    Regards,

    CrazyM
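A toy rule evaluator, added here as an example and not code from either poster, that models the two situations described above: the over-broad "default trojan port" rule alerting on SpywareBlaster's ephemeral local port, versus LowWaterMark's narrow allow list combined with CrazyM's block-and-log-without-alert rule. Host labels, the trojan port set and the sample connections are constructed values, not NPF's real rule definitions.

```python
# Added example (not from the thread): compare a broad "trojan port" rule with
# a tightened rule set on the same constructed traffic.
from dataclasses import dataclass

# Constructed: ports the toy trojan rule watches (assumed NetSpy, NetBus,
# SubSeven associations). NPF's real default rule list is much longer.
TROJAN_PORTS = {1024, 12345, 27374}
EPHEMERAL = range(1024, 5001)   # YourPC:1024-5000 in the rule table above

@dataclass
class Conn:
    proto: str        # "TCP" or "UDP"
    inbound: bool     # True = initiated by the remote side
    local_port: int
    remote: str       # constructed label for the other host
    remote_port: int

def default_trojan_rule(c):
    """Over-broad default: alert whenever a watched port appears on the
    local side, regardless of direction or which program owns the socket."""
    if c.local_port in TROJAN_PORTS:
        return ("block", "alert")
    return ("allow", None)

def tightened_rules(c):
    """Allow only what SpywareBlaster needs (the [pre] table); block and log
    everything else without popping an alert (CrazyM's second option)."""
    if c.proto == "UDP" and not c.inbound and c.remote == "YourDNSserver" and c.remote_port == 53:
        return ("allow", None)                       # DNS
    if c.proto == "TCP" and not c.inbound and c.local_port in EPHEMERAL \
            and c.remote == "JavacoolWebserver" and c.remote_port == 80:
        return ("allow", None)                       # update download
    if c.proto == "UDP" and c.remote == "YourPC" \
            and c.local_port in EPHEMERAL and c.remote_port in EPHEMERAL:
        return ("allow", None)                       # loopback
    return ("block", "log")                          # the rest: logged, silent

def evaluate(policy, conns):
    return [policy(c) for c in conns]

# Constructed events: a SpywareBlaster update that happens to land on the
# ephemeral port the trojan list also watches, plus two unsolicited probes.
SAMPLE = [
    Conn("UDP", False, 1025, "YourDNSserver", 53),
    Conn("TCP", False, 1024, "JavacoolWebserver", 80),   # false-positive case
    Conn("TCP", True, 12345, "203.0.113.7", 41000),      # NetBus-style probe
    Conn("TCP", True, 27374, "203.0.113.8", 41001),      # SubSeven-style probe
]

if __name__ == "__main__":
    for c, old, new in zip(SAMPLE, evaluate(default_trojan_rule, SAMPLE),
                           evaluate(tightened_rules, SAMPLE)):
        print(f"{c.proto} local:{c.local_port} {c.remote}:{c.remote_port}"
              f"  default={old}  tightened={new}")
```

The update connection is blocked with an alert under the broad rule but allowed under the tightened set, while the two inbound probes are still blocked in both cases, only now logged instead of alerted.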
     
  5. Tom Simpson

    Tom Simpson Guest

    Roger, wilco. Based on your info, I prefer not fooling with the alerts, unless it gets real crazy with others. Thanks for all your collective input. I feel much better now that I "know" a bit more about the situation.
     
  6. T A Simpson

    T A Simpson Guest

    That was my main concern, which you have cleared up ... the detection & "block" of NetSpy should not affect operation of SpywareBlaster ... I can clean up the alert flags at my leisure. Thanks.
     