NPF 2003 does not work after getting broadband.

Discussion in 'other firewalls' started by mVPstar, May 2, 2004.

Thread Status:
Not open for further replies.
  1. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Hey guys, I have a problem. Ever since I got cable and I hooked up a Microsoft MN-500 router to my system to share the connection, my norton firewall hasn't been really checking the connections. I check the log files and haven't seen any connection logs after the technician set me up for cable. How do I fix this?
     
  2. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    New update on the problem. Apparently the logs are showing some data, but really weird info. Every time I start up my computer, Norton makes the logfile "Firewall Configuration Updated: 496 rules". I'm starting to wonder if it's a virus that's causing norton to malfunction, though I've checked with various 3rd party software.
     
  3. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Does anyone have a solution to this problem?
     
  4. SnowGuy

    SnowGuy Guest

  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    After I installed a router my firewall has not logged one intrusion attempt. The firewall in the router has caught every incoming attempt. My software firewall takes care of all of the outgoing attempts. It is a pretty secure setup.
     
  6. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    I suspect bigc is correct here. With a router inline (presuming it's properly configured) you should not be seeing any Blocked inbound TCP/UDP communications in your software firewall event log.

    I found this to be true whether it was Kerio, NIS, or Sygate -- suddenly (well, not really, if you think about it) the software firewall logs start looking very, very empty. I know this may sound rather silly, but I actually had to enable logging on routine Internet Explorer (PERMITTED) communications simply to ensure that the software firewalls were still working! :)

    On the other hand, if you look at some of the other event logs (e.g., ad-blocking, privacy, connections) you should still find events.

    Maintenance (with the router) is down, way down. Nothing very exciting happening in the software firewall event logs at all. I may have to go back to playing chess! :D (That's for Paul W.)
     
  7. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Yes, but my firewall doesn't mention any outbound connections either. It doesn't try to prompt me when a new program accesses the internet. Usually there should be a log concerning such but there isn't.
     
  8. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Well, NIS/NPF is only going to log PERMITTED outbound communications if you ENABLE that on a particular rule. (Typically, NIS/NPF does not log PERMITTED outbound comms unless you expressly customize a rule to do this.)

    Oh, incidentally, don't do this on every PERMIT rule; if you do, your log is going to go right off the spectrum. That's why I suggested you simply enable logging on the MSIE HTTP rule; that should suffice. (As a matter of fact, if MSIE is responsible for most of your internet connections, it will more than suffice! :) ) And, once you're satisfied that everything is working, I would recommend going back and disabling that logging.
     
  9. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Tried that, still nothing. It's weird, I can even click on the "block traffic" button and I will still be able to access the internet. I'll post you two log files and you'll see what I mean by it not monitoring. Notice the dates...
     

    Attached Files:

  10. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Here's the other log.
     

    Attached Files:

  11. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Yeah, the firewalls log is all that's necessary here, I think.

    When did you install the router? (roughly will do)
     
  12. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Early February. I just installed it at that time; I still had dial-up so my router wasn't in use. Then, I ordered broadband cable and had it installed on February 28, 2004. As you can see by the dates, that was when NIS stopped monitoring connections.
     
  13. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Roger, confirming 28 Feb 2004.

    Let's go back to the 27th for a moment:

    I see you were running IIS with a Permit Inbound UDP rule. Did you continue to do that afterwards? (That event should still show, if you did, unless you turned off logging on it.)

    Then, we get to the interesting stuff:
    2/27/2004 8:46:05 AM,Rule "Block Windows File Sharing" blocked communication.,"Rule ""Block Windows File Sharing"" blocked communication. Local address: VIVEK(192.168.2.14)(netbios-ssn(139)). Process name is ""System"""

    followed not all that much later by:

    2/27/2004 10:59:24 AM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Local address is 169.254.0.223(netbios-ssn(139)) Process name is ""System"""

    and that's where your 'normal' logging appears to end. You notice, I presume, that the port is 139. At 8:46, it was blocked; at 10:59, you did a PERMIT (actually, it looks like you created a new rule).

    The 8:46 local IP address is a LAN address, so I assume you were on a LAN (maybe ICS?) before installing the router. But the next one (10:59) suggests that you'd installed the router on 27 Feb, since it's to 169.254.0.223 . See http://www.robertgraham.com/pubs/firewall-seen.html#3.8 .

    "From a draft document on auto-configuration of IP addresses when DHCP fails:
    Once a DHCP Client has determined it must auto-configure an IP
    address, it chooses an address. The algorithm for choosing an
    address is implementation dependent. The address range to use MUST
    be "169.254/16", which is registered with the IANA as the LINKLOCAL
    net.

    This only happens when the normal DHCP process fails. "

    But I don't like the fact that the rule is for port 139. Any recollection as to what happened here? That could have been a kiss of death, especially in late February, depending on the details of the rule created (if you can find it).

    Amazingly the next event is almost six weeks later:

    4/11/2004 8:43:22 AM,Firewall configuration updated: 296 rules,Firewall configuration updated: 296 rules

    and that continues until

    4/14/2004 4:37:02 PM,Firewall configuration updated: 296 rules,Firewall configuration updated: 296 rules

    and then suddenly:

    4/14/2004 4:51:03 PM,Firewall configuration updated: 456 rules,Firewall configuration updated: 456 rules

    456 rules??!! Any recollection how you suddenly jumped from 296 rules to 456 rules? That's scary and is suggestive of massive rules corruption. Any recollection of what you did about that time? Did you maybe just run LiveUpdate or something?

    I know it's difficult in NIS 2003/2004, but you might want to visually inspect your General Rules and see if you haven't suddenly been blessed with some PERMIT EVERYTHING rules (probably near the top (beginning) of the ruleset).

    I assume you've checked your basic configuration and that a) the firewall is enabled and b) Security is set to "High", not "Moderate" or "Low" ("Low" is pretty much equivalent to disabling the firewall).

    Finally, check your settings for your Trusted Zone (that will definitely kill just about all firewall logging if you have an entry that's way too liberal).

    Let us know, okay?
     
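    The checks in the post above (the 169.254/16 link-local address, the PERMIT rule created on port 139, the six-week silence, and the jump from 296 to 456 rules) can be run mechanically over an exported NIS/NPF firewall log. The script below is an added illustration, not code from this thread or from Symantec; it assumes the three-column export format visible in the quoted lines (timestamp, summary, CSV-quoted detail) and uses sample lines constructed from the ones quoted above.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the three-column format seen in the quoted NIS/NPF log
# lines: timestamp, summary, detail. The detail column is CSV-quoted, so
# embedded quotes appear doubled ("").
SAMPLE_LOG = '''2/27/2004 8:46:05 AM,Rule "Block Windows File Sharing" blocked communication.,"Rule ""Block Windows File Sharing"" blocked communication. Local address: VIVEK(192.168.2.14)(netbios-ssn(139)). Process name is ""System"""
2/27/2004 10:59:24 AM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Local address is 169.254.0.223(netbios-ssn(139)) Process name is ""System"""
4/11/2004 8:43:22 AM,Firewall configuration updated: 296 rules,Firewall configuration updated: 296 rules
4/14/2004 4:37:02 PM,Firewall configuration updated: 296 rules,Firewall configuration updated: 296 rules
4/14/2004 4:51:03 PM,Firewall configuration updated: 456 rules,Firewall configuration updated: 456 rules
'''

TIMESTAMP_FMT = "%m/%d/%Y %I:%M:%S %p"
RULE_COUNT_RE = re.compile(r"firewall configuration updated:\s*(\d+)\s+rules", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PORT_RE = re.compile(r"\(([\w-]+)\((\d+)\)\)")      # e.g. (netbios-ssn(139))
PERMIT_RULE_RE = re.compile(r'created a rule to "permit"', re.I)
# Ports used by Windows file and printer sharing (NetBIOS/SMB). A newly
# created PERMIT rule here deserves a second look, as the post says.
FILE_SHARING_PORTS = {135, 137, 138, 139, 445}


def parse_nis_log(text):
    """Parse exported log lines into dicts with parsed time, IP, port, rule count."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # blank or truncated line
        ts, summary, detail = row[0], row[1], row[2]
        ip_m = IPV4_RE.search(detail)
        port_m = PORT_RE.search(detail)
        count_m = RULE_COUNT_RE.search(summary)
        events.append({
            "time": datetime.strptime(ts.strip(), TIMESTAMP_FMT),
            "summary": summary,
            "detail": detail,
            "ip": ip_m.group(1) if ip_m else None,
            "port": int(port_m.group(2)) if port_m else None,
            "rule_count": int(count_m.group(1)) if count_m else None,
        })
    return events


def classify_ip(ip):
    """Label the local address: link-local means DHCP failed on that adapter."""
    addr = ipaddress.ip_address(ip)
    if addr.is_link_local:
        return "link-local (169.254/16: DHCP failed, adapter auto-configured)"
    if addr.is_private:
        return "private LAN (RFC 1918)"
    return "public"


def analyze(events, max_gap=timedelta(days=7)):
    """Return (timestamp, kind, message) findings in log order."""
    findings = []
    last_count = None
    prev_time = None
    for ev in events:
        t = ev["time"].strftime(TIMESTAMP_FMT)
        # Long silence in a log that used to be busy: logging or filtering stopped.
        if prev_time is not None and ev["time"] - prev_time > max_gap:
            days = (ev["time"] - prev_time).days
            findings.append((t, "logging-gap", f"{days} days since previous event"))
        # Rule count changing between consecutive configuration updates.
        if ev["rule_count"] is not None:
            if last_count is not None and ev["rule_count"] != last_count:
                findings.append((t, "rule-count-change",
                                 f"{last_count} -> {ev['rule_count']} rules"))
            last_count = ev["rule_count"]
        # Local address in 169.254/16 means the adapter never got a DHCP lease.
        if ev["ip"] and ipaddress.ip_address(ev["ip"]).is_link_local:
            findings.append((t, "link-local-address",
                             f"{ev['ip']} is {classify_ip(ev['ip'])}"))
        # A user-created PERMIT rule on a file-sharing port.
        if PERMIT_RULE_RE.search(ev["summary"]) and ev["port"] in FILE_SHARING_PORTS:
            findings.append((t, "permit-file-sharing-port",
                             f"PERMIT rule created for port {ev['port']}"))
        prev_time = ev["time"]
    return findings


if __name__ == "__main__":
    for when, kind, msg in analyze(parse_nis_log(SAMPLE_LOG)):
        print(f"{when}  {kind:26} {msg}")
```

    Running it against the sample reports the link-local address and the port 139 PERMIT on 27 Feb, the six-week gap before 11 April, and the 296 to 456 jump on 14 April. None of these is proof of compromise on its own; they are the places in the log where a reviewer would start asking the questions the post asks.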
  14. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    1.) I never changed my IIS rules. I didn't disable logging either. I was also baffled why that didn't show at all.

    2.) I have no clue what the "Block Windows File Sharing" thing is. The only time I created a rule was when I was allowing communication with another computer on my network. I permitted file sharing with that computer and allowed it via that rule. I did this AFTER I got broadband set up and my router and router firewall working.

    3.) I never installed my router on Feb 27, 2004. I checked the actual date: January 10, 2004. Feb 27, 2004 was when I had a technician come to my house to set broadband up.

    4.) Yes, I found the "Firewall Configuration Updated: 456 rules" entries rather suspicious. If you actually look at one date, you can see this entry: "Firewall Configuration Updated: 464 rules" and then the next day it would be back to "Firewall Configuration Updated: 456 rules". Rather odd.

    5.) There is no permit everything rule except for a permit all ICMP rule. My trusted zone contains this address "192.168.2.0 and subnet 255.255.255.0". My security is set to high.
     
  15. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Is there a rules viewer I can use for NPF2003 so I can post the rules? BTW, I installed NAV2003 and NPF2003 separately. I didn't buy the whole NIS2003 package that comes with Spam blocking, etc.
     
  16. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    No, unfortunately, there's no rules viewer of which I am aware that works with NIS/NPF 2003/2004 (unless you get offered some inhouse utility from Symantec).

    There is one other possibility that worked at least for a while. I believe CrazyM once found a problem relating to NIS/NPF 2003. (Unfortunately, it may have been removed in a subsequent LiveUpdate.)

    NIS Statistics (if you can still find that) had as one of its views, a display that would show all the rules (in their physical order of evaluation). If you've still got NIS Statistics and that is one of the displays, expand it to fill the whole window (set the window itself to full-screen, so that we can see the numbers). Start at the beginning of the ruleset and let's just see one screenful as a cut and paste (I would recommend a GIF, rather than a JPEG, it's a lot smaller). Now, that display eventually got messed up and no longer had valid data in it and I think it may subsequently have been removed.

    At one point (long ago and far away), there were rules that would show up in that display that did not display in the GUI for editing/creating/customizing rules. If, somewhere near the top of the ruleset, you find such a rule that is working as a PERMIT rule for just about EVERYTHING, that's the source of the problem. (Of course, we'd need to know what it is to suggest how to correct that problem.)

    I can see I'm going to have to reinstall NIS, just to give coherent advice on this! :rolleyes:
     
  17. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Well, I didn't bother with the screenshot because I have tons of rules. I did manage to, however, save the rules in a text file for you guys to see. Just ignore the first part of it as it's data from the rest of "Detailed Statistics".

    I did happen to notice one thing, if I'm counting correctly, there are 455 rules. Didn't the last log file say 457?
     

    Attached Files:

    Last edited: May 11, 2004
  18. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Okay,

    From stats.txt, it looks like your firewall is not processing any rules. Now, need to get CrazyM in to take a look at that file. (That may be later today.) What we need to know (from CrazyM) is whether the display is still functional. (NanDog is another possibility here as far as that subject is concerned.)

    Oh, first things first. If you go back to that window and look at the menu on top, you'll see a choice that says View or Display. That gives you the option to select/unselect which particular panes to display. Next time you do one of these :) , just select the pane that relates to the rules (I think that's at the end of your current text file, isn't it?). It just cuts down on the clutter a bit. But the text file rendition is fine for this purpose.

    At any rate, if the display is functional; at least one of the columns beginning at the top (an ICMP rule, as I recall) should have non-zero entries in it. Again, presuming the display is functional, this would indicate the firewall portion is processing absolutely nothing; effectively it's been disabled.

    If you open the main console for NPF (the GUI, not the System Tray icon) and it indicates that the firewall is enabled and running okay, then you have a serious problem.
    1. NPF may have been disabled by one of the malwares out there that specifically targets firewalls and antivirus products
    2. Or, somehow, your install has gotten corrupted and simply is no longer functional.
    If it's malware, you need to find it and get it cleaned ASAP using one of the online scanners. You can use the Symantec online scanner if you're already familiar with that. Quite frankly, I'd also recommend you use an anti-Trojan. You need to use an online scanning service because if such malware is already present on your machine, it's probably pointless trying to download and install another AV/AT package.
    Even if you find and remove some malware, that's unlikely to get NPF working correctly again. You're probably going to have to do a complete uninstall and reinstall of the product.

    This is pure speculation, but I would assume that the cable technician disabled NPF briefly while getting your cable connection up and running and that this is when your machine got penetrated. (You can get hit on an unprotected cable connection in about 30 seconds these days.) It probably got both NPF and NAV and it would have also been able to disable many of the other popular software firewalls, so just switching to something else doesn't ensure that this would not have happened or that it will not happen in the future (but all the software firewalls are continually hardening against this kind of thing).
     
  19. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Well, I do recall that he had also reinstalled TCP/IP networking because my computer was responding to ipconfig /release commands in cmd.exe. When he did that, NPF had prompted that it could not function without TCP/IP networking enabled when he uninstalled it.

    My technician did in fact disable NPF but that was when I wasn't connected to the internet. I was still trying to pass a connection to my ISP first so I doubt anyone could have hacked in at that time. Then he restarted the computer (with NPF enabled) though it didn't actually load. NIS had that problem where if you do too much at startup, it sometimes won't start up. Something to do with the order of programs at startup... Anyways, when I finally was connected to the internet, I was only 10-15 secs without a firewall before I quickly connected my modem to my router.
     
    Last edited: May 12, 2004
  20. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Still, I'd run one of the online AV scanners. One of the nice 'features' of the Symantec scan is that it scans 'from the inside out' and might, therefore, pick up something that a purely external scanner might miss. And, yes, I mean AV scanner, not a port scanner, like GRC's Port Authority.

    Whether the scanner finds anything or not (but, by all means, do that first), I truly suspect that you're going to have to uninstall and then re-install NPF.

    One last question: Have you run AV/AT scans on the other machines on your LAN? Not all problems necessarily come in 'over the wire' from the Internet.
     
  21. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    I ran Symantec's AV scan on my other computer and the results came out fine. I ran McAfee's Stinger program as well and still, nothing.

    I do have to tell you one thing though, the Nimda Removal tools did not find Nimda, however, they did display a list of corrupt files, mainly in the Symantec Shared folder.
     
  22. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    That is a lot of rules and there are duplicate rules in there, which could be contributing to the high number count. More on that later.

    The View Statistics > Firewall Rules is still somewhat functional in NIS2003, I don't know about 2004.

    If the firewall is functioning, the statistics will usually be correct for the General/System rules at the top of the rule set. Once you get to application rules it is not accurate as this is one of the areas Symantec changed and NIS now orders those rules, not the user. (The way the rule order appears in the display, is not the real order in firewall.) The View Statistics > Firewall Rules does not appear to have been updated to deal with this and thus lost functionality/accuracy. Rule matches will still be recorded, it's just the totals in the far column (that used to help with checking the integrity of the rule set) that get thrown for a dump because of the real ordering of the application rules.

    Once rules corruption comes into play, the accuracy of View Statistics > Firewall Rules is a factor again. On occasion it has helped identify rules corruption, while on others it has not shown rules that I know are present.

    Regards,

    CrazyM
     
  23. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Were you on dial up before?
    Is your dial up configuration/adapter still in place?
    Was a new ethernet card installed as part of your broadband hook up?
    Does NIS show both network adapters?
    Is your current rule set configured for both or just the previous dial up?

    Regards,

    CrazyM
     
  24. mVPstar

    mVPstar Registered Member

    Joined:
    May 2, 2004
    Posts:
    52
    Yes, I was on dial up before. My dial up adapter is still there. For the ethernet card, I had installed it myself. I don't know what you mean by whether NIS shows both adapters and I don't know what you mean by configuration. When I switched over to broadband, I didn't change anything with Norton. All I did was run the networking wizard to include the ethernet adapter.
     
  25. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    NIS2003 can have rules for more than one adapter. I have never tried this feature, but was curious if it may have something to do with your problem.

    Does your system event log show what adapter is being filtered?

    Regards,

    CrazyM
     