SpyBot Co-existence with NIS2004Pro

Discussion in 'other firewalls' started by Ben-Zion Joselson, May 27, 2004.

Thread Status:
Not open for further replies.
  1. I have Norton Internet Security 2004 Professional, installed on Windows 2000 Professional SP4.
    My firewall definitions and my virus definitions are regularly "LiveUpdated" from the Symantec website, and I run weekly virus scans of My Computer.
    I use Dial-up Internet connection ATTGlobal.net with an external 56K modem.
    I am considering if it would be useful and feasible to install SpyBot as well.
    Question 1:
    Is it possible that spyware runs in my system in spite of the firewall and the anti-virus?
    Do I need SpyBot at all?
    Question 2:
    Is there any conflict to be expected between SpyBot and NIS2004Pro?
    Note that NIS2004Pro Firewall Rules are no longer stored in the Registry (as it used to be in NIS2001), but still NIS2004Pro depends on the Registry; does SpyBot recognize all NIS2004Pro Registry keys and values as safe?
    Question 3:
    Can SpyBot be run only at times when my system is temporarily disconnected from the Internet and my NIS2004Pro firewall and anti-virus are temporarily disabled?
    This may decrease the chance of conflicts, but is SpyBot capable of detecting spyware while there is no Internet connection and the spyware is necessarily inactive?
    Question 4:
    Are there versions of SpyBot that are better suited to co-exist with NIS2004Pro firewall and anti-virus?
    Question 5:
    What specific firewall rules are necessary to enable SpyBot to operate without being intercepted by NIS2004Pro firewall? Are there any specific ports (local and/or remote), protocols or Internet addresses that have to be "permitted" to enable SpyBot to function?
    Please advise.
     
  2. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Sort of odd (to me) to go to the expense of running NIS 2004 Pro on a stand-alone PC, but it was your money. :)
    To the best of my knowledge, there is no problem in running SpyBot S&D (version 1.3) in conjunction with any version of NIS/NPF. NIS/NPF will pick up a lot more than earlier versions, but I think you'll find that Spybot S&D 1.3 (in advanced mode) still picks up some things (and earlier) than NIS 2004 Pro does. For example, invoke the Tea-Timer resident module and see if it picks up anything.
    I've seen no incompatibilities mentioned in any of the Security Forums or NNTP newsgroups that I frequent. (Incidentally, the NIS rules were stored in the registry up through NIS 2002, version 4.0.x.) Now, if you run TeaTimer and something nasty tries to change the existing NIS 2004 Pro entries in the registry, you're going to find out about it very quickly.
    Again, I'm unaware of any conflicts to be concerned about. Nor do I see any need to disable NAV/NIS to run SpyBot. And, rather obviously, if you disconnect from the Internet, you can't check for updates to SpyBot.
    To the best of my knowledge, there is only one current version of SpyBot and that is 1.3.
    If you have NIS 2004 Pro configured to HIGH Security and have disabled "Automatic Internet Access" (as I think it's now called), then the Rules Assistant should popup the first time that SpyBot runs and attempts to access the internet. There are three possibilities that come to mind:
    • Product Registration (I don't think this happens, however)
    • Checking for SpyBot updates (both program and 'signature' files), and
    • (possibly) looking for detailed information on something SpyBot flags (but I've never seen this happen).
    Hope that helps.
     
  3. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Ben-Zion Joselson,

    Very possible.

    I run NIS 2004 (not the PRO version) and SpyBot S & D 1.3 concurrently; I have not detected any incompatibility, nor interaction problems. They appear to coexist without any problems.

    Again, NIS 2004 and SpyBot S & D 1.3 appear to coexist without any problems in my Windows XP Pro machine. The previous version of Spybot also had no problems with NIS on my machine.

    Spybot requires Internet access permission from NIS 2004 by way of two specific rules (required in NIS 2004) to allow SpyBot S & D access to its update site: one Domain Name Server (DNS) access rule, and one HTTP (port 80) rule to access the two Spybot web servers.

    I don't know your level of proficiency in setting up rules, so I'll list the entire set-up of these two rules in NIS 2004 as follows. (So, please forgive me if I'm telling you what you already know. Also, there may be variations of the NIS labeling in your "PRO" version.)


    Access NIS' Program Rules section:

    1. From the NIS 2004 status window, highlight Personal Firewall and click the "Configure" button. (If you have "password protection" selected, NIS will ask you for your password at this point.)

    2. Select the Programs tab.

    3. Select the Settings For: list box for the "location" that your dial-out modem is associated with. In NIS 2004, these are: "Default", "Home", "Away", "Office", or a custom location (if you've established a custom location). You can view your defined "locations" by clicking on the "Locations" tab. For example, if your dial-out modem connection is associated with the "Home" location, then select "Home".

    Add the SpybotSD.exe program:

    4. Continuing on the Programs tab, click Add..., which will bring up the Select a Program window.

    5. Select the "SpybotSD.exe" application from the "Spybot - S&D" program directory.

    Add Rule #1:


    6. Add rule #1 to provide restricted Domain Name Service to Spybot:

    Permit;
    Direction: Outbound (i.e., "To");
    Computers: Only the computers and sites listed below set to the IP addresses of the Domain Name Servers for your ISP (usually two similar IP addresses; you can get these from your ISP);
    Communications: UDP, remote port 53, local port 0 (zero);
    Logging: Check Create an event log entry to log all Spybot DNS accesses;
    Alerts: Check Notify me with a security alert if you wish real-time notification of Spybot's DNS accesses;
    Rule Name: Create a descriptive name for this rule, such as Rstrctd SpybotSD.exe DNS Out NS1/NS2 UDP Rmt 53; Lcl 0 (Home); (This will appear in your log viewer and alerts.)
    Confirm the "Location" for the rule (such as "Default", "Home", etc.)
    Click the Finish button.


    Add Rule #2:

    7. Add rule #2 to provide restricted download (HTTP - port 80) access to Spybot's two web sites:

    Permit;
    Direction: Outbound (i.e., "To");
    Computers: Only the computers and sites listed below set to the IP addresses of the two Spybot web servers: security.kolla.de, and kundenserver.de; (Note: You must have an active Internet connection when you type in any domain name, such as kundenserver.de, so that NIS can immediately resolve the domain name from an online domain name server. If you attempt to add a domain name while not connected to the Internet, NIS 2004 will give you an error screen stating that the address is bad. Don't worry though: if you've blocked all traffic until you authorize it, NIS will not allow access through the firewall unless a rule is in place and active; so you can safely set up application-specific rules while you are connected to the Internet.)
    Communications: TCP, remote port 80 (HTTP), local port range 1024 to 5000;
    Logging: Check "Create an event log entry" to log all Spybot HTTP accesses;
    Alerts: Check "Notify me with a security alert" if you wish real-time notification of Spybot's HTTP accesses;
    Rule Name: Create a descriptive name for this rule, such as Rstrctd SpybotSD.exe HTTP Out TCP Rmt 80; Lcl 1024-5000 (Home); (This will appear in your log viewer and alerts.)
    Confirm the "Location" for the rule (such as "Default", "Home", etc.)
    Click the Finish button.


    These two rules are very restrictive, and should be all that you need to receive updates from Spybot. If they are too restrictive to successfully interact with your ISP, then you may need to talk with your ISP to determine their specific requirements, which would then be applied to the rules. (For example, the DNS rule may need to be less restrictive. ATTGlobal.net has pretty good technical support; I believe that their online documentation specifies the DNS server addresses.)

    Best regards,
    Mike
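An added illustration (not code from the thread, from Symantec or from the Spybot project): a small matcher that evaluates outbound connection attempts against egress rules written the way the two SpybotSD.exe program rules above are described, so you can see which attempts the restrictive rules permit and which fall through to the default block. Port specifications are matched literally as written (this says nothing about what NIS itself makes of "local port 0"), and the ISP DNS server addresses are constructed placeholders.

```python
# Added example, not from the thread: evaluate outbound attempts against
# per-application egress rules modelled on the two NIS 2004 rules above.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    name: str
    proto: str                 # "udp" or "tcp"
    remote_hosts: frozenset    # permitted destinations, as typed into NIS
    remote_ports: range
    local_ports: range
    action: str = "permit"

@dataclass
class Attempt:
    proto: str
    remote_host: str
    remote_port: int
    local_port: int

# Constructed placeholders (TEST-NET addresses) standing in for the ISP's two DNS servers.
ISP_DNS = frozenset({"192.0.2.53", "192.0.2.54"})
SPYBOT_HOSTS = frozenset({"security.kolla.de", "kundenserver.de"})

SPYBOT_RULES = [
    Rule("Rstrctd SpybotSD.exe DNS Out NS1/NS2 UDP Rmt 53; Lcl 0 (Home)",
         "udp", ISP_DNS, range(53, 54), range(0, 1)),
    Rule("Rstrctd SpybotSD.exe HTTP Out TCP Rmt 80; Lcl 1024-5000 (Home)",
         "tcp", SPYBOT_HOSTS, range(80, 81), range(1024, 5001)),
]

def evaluate(attempt: Attempt, rules=SPYBOT_RULES) -> Tuple[str, Optional[str]]:
    """First matching rule wins; with no match the default is 'block' and the
    log entry carries no rule name, which is why one named rule per application
    (rather than a general DNS rule) yields a more useful event log."""
    for r in rules:
        if (r.proto == attempt.proto
                and attempt.remote_host in r.remote_hosts
                and attempt.remote_port in r.remote_ports
                and attempt.local_port in r.local_ports):
            return r.action, r.name
    return "block", None

def log_line(attempt: Attempt, rules=SPYBOT_RULES) -> str:
    """Render the decision the way a firewall event log would show it."""
    action, name = evaluate(attempt, rules)
    return (f"{action.upper()} {attempt.proto.upper()} {attempt.remote_host}:"
            f"{attempt.remote_port} lcl {attempt.local_port} rule={name or '<default>'}")

if __name__ == "__main__":
    for a in (Attempt("udp", "192.0.2.53", 53, 0),          # DNS to a listed server
              Attempt("tcp", "security.kolla.de", 80, 1500),  # update download
              Attempt("tcp", "www.example.org", 80, 1500),    # any other web site
              Attempt("tcp", "security.kolla.de", 443, 1500)):  # wrong port
        print(log_line(a))
```

Only the first two attempts are permitted; everything else, including HTTP to a host that is not one of the two Spybot servers, hits the default block.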
     
  4. Thanks for the detailed replies.

    Recently I searched Google for combined "SpyBot" & "Norton Internet Security" & "conflict" or "error" etc., and found in some Forums at least 'circumstantial evidence' for difficulties in using both utilities.

    May I mention that even running NIS2004Pro by itself is not without pitfalls, and I have already reinstalled it and then had Symantec send me a replacement CD, due to occasional NMain.exe errors or '5007,102' errors or 'Account Not Logged On' and 'Disabled' situations... [I am "dragging my feet" before reinstalling NIS2004Pro yet again as long as a Restart remedies it for a time].

    I also had to modify HKLM...run Registry key and delay ccApp.exe to prevent startup conflicts with ConfigSafe and UPSCOMMANDER.

    So now you see why I am very careful about installing yet another "monster".
    In particular, I would not like to have SpyBot running at Startup and continuously in a 'background resident' mode, but rather start it manually at my own pace, when other heavy applications like NIS2004Pro are at rest, naturally without Internet during such scans. [Updates will be downloaded separately from scans, if possible].

    It is not yet clarified if SpyBot is capable of detecting spyware while there is no Internet connection and the spyware is necessarily inactive.

    About Firewall Rules: I am always willing to find new aspects, so I am wondering why Little Mike suggests local port 0 for the Permit DNS Rule, whereas 'agnisrules' guide recommends local ports 1024-5000 for System-Wide DNS Rules as well as for most other Applications Permit Rules.
     
  5. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    I've found that on my machine each application that asks for DNS access does so via local port 0 (as indicated by the NIS alert messages and event logger); yet "data" transfer (i.e., HTTP) generally is within the local port 1024-5000 range. This is almost universal with my applications.

    I also log and track individual application access to the Internet, which means that I have specific and individual DNS rules for each permitted application, rather than use one general DNS rule (which logs a general, non-specific log entry.)

    In addition, I've tried to restrict general permit rules to the minimum necessary.

    This approach results in more rules and log entries (and oversight); but, it also allows me to understand what and how each application is accessing the Internet. In other words, I'm learning how the applications and firewall actually behave; and, in contrast, what constitutes abnormal behavior.

    Best regards,
    Mike
     