Symantec updates 12/5/04

Discussion in 'other firewalls' started by Oremina, May 12, 2004.

Thread Status:
Not open for further replies.
  1. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Okay, let's see if we can't make this a more reasonable process. First, let's get a benchmark for comparison.

    From http://www.dslreports.com/forum/remark,10333608~mode=flat , sonofjay lists the files found when he ran NIS Settings. You'll note immediately that none of these files were apparently changed by the 12 May Liveupdate or anything subsequent, so we went to look elsewhere.

    Shortly thereafter, he did a global search for SYM*.*, which you can find at http://www.dslreports.com/forum/remark,10337566~mode=flat. In this instance, he found lots of files related to NAV, and I tried to redline those out two posts further down in the thread. Well, that got us down to a fairly short list, for his particular situation (which may differ from yours, especially if one of the three of you had a screwed up LiveUpdate).

    Then, at http://www.dslreports.com/forum/remark,10338917~mode=flat, he did something that I find very informative: he ran a System Restore to return his system to its state prior to when he ran his LiveUpdate on 13 May and he then presented the before and after information for all of these files. (And remember, "after" the System Restore means what existed before he ran LiveUpdate.) You will note that most of these files had not changed in ages prior to 13 May 2004. But, perhaps more importantly pay special attention to the files that only existed either prior to or after the 13 May LiveUpdate and check to see what you're showing for them.

    Now, regarding my suggestion for a generalized search, let's see if we can't get this down to something manageable (or have we already done this here?)
    Let's try
    • SYM*.DLL
    • SYM*.EXE
    • SYM*.SYS
    • SYM*.INF
    • SYM*.VXD (only for Win 9X/ME, probably)
    Now, if you use each of those in conjunction with the Find Modified Date Between 12 May and 24 May, that should generate a very short list which should be easily compared to what sonofjay has illustrated. If either of you find discrepancies (especially with his ##BEFORE RESTORE information), then that likely points to an item on which we should focus.

    Also note (as has been remarked in other threads), that he then goes on to say that after he completed the System Restore:
    So, rather obviously that's a last resort fix . . . of sorts.
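
The search-and-compare procedure described in this post, as an added example that is not part of the original thread: it lists files matching the five SYM* patterns modified between 12 May and 24 May 2004 and diffs that listing against a reference listing from another machine. The directory trees, the file names `symold.dll` and `symnew.inf`, and all sizes and timestamps are constructed sample data; the comparison step goes slightly beyond the manual side-by-side check the post describes.

```python
import fnmatch
import os
import tempfile
from datetime import datetime, timedelta

# Patterns from the post, matched case-insensitively like the Windows Find dialog.
PATTERNS = ("SYM*.DLL", "SYM*.EXE", "SYM*.SYS", "SYM*.INF", "SYM*.VXD")

def find_modified(root, start, end, patterns=PATTERNS):
    """Map relative path (lower-cased, '/'-separated) -> (size, mtime) for
    matching files whose modified date falls on start..end inclusive."""
    lo = start.timestamp()
    hi = (end + timedelta(days=1)).timestamp()  # include the whole end day
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatchcase(name.upper(), p) for p in patterns):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # file locked or removed while scanning
            if lo <= st.st_mtime < hi:
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                hits[rel] = (st.st_size, int(st.st_mtime))
    return hits

def compare(reference, local):
    """Report files present in only one listing and files whose size or
    modified time differs between the two."""
    ref, loc = set(reference), set(local)
    return {
        "only_reference": sorted(ref - loc),
        "only_local": sorted(loc - ref),
        "differ": sorted(k for k in ref & loc if reference[k] != local[k]),
    }

def _make(root, rel, when, size):
    # Create a constructed sample file with a chosen size and modified time.
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"\0" * size)
    ts = when.timestamp()
    os.utime(path, (ts, ts))

def demo():
    """Build two constructed trees (reference machine vs. local machine)
    and return the comparison for the 12-24 May 2004 window."""
    window = (datetime(2004, 5, 12), datetime(2004, 5, 24))
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "reference")
        loc = os.path.join(tmp, "local")
        # Reference listing (constructed).
        _make(ref, "system32/drivers/symfw.sys", datetime(2004, 5, 23, 7, 5), 10)
        _make(ref, "system32/SymProxySvc.exe", datetime(2004, 5, 13, 9, 0), 20)
        _make(ref, "system32/sndmon.exe", datetime(2004, 5, 23, 7, 5), 30)
        _make(ref, "system32/symold.dll", datetime(2003, 1, 1), 40)
        # Local listing (constructed): older driver, stale proxy, one extra file.
        _make(loc, "system32/drivers/SYMFW.SYS", datetime(2004, 5, 13, 9, 0), 8)
        _make(loc, "system32/SymProxySvc.exe", datetime(2002, 8, 1), 20)
        _make(loc, "system32/symnew.inf", datetime(2004, 5, 24, 23, 0), 5)
        _make(loc, "system32/symold.dll", datetime(2003, 1, 1), 40)
        return compare(find_modified(ref, *window), find_modified(loc, *window))

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Note that `sndmon.exe` never appears in either listing: its name does not start with SYM, so a SYM*-only search will not surface it even when it changed inside the window.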
     
  2. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Joseph

    In a brief moment before I take She Who Must Be Obeyed out for a meal, had a quick search on sys*.*....

    Have 64 entries. Most seems to be pretty old stuff but have 2 zip files in:-

    Documents and Settings\All Users\Symantec\Live Update\Downloads.

    a) symantec$redirector_4.5.2_english_livetri.zip

    Created 9 March 2003 8.11.49AM
    Modified 15 May 2004 6.21.15AM

    b) symnet$20consumer_5.3.1_english_livetri.zip

    Created 23 May 2004 7.05.45AM
    Modified 23 May 7.05.45AM

    I mention these as they are in the right time frame in May, but to be perfectly honest it means so little to me.

    However, doing my best with limited experience (who said and limited brains!!) and hope this means something to you.

    You can't even blame the cricket.....
     
  3. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi everybody,
    I have been reading all your input with great interest because yesterday I also downloaded this SND.exe file from SYMANTEC and noticed it in the startup files. I have XP with NAV and NIS 2003, no problems with the download installing but I am a bit cheesed with these files from Symantec, which to me looks suspiciously like some form of trojan.
    I started looking as to whats in the start up file,
    NAV ie ccApp.exe
    ccregVfy.exe both which I allow of course, BUT I 'locked' SND.exe using Spybot's 'startup' tools, to see what happens and everything seems to work OK including Live Update, so what does this SND.exe actually do? Data mining perhaps??
    I then looked in the Firewall at Internet enabled Symantec files and there is no less than 33!!! from Alert assistants....Alertast.exe to NAV32.exe to files that send Symantec your log files and Viewers. I have blocked internet access for the Logviewer ....cclgview.exe and also blocked log export ie. Logexprt.exe, without any undue problems.
    The question is what other of these Symantec files can be blocked from a privacy point of view without affecting its functionality??
    Anybody any ideas?
    Regards Gordon
     
  4. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Gordon

    Talking different exe names here as I've got 2002 and you 2003.

    Don't allow blanket internet coverage - only have 17 apps which are allowed to access the internet of which four are Norton..

    Symantec Live Update (new version since 12 May) LuComServer.exe

    Norton Antivirus Email Scanner navapw32.exe

    Norton Personal Firewall HTTP Filter SymProxySvc.exe

    Norton PF Tray Icon IAMAPP.exe

    Have no problems, they are the only Norton ones which have requested internet access (unless I bring the GUI up when I'm on the internet and another one asks (can't remember which at the mo), but I refuse it.

    And that's that... have no problems.

    Pleased you mentioned dis'ing SNDMon.EXE with no apparent ill effects, have been waiting for somebody to say that... will do it myself now and see what happens here,

    Guess partly what I'm saying is that there is probably no need for a lot of your Norton bits to access the 'net, but as I don't have 2003 can't really comment. Would just say though that I really can't imagine Symantec planting Trojans on us :D
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    New tidbit. Down near the end of http://www.broadbandreports.com/forum/remark,10217368~mode=flat~days=9999 , theskulptor has just returned and says he found a new LiveUpdate for the Symantec Redirector that solved his problem. He's been offline since 23 May and sonofjay indicated that he had been unable to find a LiveUpdate on 25 May. Maybe you should take a look and see if there's something new up there?
     
  6. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Oremina,
    I would suspect those are the two 23 May LiveUpdates that sonofjay has also referenced. One seems to have been related to NAV, and the other should have had a version of sndmon.exe and symfw.sys in it.

    However, it looks like theskulptor has now found a subsequent LiveUpdate (between 23 May and today) for Symantec Redirector, which he feels has fixed his problem. Still waiting for more details on exactly what's new as a consequence.
     
  7. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Dear Oremina,
    Thanks for your reply. I will remove all the Symantec files from the firewall and see how many the Firewall ask me to allow when I access the net [for proper functioning of NAV and NIS ].
    Regarding the startup files, do we need to allow regvfy.exe in the startup files? This file obviously sounds like verification of registration prior to downloading updates, so does it have to be in the startup?
    Must go to work now [am working nights].
    Thanks Gordon
     
  8. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Just to bring you up to speed, the 12 May 2004 LiveUpdate never caused any problems with NIS/NPF 2003 (or 2004, for that matter). The problem we're trying to work out is related to NIS/NPF 2002 (not even NAV 2002).
    However, I have had a few people query me about something odd now with NIS/NPF 2003. Unfortunately, I can't help on that one, since I've never had it here. (CrazyM has used it, but I'm not sure if even he still has it installed.)
    Yeah, those are old files, been around for sometime. The CC signifies "Common Component" and typically applies to whatever Norton products you may have installed on your machine.
    Must admit that I haven't seen anything definitive (from anyone), but I think SNDMON.EXE must have something to do with detecting whether there's a network (LAN? or just Internet?) connection available before certain processing starts. It could be something as trivial as facilitating Automatic LiveUpdate; I don't know. It's a brand new file.
    Well, that is a bit odd. I would have assumed that cclgview.exe was simply the Log Viewer utility, which typically would only operate locally and similarly that logexprt.exe was the Log Export utility, which again I would assume only operates locally. But you are saying you found Internet-enabled privileges for these two applications?
    Well, that's sort of the problem. Even with NIS 2002 on WinXP, I was getting a bit concerned with the number of Symantec/Norton executables being given Internet privileges (if one allowed automatic firewall rule generation). I didn't have the foggiest idea what most of these files really did and I don't to this day.
     
  9. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    If you're going to do this, here's another thing you might now want to do. Note down the names of the Symantec programs to which you are then prompted to provide access rights. Later, when you get a chance, customize the rules for those applications to enable logging (which will then show in the firewall event log). Sven Schaefer has just recently put out a version of his NIS Log Viewer that works with NIS/NPF 2003 and 2004, so you can then easily search for any resulting log events associated with these applications (indeed, you can actually filter down to just display those events). At that point, you'd probably have a damn good idea of where they were going, when (especially in reference to other applications), and why.
    That strikes me as another new executable. Obviously, if you get the Rules Assistant pop-up for this one, I'd also enable the event logging for any rules subsequently created. I must admit it rather suggests to me (and that's all that it does) that Symantec may have now 'backloaded' the Digital Rights Management feature of its 2004 products at least into NIS/NPF 2003. I really have no idea, just a bit of speculation on my part.
     
  10. madpiano

    madpiano Registered Member

    Joined:
    May 27, 2004
    Posts:
    2
    Hello

    I have Systemworks 2002 and Firewall 2002 and ever since this stupid update I have problems. My PC itself runs fine, no problems there (either after the first or the second update), but I have real problems browsing the web. I have a cable modem, but websites take up to a minute to open. I have switched on Task Manager and the CPU runs at 100% each time I open a web-site. This only happened after the Redirector update.

    The process which is sucking the power is called:

    SYMPROXYSVC.EXE

    I have applied the patch which came out last week, and even though things are slightly faster, they are still slower than a dial up modem, and if I open more than 5 web pages at the same time, the PC crashes. Apparently due to a device driver conflict.

    What can I do now ?

    I have already contacted Symantec, but their only answer was to upgrade to version 2004....

    Cheers
    Mad
     
  11. madpiano

    madpiano Registered Member

    Joined:
    May 27, 2004
    Posts:
    2
    oops, sorry, have forgotten to give at least basic info:

    Running Win XP SP1
    CPU 1.3GhZ AMD Athlon
    RAM 256
    Video Card NVIDIA Geforce 2 MX400
    NW Card Netgear FA311

    Connection: Cable Modem 512K
     
  12. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi mad

    Can't really be of assistance to you.. all I can say is that following this and various other threads, that Symantec update caused a lot of problems. It did here but that is all cleared up now and has been since their revamped update cleared it up on 15 May.

    However, that makes me the lucky one because it would appear that quite a few people are still having problems. What amazes me is the different symptoms everybody is having.

    I may be wrong but don't think Norton support 2002 anymore, so the only advice you will get from them is - "update". But from what I've seen people with 2003 and 2004 also have their share of problems.

    I wish you luck and hope that the next update will sort your problem. For your info I've had none of your symptoms and SymproxySvc takes from around 12400K to 13500K on my system, depending how busy its been. At the mo my CPU is around 5 to 7% and also I often have several web pages open at once using Firefox without causing any problems.

    :)
     
  13. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    It is beginning to look like there may well be two, distinct problems affecting NIS/NPF users since the 12 May LiveUpdates. :eek:

    AplusWebMaster, in his thread regarding Akamai just pointed out this little tidbit over at SANS (see http://isc.sans.org/diary.php?date=2004-05-26 )

     
  14. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Quote:-
    It is beginning to look like there may well be two, distinct problems affecting
    NIS/NPF users since the 12 May LiveUpdates.

    Now that, jv, looks like it is making sense.

    My problem with 2002 was with repeated crashing on 12th May. I have never had the slow internet connectivity and/or slow page loading as reported by our friends ghodgson, madpiano et al in this and other forums (or is it fora?)

    Symantec have lost themselves a huge amount of goodwill I feel and it's about time they got their act together. (But do they care?)
     
  15. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Well, it's not fauna! :D

    I honestly don't know. I've gotten a few communications from Symantec employees (privately) but none of substance facilitating a resolution of this problem or even indicating that a solution is available. (I specifically asked, at one point, as to what files we should be looking for and got no response.)

    The "unconfirmed report" on SANS suggests that the problems are more pervasive, save for those with super-fast CPUs, regardless of which version of NIS/NPF they are running.

    I'm getting private e-mails from some people that think it's a plot on Symantec's part to irritate the hell out of NIS/NPF 2002 users and get them to upgrade to NIS/NPF 2004. Well, if so, it ain't working! :p (Still, it's something I can believe their marketing types might think makes a lot of sense.) I'm seeing far more responses from disgusted users who are simply going elsewhere for their software firewalls and AV protection in the future -- and I rather doubt that they will be Symantec customers in the future or recommend Symantec products to their friends and acquaintances.

    I was thinking of sending an MP3 of "The Sounds of Silence" to all the Symantec e-mail addresses I have, but that would probably get the RIAA on my tail (and the Symantec guys probably wouldn't catch on, anyway. :'( )
     
  16. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Joseph and Oremina,
    Thanks for your input. I know I diverge slightly from SNDMON.exe, but this is posted as a follow up to our discussions re NIS 2002/3/4
    Since removing all Symantec's executables from my Firewall, I have been prompted to allow only 4 files so far, thus...........
    SYM common client ccApp.exe
    Sym Live update Lucomserver.exe
    Sym NIS proxy service ccPxySvc.exe
    and Norton programme integrator Nmain.exe
    Everything seems to be working satisfactorily. This includes still having SNDMON.exe disabled. Although I haven't yet seen an instance of auto update since disabling SNDMON.exe, it still works manually. But that may be because it hasn't needed to auto update.
    AND YES Joseph, The log viewer and exporter definitely have internet capability according to the firewall.
    As of yet I have not been prompted to allow the ccRegVfy.exe file to access the net. If that is the case, then I may try and lock the startup entry to see what happens.
    If only Symantec were a little more user friendly instead of trying to stonewall everybody and doing things underhand. Because a word of explanation about some of these files, i.e. SNDMON.exe, could have saved a lot of unhappy people.
    Gordon
     
  17. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Sorry, Gordon, I had to go back up and see what you're running (trying to handle too many respondents on this issue; maybe I should put up a database on who is running what version of NIS/NPF on which operating system, so that I can quickly reference it! :)
    I was about to ask if you could post your rules for those apps, but since you're running NIS 2003, there's really no easy, practical way to do that.
    If you got an automatic LiveUpdate yesterday, you probably won't see another until next Wednesday; look for that one.
    Interesting . . . and I wonder what that is all about.
    The other possibility here is that this is also part of the kludge. In other words, it's possible that ccRegVfy.exe is really only applicable to NIS/NPF 2004 users, but the guys writing the LiveUpdate upload screwed up and downloaded it to people also running NIS/NPF 2003! :p
    More to the point, Gordon, it might have saved them a lot of customers, both current and future.

    Oh, I know what this is about, Gordon. Ever buy a perfectly standard household appliance and find one of those "DO NOT OPEN! No user serviceable parts inside" stickers? Well, Symantec apparently would like to believe that such a statement is applicable to NIS/NPF -- but it isn't and never has been. (And, quite frankly, I'm beginning to have reservations as to whether Symantec techies know how to service the product any longer.)
     
  18. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Just want to echo the views of some of the people over on DSLR forum concerning the enormous efforts of jvmorris in keeping tabs on and trying to find solutions to these recent Symantec problems (I wish they would make a tenth of his efforts!!)

    Kudos and a big thumbs up to you Joseph, it is much appreciated.
    You're a star!!! :D :D ;)
     
    Last edited: May 28, 2004
  19. essenbee

    essenbee Registered Member

    Joined:
    May 25, 2004
    Posts:
    6
    Looks like my plan to update to NIS 2004 is not a good idea as the thread is now implying that the very slow internet access issue is across all versions.

    I'm going out at lunchtime to buy a new package, then :doubt: . Can anyone recommend a good one-stop firewall/AV/parental control suite? I did a web search and looked at the McAfee offering, but there seem to be a few adverse reviews out there...
     
  20. browneagle52

    browneagle52 Registered Member

    Joined:
    May 26, 2004
    Posts:
    5
    Yes, I had similar problems after I downloaded the LiveUpdate from Symantec. I originally thought that I had a browser hijack, I conducted a HijackThis program that I got through this forum and sent the request log. They reviewed my log and found nothing wrong. It was suggested that I go to a different thread which I did and found several others with the same problem that we are having. So, this morning I disabled my firewall and it loaded my Internet start page up correctly and very fast like it did before I installed the update. I plan to uninstall my firewall and then reinstall it.
     
  21. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Might want to hold off a bit after re-installing before you then run LiveUpdate (at least for the Redirector, SYMEVENT, and NIS/NPF Security Program Updates). NAV and the NIS/NPF auto-config updates should be okay, however. (At least the firewall will be functional that way, if not fully patched! :cool: )
     
  22. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Dear Joseph,
    I will also thank you for all your hard work and patience in trying to sort out our, or should I say Symantec's problems. Looking at some of the replies SYMANTEC have already lost customers, do they [Symantec] ever read these pages at WILDERS!!!
    I know what you mean re ''No serviceable user parts'' !!!!

    Joseph quoted
    ''I was about to ask if you could post your rules for those apps, but since you're running NIS 2003, there's really no easy, practical way to do that''
    I will try...................................
    re NIS/NIF 2003
    SYM common client ccApp.exe
    Sym Live update Lucomserver.exe
    Sym NIS proxy service ccPxySvc.exe
    and Norton programme integrator Nmain.exe
    Presently they are all on Automatic access, which I know I probably shouldn't.
    Re the firewall rules as at present, in order as they appear top to bottom,
    SYM common client ccApp.exe , [inside here there is 4 firewall rules, all outbound and permitted. ie,
    User session aim rule, user session e mail rule,user session HTTP rule and user session MSN rule]

    Sym Live update Lucomserver.exe [ here are 5 rules, Live update FTP data transfer, out and permitted, Liveupdate HTTP rule out and permitted, Live update permitted in and out, Live update out permitted and live update in permitted.]

    Sym NIS proxy service ccPxySvc.exe [ 5 rules ie, NIS IM filter outbound permitted, NIS proxy service HTTP rule out and permitted, NIS IM filter out and permitted, NIS proxy service NNTP rule out and permitted. NIS IM filter out and permitted]

    and Norton programme integrator Nmain.exe [ 4 rules ie, Norton programme integrator out and permitted, Norton Program Integrator MS access outbound permitted, Norton Program integrator VS access outbound and permitted and Norton program Integrator Block rule, out bound and blocked.]
    That is all my firewall rules for SYMANTEC.
    Do you think changes are needed? or best left well alone.??
    Many thanks Gordon
    PS You mentioned Sven's NIS logging, do you have an address where this is obtainable?..................thanks
     
    Last edited: May 28, 2004
  23. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Well, we finally managed to suck in Reese Anschultz over at the BBR/DSLR Security Forum. (See the thread at http://www.dslreports.com/forum/remark,10357746~mode=flat ) I would suggest you read through the whole thread (this is a fairly new one) very carefully. If you're feeling a bit gutsy, you can see some suggestions there for some experimentation.

    Unfortunately (so far), Reese has tended to concentrate on SNDMON.EXE and I don't think this is the primary source of the problem that NIS/NPF 2002 users are experiencing. Indeed, his second posting in that thread is almost exclusively related to Symantec Product releases after NIS/NPF 2002 -- to wit, Symantec Desktop Firewall (5.x) and then NIS/NPF 2003/2004 (6.x and 7.x, respectively). Well, that's not where the problem lies -- for us!

    I don't know if we're going to hear any more from Reese any time soon. After all, it's the Memorial Day weekend (here in the 'states) and it's quite likely that even in California he's now taken off for an extended weekend.
    Well, this is one of the embarrassing features about NIS/NPF 2003/2004. You really can't document the rules comprehensively without laboriously copying them down by hand! (and you have to go through a large variety of windows/tabs to do even that!). I thought of dumping you a set of what the rules for these Symantec apps would look like -- until I completed the spreadsheet that I just inserted over in the BBR/DSLR Security Forum thread mentioned above. There's no way that what's reasonable to NIS/NPF 2002 is likely to be relevant to NIS/NPF 2003/2004. I'm sorry; I didn't design the latter products.
    Oh, that I can do! :) Let's see . . . .
    http://home.debitel.net/user/svenschaef/logview/
    Sven's work is extremely high quality and I recommend it without reservation.
     
  24. browneagle52

    browneagle52 Registered Member

    Joined:
    May 26, 2004
    Posts:
    5
    I uninstalled Norton Personal firewall this afternoon and then re-installed it. I then held my breath and went out to Norton and installed the updates. My access to the internet is just great, the speed is as good as it was before I began to have the slow downs. I guess Symantec must have fixed the problem. I am now a happy internet surfer.
     
  25. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Well, you also can download and fill out the spreadsheet available at http://www.dslreports.com/forum/remark,10364550~mode=flat to reflect the current NPF configuration that you find on your system! :) There are two guys already doing that at BBR/DSLR Security and at least one other over at Computer Cops. The more the merrier!
     