[packman]

Are there any Norton firewall experts out there who can tell me why I'm unable to stealth-block a persistent Trojan scanner?

OS is Win2K SP3. The firewall app is Norton Personal Firewall, part of Norton Internet Security. I've ensured that the firewall is reasonably well configured.

The problem is that every day now, for about six months, I'm continually bombarded with Trojan attacks. These are blocked by NPF but, with each, an alert is signalled on the screen and has to be investigated and serviced, otherwise (apparently) the block is lifted after 30 mins. But with this obvious scanning Trojan hitting my machine every 15 secs on occasions, I think you can see that this situation's intolerable.

The source originates from ever-varying IP addresses and possibly comes from a number of infected machines somewhere on my ISP's customer network. The variation in IP address is very wide and, anyway, many of the addresses are in the same range as that of my ISP, so I can't selectively block.

Incidentally, my machine is clean. There are no outgoing comms to unknown machines. Neither is my machine on a network; it's standalone.

I traced the incoming addresses as being machines on the same international network as my ISP (Tiscali) but when I informed Tiscali, they didn't want to know. So, I'm left to deal with the problem myself, at my end.

In Personal Firewall/Intrusion Protection, I've got the following two settings checked:

Detect Port Scan Attempts
Enable Autoblock

Autoblock, according to my Norton handbook, prevents a scanned attack from gaining access to the system, so keeping that setting checked seems sensible. However, there's some ambiguity over the "Detect Port Scan Attempts" setting. The handbook recommends enabling this if you want to be notified when the firewall detects a port scan. However, elsewhere, Norton states that Trojans and the like will only be blocked if first detected, which implies that you must always have "Detect Port Scan Attempts" checked.

So, what's the correct position, here? Would it be safe to uncheck "Detect Port Scan Attempts" and just keep "Enable Autoblock" checked, so that I don't have to keep servicing the alerts? Or are those two an AND function? I can't test this in any secure way, as I get constantly scanned.

What gives with the 30-minute limit on the autoblock? Surely, a firewall, once configured and with an up-to-date database of definitions, should permanently block - period?

Incidentally, in the Customise section of Personal Firewall Settings, there's a related setting called "Alert when unused ports are accessed". I've had that unchecked for a long time but it's not stopped the Norton alerts for this Trojan.

[packman]

Unfortunately, I'm using only a 56K dialup modem.

It's not easily possible to know which port(s) this scanner is using; the IP address is different on each attack and varies wildly.

I vaguely remember some TCP/UDP settings in the advanced section of TCP/IP Properties but I don't regard myself as sufficiently knowledgeable on TCP/UDP to be confident of making a valid change there.

No, really, what I'm needing is some clarification of those checkable Personal Firewall settings I've described. What EXACTLY do those firewall settings do? There's no help on them at the Symantec website and asking Symantec themxselves would cost me a cool $29 a time. It's kinda a question of the 'semantics of Symantec', I'd say.

[Jerry Atrik]

just go to the alert/reporting area and turn off reporting.
this way it'll still block scans but not popup and annoy u.

[packman]

Thanks Jerry,

What do you mean, exactly, by "alert/reporting area"? And are you ABSOLUTELY certain you're correct? If you're not, I'll get infected VERY RAPIDLY. In the 5 mins I've been online, already I've had four attacks. An infection with a Trojan like this will mean a complete reformat. Whoops, here comes another one.

Alecstaar,

Redialing has no affect whatsoever on this sort of intrusion. I keep my firewall and a/v software bang up to date but, even so, I've run complete internal scans , to check for infection and never found anything. I've also run Symantec's online security check and, again, my machine's clear. It's obvious, anyway, from how the alerts are reported that these are INCOMING attacks.

[Jerry Atrik]

i've used npf for years
what version? so when i get home i can post step by step.

[packman]

'Personal Firewall' is, in this case, the main feature of Norton Internet Security v4.0.

My guess is that any version of Norton Internet Security or of the specific package called Norton Personal Firewall will have very similar, if not identical, configuration settings.

The one part of it that's ambiguous - leaving the user wondering that, if he/she unchecks one of the two settings (see my initial description of the problem above), all such security against Trojans will be thrown away - is Personal Firewall/Intrusion Protection.

[Jerry Atrik]

ok, nis v4
nis and npf have different ui's so i will have to look thru it when i get home.
when i reinstall i load my settings from a file so it's hard to remember right offhand.

i wouldnt turn anything "off" until u are sure that u are turning only the "alert status" off.


*edit: open nis, click on internet status. on the left 2nd down is "reporting" slide the thingy to min... or configure to your likeing.

this will stop alerts but not stop security.

[ross_aveling]

If you're worried that your system may be open to attack, hop over to Shields Up at https://grc.com/x/ne.dll?bh0bkyd2 and let it run a test. It will tell you if you are in the green and if not, which ports/services you need to close.

It has a lot of good info about firewalling as well.

[packman]

Jerry, Reporting is ALREADY set at the Minimum setting. That's the default.

What else can/should I do, to turn off the Alerts?

[packman]

Alecstaar, I DO assure you that logging off and redialing has no effect. I redial many times in an evening and I still get the scans. I've had three alerts in the first five minutes of logging on tonight.

If you look at:

http://service1.symantec.com/SUPPORT/nip.nsf/pfdocs/2001012308470736

you'll see that, if you turn off blocking and subsequently get infected by a Trojan, NIS will probably not be able to detect it on your machine. Neither will it be able to eradicate it. So, I need to be 100% careful about the way I reconfigure my firewall. Jerry, please note!

I'd think it VERY UNLIKELY that I've let in a Trojan at some stage because my machine is one that I built myself and equipped with OS, etc, and I'm always EXTREMELY careful about security. Over the years, I've reformatted and reinstalled from scratch a good many times and, EVERY TIME, I'm meticulous about getting protected as soon as possible. That said, no one person or his/her machine can be 100% immune from mistakes or bad luck. But all the indications, anyway, are that these are INCOMING attacks.

[packman]

Alecstaar, thanks for your thoughts on this. You do, however, underrate Norton somewhat. NIS, in fact, gives quite a lot of detail on attacks, even pre-cursor ones. For instance, it logs the sender's IP address and other information each time. It's identified these particular attacks as from the "Default Block Sokets de Trois v1" trojan horse virus.

And, once again, I DO assure you that redialing (if that were a tolerable remedy, which it isn't) DOES NOT stop this scanning Trojan. It might delay its onset for a few minutes but thereafter the attacks are as regular and as varied as before.

These sorts of attacks on my machine began about six months ago. They've been associated with not just this particular Trojan but with other backdoor types as well. At first, the alerts didn't occur that often but the person or persons behind these Trojans has clearly stepped up the regularity of the scans and, no doubt, has managed to infect many other machines (probably mostly on my ISP's net). Like I say, with Norton (and maybe other common-or-garden firewalls/antivirus software), the victim wouldn't be aware that his/her infected machine would be acting as a server or proxy for the Trojan. In MY case, I'm actually GETTING ALERTS from Norton each time, so it's clear that I'm getting attacks from OUTSIDE my machine, not attempts FROM my machine.

[packman]

Again, thank you, Alecstaar, for trying to help. Let me point out, however, that I DO very much appreciate that these are scans and not necessarily a connection with a damaging virus of itself. The NIS handbook explains this time and time again and I've read the handbook many times over.

The difficulty I'm encountering is being missed here, though. All I'm needing is someone with some expertise in configuring NIS or NPF to advise me as to how I can turn off the alerts in a reliable and safe way. It's the alerts that are proving to be tiresome. Also, I need to know precisely why there's apparently only a 30-minute block on such scans, in NPF. The thing about all non-pro firewalls is that it doesn't take much in the way of misconfiguring to lay yourself open to a true infection. Unfortunately, the way in which Symantec have referred to the controls in the firewall on Intrusion Protection has led to some considerable ambiguity and so users like me are left in some doubt about fiddling with them.

As for your own comments, I'd like to point out that I've been using the word "attacks" in a very loose and general security sense. And I've referred to a "person" in the sense that someone must have originally sourced the scan, even though many other machines may have been hijacked in the meantime and may be participating.

I might try the DOS-based search you've mentioned, for showing the ports scanned. However, I don't profess to be as expert as your good self, so cannot guarantee that I'll be able to interpret the screen results, if any.

[packman]

Alecstaar, I've tried that netstat command. In fact, there are various switches for it, which give different levels of display. I've tried nearly all of them but not obtained a listing that looks anything like yours.

Quite apart from that, I'm not at all sure how to export the results to this forum topic but if I rt-click on the Command Prompt screen, it looks like Edit/Select All can be done, so presumably there's a way of doing Copy and Paste, or something like that?

I wasn't sure, anyway, whether you meant for me to execute the netstat command while offline or, instead, while connected to the Internet. I tried it both ways and, in the offline case, got just 7 active connections listed, whose States were all listening. Online, 21 connections were displayed, of which most were listening states, a few established states.

BTW, I'm not going to display my results here, anyway, as I don't know enough about this feature to convince myself that I wouldn't be openly publishing some vital information about my system and so unwittingly compromising my security. After all, I don't know you from Adam, to say nothing of other forum users who might be reading this topic.

The listings available under the netstat command (at least, on MY Win2K machine) do not look like anything you've displayed (no virus names at all are in my lists), in any event. And that's having tried the different switches.

All I'm prepared to inform you is that my list of active connections are tabulated into four columns:

Protocol
Local Address
Foreign Address
State

In the offline situation, the first six protocols are TCP, with the seventh UDP. Under TCP, there are no Foreign addresses listed. Each Local Address includes the name of my machine, along with what appears to be a process/port no. That's about as much as I'm prepared to divulge. The online case is very similar, except that there are one or two established States there (which I imagine is probably normal).

[packman]

Alecstaar, I'm a 57-year old retired professional electronics engineer. I've been retired for a few years now, due to ill health. I used to work as a design engineer amongst physicists, so my skills are first and foremost in hardware. What I know about computers, the Internet, security, etc is all self-taught, since I left my employment. My computer, its peripherals, and the applications I run are one of the few interests I can pursue these days, given a severe drop in income and limited mobility.

[packman]

Alecstaar, I've taken a look at the 27573-1 thread but I'm afraid I can't really help you. I think you must have assumed I was a chipset designer but, no, over my 30+ years career I was involved in ALL SORTS of analogue and digital design work, at both component and system levels (but never at chip design level). Not just to do with computers. These were newly thought-of mechanisms, on the part of myself and my colleagues. In fact, at my place of work I was always so busy with pushing on with new ideas that I never got the chance to use a desktop PC, as we know today, and I had to learn for myself when I finally left that employment and was on my own at home.

I rarely ever look back on such matters, I always look forward, and continue to ask and learn from as many sources as possible. That's just the way I am. I suspect you're the same.

As for your PCI timing query, therefore, I can't unfortunately help you. I have, of course, encountered BIOSs where PCI timings have been settable and I can remember a Via chipset-based m/board I used a few years ago where, like you, I experimented with the PCI latency timing. However, I found that varying the original figure (32) by as much as 100% (upward) made no detectable difference to the board's performance. Generally, it wasn't recommended to tweak the latency too much, especially downward, so I just left it at the 32 setting. After all, I'm not a 'total performance' freak, when it comes to my PC. I value system stability more than speed performance.

Reading that thread, though, I'd say that FourandTwenty has got it just about right.

Note that generally, in digital timing analysis, "latency" is viewed as a negative property of a logic state, but its meaning may well have changed in recent years ("latency" meaning that the state/device/whatever is hanging around, wasting time, until some other transition occurs). So, I think it might well depend on the precise circumstances as to whether a larger value (thereby allowing a parallel process to proceed in its place)would render a larger overall bandwidth, or whether a smaller value would, instead.

As for Adrian's Rojak Pot, yes, I agree that that's a running bible on BIOS settings, and generally he's right. He does update his Guide from time to time, though, so have you looked again lately?

[packman]

Jerry,

Any answers for me yet?

[Jerry Atrik]

Originally posted by packman:

Quote:

Jerry, Reporting is ALREADY set at the Minimum setting. That's the default.

What else can/should I do, to turn off the Alerts?

i know exactly what to turn off i just cant remember exactly where it is on v4.

intrusion detection should be on, but notify should be off.
my version both check boxes are next to each other.
now bear with me while i find where that is on your version.
(i have that version somewhere around here)

*edit*
sounds like u have what i call the most fun job
<--- process engineer with a degree in physics
playin with new stuff is the only wat to work.

[packman]

Jerry,

Certainly on my version, "Autoblock" and "Detect Scan Attempts" are side-by-side. I get the feeling, though, that if I turn off "Detect Scan Attempts", I'll effectively be turning off all intrusion protection. It's that that I'm unclear about. I can't afford to take the risk.

There might well be a more suitable setting elsewhere, but I've not found it.

[packman]

Jerry, please appreciate that I'm no longer in any gainful employment; I had to stop working because of my ill-health.

Yes, I worked in an R&D lab, developing all kinds of new computer-based systems - but never working directly on desktop computers as we now know them. For us, computers merely were a tool. In their 'personal' form, they didn't really begin to gain much prominence, anyway, till the late 1980s.

Retirement for me is no picnic, I can assure you. Money with which to pay all the bills is extremely short (just because I Was a professional didn't mean that I was paid a lot; in fact, quite the contrary). But, despite my health problems, I struggle on with my technical and musical interests, here at home. I contribute to a number of forums on the Internet, both technical and non-technical, using my knowledge and experience to help others. I get a lot of satisfaction from that.

[packman]

Alecstaar,

Re your PCI Latency query, would it be completely daft of me to ask if you've thought of e-mailing Adrian (he of Rojak's Pot fame), to ask him directly for the definition of that parameter?