Configuring program access in Norton Internet Security 2007

on 27.10.2006 21:04:59 by SimonH

Just installed Norton IS 2007 after seeing it get a good review on PC Mag.
I have "Ask me what to do" checked under "Firewall processing", because I want
to decide what processes access the internet. I understand of course that
this means the program will pop up a window for my permission the FIRST TIME
a process attempts to go online. However, it seems no matter how many times
I say YES or NO for any given process, IS 2007 KEEPS ASKING. Case in point,
windows explorer. Explorer.exe appears 3 times in the OS. I have EACH ONE
set to BLOCK under "Personal firewall: Program control". I have REMOVED
explorer.exe from the "Configure program launch monitoring" "allowed" list.
Yet EACH TIME I do a search in windows explorer, I am asked 5 or more times
whether or not the program can access the internet. Similarly, it KEEPS
ASKING ME if Outlook Express can access the internet, despite the fact that
I have told it YES repeatedly. Same with Firefox. This is maddening. I
have run several previous versions of Norton IS, and in the past once you
told the bloody thing how you wanted it to handle a given program, it did
so. Is there any way to get IS 2007 to just DO WHAT I TELL IT, or do I have
to remove the damned thing?

TIA

Dan

Re: Configuring program access in Norton Internet Security 2007

on 27.10.2006 23:55:36 by Duane Arnold

> Is there any way to get IS 2007 to just DO WHAT I TELL IT, or do I have
> to remove the damned thing?
>

"Firewall processing" or "Application Control" by another name, you should
disable it if you can as it's worthless. It can easily be circumvented and
defeated by malware or mis-configured. So, why be bothered with such things
in a solution?

You can use the tools in the link to look around for yourself, if you have
an NT based O/S such as XP.

long

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

short

http://tinyurl.com/klw1

You can use Active Ports. You can put a short-cut for AP in the Start-up folder
and watch for dubious connections, along with using AP on a router basis.
You can use Process Explorer to look at running processes and what is
running with the process, the hidden processes.

http://pcworld.com/downloads/file/fid,23780-order,1-page,1-c,alldownloads/description.html

If the machine has a direct connection to the modem, then harden the O/S to
attack, like disable Client for MS Networks and MS File and Print Sharing
off of the NIC or dial-up connection, as the machine has no business being
in a networking situation on the Internet, along with other things you can
do to the O/S.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

You can practice safehex.

http://www.claymania.com/safe-hex.html

I disabled "Firewall processing" or "Application Control" by another name
long ago on the personal FW/packet filter running on this laptop that has a
direct connection to the Internet.

I look for myself as to what's happening or running on the machine, as
"Firewall processing" or "Application Control" is worthless.

Duane :)

Re: Configuring program access in Norton Internet Security 2007

on 28.10.2006 02:33:48 by SimonH

Duane-Thanks for the in-depth response! I'll check out the links etc. I'm
not only concerned about blocking "malware", I also wonder why the hell
something like windows explorer has to "call home" when I'm looking for a
file on my hdd! And what the heck are all those "svchost.exe's" that keep
connecting? In addition to SECURITY, I also want some PRIVACY (I only trust
M$ slightly more than the malware goons ;-) and to keep unnecessary
background crap to a minimum!

Thanks again,

Dan



Re: Configuring program access in Norton Internet Security 2007

on 28.10.2006 06:17:08 by Duane Arnold

"Dan" wrote in message
news:jYSdnUqAhNfzON_YnZ2dnUVZ_v-dnZ2d@comcast.com...
> Duane-Thanks for the in-depth response! I'll check out the links etc.
> I'm not only concerned about blocking "malware", I also wonder why the
> hell something like windows explorer has to "call home" when I'm looking
> for a file on my hdd! And what the heck are all those "svchost.exe's"
> that keep connecting? In addition to SECURITY, I also want some PRIVACY
> (I only trust M$ slightly more than the malware goons ;-) and to keep
> unnecessary background crap to a minimum!
>

Explorer does try to connect to a network, that's part of its job. But at
the most, in your case, the Loop Back IP (look it up using Google) is being
used by Explorer, if Explorer is not really in a LAN situation. You can
use Active Ports and start Explorer and see if Explorer.exe is actually
connecting to a remote IP on the Internet. I think you'll find that it's not
doing that.

Svchost.exe is the messenger for the O/S programs and other programs that
can be malware. You should be aware of what's using an Svchost.exe, what
SVChost.exe is hosting as it's a hosting program or what remote IP an
SVChost.exe is connecting to. You can use Process Explorer to see what
hidden processes are hosted by an SVchost.exe and there can be many
SVChost.exe(s) running doing various things for the O/S and other programs.
You can

If SVChost.exe is not running out of Winnt/system32 (Win 2k and down) or
Windows/system32 (Win XP and up), then it's a Trojan. Again, you can use
Active Ports to see what a given SVchost.exe is connecting to. But I think
you'll find that Svchost.exe is just doing its job communications and is not
doing anything dubious itself. Most likely, svchost.exe is hanging out on a
Loop Back IP doing nothing, if that.

Look for yourself and see what's happening and don't depend upon a personal
FW to tell you what is happening. You should set AP's refresh rate to high.
You can use Arin whois to see who owns a remote IP.

Duane :)

Re: Configuring program access in Norton Internet Security 2007

on 28.10.2006 08:33:02 by unknown

Post removed (X-No-Archive: yes)

Re: Configuring program access in Norton Internet Security 2007

on 28.10.2006 13:46:14 by Ansgar -59cobalt- Wiechers

Dan wrote:
> Duane-Thanks for the in-depth response! I'll check out the links etc.
> I'm not only concerned about blocking "malware", I also wonder why the
> hell something like windows explorer has to "call home" when I'm
> looking for a file on my hdd!

Probably because it was configured to search not only your harddisk, but
also the web locations. Inspecting the traffic with a protocol analyzer
(e.g. wireshark [1]) helps with understanding what exactly happens
there.

> And what the heck are all those "svchost.exe's" that keep connecting?

svchost is a host for several services. What service exactly tries to
establish those connections? Use "netstat -anb" to find out.

> In addition to SECURITY, I also want some PRIVACY (I only trust M$
> slightly more than the malware goons ;-)

Well, if you don't trust Microsoft you should refrain from using their
operating system, plain and simple. There's no way on earth any software
running ON TOP of their operating system could enforce control over
their operating system.

> and to keep unnecessary background crap to a minimum!

You keep unnecessary background crap at a minimum by NOT RUNNING IT in
the first place. Autoruns [2], Silent Runners [3] or msconfig may help
you with that. In addition to that [4,5,6] may help with disabling
services you don't need. Running additional unnecessary background crap
does NOT help with it. Which should be obvious, but obviously isn't.

[1] http://www.wireshark.org/
[2] http://www.sysinternals.com/Utilities/Autoruns.html
[3] http://www.silentrunners.org/
[4] http://www.ntsvcfg.de/ntsvcfg_eng.html
[5] http://majorgeeks.com/page.php?id=12
[6] http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
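
Added example, not part of any post in this thread: a Python sketch that reads saved `netstat -anb` output, as suggested in the last reply, and reports which executables (with the service name shown for svchost.exe) hold connections to anything other than the loopback address, the distinction drawn in the Active Ports advice earlier in the thread. The sample output is constructed, and the assumed layout (connection line, optional component lines, then the `[executable]` line) can differ between Windows versions.

```python
import ipaddress
# Constructed sample of `netstat -anb` output; remote addresses are documentation ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:1027         127.0.0.1:1028         ESTABLISHED
 [explorer.exe]
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED
  wuauserv
 [svchost.exe]
  TCP    192.168.1.10:1050      203.0.113.25:443       ESTABLISHED
 [firefox.exe]
"""

def parse_netstat_b(text):
    """Attach the [executable] and component lines to the connection above them."""
    conns, current = [], None
    for raw in text.splitlines():
        line, fields = raw.strip(), raw.split()
        if len(fields) >= 3 and fields[0] in ("TCP", "UDP"):
            current = {"remote": fields[2], "owner": None, "components": []}
            conns.append(current)
        elif current and current["owner"] is None and line:
            if line.startswith("[") and line.endswith("]"):
                current["owner"] = line[1:-1].lower()
            elif not line.lower().startswith("can not obtain"):
                # With -b, lines before [exe] name the hosted service/component.
                current["components"].append(line)
    return conns

def is_remote(endpoint):
    # Strip the port, IPv6 brackets and any %scope suffix before parsing.
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*' (unbound UDP) or anything non-numeric
        return False
    return not (ip.is_loopback or ip.is_unspecified)

def remote_endpoints(conns):
    """Map 'executable (services)' to its sorted non-loopback remote endpoints."""
    out = {}
    for c in conns:
        if is_remote(c["remote"]):
            label = c["owner"] or "unknown"
            if c["components"]:
                label += " (" + ", ".join(c["components"]) + ")"
            out.setdefault(label, set()).add(c["remote"])
    return {k: sorted(v) for k, v in out.items()}
```

Feed it the text captured from `netstat -anb > out.txt` on the machine in question; the remaining addresses can then be looked up with a whois service.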