Re: NIS4 compared to NIS3?

From: Joseph V. Morris (jvmorris@erols.com)
Date: 12/24/01


From: "Joseph V. Morris" <jvmorris@erols.com>
Date: Mon, 24 Dec 2001 15:19:49 -0500

Sally,

"Sally" <Sally@home.com> wrote in message
news:drsd2uov4ig6t4q3t3ev5s5gnaous6f9vd@4ax.com...
| . . . . When I look at the Internet
| Access Control list, it takes forever to load (even when I'm online) &
| sometimes it freezes. I was just hoping that maybe in ver. 4, they'd
| have worked that out.

Now, this is an interesting issue. Yes, it's certainly SLOWER than
molasses, at least on a P II @ 350 MHz with a 100 MHz front-end bus
running Win 98 SE. On the other hand, on a P IV @ 1.7 GHz running Win XP,
it seems perfectly normal! <g>

The last time I inquired about this, it seemed it was some sort of XML
application, rather than a more typical C++ Windows application and I
think that has a great deal to do with it. Incidentally, it looks a bit
different on different OSs, also. And, IMHO, it doesn't exactly work like
a standard Windows app. This may be related to some sort of desire that
it also run on the Macintosh; I really don't know. I believe that what
you are actually seeing is something known as Norton Integrator, which is
sort of a universal shell console for ALL Norton apps, that may be
installed on your box -- NIS/NPF, NAV, NSW, and maybe even Ghost and PC
Anywhere (I don't have the latter two).

| Also whenever I run LiveUpdate, NIS always asks me to make a new
| rule. So, by now I have about 20 of them, many of which are identical.

I acknowledge that I have reports of behavior like this (and not just
LiveUpdate), but, for the most part, I can't duplicate it on any of the
three boxes to which I have access (Win 98 SE, Win 2K Pro, or Win XP), so
I really can't explain what's happening there. However, I would strongly
recommend that you download Albert Janssen's NIS Rules Viewer from
www.capimonitor.nl and run a _detailed_ review of ALL your rules (from the
very first to the very last). On those replicated LU rules, in
particular, check to see if the SHA1 hashes and file locations are always
the same, in addition to other LU rules details. However, more generally,
look out for what seems to be an application-specific rule (based on the
way it's named), but which really says "Any Application" (in Albert's
utility). If you find any of these present in your ruleset (and
especially if they also say "Any Service" or "Any Address" under BOTH the
local and remote settings), that's a rule that effectively drops your
firewall. I'd like very much to hear about it if you find anything like
that. There seems to be something 'out there' that can do this. I ran
into it when testing YALTA (look for Yalta.vxd), but others have run Yalta
with no problems. I'm beginning to suspect it has something to do with
either specific CPUs, chipsets, or BIOS versions and I'd really like to
nail it down (as would Symantec who, last time I heard, hadn't been able
to replicate it).

| When that happens, it's pretty frustrating because by the time the
| new rule is made, LiveUpdate has frequently timed out. So I then have to
| force LU to close, reopen it, & try again (usually by just telling NIS
| to Permit the access about 3 or 4 different times). Does that happen
| to you too?

No, but as I've already said, I've definitely heard other reports about
behavior like this.

| Another alternative I've thought about is just using AtGuard since a
| lot of people seem to really like it. Would you recommend that or,
| since it's no longer being upgraded, are there likely to be security
| gaps in the future?

I personally have no problems with AtGuard. Dave "Crash Dummy"
Stockbridge is an excellent source on AtGuard as is a poster that you may
find named BlitzenZeus. It is not, however, fully functional on Win XP or
Win ME. And make sure you use an authentic version AG 3.22.11; some of
the versions available on warez sites are of _very_ doubtful integrity.
And you will, of course, need the personal expertise to formulate your own
firewall ruleset. (Or you could crib it by using Albert's Rules Viewer
with your current NIS configuration! <g>) Other options would be Tiny
and apparently Outpost -- both of these seem to be developing quite a
following with people now looking for AtGuard replacements, but who don't
want to go with Symantec.

As for the so-called Leaktest vulnerability present in AtGuard, that's
always been a non-issue with me. There were no documented exploits along
this line prior to Steve Gibson publicizing the issue and, due to all the
PSFs that DO now check either a SHA1 or MD5 hash, I'm unaware of any
prevalent in the wild now. But, if you're really concerned about this,
what you REALLY want is Albert's NIS File Check, which can be set up to
check ALL executables on your box using a hash algorithm of your own
personal choice. This is FAR more comprehensive than the checking
provided by _any_ of the current crop of PSFs.

. . . .

--
Regards,
    Joseph V. Morris
    jvmorris@erols.com
    ICQ #29438199

This is a NEWSGROUP message; except for privacy reasons, please respond therein; an e-mail COPY is always appreciated, of course. Almost all electrons used in the creation of this message were recycled. No electrons used in the production of this message were harmed or mistreated in any manner.
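
The rule review recommended in the message above, sketched as an added example that is not part of the original post and not code from NIS or the Rules Viewer: it flags permit rules that match any application (escalating those that are also open on service and both addresses) and checks whether same-named duplicate rules always carry the same file location and SHA1. The rule fields, the `ANY` marker and the sample ruleset are constructed assumptions.

```python
from collections import defaultdict

ANY = "ANY"  # wildcard marker in this constructed format

# Constructed sample ruleset. The field names are hypothetical (not the real
# NIS or Rules Viewer format); paths and hashes are placeholders.
RULES = [
    {"name": "LiveUpdate", "action": "permit", "app": r"C:\example\lu.exe",
     "sha1": "aaaa1111", "service": "80", "local": ANY, "remote": ANY},
    {"name": "LiveUpdate", "action": "permit", "app": r"C:\example\lu.exe",
     "sha1": "aaaa1111", "service": "80", "local": ANY, "remote": ANY},
    {"name": "LiveUpdate", "action": "permit", "app": r"C:\temp\lu.exe",
     "sha1": "bbbb2222", "service": "80", "local": ANY, "remote": ANY},
    {"name": "Mail client", "action": "permit", "app": ANY,
     "sha1": None, "service": ANY, "local": ANY, "remote": ANY},
    {"name": "Block NetBIOS", "action": "block", "app": ANY,
     "sha1": None, "service": "137-139", "local": ANY, "remote": ANY},
]


def audit_permissive(rules):
    """Return (index, name, severity) for permit rules matching any application."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] == "permit" and r["app"] == ANY:
            wide_open = all(r[k] == ANY for k in ("service", "local", "remote"))
            findings.append((i, r["name"], "wide-open" if wide_open else "any-application"))
    return findings


def audit_duplicates(rules):
    """Group same-named rules and report whether path and SHA1 ever differ."""
    groups = defaultdict(list)
    for r in rules:
        groups[r["name"]].append(r)
    report = {}
    for name, members in groups.items():
        if len(members) > 1:
            identities = {(m["app"], m["sha1"] or "") for m in members}
            report[name] = {"copies": len(members), "identities": sorted(identities),
                            "consistent": len(identities) == 1}
    return report


if __name__ == "__main__":
    for finding in audit_permissive(RULES):
        print("permissive rule:", finding)
    for name, info in audit_duplicates(RULES).items():
        print("duplicated rule:", name, info)
```

A duplicated rule whose copies are not consistent means the same rule name was granted to more than one file or hash, which is the case worth inspecting by hand.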
