Re: Norton Internet Security 2002 Problems

From: Joseph V. Morris (jvmorris@erols.com)
Date: 04/09/02


From: "Joseph V. Morris" <jvmorris@erols.com>
Date: Tue, 9 Apr 2002 12:08:01 -0400

Howard,

Inline, below ....

"Howard Johnson" <classy-hjohnson@daystardev.dyndns.org> wrote in message
news:3mv3busqporko7fubjm16vgkub9e73in7v@4ax.com...
. . . .
|
| I am not sure what the version is since I uninstalled it immediately
| after getting blown off by Symantec. However, it was the latest trial
| version downloaded from their website.

Well, last time I looked, both NIS 2002 (NIS 4.0) and NIS 2002
Professional (NIS 4.5) were downloadable as trial versions from Symantec's
site. So, not knowing which you had makes it a bit difficult to suggest
what you should (and indeed, even what you _can_) do to correct the
problem.

I can understand (and sympathize with) your reaction under the
circumstances. I've tried to talk with them about ways they could improve
their tech support for several years now, mostly with little if any
impact. They have somehow convinced themselves that they have the best
tech support in the software industry. There are a number of responses
here that I would hope they would look at; maybe they'll eventually
understand that not all of their customers (or prospective customers) see
things quite the same way as they do.

| In anticipation of your next question/statement... I was told by
| Customer Service that their trial version was IDENTICAL to the
| purchased copy. The only difference is the 30 day timeout. And that
| goes away when you enter the registration information into the trial
| version.

Oh, you were running the TRIAL version? Does Live Update work with the
trial version? (There were some glitches in the initial release of NIS
4.0 that were subsequently only correctable via Live Update -- I don't
know if the current trial version has those upgrades in it or not.) As
far as I know, the above statement is correct, not that it does much to
resolve your problem. (Actually, I thought somewhere they said they don't
provide tech support for the trial downloads?)

| >What operating system are you running on?
| Windows 2K Pro.

Okay, got NIS 4.0 on one Win 2K Pro box here.

| >If you're on Win NT/2K/XP, what _kind_ of OS user account are you
| >using? (Admin group, super-user, user, etc.)
|
| Administrator.

| >If you're using NIS 4.0, are you running with a NIS administrator
| >account when you encounter this problem or only when using one of the
| >other NIS account groups? (NIS accounts _may_ be different from OS
| >accounts.) [For that matter, did you install Privacy Control and User
| >accounts when you installed NIS 4.0?]
|
| No Privacy control or user accounts created.

Hmmm, interesting. In the original release of NIS 4.0, you had to install
Privacy controls in order to get user accounts. (Not too clear in the
original instructions.) No User Accounts, you couldn't really customize
your rules, for the most part (you could only have automatically generated
rules).
. . . .
| I appreciate your help... I really do. But I was so disgusted with
| Symantec's attitude that I unceremoniously uninstalled it.

Understood, as noted above.

| In summary the rules were like this... when you clicked on
| Applications and then clicked on Microsoft Outlook (which it showed
| had Custom rules), then click modify.
|
| The radio button for all connections (in and out) was checked. The
| computers to communicate with were entered as well as the ports (25
| and 110). Also, as insurance, both TCP and UDP were allowed.
|
| What was peculiar though is that at times, Outlook was allowed to pass
| without a warning from NIS. So this inclined me to believe that my
| rules were configured properly.

I've got a rule like that one for Outlook (not Outlook Express, right?).
Mine looks like:
------------------------------------------------------
Rule 42 Microsoft Outlook EMAIL
Category: E-mail
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Microsoft Outlook)
..........Path: c:\...\outlook.exe
..........SHA1: <Outlook version dependent>
........Access: Custom
Local service: Any Service
Local Address: Any Address
Remote Service:
..........Port: 25
..........Port: 110
Remote Address: Any Address
------------------------------------------------------
Of course, I've got SIX other rules for Outlook also! (Not all of which
you may need.)
Now, the above is the generic Internet e-mail rule. Note that Ports 25
and 110 are listed as REMOTE services, whereas LOCAL services are
indicated as "Any Service". Is that the way you were set up? (A lot of
people do this backward.) And, when you say you customized the rules
(presumably to only allow your authorized e-mail servers), I assume you
entered the relevant IP addresses under "Remote Address", not under "Local
Address"? (And do you only have one authorized e-mail server or do you
have several?)

Incidentally, I think that restriction to only your authorized e-mail
server(s) is a very good idea. I've never had Outlook phone home, but
then I'm running OL 98 [CW mode], rather than OL 2000 or OL 2002. Not too
sure as to whether the later versions do that or not; still, restricting
the Remote Address to your intended e-mail servers should solve that
problem.

The only Inbound Rule I have for Outlook is for Port 113. And I have no
UDP rules whatsoever for Outlook.

| I also had the same issue with RealOne (used to be Real Player). I
| don't want that app to phone home. So I made rules to connect to the
| certain radio stations I wanted. Again, sometimes it would work and
| at other times it would not... without changing any rules.

Only thing I use RealPlayer for is playing AV snippets in Real format; I
use RealJukebox for music and I've noted that it does phone home from time
to time. But, as far as I can tell, that's simply checking for updates
(and it keeps popping up the blurb for Real One.)

| >I gave up so long ago on getting answers to any tech questions from
| >their web-based support that I forget when that was! <g>
| >. . . .
|
| When I submitted this to their web-based support, I specifically said
| I had set up the rules and the rules were failing. I basically laid
| out what I just told you.

There WAS a problem with NIS/NPF 3.0/4.0 in their original release in
which rules could be replicated ad infinitum (depending on your Firewall
Security setting). This was eventually corrected via LiveUpdate. (I set
Security Level to HIGH, incidentally.) Unfortunately, I don't know if you
can use LiveUpdate with the TRIAL versions, hence my original question.
(And you may have to run LiveUpdate multiple times, since the updates are
sequential in many instances.) You can find the only centralized source
of information on the various versions and patches for NIS/NPF at
http://service4.symantec.com/SUPPORT/nip.nsf/pfdocs/2000020411153436?OpenDocument .
|
| The response I received was that I had indicated I want to learn how
| to set up the rules. So he directed me to a page on how to set up
| rules. And even that page was not complete.

Yeah, that's what they always do first: Find the closest canned response
and run with it, even if it's obviously inappropriate. (Ever notice that
they never ask for additional information, before directing you to a
'solution'?)

It's a great deal easier to manage, document, and customize the firewall's
basic configuration and firewall ruleset by using Albert's NIS Settings
and NIS Rules Viewer application in conjunction with Sven's Log Viewer. I
can (and indeed have) written guidelines on how to do this with these
utilities. I honestly don't see how an advanced user can do this at all
with the functionality currently available in NIS/NPF 3.0x/4.0x/4.5x.

| The guy needs to take a remedial reading course and work on his
| comprehension.

Oh, it's not (necessarily) the tech support guy. It appears that this is
what they've been directed to do. Unfortunately, it also appears that the
'direction' is coming from 'suits' who are somewhat clueless as to how to
provide tech support. Yet, there are massive differences in terms of the
appropriate guidance for NIS/NPF 2.5x/3.0x/4.0x users (and sometimes
guidance is different depending on the OS in question).

| If I were to re-install NIS and obtain those third-party utilities, do
| you think it would be worth the effort?

Well, that's a tough question, Howard. Symantec's tech support is
directed (almost obsessively) towards the entirely clueless (and that's
their current market of choice, since it's the largest source of potential
new customers). You're not in that category, obviously (otherwise you
wouldn't have tried to make the customizations you've now described).

You're only going to get the kind of support you're looking for from
places like here, or (possibly) the GRC grc.security.software newsgroup.
In all honesty, you're likely to get better responses from the UBB forum
at http://www.dslreports.com/forum/security,1 . There must be a dozen
knowledgeable NIS/NPF/AG users who respond to queries there.

I might also note that any source of firewall rules for Tiny/Kerio,
Sygate, Outpost, LookNStop, etc., are equally applicable to NIS/NPF or
AtGuard with a minor amount of transliteration. At www.dslreports.com ,
you'll find a Security FAQ with detailed recommendations for Kerio/Tiny;
there's also a dedicated Tiny/Kerio forum there which is currently
concentrating on setting up rules. Finally, I suppose I should indicate
that appropriate rules for _any_ of the rules-based personal software
firewalls (PSFs) are highly dependent on a whole lot of individual factors
that _have_ to be considered (especially for advanced users); there is
_no_ set of rules that works for everyone. (But I think you already know
that.)

However, to address the second part of your question above, I think that
Albert's and Sven's utilities are almost _essential_ for an advanced user
of NIS/NPF (and AtGuard, for that matter) who desires to manage and
customize their firewalls. It would be nice if Symantec would provide
this functionality as an innate part of their product (or even as a set of
unsupported add-ons) but they have deliberately chosen not to do so.
More's the pity.

--
Regards,
    Joseph V. Morris
    jvmorris@erols.com
    ICQ #29438199

This is a NEWSGROUP message; except for privacy reasons, please respond therein; an e-mail COPY is always appreciated, of course. Almost all electrons used in the creation of this message were recycled. No electrons used in the production of this message were harmed or mistreated in any manner.
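
The remote-versus-local service point made about Rule 42 in the message above, as an added example that is not part of the original post and is not NIS's own rule engine: a simplified first-match model showing why an outbound mail rule with ports 25 and 110 under the local service never matches, and what restricting the remote address changes. The rule names, the server address 192.0.2.25 and the sample connections are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Conn:                      # one connection attempt by the mail client
    direction: str               # "Outbound" or "Inbound"
    protocol: str                # "TCP" or "UDP"
    local_port: int
    remote_addr: str
    remote_port: int

@dataclass(frozen=True)
class Rule:                      # None means "Any Service" / "Any Address"
    name: str
    direction: str
    protocol: str
    local_ports: Optional[FrozenSet[int]] = None
    remote_ports: Optional[FrozenSet[int]] = None
    remote_addrs: Optional[FrozenSet[str]] = None

    def matches(self, c: Conn) -> bool:
        return (c.direction == self.direction
                and c.protocol == self.protocol
                and (self.local_ports is None or c.local_port in self.local_ports)
                and (self.remote_ports is None or c.remote_port in self.remote_ports)
                and (self.remote_addrs is None or c.remote_addr in self.remote_addrs))

def decide(rules, conn):
    """Return the name of the first permit rule that matches, else None
    (the point at which a personal firewall would prompt or block)."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name
    return None

MAIL = frozenset({25, 110})                 # SMTP and POP3
SERVER = "192.0.2.25"                       # constructed mail server address
as_posted = Rule("remote 25/110", "Outbound", "TCP", remote_ports=MAIL)
restricted = Rule("remote 25/110, one server", "Outbound", "TCP",
                  remote_ports=MAIL, remote_addrs=frozenset({SERVER}))
backward = Rule("local 25/110", "Outbound", "TCP", local_ports=MAIL)

# Constructed traffic: the client side uses an ephemeral local port.
pop3 = Conn("Outbound", "TCP", 1043, SERVER, 110)
elsewhere = Conn("Outbound", "TCP", 1044, "203.0.113.80", 110)

if __name__ == "__main__":
    for label, rules in (("as posted", [as_posted]), ("restricted", [restricted]),
                         ("backward", [backward])):
        print(label, decide(rules, pop3), decide(rules, elsewhere))
```

The backward rule matches nothing because the client's local port is ephemeral, so the connection falls through to whatever the firewall does with unmatched traffic; the restricted rule permits the mail server and leaves any other destination on port 110 unmatched.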