Re: (NIS/NPF) Event log and other issues.
From: Tack (nospam@tack.flyer.co.uk) Date: 06/29/02
- Next message: Greg M. Topf: "Re: ATTN: James Meritt"
- Previous message: Art Kopp: "Re: Spyware going thru firewall"
- In reply to: Joseph V. Morris: "Re: (NIS/NPF) Event log and other issues."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Tack <nospam@tack.flyer.co.uk> Date: Sat, 29 Jun 2002 18:59:54 +0100
In n/g comp.security.firewalls, Joseph V. Morris says...
> snip
> However, I note one glaring omission from the correspondence: They never
> asked you to cut and paste an example of this event in the Privacy tab!
> (Well, I'd obviously expect you to fudge up the password itself, but
> still... it's sort of difficult for them to be offering advice without
> knowing for sure what you're actually seeing.) So, how 'bout we do that
> here? Find an event in the Privacy tab representing this effect and cut
> and paste it into a reply (taking care to obfuscate your REAL password in
> the process).
A typical entry would be...
(begin)
Date: 29/06/02 Time: 15:36:46
Allowed Cookie: Cookie: WEBPASS=(my login p/w here); path=/mail/;
domain=.(my ISP's name here); sent to http://www.(my ISP's name
here)/cgi-bin/login/login.cgi
(end)
(The p/w is shown whether or not the cookie is permitted or blocked.)
> I'm rather curious about how this is happening on your machine, because it
> isn't happening on any of mine -- and that includes Win 98 SE, Win ME, Win
> 2000 Pro and Win XP.
I have tried reverting back to a clean installation of win98se,
ie5.01sp2 and NIS 2002 v4.0 from a drive image, applying all
available updates, but the result is the same. I guess that should
rule out any possible effects of ad-ware, trojans and viruses.
Incidentally, windows is showing 87% resources free after reboot
with all NIS elements running at startup.
> Incidentally, are you getting a pop-up alert at the time this event is
> getting recorded in the Privacy Tab? You should be.
If I have the reporting level set to high, the alert tracker reports
any permitted/blocked cookies, but apart from that there is no pop-up
alert for that event.
> And, you're absolutely positive (i.e., you actually checked) that your
> password is NOT in the 'Confidential Info' list?
Correct.
> snip
> Well, I can't find this second link at all . . . .
It seems that Symantec keeps truncating the beginning of the thread to
save space, hence the link changes almost every time I
check it. I have posted a copy here...
(begin link)
http://www.tack.flyer.co.uk/Why%20does%20nmain_exe%20bypass%20NIS-NPF%20(Tack).htm
(end link)
...and you could search Symantec's Support Group for the subject...
"Why does nmain.exe bypass NIS/NPF" (without the quotes).
... for any updates.
> Did they ask you to document any rules in your firewall ruleset relating
> to NMain.exe? (Use Albert Janssen's NIS Rules Viewer to do this.)
>
> Did they ask you to document any firewall log events in which you found
> NMain.exe actually doing a connect? (Use Sven Schaefer's Rules Viewer to
> find and document such events quickly.)
>
> And, do you realize that NMAIN.EXE isn't NIS, at all? It's the so-called
> Norton Integrator that allows a common user interface for NIS, NAV, NSW,
> and NU. This is an XML application (more's the pity because it's really
> slow and awkward), so it _will_ show up as being an Internet-enabled
> application.
>
> | I won't pretend to know anything about the abilities of some
> | Trojans, but couldn't it be possible for one to replace NMain.exe
> | with a different program with the same name and then that program to
> | access the internet bypassing NPF?
>
> Well, it's possible but unlikely. Just duplicating the name isn't going
> to cut it. It's got to have the same SHA1 hash as authorized in an
> _existing_ PERMIT rule for nmain.exe. That's a bit of a tall order. I
> haven't yet seen a documented exploit that can dupe the SHA1 hash, but
> I'll acknowledge that it's certainly theoretically possible. (There _is_
> a demonstrated exploit for the MD5 hash used by most of the other personal
> software firewalls, incidentally -- but it ain't easy to beat that one
> either!)
The above may best be re-summarised if you can get to that elusive
link, but I will add that, in my installation, NMain.exe will connect
to the internet (without having to set any rules or permissions),
when I click on 'NIS>Personal Firewall>Internet Access Control' with
a live connection. Symantec say this is for DNS look-up.
Thanks Joseph.
--
Tack
Please reply via newsgroup as my reply-to e-mail address is spam-trapped. If you must respond via e-mail, replace 'nospam' with the name at the head of this signature before posting. nospam@tack.flyer.co.uk
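Joseph asked for the Privacy-tab entry to be pasted with the real password fudged, and the entry Tack posted shows why that matters: the login password travels in a WEBPASS cookie to an http:// URL and lands verbatim in the log. The script below is an added example (not from this thread or from Symantec) that parses entries in the two-line layout Tack pasted, flags cookies whose name looks credential-bearing or that were sent over cleartext HTTP, and rewrites the entry with the value redacted so it can be shared. The sample entries are constructed with placeholder values, and the "Blocked Cookie:" wording for a blocked event is assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample entries in the layout pasted from the NIS 2002 Privacy tab.
# Values are placeholders; "Blocked Cookie:" is an assumed label for blocked events.
SAMPLE_LOG = """\
Date: 29/06/02 Time: 15:36:46
Allowed Cookie: Cookie: WEBPASS=hunter2; path=/mail/; domain=.example-isp.net; sent to http://www.example-isp.net/cgi-bin/login/login.cgi
Date: 29/06/02 Time: 15:40:02
Blocked Cookie: Cookie: SESSIONID=abc123; path=/; domain=.example.com; sent to https://www.example.com/
"""

ENTRY_RE = re.compile(
    r"Date: (?P<date>\S+) Time: (?P<time>\S+)\n"
    r"(?P<action>Allowed|Blocked) Cookie: Cookie: (?P<cookie>[^\n]*?); sent to (?P<url>\S+)"
)
# Cookie names that usually carry a credential rather than an opaque session id.
SENSITIVE_NAMES = re.compile(r"pass|pwd|auth|token|secret", re.I)

@dataclass
class CookieEvent:
    date: str
    time: str
    action: str
    name: str
    value: str
    attrs: dict
    url: str
    findings: list = field(default_factory=list)

def parse_events(text):
    """Parse Privacy-tab cookie entries and attach risk findings to each."""
    events = []
    for m in ENTRY_RE.finditer(text):
        parts = [p.strip() for p in m.group("cookie").split(";")]
        name, _, value = parts[0].partition("=")          # first pair is the cookie itself
        attrs = dict(p.partition("=")[::2] for p in parts[1:] if p)  # path=, domain=, ...
        ev = CookieEvent(m.group("date"), m.group("time"), m.group("action"),
                         name, value, attrs, m.group("url"))
        if SENSITIVE_NAMES.search(name):
            ev.findings.append("credential-like cookie name")
        if ev.url.lower().startswith("http://"):
            ev.findings.append("sent over cleartext HTTP")
        events.append(ev)
    return events

def format_entry(ev, redacted=True):
    """Re-emit the entry in the original layout, with the cookie value hidden by default."""
    value = "<redacted>" if redacted else ev.value
    attrs = "".join(f" {k}={v};" for k, v in ev.attrs.items())
    return (f"Date: {ev.date} Time: {ev.time}\n"
            f"{ev.action} Cookie: Cookie: {ev.name}={value};{attrs} sent to {ev.url}")

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(format_entry(ev))
        print("  findings:", ev.findings or ["none"])
```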