Re: SubSeven alerts: Norton Firewall vs Hacks/Trojan cleaner
From: Joseph V. Morris (jvmorris@erols.com) Date: 08/29/02
- Next message: those who know me have no need of my name: "Re: ports 12345 and 54321 open"
- Previous message: Phil Pucci: "Re: Looking for Proxy that also monitors availability of a remote service"
- In reply to: Francis Bell: "Re: SubSeven alerts: Norton Firewall vs Hacks/Trojan cleaner"
- Next in thread: Wolfgang Kueter: "Re: SubSeven alerts: Norton Firewall vs Hacks/Trojan cleaner"
- Reply: Wolfgang Kueter: "Re: SubSeven alerts: Norton Firewall vs Hacks/Trojan cleaner"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joseph V. Morris" <jvmorris@erols.com> Date: Thu, 29 Aug 2002 13:07:20 -0400
Frank,
"Francis Bell" <phrankndonna@worldnet.att.net> wrote in message
news:2vkqmuo910m814poruamqfg727k731b544@4ax.com...
| . . . .
|
| I actually am vigilant about my computer. I do have Norton AV and I
| do keep the rules updates. I don't open UI email, and even from known
| sources I save attachments first and then scan them before opening. I
| do know exactly what's on my system, and I keep it very updated with
| the latest patches, and if I do download something (which is seldom),
| I only do it from a well known source (although I know that's no
| guarantee either.)
First, it sounds like you have a reasonable handle on safe procedures. As
one of the prior respondents pointed out, this is really where it all
starts. If you don't understand what to do and what _not_ to do, no
software product is going to secure you.
| Wolfgang, you said,
| - run no services
| ... like what are you referring to?
There are, of course, the obvious: web servers (including Microsoft's
Personal Web Server -- PWS), mail servers, news servers, ftp servers, IRC
servers. Then there are the "not so obvious". For example, KaZaA is (or
at least was) a server app that would run and potentially give someone
more or less unlimited access to your machine if not properly configured
(And you definitely do NOT want a KaZaA server running at the moment with
the RIAA tracking down offerors, complete with court orders.) And, as
noted elsewhere, a misconfigured WinGate proxy server can apparently be
used as an IRC reflector. A Trojan server (like SubSeven) is actually a
server, also. It sits there (v-e-r-y quietly) and waits for a SubSeven
client looking to contact it. (Incidentally, that could well be exactly
what you saw, but possibly not).
I don't believe you exactly said what OS you are using? Well, there are
also some arcane Windows services that may well be running. This gets
pretty bad on Win 2K Pro and even worse on Win XP. Unfortunately, I can't
tell you what these default services are; I simply shut them down and then
forgot about them.
| - use netstat with appropriate options to check for listening services
| ... what is netstat and how does it differ from a firewall if
| it's just monitoring your system?
Well, netstat is a low-level utility present on most Windows (and other)
OSs. You have to run it, in most cases, from a DOS command line, i.e., go
to Start | Run ... and enter command.com into the argument. When the DOS
window opens, type in "netstat -an" at the command prompt. (Type
netstat -? for the list of alternative arguments.) There are also Windows
interfaces or alternatives to netstat. Actually, you've already _got_ an
enhanced version of netstat if you're running NIS or NPF. Open the NIS
Statistics window, look under the "Network Connections" tab. This _will_
tell you the application (if any) listening on a port and also provide
information on the bytes sent and received, etc. (You'll probably see a
lot of loopback connections, not at all unusual.)
Second part of your question: Netstat (and its analogs) simply _monitors_;
it _does_ nothing. And that's how it differs from a router or a
firewall (hardware or software) which make decisions as to what to
permit/deny based on various rules.
| - rely on your TCP/IP stack
| ... I've done away with my dialup service in favor of a cable
| modem. Is there still a TCP/IP stack associated with a cable
| modem?
Hey, if you're using the Internet, you've got a TCP/IP stack; the nature
of your physical connection is irrelevant.
| So, the bottom line here is that I'm more or less good with what I've
| got. I shouldn't need any additional software (and in Wolfgang's
| opinion, the firewall software is extraneous). Just be vigilant and
| careful. And as for the flashing Norton Subseven alerts, just nuke em
| when they come in. Does that about wrap it up? Thanks for all the
| help folks!!
Well, technically, Wolfgang is correct. It's perfectly possible to
configure your system without having a software firewall. It's a PITA and
takes a certain amount of expertise and learning that the average personal
user is unlikely to care to expend. (But I could say the same with
regards to NIS/NPF if you get a sudden urge to start customizing it.) And
then (without the firewall) you're going to spend a considerable amount of
time checking to understand exactly what's going on.
As for the Subseven Alerts, again, Wolfgang is largely correct; they
simply scare the bejabbers out of the novice and are totally unnecessary.
Basically, they tell you that the firewall is actually _doing_ something.
(I think the Alerts were originally intended to make people aware of this
fact; actually, what they are doing is scaring the hell out of people.)
You know, if you want, you can go in to the Trojan Rule Settings and
simply disable the Security Alerts; a lot of people do this just to get
rid of the distraction. (I'd keep the logging enabled, however, even if I
did disable the Security Alert stuff -- that way you could occasionally
review the events whenever you got the urge in the Firewall Event Log.)
Some people go even further and simply eliminate the Trojan Block rules.
For the most part (there is a remote exception), they serve no purpose
that isn't provided by NIS/NPF by default.
I sort of beat around your other fundamental question. If you've got the
time and money, it wouldn't be a bad idea to consider getting an
anti-trojan utility that you can run memory-resident in addition to NAV
(which is basically an AV product). The people that concentrate primarily
on AV have a somewhat different expertise than those that concentrate on
AT products.
--
Regards,
Joseph V. Morris
jvmorris@erols.com
ICQ #29438199
This is a NEWSGROUP message; except for privacy reasons, please respond
therein; an e-mail COPY is always appreciated, of course.
Almost all electrons used in the creation of this message were recycled.
No electrons used in the production of this message were harmed or
mistreated in any manner.
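The "netstat -an" check described in the message above, worked through as an added example (not part of the original post or of any product mentioned in it): the script parses netstat output in the Windows column layout, keeps only sockets that can accept inbound traffic, and separates the ones bound to loopback from the ones reachable from the network. The sample output embedded in the script is constructed to look like a Windows "netstat -an" listing; it is not a real capture, and the ports shown are illustrative only. Like netstat itself, the script only reports; it blocks nothing.

```python
"""Parse 'netstat -an' output (Windows column layout) and report listeners.

Added example, not code from the original newsgroup post. SAMPLE_NETSTAT is
a constructed listing in the shape Windows netstat prints; it is not a real
capture and the ports are illustrative.
"""
import re

# Constructed sample of 'netstat -an' output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED
  TCP    192.168.1.5:1029       64.12.24.3:5190        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

# One socket line: protocol, local addr:port, foreign addr, optional state.
# The greedy \S+ for the local address backtracks to the last ':' so that
# IPv6 forms such as [::]:135 split correctly as well.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)\s*"
    r"(?P<state>[A-Z_]+)?\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; banner and header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["lport"] = int(entry["lport"])
        sockets.append(entry)
    return sockets


def listening_sockets(text):
    """Sockets that accept inbound traffic: TCP sockets in LISTENING state
    plus every bound UDP socket (UDP carries no state column, and a bound
    UDP port is reachable)."""
    return [s for s in parse_netstat(text)
            if (s["proto"] == "TCP" and s["state"] == "LISTENING")
            or s["proto"] == "UDP"]


def externally_reachable(text):
    """Listeners bound to something other than loopback. A service bound to
    127.0.0.1 only accepts connections from the machine itself, so these are
    the entries the owner should be able to account for."""
    return [s for s in listening_sockets(text)
            if not s["laddr"].startswith("127.")]


def report(text):
    """Human-readable summary: external listeners first, loopback-only after."""
    external = externally_reachable(text)
    loopback = [s for s in listening_sockets(text) if s not in external]
    lines = ["Reachable from the network (explain each one):"]
    lines += ["  %s %s:%d" % (s["proto"], s["laddr"], s["lport"]) for s in external]
    lines.append("Loopback only (local programs talking to each other):")
    lines += ["  %s %s:%d" % (s["proto"], s["laddr"], s["lport"]) for s in loopback]
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live machine you would feed the real output of 'netstat -an'
    # into report(); here the constructed sample is used instead.
    print(report(SAMPLE_NETSTAT))
```

The ESTABLISHED lines and the loopback-to-loopback pairs the post mentions as "not at all unusual" are deliberately left out of the external list; the point of the check is the short list of ports that anyone on the network can reach, each of which should map to a service you chose to run.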