Re: Queston re Norton Internet Security 2003
From: Joseph V. Morris (jvmorris_at_erols.com)
Date: 05/16/03
- Next message: mhicaoidh: "Re: Does a casual home user need a router for security?"
- Previous message: Lars M. Hansen: "Re: Symantec Enterprise Firewall 7.0 and Domain Controllers"
- In reply to: P.Nichols: "Queston re Norton Internet Security 2003"
- Next in thread: High Flight: "Re: Queston re Norton Internet Security 2003"
- Reply: P.Nichols: "Re: Queston re Norton Internet Security 2003"
- Reply: Phillip Pi: "Re: Queston re Norton Internet Security 2003"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 15 May 2003 21:06:10 -0400
Well, I was hoping Phillip would respond to your query and I see that he has
now done so. On the one hand, Phillip has familiarity with NIS/NPF 2003
which I do not share (I've only gone as far as NIS 2002, but I've used
almost every prior build of NIS/NPF up through that point). On the other
hand, Phillip has a certain association with Symantec which I do not. In
the current instance, that means that I can be a bit more frank. <g> . . . .
"P.Nichols" <pdsnickles@yahoo.com> wrote in message
news:9f87f28b.0305150959.3c655c54@posting.google.com...
. . . .
> 1)Does this - if configured per the default settings - guard against
> Trojans and Worms? would AV find such, if I had it?
First, in the NIS Console, set Security to HIGH; set Reporting to Low (to
get rid of extraneous garbage); and, finally disable "Automatic Firewall
Rule Creation" (or whatever it's called in NIS/NPF 2003) after you've
configured your basic Internet-enabled applications.
NAV (which is a component of NIS) is going to do a very good job of finding
traditional viruses. It may not be the absolute best, but it's certainly in
the top five. With regards to Trojans, NAV will do a credible job of
finding all of the 'popular' Trojans. If you have reason to be concerned
about the more esoteric Trojans (due to your Internet habits), it would be
well worth your time to install one of the dedicated anti-Trojan software
packages -- these may search for as many as ten times the number of Trojans
that NAV will, but these additional Trojans are much more rare 'in the
wild'.
Let me put this in a personal context. I run both NAV and an anti-Trojan
utility memory-resident at all times. I also run a memory-resident registry
monitor and periodically (daily) run a file authentication utility against
all executables on my machines. I also periodically run a spyware detector
and an anti-keylogger utility. The only damn thing I've seen in months is
an e-mail worm which NAV trash-cans. Am I gonna disable any of this stuff
personally? Not hardly. Why? Well, I've got two kids running their own
machines behind mine (which serves as an ICS gateway); I have no idea what
stupid crap they may be doing from one day to the next (and both are smart
enough to disable any protective measures I install solely on their
machines).
The next thing that you specifically asked about above (worms) is a much
less clear issue. Worms tend to propagate either through e-mail or via
things that get stuffed into unprotected server applications that you may be
running. What's an 'unprotected server application'? Well, it would be
something like a web server (not a web browser like MSIE, but rather
something like MS' IIS or PWS), an e-mail server (not an e-mail reader like
Outlook or Outlook Express, but rather something like MS' Exchange Server),
a news server (not a news reader like Outlook Express), a SQL database
server (like MS SQL Server or MSDE, not a client-based installation of
Access), or an FTP server that you are knowingly (or possibly even
unknowingly) running on your machine. Such a server would deserve the
adjective 'unprotected' if you have not installed all relevant security
patches to the application or to the operating system or if you have failed
to take basic steps to 'harden' the operating system which you use.
You can easily (and quite likely unknowingly) install a web server if you
use MS Front Page (MS' Personal Web Server -- PWS); or a database server if
you install MS' Visual Studio or Access (MSDE in this instance). It's a bit
harder to unknowingly install a mail server, news server, or even an FTP
server. It's also quite easy to unknowingly install a P2P server (file
sharing or something like KaZaA for example) or an IRC 'bot server (simply
by spending a bit too much time in some of the more dubious IRC Chat
groups). Instant messaging applications (like MSN/Windows Messenger) or
conferencing apps (like NetMeeting) can also function as servers, if you
aren't careful when you set them up. (And I've left something very common
out, but at the moment can't recall what it is!)
You didn't ask about so-called SpyWare, the nifty little beasties that tend
to monitor your web surfing habits and then discreetly report back to some
anonymous site what sites you visit (usually e-Commerce sites are of
interest to the little goodies) or the really scurrilous 'key-loggers'
(which tend to monitor every damn thing you do on your machine and then
report back to some designated, anonymous remote site). Whether these are
things you should be concerned about is largely dependent on precisely what
your web surfing habits are like and just who (in the latter case) may
really want to know what you do using your computer (i.e., who you've
managed to PO in the Internet world, perhaps a recently disenfranchised
'significant other'?). NAV is not so good for these potential threats;
you'd probably be well advised to pick up an anti-spyware or anti-keylogger
utility, if these are of concern.
Now, this is the point where we move beyond NAV to the firewall components
of NIS itself; these provide some additional protections.
First, NIS 2003 (with the settings recommended at the beginning of my
response) is going to DENY access to the Internet from any nasty that got
installed on your machine without your knowledge -- until you explicitly
allow it out.
Second, NIS 2003 has a more sophisticated Intrusion Detection System (IDS)
than that which was available in earlier versions of NIS/NPF. This will
stop a lot of exploits of servers that you may be knowingly (or unknowingly)
running (unpatched) on your machine. It's pretty good, but still not quite
so good as you could get from a dedicated IDS like BlackICE or Real Secure
Desktop (to name only a couple of possibilities). Do you need/want the
additional protection? I can't say; you have to make your own
determination.
Third, NIS 2003 provides (for the first time) TWO additional capabilities
that were not available in earlier versions. One checks the DLLs, OCXs, and
SYSs likely to be called by an Internet-enabled application to ensure that
they have not been maliciously subverted. The OTHER, if enabled,
specifically monitors those applications (like RUNDLL32.exe) that can
automatically LOAD, EXECUTE, and RUN other applications -- some of which you
may very well not care to have running without your knowledge. Now, you'll
see people advising you (perfectly sincerely) to remove the functionality of
these two components. They slow down your Internet activity and they can in
fact drive you nuts. Question is: (based on your own Internet usage), do
you need this or can you comfortably live without them? Again, it really
boils down to your own needs.
Fourth (and almost since its inception), NIS has provided a set of default
Trojan Block Rules. These are specifically intended to prevent some skiddy
from being able to communicate with a Remote Access Trojan, RAT, (EVEN IF
ONE HAS SOMEHOW MANAGED TO GET ITSELF INSTALLED ON YOUR SYSTEM) AS LONG AS
the RAT in question only uses one of the default ports on which the RAT
typically listens (and most RATs can now be customized to use ANY port).
Sounds pretty good, doesn't it? What's missing? Well, protection against
memory-resident worms like CodeRed. These require something like a web
server be installed (and unpatched). Neither NAV nor NIS itself is
necessarily going to protect you against this (except for the IDS capability
and that only works for known exploits).
Bottom line: NIS 2003 is pretty good, but it's not perfect. If you don't
want to spend a lot of time on Internet Security, it'll probably suffice --
unless you have some bad Internet habits. If you want to spend more time OR
you have bad habits OR you have some especially critical information on your
machine, then it would be worth your while to look into additional tools to
supplement NIS 2003.
> 2)Does it automatically scan downloads - such as music downloads or
> movie downloads - for viruses, trojans or worms, or do I have to scan
> each download manually before opening it?
I have to take Phillip's information on the above; I'm in no position to
correct or extend it.
> 3) When I get a "security alert" from Firewall, I always go to clear
> it, and it happens like 20 times a day, and it's a pain in the ass to
> clear it. I get the impression that this is just Norton showing me how
> much good it is doing, with no real reason for showing me a "security
> alert". So can I just NOT clear the Security Alert, and it will still
> work the same?
Oops, I missed one in my original recommendations. Somewhere in NIS 2003,
you'll find a setting that says something like "Alert when Unused Ports are
Accessed". DISABLE (i.e., UNCHECK) this option. Most of these security
alerts will magically disappear. Oh, the firewall will still work the same
way; you just won't see all these annoying messages. Indeed, you can still
see the blocked access attempts if you check the NIS firewall event log.
Unfortunately, I'm not sure where you will find this option in the NIS 2003
User Interface.
> What is the best software to check to see if I have a Trojan or Worm?
There is NO SUCH THING. There are a variety of products, each with their
own strengths and weaknesses. (This is like asking what's the best pick-up
truck for hauling firewood.) Some run memory-resident (like The Cleaner
from Moosoft and Trojan Hunter), whereas others (like TDS-3, which is far
more sophisticated) only run on demand (last time I checked). Indeed, this
is why many of us use what we refer to as layered defenses. One component
may fail or be subverted, but there's always something else waiting to fill
the gap. Now, this can kill you on a slow system or a slow Internet
connection and I won't deny that. So, once again, it comes down to an issue
of exactly how far you want to go, how much you're willing to spend, how
much time you're willing to invest in learning to use the various tools
(competently), and just what you yourself DO on the Internet.
> (will Norton AV do that?) Because my computer has been running slower
> lately, so I am wondering what might be causing that.
There are any number of reasons why you may be experiencing a slow-down
recently. NIS 2003 itself can, indeed, raise havoc on a slow Win 98
machine, especially with a dial-up connection. I myself would not venture
an answer to this question without far more information from you.
--
Regards,
Joseph V. Morris
jvmorris@erols.com
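The post twice describes the same technique without showing it: the "file authentication utility" run daily against all executables, and the NIS 2003 component that checks DLLs, OCXs and SYSs for subversion. Both come down to a stored baseline of file digests compared against a fresh snapshot. The Python below is an added illustration of that check, not code from the post, from Symantec or from any of the tools named; the directory layout, file names and byte contents are constructed here so it runs offline, and the choice of extensions to watch is an assumption.

```python
"""Added example: a minimal file-authentication (integrity baseline) check of
the kind the post describes running daily against all executables. Not
Norton/Symantec code. Builds SHA-256 digests for executable-style files under
a directory, stores them, then compares a later snapshot and reports added,
removed and modified files. Sample files are constructed inline."""

import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: the file types the post names as subversion targets are the ones
# worth baselining. Real tools also inspect PE headers rather than trusting
# the extension alone.
WATCHED_SUFFIXES = {".exe", ".dll", ".ocx", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into RAM at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> digest for every watched file under root."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def save_baseline(snap: dict[str, str], baseline_file: Path) -> None:
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict[str, str]:
    return json.loads(baseline_file.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences. 'modified' (same path, different digest) is what a
    trojanised DLL or a patched EXE looks like; 'added' catches dropped binaries."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake program directory, then simulate an
    attacker replacing a DLL and dropping a new EXE, plus a harmless text-file
    edit that the check should ignore because .txt is not watched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "main.exe").write_bytes(b"MZ\x90\x00 original program")
        (root / "app" / "netlib.dll").write_bytes(b"MZ\x90\x00 original library")
        (root / "app" / "readme.txt").write_text("docs")
        baseline_file = root / "baseline.json"  # .json is not a watched suffix

        save_baseline(snapshot(root), baseline_file)

        # Simulated tampering after the baseline was taken.
        (root / "app" / "netlib.dll").write_bytes(b"MZ\x90\x00 backdoored library")
        (root / "app" / "dropper.exe").write_bytes(b"MZ\x90\x00 new unknown binary")
        (root / "app" / "readme.txt").write_text("docs edited")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add to what the post says: a baseline kept on the same machine can be rewritten by whatever rewrote the DLL, so the digest file belongs on removable or read-only media (or signed), and a clean comparison only proves nothing changed since the baseline, not that the baseline itself was taken on a clean machine.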