Norton Internet Security log files help please



cybergran
24-12-2005, 08:45 AM
:waughh: I have just purchased a new computer running Win XP and Norton Internet Security....I have viewed the logs and after searching Symantec for information I would like help in interpreting the following logs, please....
1. Symantec Resource Protector

Alerts...Red X beside it.
C:\win\system32\winlogon.exe (PID-508)
Target C:\program files\Norton Internet security\Norton antivirus\navapsvc.exe
Action: unauthorised access
Reaction: unauthorised access stopped
www.symantec.com link button

2. Norton Internet Security
Firewall icon...
Inbound TCP connection
remote address, local service is (207.210.245.140,http(80))
detailed info at symantec about this attack
www.symantec security response link button.

3. Intrusion Detection... circle with a - inside (brown/red) icon
attempted intrusion "portscan" against your computer was detected and blocked
Intruder: 206.204.51.131 (2070)
Risk Level: medium
Protocol: TCP
attacked IP. 210.54.85.154
attacked port: imap (143)
detailed info at symantec security response link button.

4. System. i blue icon
"Port block Allow NetBIOS" changed.
old value 1
new value 0

5. Alerts. blue arrow icon
Rule: "default block backdoor/subseven trojan horse" blocked (210.55.145.174.27374)
Inbound TCP connection
local address, service is (210.54.100.56.27374) Remote address, service is (210.55.145.174.1409)
process name is "N/A"

6. Firewall icon.
The user has created a rule to "permit" communications
Outbound TCP connection
Remote address, service is (203.96.92.131,smtp(25))
process name is: "C:\program files\internet explorer/iexplore.exe"

I would appreciate replies interpreting these logs....thanx so much..
A very Merry Christmas & an even Happier New Year to everyone.

cybergran
24-12-2005, 09:44 AM
:cool: PS.. Please advise what type of logs I should be aware of for security threats etc....
Also every time I turn my computer on the Norton Internet Security balloon pops up and tells me "my computer might be at risk...Norton is disabled"....when I check Norton is turned ON...Can I stop this balloon from popping up or will it affect something else as well....Thanx so much...

Jen
24-12-2005, 09:10 PM
The trouble with looking at internet firewall security logs is that it makes you paranoid. :p

It is not uncommon to get various alerts from incoming traffic and some of this can be considered *normal* internet traffic noise. The main thing is your firewall is doing its job and blocking anything considered suspicious. If you suddenly had a heap of alerts from the same IP or trying to access the same port, then I would have a closer look, but apart from that you don't have to worry about most of the alerts.

Outgoing traffic is more suspicious. Your internet capable programs such as email client and browser need full access to the internet in order to function. One of the alerts #6 you asked about is an example of that. SMTP is the mail server protocol that your ISP uses for your outgoing emails.

Be very careful of what other programs require internet access. If you are not sure whether to allow it or not, google for information to make sure it is safe to allow this. A process that suddenly and persistently seeks permission to access the internet can indicate a trojan or virus present on the machine.


Quote: Also every time I turn my computer on the Norton Internet Security balloon pops up and tells me "my computer might be at risk...Norton is disabled"....when I check Norton is turned ON...Can I stop this balloon from popping up or will it affect something else as well....

This is normal on XP machines with SP2 installed. The XP Security Centre cannot detect the status of your Norton's Antivirus and therefore gives this warning. Norton has designed their product so that third-party applications cannot access the status of their program (for security reasons). You can find more information here (http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2004070812114713?Open&src=con_web_nam&docid=2004070814522613&nsf=sharedtech.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=). I'm not sure if you can manually change the report option within Norton.
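Added example (not part of the post above and not Norton's own tooling): one way to apply the two rules of thumb from that reply to an exported firewall log, flagging inbound alerts that repeat from one source or against one port, and outbound connections from programs you did not expect. The line format, the process names and the allowlist are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events, not real Norton log output. Each line is
# "direction remote_ip port process"; addresses are RFC 5737 documentation ranges.
SAMPLE = """\
in 198.51.100.7 143 N/A
in 203.0.113.9 80 N/A
in 192.0.2.44 27374 N/A
in 192.0.2.44 27374 N/A
in 192.0.2.44 27374 N/A
in 192.0.2.44 135 N/A
in 203.0.113.50 27374 N/A
out 203.0.113.25 25 mailclient.exe
out 203.0.113.80 80 browser.exe
out 203.0.113.99 6667 updater32.exe
"""

# Assumed allowlist: (process, remote port) pairs the user knowingly permitted.
# The process names are hypothetical.
EXPECTED_OUTBOUND = {("browser.exe", 80), ("browser.exe", 443), ("mailclient.exe", 25)}

def parse(text):
    """Yield (direction, remote_ip, port, process) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, ip, port, process = line.split()
        yield direction, ip, int(port), process.lower()

def triage(text, threshold=3):
    """Separate background noise from entries that deserve a closer look."""
    events = list(parse(text))
    by_ip = Counter(ip for d, ip, _, _ in events if d == "in")
    by_port = Counter(port for d, _, port, _ in events if d == "in")
    unexpected = {(proc, port) for d, _, port, proc in events
                  if d == "out" and (proc, port) not in EXPECTED_OUTBOUND}
    return {
        # Many blocked alerts from a single remote address.
        "repeat_sources": sorted(ip for ip, n in by_ip.items() if n >= threshold),
        # Many blocked alerts aimed at a single local port, from any address.
        "repeat_ports": sorted(p for p, n in by_port.items() if n >= threshold),
        # Outbound traffic from a program/port pair that was never approved.
        "unexpected_outbound": sorted(unexpected),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Single, one-off inbound blocks (ports 143, 80 and 135 in the sample) fall below the threshold and are not reported, which matches the "internet noise" described in the reply.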

cybergran
27-12-2005, 04:35 PM
:) Hello Jen...Thank you very much for your helpful information....I will check out item no 6 when I arrive home....Hope you have a very Happy New Year....

Speedy Gonzales
27-12-2005, 05:01 PM
Depending on which version of NIS you have (like 2003), the XP Security Centre won't recognise the firewall / AV if the WMI update hasn't been installed (thru Liveupdate).

I think with NIS 2006, the WMI update installs as part of the install. So, the Security Centre should pick up the firewall / AV after u install NIS 2006.

If you want to disable the balloons for good, go here (http://www.kellys-korner-xp.com/xp_tweaks.htm) and click on number 11 / disable all.

Download this file, and double click on it.

If u want, I would find out where the ip address comes from in #5. And report them.

cybergran
27-12-2005, 10:40 PM
:waughh: Hi Speedy Gonzales... I have Norton Internet Security Suite 2005...I do live updates daily...Please explain what WMI update hasn't been installed thru live update...means....How can I find out what the IP address is for #5....can I google it? thanx so much for your reply...Hope you have a very happy new year....

Speedy Gonzales
28-12-2005, 08:08 AM
The WMI update/s for NIS tell XP's security centre (hopefully), what firewall / anti-virus is installed. If your Liveupdate shows no more updates, I wouldn't worry about it.

Usually if NIS reports a hacker (as in # 5), you can click on that ip address, and click on Yes. It'll then bring up a map of the world and tell you where that ip address originated from....

cybergran
28-12-2005, 09:29 PM
:p Hi speedy gonzales...thanks for your input...yes the live update shows nothing more to update....thanks for the tip about the IP too I will try that when I log off...have a Very Happy New Year....