03-25-2010 08:48 AM - edited 03-25-2010 08:59 AM
First off, my router was unsecured for 2 hours (it's been secured since).
But Please answer this question assuming this is the case (that I have an unsecured router),
because I'm feeling paranoid that someone hacked into my system and stole my files
(even though I had no shared files in Windows Vista 32bit, wondering if they still hacked in).
I have Norton 360, and even though it automatically turned off Windows Firewall,
I went into Windows Firewall and manually turned it back on,
so that now both Norton 360's Firewall and Windows Firewall are running together at the same time.
My question is, does this now make my computer MORE or LESS secure from hackers?
The logic being that I have 2 guards instead of 1.
I've heard that it may cause more conflicts, so it will make the firewalls less effective, so it's LESS secure.
I've also heard that it just means more hoops for hackers to jump through, so it's MORE secure.
Which is really true? Does this now make my computer MORE or LESS secure from good hackers?
Thank you so much for your reply, it will help me feel better.
03-25-2010 08:52 AM - edited 03-25-2010 09:00 AM
My question is, can a good hacker go undetected from Norton 360?
Like, not even show up in any logs with any activity?
Basically get around Norton totally?
I left my router unsecured for 2 hours,
and am wondering if they accessed my network
and stole my files without being logged by Norton with any activity
(even though I have no shared files in Windows Vista 32bit,
wondering if they still hacked in).
Is there any way to see which files they accessed (if any)?
Thank you for your reply, it will help me feel better.
03-25-2010 09:31 AM
Welcome to Norton Community!
The following is taken from a post of Garret_Polk, Principal Software Engineer (Norton AntiVirus, Norton Internet Security, Norton 360) from a thread regarding the usage of Windows Firewall along with Norton Firewall:
"If you turn on Windows Firewall when the Norton Firewall is installed Norton will prompt you and offer to turn the Windows Firewall back off. Having two firewalls is sort of like having two doors on your house with two different keys. You will constantly need to unlock both doors for data to go in or out. Except in this case the Norton door is a cool automatic one that goes "whoosh" when safe data tries to enter. The Windows door is rusty and the key doesn't fit right and you have to jiggle it. :)"
Most firewall products bombard the user with questions about what programs should be allowed to run or to access the internet. Norton 360 have application intelligence baked in, allowing it to make security decisions so that you don’t have to. The Firewall in Norton 360 intelligently makes security decisions for you—allowing you to use your computer without you needing to be a security expert. With Automatic Program Control, every program requesting network access is scanned via all available scanning technology carried by the Norton product (e.g. Behavioral Heuristic Scan, AntiVirus scan, etc.) before granting network access. A rule will be created if it passed all scan filters and Smart Firewall uses this rule as reference for granting permission for the program to access the Internet. So, there is no need for you to check each time whenever any program requires the Internet access when using the Norton 360.
The Norton 360's intelligent intrusion prevention technology adds an extra layer of security by looking inside the data coming into your PC and blocking suspicious traffic. Intrusion prevention technology examines the content of Internet traffic and detects online security breaches, which can hide in approved Internet connections. When an intrusion is detected, Norton program automatically triggers the appropriate action (block all Internet access, for example), depending on the threat.
Conclusion: Better to use the Firewall from Norton 360, and keep Windows firewall disabled
03-25-2010 09:36 AM
Is there any way to see which files they accessed (if any)?
Go to Tasks > View Security History. From the drop-down menu next to Show, select the categories listed under Internet section, and review the details shown for each(Firewall-Networks & Connections, Firewall-Activities, Download Insight etc). Let us know if you find suspicious entry during the time period you left your router unsecured.
03-25-2010 11:13 AM
This post was merged by an admin. But it's a different question.
Can somebody help me with the specific points I've addressed in these two posts?
Thanks again for all your help.
03-25-2010 11:35 AM - edited 03-25-2010 11:38 AM
These are some of the logs I see that look suspicious,
would you help me decipher what they mean
and if it means the files on my system could have been hacked/accessed by someone on my network
(again I had an unsecured router)?
(running Vista 32 and Norton 360)
(I may have also had windows firewall on at the same time as norton 360 firewall,
does that lower my security?)
1. Rule "Default Block windows file sharing" blocked communication. Process name is "system".
2. Rule "Default Block UpnP Discovery" stealthed (192.168.5.101, Port ssdp (1900) ). Inbound UDP packet.
My computer was 192.168.5.102 - does that mean another computer on the network was coming in?
3. What is "IP address has disappeared from adapter ... and is no longer being protected (IP Address: 192.168.5.102)"
4. Nothing shows for "Download Insight".
5. Severity: Medium - Unauthorized access blocked (open process token) blocked
Would you please help me by addressing each of these items?
Thanks so much, it will help me feel better on these issues.
03-25-2010 12:24 PM - edited 03-25-2010 12:25 PM
Rule "Default Block windows file sharing" blocked communication. Process name is "system"
This indicates that the Norton Firewall blocked the communications using the general firewall rule(default rule) in order to protect your computer and thus making the Trust Level of your computer to "Protected" status in the network.
"Rule 'default block UPnP Discovery' stealthed (my IP, port ssdp (1900) ). Inbound UDP Packet."
Read the informations provided in the below threads:
IP address has disappeared from adapter ... and is no longer being protected (IP Address: 192.168.5.102)
This is normal entry, read the post of TomiRed in the below thread:
Unauthorized access blocked
If you could provide more information on the Actor, Ip Address and Target file; we can check this further. Mostly, this happens when one of the programs in your computer tries to access Norton program files(like ccSvcHst.exe) and Norton Tamper Protection blocked that attempt as it seems to be unnecessary. This just indicates that Norton program works as designed and tamper protection provides security over Norton files.
All these entries are due to the General Traffic Rules set in Smart Firewall by default. Norton products have application intelligence baked in, allowing it to make security decisions so that you don’t have to. The Smart Firewall intelligently makes security decisions for you—allowing you to use your computer without you needing to be a security expert. The Smart firewall will automatically configure and use the rules whenever it is required. And, all these entries indicate that Norton program is blocking some unwanted intrusion attempts which came to your computer through different ports or ways. So, there is nothing for you to worry about these entries.
03-25-2010 12:33 PM
Thank you for your clarification on those matters.
Here's some more detail on one of the logs that concerns me:
"Rule "Default Block UPnP Discovery" stealthed (192.168.1.101, Port ssdp (1900) ).
Inbound UDP packet.
Local address, service is (18.104.22.168, Port ssdp (1900) ).
Remote address, service is (192.168.5.101, Port (52235) ).
Process name is "C:\Windows\System32\svchost.exe".
I want to also note my ip on the network was 192.168.5.102 (not 101 like the remote address),
so does this mean a hacker came into my system?
Thank you again for your gracious help and attention.