02-19-2010 06:39 PM
I just noticed this IPS signature tried to attack my system and was baffled why the setting to notify me was disabled (see below). I never messed with any of these settings, so is it off by default? Also, I searched everywhere on Norton and could not find any info on this attack sig, and it is not even listed as an attack on Norton's list on the website. Can someone tell me if I need to be concerned about this?
02-19-2010 06:49 PM
The IPS definitions were just updated a little while ago. Maybe they haven't updated the website yet. A port scan is when another computer is trying to find open or unprotected ports in your computer. Norton's blocked the port scan. Norton's notified you of the action it took. If you don't want to be notified of the same action again, then you can click Stop Notifying Me and you won't get notified again if that same portscan happens again.
Success always occurs in private and failure in full view.
02-19-2010 08:55 PM
This appears to be a common type of false positive. Port 53 is for DNS communications and the address you show appears to be a Roadrunner DNS server address. Often an application will make a DNS request, but the response will be late and the application will have already timed out the communication. So when your firewall sees the delayed UDP packets arrive on Port 53, it cannot match them up to the original request and so will interpret them as an unsolicited portscan. The default setting for portscans detected by Norton is to not alert the user. I think this is probably because of the great number of instances of situations like yours, as well as the fact that real portscans are a constant occurrence on the internet which are routinely blocked by your firewall. The number of alerts would be very annoying, and there is nothing you can do about them anyway. A firewall's job is to block such portscans and it really isn't necessary or desirable that it make a formal announcement every time it happens, although you can change the configuration from the default if you really want to be notified each time.
02-19-2010 10:02 PM
Thanks for the fast reply. I thought it may have been a false positive, but I wanted to make sure. It makes sense because I use Roadrunner. As for the option "to notify me of this signature" being off by default, that is probably a good idea. Thanks.
02-19-2010 10:13 PM - edited 02-19-2010 10:16 PM
You're welcome. Just as a point of information, this type of portscan detection is a frequent occurrence for users of Google Chrome. That browser has a DNS prefetching feature that does a DNS look-up of every link on each web page you visit. This often results in orphaned DNS replies that the firewall will interpret as portscans. The feature can be turned off in the browser's preference settings if desired.
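The mechanism described in the replies above, as an added example that is not part of the original thread: a toy stateful UDP tracker that tells a DNS reply arriving after its flow state expired apart from a probe across many ports. The timeout, grace window, threshold and addresses are constructed assumptions, not Norton's actual settings.

```python
from collections import defaultdict

UDP_STATE_TIMEOUT = 5.0    # assumed: seconds the firewall keeps UDP flow state
GRACE = 60.0               # assumed: how long an expired flow still explains a reply
SCAN_PORT_THRESHOLD = 10   # assumed: distinct local ports that indicate a real scan

def triage(events):
    """events: (time, direction, remote_ip, remote_port, local_port).
    Returns (time, remote_ip, verdict) for each inbound packet with no live flow."""
    flows = {}                  # (remote_ip, remote_port, local_port) -> last send time
    probed = defaultdict(set)   # remote_ip -> local ports hit without any prior flow
    verdicts = []
    for t, direction, rip, rport, lport in sorted(events):
        key = (rip, rport, lport)
        if direction == "out":
            flows[key] = t      # outbound query opens (or refreshes) state
            continue
        sent = flows.get(key)
        if sent is not None and t - sent <= UDP_STATE_TIMEOUT:
            continue            # reply arrived in time: matched and allowed
        if sent is not None and rport == 53 and t - sent <= GRACE:
            # State expired, but we did query this server from this port.
            verdicts.append((t, rip, "late-dns-reply"))
            continue
        probed[rip].add(lport)
        hit = len(probed[rip]) >= SCAN_PORT_THRESHOLD
        verdicts.append((t, rip, "portscan" if hit else "unsolicited"))
    return verdicts

# Constructed sample traffic (documentation address ranges, not real hosts).
DNS, SCANNER = "192.0.2.53", "198.51.100.7"
SAMPLE = [
    (0.00, "out", DNS, 53, 50001), (0.04, "in", DNS, 53, 50001),  # normal lookup
    (0.10, "out", DNS, 53, 50002), (7.20, "in", DNS, 53, 50002),  # reply after timeout
    (0.20, "out", DNS, 53, 50003), (9.00, "in", DNS, 53, 50003),  # reply after timeout
] + [(20 + i * 0.01, "in", SCANNER, 40000, port) for i, port in enumerate(range(1, 13))]

if __name__ == "__main__":
    for t, ip, verdict in triage(SAMPLE):
        print(f"{t:6.2f}s  {ip:<14} {verdict}")
```

A tracker without the grace-window check would file the two delayed replies under the same "unsolicited" bucket as the probe packets, which is the false positive discussed in this thread.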