03-17-2011 05:03 AM
I confess I'm fairly ignorant of what NIS does to protect my computer; I just assume that it knows what it is doing. Recently, NIS 2011 blocked some intrusion attempts (Fake AV webpage request and an HTTP blackhole toolkit activity). It then picked up and quarantined a downloader.
Since then I regularly look at the security history log. There seems to be a lot of firewall activity logged as info that reports Rule "Default Block SSDP" blocked ....Inbound TCP connection.......process name is c:\windows\system32\svhost.exe
Please can someone help to explain what this means, and is it indicative of any problems that I need to address, e.g. intrusion attempts? Also, what number of alerts would be considered to be a normal daily level?
03-17-2011 08:00 AM
Norton is blocking malicious scripts on webpages when you see entries in intrusion prevention, such as the Fake AV. These blocks are an indicator that you need to avoid that site. Use your back button to withdraw from it; do not click on anything in a webpage of that nature.
There are many entries in the firewall log since Norton logs most of what is going on. Much of it is just similar to "directing traffic." The important logs are intrusion prevention, unresolved threats, and quarantine.
03-17-2011 08:50 AM
SSDP is the Simple Service Discovery Protocol service. It looks for Universal Plug and Play devices on your network. Depending on your Windows settings, Norton blocks this, at least on Protected network level or above. As it should be.
03-17-2011 10:36 AM
The firewall entries for SSDP are normal and would not be related to the intrusion attacks that were blocked by Intrusion Prevention.