02-22-2011 02:16 PM - last edited on 02-22-2011 05:15 PM by shannons
I tightened up my NetBIOS firewall rules to only allow Local subnet. Lo and behold, I see in my logs that IS 2011 is attempting to connect outbound UDP port 137 to the following domains and IPs:
shasta-rrs.symantec.com 143.127
ipsg.crsi.symantec.com 216.10.195.168
liveupdate.symantecliveupdate.com 207.86.164.49
What is this all about?
[edit: Please keep post content clean per the Participation Guidelines and Terms of Service.]
02-22-2011 02:26 PM
Current Norton products contact our servers to access information used by our cloud/reputation-based technologies and for fast, constant updates to keep your security up to date.
You should open up the ports for our products to work their best :)
See more info here:
http://www.symantec.com/about/profile/star_technol
02-22-2011 03:06 PM
Care to elaborate on this Carlos?
I have never seen anything "good" that uses NetBIOS ports. The conventional wisdom is restrict NetBIOS ports 135-139 to your Local subnet - period.
02-23-2011 11:08 AM
Hmm. Don't know if I buy into the Symantec explanation.
Prior to this weekend, I purposely turned off NetBIOS on my LAN connection.
With NetBIOS turned off, ports 136 - 138 did not exist. Norton worked just fine that way. I assume it would have to since turning off NetBIOS is the recommended security action unless NetBIOS is absolutely needed. Or is it implied that Symantec is using a backdoor to access port 137?
Of course, Microsoft also seems not to care about security since the default configuration for NetBIOS on an XP PC is that it is set on. This also occurs when you use netstat to reset your TCP/IP stack, which is what I did.
02-23-2011 12:39 PM
donziehm:
You obviously don't like the product, you don't believe anything anybody tells you, you don't care for any opinion other than your own. Why are you still using it??? Symantec is not going to redesign their firewall just so that you can tinker with it. I fail to understand the purpose in constant complaint. Your firewall isn't even functioning properly any more.
You have something that looks like a duck, walks like a duck, and quacks like a duck, and you are complaining because it isn't a chicken. It just is never going to become a chicken.
02-23-2011 04:05 PM
You have something that looks like a duck, walks like a duck, and quacks like a duck, and you are complaining because it isn't a chicken. It just is never going to become a chicken.
Yes, I agree 100% as it pertains to the firewall.
To clarify, NIS has many strong points, the basic firewall portion is not one of them. I have only mentioned a few problems I have found in my postings.
Perhaps Symantec could approach Comodo about a licensing agreement to use their firewall? If that is not an option, at least design the product so it would be easy to decouple the firewall portion. If you read many of the forum posts, individuals are already going that route. Perhaps they read the latest test results from Matousec?
Personally, I will take a look at Norton Antivirus when it comes to NIS renewal time. I do know the Endpoint product that Symantec offers commercial users is absolutely terrible in detecting the current web based threats when configured not to use its firewall. I will have to research if Norton Antivirus is better in that regard.
02-23-2011 04:47 PM
Perhaps Symantec could approach Comodo about a licensing agreement to use their firewall?
__________________________________________________
I'm pretty sure that Comodo's CEO would never agree to such a thing.
If that is not an option, at least design the product so it would be easy to decouple the firewall portion.
That's what NAV is for. There is no need to "decouple" the firewall.
Symantec offers commercial users is absolutely terrible in detecting the current web based threats when configured not to use its firewall.
The corporate versions have a superb firewall. Why turn off a commercial grade firewall just to replace it with a lesser version that perhaps tells you more but does less???
I can only hope that you find what you are looking for.
02-23-2011 05:00 PM - edited 02-23-2011 05:02 PM
Just so you know, Norton uses http (80) and https (443) to access our servers for various critical and non-critical business needs, such as checking reputation, malware reporting metrics, downloading signature and binary updates, etc.
The fact that the firewall reports Port 137 indicates to me that perhaps some sort of proxy is being used on the local machine. For instance, one could configure IE connections to forward to any proxy port (under Internet Options>Connections>LAN settings). In this case, however, it may be a 3rd party program doing port forwarding.
AFAIK, I'm unaware if Norton 2011 is configured to use this particular port (137). I don't believe it is, however, I will inquire further to determine this. Donziehm, you have a sharp eye :)
Scott Dang
SQA Manager
Symantec Corporation.
02-24-2011 02:16 PM - edited 02-24-2011 02:53 PM
AFAIK, I'm unaware if Norton 2011 is configured to use this particular port (137). I don't believe it is, however, I will inquire further to determine this. Donziehm, you have a sharp eye :)
Note the symantec.com connection
The fact that the firewall reports Port 137 indicates to me that perhaps some sort of proxy is being used on the local machine. For instance, one could configure IE connections to forward to any proxy port (under Internet Options>Connections>LAN settings). In this case, however, it may be a 3rd party program doing port forwarding.
Not using any proxy. My Netopia/Motorola 3347 router is configured with both NAT and stateful inspection on. Its firewall is configured to run in "silent mode" which is full stealth mode. For stateful inspection, ports 137 and 138 are open on the LAN side only.
I'm pretty sure that Comodo's CEO would never agree to such a thing.
Perhaps it's time to "bury the ax" between both companies and work together for the common good? After all, aren't we all after the same thing - to make the Internet safer for all users.
The corporate versions have a superb firewall. Why turn off a commercial grade firewall just to replace it with a lesser version that perhaps tells you more but does less???
Have you ever tried to create Endpoint firewall rules on an unmanaged client which is how you would run it on a stand alone PC? Try it and then get back to me. To just install the IPS portion on the client without the firewall is difficult.
Using that old saying that a "picture is worth a thousand words", below you will see the dangers of opening UDP port 137 outbound. In this case my ISP, AT&T, has decided to drop a tracking cookie on my PC. I am not surprised since it's AT&T after all! Now imagine what malicious software could do? BTW - Norton did not detect the tracking cookie from what I can tell.
BTW - I have turned off NetBIOS. I think I have made my point. I do hope Symantec cleans up its System rules in its next release.
03-08-2011 10:04 AM
donziehm, from looking at your logs, you probably have WINS installed/enabled on your system. WINS is used to look up and resolve system names, similar to DNS. What you are seeing is the System trying to determine the IP address for those sites using WINS. As you've noted, the product still works fine when you are blocking WINS because the addresses are actually resolved via DNS. In short, NIS isn't directly using port 137 but instead is asking the system for the IP address associated with, say, shasta-rrs.symantec.com and the system then tries to use WINS to determine that address.
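To put the "restrict NetBIOS ports 135-139 to your local subnet" advice and the WINS/NetBIOS name-resolution explanation above into something checkable, here is an added example (not from the thread or from Symantec) that scans firewall log lines for NetBIOS-port traffic leaving the local subnet. The log format and sample lines are constructed for illustration, not the NIS log format; the local subnet is assumed to be 192.168.1.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# NetBIOS/SMB-era ports that conventional practice keeps inside the local subnet.
NETBIOS_PORTS = {135, 136, 137, 138, 139}

# Constructed sample lines in an assumed "proto src dst dport [hostname]" format.
SAMPLE_LOG = """\
UDP 192.168.1.10 192.168.1.255 137
UDP 192.168.1.10 216.10.195.168 137 ipsg.crsi.symantec.com
UDP 192.168.1.10 207.86.164.49 137 liveupdate.symantecliveupdate.com
TCP 192.168.1.10 192.168.1.20 139
UDP 192.168.1.10 8.8.8.8 53
"""

@dataclass
class Finding:
    proto: str
    dst: str
    port: int
    hostname: Optional[str]
    verdict: str

def classify(line: str, local_net: ipaddress.IPv4Network) -> Optional[Finding]:
    """Return a Finding for NetBIOS-port traffic that leaves the local subnet, else None."""
    parts = line.split()
    if len(parts) < 4:
        return None
    proto, dst, port = parts[0], parts[2], int(parts[3])
    hostname = parts[4] if len(parts) > 4 else None
    if port not in NETBIOS_PORTS:
        return None
    if ipaddress.ip_address(dst) in local_net:
        return None  # broadcast/peer NetBIOS traffic inside the subnet is expected
    # A UDP/137 attempt tagged with a DNS-style hostname matches the pattern in the
    # thread: the OS resolving a name via WINS/NetBIOS before (or alongside) DNS.
    if proto == "UDP" and port == 137 and hostname:
        verdict = "netbios-name-resolution-leak"
    else:
        verdict = "netbios-external"
    return Finding(proto, dst, port, hostname, verdict)

def scan(log: str, local_cidr: str = "192.168.1.0/24") -> List[Finding]:
    local_net = ipaddress.ip_network(local_cidr)
    return [f for f in (classify(ln, local_net) for ln in log.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.proto}/{f.port} -> {f.dst} ({f.hostname or '-'}): {f.verdict}")
```

Either finding is resolved the same way the thread does: keep the subnet-only rule for 135-139 or disable NetBIOS over TCP/IP, since the product's real traffic goes over DNS-resolved HTTP/HTTPS.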
