I do have a theory on this.

The default setting in WIN XP for NetBIOS is "default." That setting says if using DHCP use setting from DHCP server to determine NetBIOS status.

Most individual routers today provide both DHCP and DNS servers.

I read an interesting article a while back that this does not always work as expected. To sum it up, router DHCP servers and XP do not get along very well when it comes to NetBIOS.

I do have stateful inspection set on at the router and the Netopia manual indicates that opens ports 136-138 on the LAN side of the router. My theory is that there is leakage on those LAN side ports to the WAN side that allowed the connections outbound to the Symantec servers. We all know that routers have a habit of bumbing around misrouted connections which eventually find there way out to the WAN side. This is the reason why most experts recommend turning off NetBIOS unless you really need network support. And even if a network is necessary, use NetBeui instead. 

---

donziehm wrote:

Perhaps Symantec could approach Comodo about a licensing agreement to use their firewall? If that is not an option, at least design the product so it would be easy to decouple the firewall portion. If you read many of the forum posts, individuals are already going that route. Perhaps they read the latest test results from Matousec?

 

---

Matousec is a HIPS test, not a firewall test and it has many problems such as most products do not get tested against all the "tests" (that includes Norton).

Agreed. I know Matousec's history and their relationship with Comodo.

However,  Rubenking over at PC Mag did a recent review of 2011 Anti-Malware software that didn't bode to well for NIS 2011. His score showed an average rating. I didn't like the scores that NIS 2011 had for keyloggers and rootkits.  

I don't want to keep bad mouthing Symantec products but my personal experience is they are lukewarm in the rootkit blocking area and pretty good in removing them if you know you are infected. I got rid of Endpoint 11 after it let in Hacktool.Rootkit. The interesting part was it did get rid of most of it when I ran a full scan in safe mode.

The real culprit in rootkit exploits is Java; especially it's cache area. But you can't even trust its updater. I got redirected one time using it and ended up getting infected. It goes without saying that Java is not installed on my current PC.

Symantec Endpoint and Norton Internet Security are two different products. NIS has SONAR and Insight to help with rootkits
(and all other threats) and they do a good job. http://malwareresearchgroup.com/malware-tests/flash-test-results/

Endpoint 12 will have SONAR and Insight.

Endpoint always had a hueristic scanner. Running it at it's default recommended setting at the low setting for 5 years yielded not a single detection. A year ago Symantec issued an advisory to change all it's settings to max. detection after Endpoint scored horribly in a corp. AV review. I ran at that setting for 9 months. Result -nada, zip, nothing. My conclusion - it was worhless. I assume Norton's Sonar is using the same engine as that in Endpoint.

As far as Insight goes, I have had the experience everyone else in this forum has. If Insight doesn't recognize the file, it deletes it. Especially frustration when you download an 100 MB app from a trusted vendor. Symantec needs to get with the program and provide Sandboxing for unknown files and let the user decide what do. I run IE8 as a limited user which by definition blocks most malicious downloads since they don't have the permission to download in the first place.