03-08-2011 01:39 PM
I do have a theory on this.
The default setting in WIN XP for NetBIOS is "default." That setting says if using DHCP use setting from DHCP server to determine NetBIOS status.
Most individual routers today provide both DHCP and DNS servers.
I read an interesting article a while back that this does not always work as expected. To sum it up, router DHCP servers and XP do not get along very well when it comes to NetBIOS.
I do have stateful inspection set on at the router and the Netopia manual indicates that opens ports 136-138 on the LAN side of the router. My theory is that there is leakage on those LAN side ports to the WAN side that allowed the connections outbound to the Symantec servers. We all know that routers have a habit of bumping around misrouted connections which eventually find their way out to the WAN side. This is the reason why most experts recommend turning off NetBIOS unless you really need network support. And even if a network is necessary, use NetBEUI instead.
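The "leakage" theory above is something you can actually test rather than guess at: if NetBIOS or SMB sessions are escaping the LAN, the router's or host firewall's connection log will show accepted flows on those ports to non-private destinations. The script below is an added example, not code from this thread or from Netopia or Symantec. It parses constructed, generic key=value firewall log lines (invented here; the field names are an assumption, adapt the regex to your device's format) and flags any accepted flow on the standard NetBIOS over TCP/IP ports 137 through 139, plus SMB on 445, whose destination lies outside the RFC 1918 ranges a home router normally hands out. It uses an explicit RFC 1918 list rather than Python's `is_private`, because the documentation addresses (203.0.113.x, 198.51.100.x) used in the sample would otherwise be misclassified as private.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample log in a generic key=value firewall/flow style. It is
# invented for this example and is not output from a Netopia router or any
# other real device.
SAMPLE_LOG = """\
2011-03-08 13:40:01 ACCEPT proto=UDP src=192.168.1.10 dst=192.168.1.255 sport=137 dport=137
2011-03-08 13:40:02 ACCEPT proto=TCP src=192.168.1.10 dst=192.168.1.20 sport=49152 dport=139
2011-03-08 13:40:05 ACCEPT proto=UDP src=192.168.1.10 dst=203.0.113.45 sport=137 dport=137
2011-03-08 13:40:07 ACCEPT proto=TCP src=192.168.1.10 dst=198.51.100.9 sport=49201 dport=445
2011-03-08 13:40:09 ACCEPT proto=TCP src=192.168.1.10 dst=198.51.100.9 sport=49202 dport=443
2011-03-08 13:40:11 DROP proto=UDP src=192.168.1.10 dst=203.0.113.45 sport=138 dport=138
"""

# NetBIOS over TCP/IP: UDP 137 (name), UDP 138 (datagram), TCP 139 (session).
# Direct SMB over TCP: 445. These are the ports that should never leave a LAN.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# "LAN side" is taken to mean the RFC 1918 ranges a home router assigns via DHCP.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed log layout: "<date> <time> <ACTION> proto=.. src=.. dst=.. sport=.. dport=.."
LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


class Flow(NamedTuple):
    ts: str
    action: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line into a Flow; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Flow(
        m["ts"], m["action"].upper(), m["proto"].upper(),
        m["src"], m["dst"], int(m["sport"]), int(m["dport"]),
    )


def leaves_lan(dst: str) -> bool:
    """True if dst is off the LAN and not a purely local address.

    Broadcast, multicast, link-local and loopback destinations are normal for
    NetBIOS name resolution and never cross the router, so they are not leaks.
    """
    addr = ipaddress.ip_address(dst)
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr == ipaddress.ip_address("255.255.255.255")):
        return False
    return not any(addr in net for net in LAN_NETWORKS)


def find_netbios_leaks(lines: Iterable[str], only_accepted: bool = True) -> List[Flow]:
    """Return flows on NetBIOS/SMB ports whose destination is outside the LAN.

    With only_accepted=True (the default) DROP entries are ignored, since a
    dropped packet is the firewall doing its job, not leakage.
    """
    leaks: List[Flow] = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        if only_accepted and flow.action != "ACCEPT":
            continue
        if flow.dport in NETBIOS_SMB_PORTS and leaves_lan(flow.dst):
            leaks.append(flow)
    return leaks


def summarize(leaks: List[Flow]) -> str:
    """One human-readable line per leaked flow."""
    return "\n".join(
        f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto} ({f.action})" for f in leaks
    )


if __name__ == "__main__":
    found = find_netbios_leaks(SAMPLE_LOG.splitlines())
    print(summarize(found) if found else "no NetBIOS/SMB traffic left the LAN")
```

On the sample, the two broadcast and LAN-internal flows are ignored, the HTTPS flow on 443 is ignored, and the two accepted flows to 203.0.113.45:137 and 198.51.100.9:445 are reported; the dropped 138 datagram only shows up if you pass `only_accepted=False`. If a real router log never shows such a flow, the outbound connections in question were not NetBIOS leakage, whatever the LAN side NetBIOS setting is.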
03-08-2011 01:54 PM - edited 03-08-2011 01:55 PM
Perhaps Symantec could approach Comodo about a licensing agreement to use their firewall? If that is not an option, at least design the product so it would be easy to decouple the firewall portion. If you read many of the forum posts, individuals are already going that route. Perhaps they read the latest test results from Matousec?
Matousec is a HIPS test, not a firewall test and it has many problems such as most products do not get tested against all the "tests" (that includes Norton).
03-08-2011 02:07 PM
Agreed. I know Matousec's history and their relationship with Comodo.
However, Rubenking over at PC Mag did a recent review of 2011 Anti-Malware software that didn't bode too well for NIS 2011. His score showed an average rating. I didn't like the scores that NIS 2011 had for keyloggers and rootkits.
03-08-2011 03:48 PM
The biggest indicator I see so far as Norton stats with rootkit infections is this forum. In 2009 Quads was up to his ears in them. Every second problem on the forum was a rootkit. In 2010 this dropped off to nearly none because of the technology, and we still see very few of them. The ones we do see are often as the result of user interaction in clicking on a FakeAv to try and get rid of it and in the process downloading both infections. P2P sharing is also one of the biggest causes because the files are coming from varied hosts. Even the tests themselves are user interaction, so I do not have much faith in these sorts of tests or the resulting reviews.
03-09-2011 05:11 PM
I don't want to keep bad mouthing Symantec products but my personal experience is they are lukewarm in the rootkit blocking area and pretty good in removing them if you know you are infected. I got rid of Endpoint 11 after it let in Hacktool.Rootkit. The interesting part was it did get rid of most of it when I ran a full scan in safe mode.
The real culprit in rootkit exploits is Java; especially its cache area. But you can't even trust its updater. I got redirected one time using it and ended up getting infected. It goes without saying that Java is not installed on my current PC.
03-10-2011 07:34 AM
Symantec Endpoint and Norton Internet Security are two different products. NIS has SONAR and Insight to help with rootkits (and all other threats) and they do a good job. http://malwareresearchgroup.com/malware-tests/flas
Endpoint 12 will have SONAR and Insight.
03-10-2011 04:14 PM
Endpoint always had a heuristic scanner. Running it at its default recommended setting at the low setting for 5 years yielded not a single detection. A year ago Symantec issued an advisory to change all its settings to max. detection after Endpoint scored horribly in a corp. AV review. I ran at that setting for 9 months. Result - nada, zip, nothing. My conclusion - it was worthless. I assume Norton's SONAR is using the same engine as that in Endpoint.
As far as Insight goes, I have had the experience everyone else in this forum has. If Insight doesn't recognize the file, it deletes it. Especially frustrating when you download a 100 MB app from a trusted vendor. Symantec needs to get with the program and provide sandboxing for unknown files and let the user decide what to do. I run IE8 as a limited user which by definition blocks most malicious downloads since they don't have the permission to download in the first place.