
Security History: Default Block Remote Desktop

Hoping to get some help / advice / information pertaining to some concerning alerts Norton has given me recently. To start, I'm not a very tech savvy person, so please forgive me if I come off like an idiot to anyone who knows anything more than I do.

A couple of days ago I had 3 Intrusion Prevention alerts in the space of about a minute saying the following were blocked: F5 BIGIP CVE-2020-5902, Fortinet FortiOs Directory Traversal CVE-2018-13379, and Nginx Improper Path Normalization

To my knowledge I had never had this before, didn't really know what it meant beyond Norton flagging it as high severity, and had no clue what to do about it. Since then I have been keeping tabs on my Norton Security History and have noticed multiple (probably a couple dozen at least, but I didn't count them) instances of: Rule "Default Block Remote Desktop" rejected TCP(6) traffic with [IP and Port numbers]

I have no idea what any of this means and my attempts at searching for information online have just left me more confused. I am incredibly concerned though that this means that I may have been hacked or something? With a couple of exceptions that I spotted, the IPs listed above seemed to be all different. Further, when I went back later to the Security History to try to get a count of how many there were, the older ones had disappeared from the list.

Can anyone give me any information or insight into what I am dealing with?

I don't know if it's relevant, but I'm using Norton 360 and have Windows 11.

Replies


Re: Security History: Default Block Remote Desktop

It means that Norton is doing the job it was intended to do. Is there any recommended action or does it say no action needed?


Re: Security History: Default Block Remote Desktop

Hello SliderFD, given what I see as posted, I must ask if you have Windows 11 fully patched through Windows Update, and whether Windows 11 was installed through the known registry edit that allows Windows 11 to install and run but may not get updates from Microsoft. I also have to ask: do you use the device in question to work remotely, connecting to an outside remote login? If so, your IT department should be notified immediately. I know this may sound scary to read, but it's a big issue nevertheless, since these are all vulnerabilities that should already be patched.

Also, do you have installed and/or use any software named F-5 BIG-IP? Here is why I ask the question regarding "blocked: F5 BIGIP CVE-2020-5902". You were the victim of an exploit attempt; as xjoex posted, Norton protected you. Nevertheless, you were scanned remotely.

Next, "Fortinet FortiOs Directory Traversal CVE-2018-13379" is related to the FortiOS SSL VPN, which was patched some time ago. If you are not using that product, once again you were remotely scanned for the vulnerability.

Then you saw "Nginx Improper Path Normalization". Once again, this is a serious vulnerability. If you are not connecting to an Nginx web server, you were scanned for that being present. Norton did its job.

As xjoex asked earlier, do the entries in your Norton history say further action is needed? If so, please get a screenshot of it and post it here for us to review. Here is how to post screenshots; it's a fairly simple process. Please do not add a file in your post with a pdf extension; there are issues where the file formats are not what they are represented to be, so others may not be willing to open them for review.

SA

MS Certified Professional / Windows 11 Home 22H2 x 64 build 22621.1265 - Windows 10 Pro x 64 version 22H2 / build 19045.2788 / Norton Security Ultra - Norton 360 Deluxe ver. 22.23.1.21 / Opera GX LVL4 (core: 96.0.4693.104) 64 bit-Early Access w/Norton Chrome Extensions

Re: Security History: Default Block Remote Desktop

Thanks for the reply, SA (and xjoex). As far as I can tell, Windows Update is working and everything is up to date. It's allowed to update when updates are available.

I do not use remote connect, for work or for personal use.

To my knowledge, I do not have any software named F5 BIG-IP, nor do I use a FortiOS VPN, nor, to my knowledge, am I connecting to anything called Nginx.

None of the entries list any recommended actions. The 3 mentioned above (F5 BIG-IP, FortiOS, and Nginx) I believe all gave me the option of changing the settings and allowing them, but unfortunately I accidentally cleared out all the entries for those, so I can't go back to see for sure, but there were definitely no specific actions listed beyond that. I really wish I had taken a screenshot at the time, but I can't do anything about that now. I do remember under details it had said something about Steam, but I have no details or context, so I imagine that's useless information.

The ongoing "Default Block Remote Desktop" entries simply state they were detected under status and have No Action Required.

How concerned should I be about all this? What does it mean to say that I was "scanned remotely"? It says it blocked those 3, but could a 4th one have gotten through without being blocked? Would I know it? Is there a way to find out? Is it common for people to be targeted with attacks like this? Is there a way to stop the remote desktop attempts?


Re: Security History: Default Block Remote Desktop

Are you behind a router?

"Default Block Remote Desktop" is a Norton Firewall rule that means Norton will always block a request for remote access to your computer. To be absolutely safe, you can disable Remote Desktop by following the instructions here: https://www.lifewire.com/disable-windows-remote-desktop-153337.

Note: Windows Home versions do not support Remote Desktop, only the Pro versions do.
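The Security History entries discussed in this thread are easier to reason about once they are counted per source address and per target port, which is also how a defender decides whether the blocks are scattered internet background scanning or a single address hammering one machine. The following is an added example, not code from the thread or from Norton: it parses a few constructed lines laid out like the entry the original poster quoted, with the elided "[IP and Port numbers]" part assumed to read "with <source>(<port>) to <destination>(<port>)", and summarizes the rejected Remote Desktop traffic. The addresses are RFC 5737 documentation ranges, not real hosts.

```python
import re
from collections import Counter

# Constructed sample export (not a real Norton log). The "with src(port) to dst(port)"
# layout is an assumption about the part the post shows only as "[IP and Port numbers]".
SAMPLE_HISTORY = """\
Rule "Default Block Remote Desktop" rejected TCP(6) traffic with 203.0.113.5(51234) to 198.51.100.7(3389)
Rule "Default Block Remote Desktop" rejected TCP(6) traffic with 203.0.113.88(40112) to 198.51.100.7(3389)
Rule "Default Block Remote Desktop" rejected TCP(6) traffic with 203.0.113.5(51240) to 198.51.100.7(3389)
Rule "Default Block Remote Desktop" rejected TCP(6) traffic with 192.0.2.19(61000) to 198.51.100.7(3389)
Rule "Default Allow Outbound" allowed TCP(6) traffic with 198.51.100.7(49700) to 192.0.2.200(443)
"""

# One regex for the assumed line shape; lines that do not match are skipped, not guessed at.
LINE_RE = re.compile(
    r'Rule "(?P<rule>[^"]+)" (?P<action>rejected|allowed) '
    r'(?P<proto>TCP|UDP)\(\d+\) traffic with '
    r'(?P<src>[\d.]+)\((?P<sport>\d+)\) to (?P<dst>[\d.]+)\((?P<dport>\d+)\)'
)


def parse_history(text):
    """Turn each recognisable history line into a dict of its fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = m.groupdict()
        fields["sport"] = int(fields["sport"])
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def summarize_rdp_blocks(events, rule="Default Block Remote Desktop"):
    """Count rejected hits for the given firewall rule, by source and by target port.

    'repeat_sources' is the interesting part for triage: many distinct, one-off
    sources look like internet-wide scanning; one source returning again and
    again is worth a closer look at the router/firewall configuration.
    """
    blocked = [e for e in events if e["rule"] == rule and e["action"] == "rejected"]
    by_src = Counter(e["src"] for e in blocked)
    by_port = Counter(e["dport"] for e in blocked)
    return {
        "total": len(blocked),
        "unique_sources": len(by_src),
        "repeat_sources": {ip: n for ip, n in by_src.items() if n > 1},
        "target_ports": dict(by_port),
    }


if __name__ == "__main__":
    summary = summarize_rdp_blocks(parse_history(SAMPLE_HISTORY))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the constructed input this reports 4 rejected connections from 3 distinct sources, all aimed at TCP port 3389 (the Remote Desktop port), with one source appearing twice. Pasting a real export into `SAMPLE_HISTORY` only works if the lines follow the assumed layout; adjust `LINE_RE` to whatever the actual export shows.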


Re: Security History: Default Block Remote Desktop

I don't have a router, no.

I have the Home version, so it's not supported. Does that then mean they couldn't succeed in their remote connect attempts? It says "Rule Action: rejected". Does that mean that the attempt was rejected or that the blocking of the attempt was rejected?

I went and unchecked the box for Allow Remote Assistance connections. I assume unchecking that box won't mess up any other settings nor keep Norton from doing what it's supposed to do?


Re: Security History: Default Block Remote Desktop

Yes, Norton blocked the connection request, which would not have worked on Windows Home anyway (I would still leave Remote Desktop disabled). Assuming you have an IPv4 internet address (like 192.168.1.1 rather than a much longer IPv6 address), a router would likely have blocked these intrusions by virtue of Network Address Translation -- essentially, if a NAT router gets an unsolicited packet from the internet, it drops it because it does not know what device on your local network to route it to, because none of your network devices made a request for the connection. This protection is a by-product of the way the router works. That's why I asked about a router: you normally would not see these intrusion alerts if you were behind a router. That said, the Norton Firewall is perfectly capable of blocking these probes and attacks, so just leave it in its default configuration and don't worry about the alerts -- it's simply telling you that it is working and not letting anything malicious through.
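The NAT behaviour described in the reply above (a reply to a connection the PC opened is forwarded, an unsolicited inbound packet has no mapping and is dropped) can be modelled in a few lines. This is an added illustration, not code from the thread or from any router vendor: a toy connection table keyed on the remote address, remote port and the router's public port. The addresses and port numbers are constructed, and the model ignores timeouts, port forwarding and UDP, none of which the reply discusses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy stateful NAT: inbound traffic is only forwarded when an inside host
    created the mapping by sending outbound first."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_public_port = 40000          # constructed starting port
        # (remote_ip, remote_port, public_port) -> (inside_ip, inside_port)
        self.table = {}
        self.dropped = []                      # unsolicited packets, for inspection

    def outbound(self, pkt):
        """Rewrite an inside->internet packet and remember who sent it."""
        public_port = self.next_public_port
        self.next_public_port += 1
        self.table[(pkt.dst_ip, pkt.dst_port, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Forward an internet->router packet only if it answers a known mapping.

        Returns the rewritten packet, or None when the router has no inside
        destination for it (the 'drop' the reply above describes).
        """
        inside = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if inside is None:
            self.dropped.append(pkt)
            return None
        inside_ip, inside_port = inside
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    """One solicited reply and one unsolicited RDP probe against the same router."""
    nat = NatRouter("198.51.100.7")            # constructed public address
    pc = "192.168.1.10"                        # constructed inside address

    # The PC opens an HTTPS connection; the router records the mapping.
    out = nat.outbound(Packet(pc, 49700, "192.0.2.200", 443))
    # The web server's reply matches that mapping and reaches the PC.
    reply = nat.inbound(Packet("192.0.2.200", 443, nat.public_ip, out.src_port))
    # An unsolicited connection attempt to port 3389 matches nothing and is dropped.
    probe = nat.inbound(Packet("203.0.113.5", 51234, nat.public_ip, 3389))
    return reply, probe, list(nat.dropped)


if __name__ == "__main__":
    reply, probe, dropped = demo()
    print("reply forwarded to:", reply.dst_ip, reply.dst_port)
    print("probe result:", probe)
    print("dropped unsolicited packets:", dropped)
```

Running `demo()` shows the HTTPS reply delivered to 192.168.1.10:49700 and the port 3389 probe returned as `None` with the packet recorded in `dropped`; a host-based firewall such as the Norton rule in this thread performs the equivalent check on the PC itself, which is why the poster sees the rejections logged rather than silently absorbed by a router.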


Re: Security History: Default Block Remote Desktop

Thanks for the replies and the information, everyone. If anyone else has any more information to add or expand upon, I'd love to hear that as well. I'd love to know if the remote desktop connect attempts will eventually stop or if it's an automated process that will continue forever.

As for me, I have one more question about my Security History. I've noticed an absurd number of programs that are being allowed to "access your network resources". I imagine most, if not all, of these are necessary for Windows / Office / etc. to work, but there are a couple I'm curious about. One was a "yourphone.exe", but I don't have a device that it would work for, so why is it doing anything at all? And also one called "backgroundtransferhost", but I only have the one single device, so there's nothing for it to sync with, so why is it doing anything at all?

And also, SendOfJive, if you happen to come back to this thread, your talk about a router has me wondering if you would suggest having a router as well even if I've only got the one device that would use it?

I'd again like to thank everyone who has patiently explained everything to me. It is much appreciated.


Re: Security History: Default Block Remote Desktop

SliderFD:

And also, SendOfJive, if you happen to come back to this thread, your talk about a router has me wondering if you would suggest having a router as well even if I've only got the one device that would use it?

Many experts do recommend using a router, even for only one device. It used to be a no-brainer before IPv6, which does not use NAT. But most of us still have IPv4 addresses and will still benefit from using a router. You can check whether your IP address is IPv4 or IPv6 here: https://whatismyipaddress.com/

If it is IPv4 you might want to consider a router for added security.

https://www.howtogeek.com/183439/ask-htg-do-you-need-a-router-for-simple...
