
ShieldsUP! and Leaktest

I found out about this very famous website - www.grc.com. It has two popular tools, called ShieldsUP! (https://www.grc.com/x/ne.dll?bh0bkyd2) and Leaktest (http://www.grc.com/lt/leaktest.htm). They're to check the vulnerability of a firewall.

I'm using NIS2009, and in BOTH these tests, NIS's firewall has failed.

Leaktest result: 

ShieldsUP! result:  


Am I doing something wrong? This makes me really worried. Such a reputed firewall is failing in these tests. 

Replies


Re: ShieldsUP! and Leaktest

On the first page before the ShieldsUp tests are listed, they will tell you the IP of the system they are testing.  Is this your machine's IP or something else (router, ISP server, etc.)?  Most likely this is not the IP of your machine but of your router / modem.  Can you check and verify this, please.
Win10 x64; Proud graduate of GeeksToGo

Re: ShieldsUP! and Leaktest

Perhaps you are behind a router or ISP-provided modem/router combo that is preventing Shields Up from seeing the Norton software firewall on your PC.  In this case, GRC is reporting the configuration of the internet-facing device.  See this recent thread:

 http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=52666

Message Edited by SendOfJive on 05-26-2009 11:17 PM

Re: ShieldsUP! and Leaktest

 Nope, it's the correct IP Address. 

 


Message Edited by TomV on 05-27-2009 12:36 AM

Re: ShieldsUP! and Leaktest

Also, about the other test, the Leaktest: I saw that NIS had automatically added it into Program Control, access - 'Auto':

 

I don't think this should be happening. What if it actually was a malicious program?  


Re: ShieldsUP! and Leaktest

It's a funny test.  When you download it, Norton as expected makes rules to allow a program internet access that requires it.  So it leaks.  If you block it, the results are quite disappointing.  It blocks it, with absolutely no fanfare.  Boring.

The Shields Up test is far more useful provided you are not behind a NAT firewall, provided you have turned on the Stealth Blocked ports and probably the stateful protocol filter turned on.  These settings are in internet settings>scroll down to program control>configure.

Shields Up will then check the first 1056 ports for entry. If you choose block all internet traffic, you will once again get a perfect bill of health.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: ShieldsUP! and Leaktest

In regards to post #4 of this thread: 

This is not your IP address on your machine.  This is the unique address for your system on your ISP's routing server.  ShieldsUp is hitting the server not you.  If you look at your network connection on your machine does that IP address match the numbers and order shown at ShieldsUp?  Usually starts with 192 or 198 .......

As to the Leak Test; there is no malicious activity taking place.  Just a program pinging a server.

ps - On the address, I did a reverse DNS look up on the address shown.  Goes to your ISP server not you; unless you are sitting in the server room.

Message Edited by dbrisendine on 05-27-2009 03:18 AM
Win10 x64; Proud graduate of GeeksToGo

Re: ShieldsUP! and Leaktest

@delphinium: So, if I download a program which asks for internet access (for sending personal info and downloading trojans), Norton will allow it? I don't understand. What's the use of Program Control if Norton doesn't block any/we have to manually block the programs.

ALSO, about the ShieldsUP! test, I was just googling around, when I came across this. A person had recommended putting all ports, 1 to 65535, to the virtual servers. That way, traffic would not get filtered in my ADSL Modem (am I right?).

I did that, and now this in ShieldsUP, port 0 and 1 are closed, port 53 is open, and the rest are stealth. Why are 0 and 1 not stealthed? I'm running a DNS server (Treewalk), maybe that's why port 53 is open. Is it dangerous for it to be open? 


Message Edited by TomV on 05-27-2009 12:34 AM

Re: ShieldsUP! and Leaktest

Did you rename LeakTest.exe prior to running the test?

Re: ShieldsUP! and Leaktest

No, but now I renamed it and ran it and still the firewall is being penetrated.

Re: ShieldsUP! and Leaktest

@dbrisendine: 

1. Of course there is no malicious activity taking place by LeakTest. But what I mean is, what if there was a program which caused malicious activity. Shouldn't Norton ask me before giving it access to the Internet?

2. Then what is the IP address on my machine? AFAIK, the 122.173.xxx.xxx is the unique IP of my machine, and the 192.168.1.x is my local IP.

Re: ShieldsUP! and Leaktest


cyanide911 wrote:

@dbrisendine: 

1. Of course there is no malicious activity taking place by LeakTest. But what I mean is, what if there was a program which caused malicious activity. Shouldn't Norton ask me before giving it access to the Internet?

2. Then what is the IP address on my machine? AFAIK, the 122.173.xxx.xxx is the unique IP of my machine, and the 192.168.1.x is my local IP.


1)  Yes, Norton would notify you with a pop up that it had blocked / stopped malicious activity if it is serious enough.  Sometimes it will block it, log it and let you go about your business undisturbed.

2)  You only have one IP address per connector, period.  That is your local IP; the address your network connector responds to.  The other address is used by your ISP routing server to identify you to the real world.  The routing server is a buffer interface, in this case, between your machine network connector and the ShieldsUp testing server.  The results you saw were for the ISP routing server not your system / NIS2009.

Win10 x64; Proud graduate of GeeksToGo

Re: ShieldsUP! and Leaktest


cyanide911 wrote:

@delphinium: So, if I download a program which asks for internet access (for sending personal info and downloading trojans), Norton will allow it? I don't understand. What's the use of Program Control if Norton doesn't block any/we have to manually block the programs.

ALSO, about the ShieldsUP! test, I was just googling around, when I came across this. A person had recommended putting all ports, 1 to 65535, to the virtual servers. That way, traffic would not get filtered in my ADSL Modem (am I right?).

I did that, and now this in ShieldsUP, port 0 and 1 are closed, port 53 is open, and the rest are stealth. Why are 0 and 1 not stealthed? I'm running a DNS server (Treewalk), maybe that's why port 53 is open. Is it dangerous for it to be open? 

Just saw this post and if you are running any kind of network server on your system, NIS2009 will not help you there.
Win10 x64; Proud graduate of GeeksToGo

Re: ShieldsUP! and Leaktest

I think this thread has become really confusing. These are my questions that need to be answered:

1. I downloaded Leaktest.exe. Norton gives it full internet access without asking me. What if it was a malicious program? What's Norton doing to prevent a malicious program from accessing the internet from within my PC?

2. I disabled my ADSL modem's 'firewall' (I added ports 1 to 65535 to the 'Virtual Servers' list of my modem, which I think, means that internet traffic will go through my modem unfiltered). Now, after running the ShieldsUP! test, ALL ports are stealthed, EXCEPT 1 and 2, which are CLOSED, not STEALTH. Why is this so, and what should I do to correct this?

3.  Shields UP's Trustealth test fails because of two reasons. One of them is point #2 above. The second is this:

 "Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation"

Why is this so and what should I do to correct this?  

EDIT:

If you're talking about the Treewalk DNS, I can close it, I don't mind. It was just an experiment. 



Message Edited by cyanide911 on 05-27-2009 12:56 AM

Re: ShieldsUP! and Leaktest

cyanide,

Regarding question 1, as dbrisendine mentioned in some earlier posts, the GRC Leak Test is not blocked because it is not malicious.  Norton does not automatically block leak test utilities because it looks for actions that would characterize the program as malicious, and those kinds of tell-tale events do not always appear when running these tests.  If they do, Auto-Protect or SONAR catches them.  If this is a concern to you, you can always disable the Automatic Program Control and use Advanced Events Monitoring.  The following quotes from Neil J. Rubenking's PC Mag reviews of NIS 2009 and Norton 360v3, which both use the same firewall, might make things a bit clearer:

A firewall that uses old-style program control
has to be on the alert for sneaky malware that communicates by
pretending to be one of the approved programs, or by manipulating an
approved program to do its bidding. "Leak test" utilities demonstrate
various techniques used by malware for this purpose, and an old-style
firewall should try to block them, too. Norton doesn't block leak tests
because their behavior is not actually malicious—they're just demos.
Even so, its behavior-blocking SONAR decided three of the dozen I tried
were too suspicious and blocked them.


As soon as the first two-way firewall started restricting the Internet
and network access of suspect or known-bad, the bad guys started
working on ways to get around those limits. They devised various
techniques for masquerading as an approved program or routing their
communications through an approved program. Utility programs called
leak tests demonstrate these techniques without any malicious payload,
and some firewalls have a second level of program control that blocks
those techniques. Symantec says that because there's no malicious
payload, the firewall doesn't need to block leak tests. Other elements
of the product have their own ideas, though. When I launched a dozen
leak tests, the duo of Auto-Protect and the behavior-based SONAR
blocked two-thirds.

Recognizing that Norton 360 users range from utter newbies to
experienced security experts, Symantec has added a new level of
advanced firewall protection. Turning it on requires that you turn off
the automatic program control, meaning Norton 360 will no longer
automatically configure access for known good programs. You get a great
big warning that selecting this mode means you'll receive firewall
queries, and that answering them incorrectly can disable valid
programs. It's not for the faint of heart!

I turned on the advanced firewall features and retried the leak
tests. Auto-Protect stopped one of them. The rest triggered one or more
pop-up queries rivaling the earliest firewalls at their cryptic best,
reporting, for example, that some program is "attempting to access the
Internet using one or more unrecognized modules" or "attempting to
activate a controlled COM object."


Interestingly, each popup gives you two choices: allow the behavior always or block it once.
This is clearly meant for diagnosing problems, not everyday use. And
yes, I did accidentally (and temporarily) disable Internet Explorer by
trying it. With this feature turned on, Norton 360 blocked all the leak
tests, but I prefer its normal unobtrusive mode.


Questions 2 and 3 have to do with open ports.  In its default configuration the Norton Smart Firewall will stealth all ports and will not respond to pings.  However, as you demonstrated yourself, you got different port status results when you tweaked your modem - confirming that Shields Up is reporting how that device is configured, not what your firewall is doing.  Even if you tell the modem to allow everything so Norton can block it, the port scan test will still only show what the modem is doing.  There is no way for Shields Up to report on anything on the LAN side of your modem/router.  Your best security will be to set up the modem/router to stealth most ports if you can, but remember,  ping is enabled by default by your ISP because it is necessary for them to do diagnostics.  Even then, it is the modem responding to the ping request, not your PC.  To the extent that a hacker finding your modem/router would then have to somehow compromise it first so he could run up against the Norton Firewall makes this a very low risk situation.

Hope this helped.

Message Edited by SendOfJive on 05-27-2009 11:03 PM
Message Edited by SendOfJive on 05-27-2009 11:06 PM
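
The point made in the post above, that an Internet-side scan reports on whichever device holds the probed address, can be checked by comparing the PC's adapter addresses with the address the scan page says it is testing. This is an added example, not part of the thread: the function name `scanned_device`, its return labels and the sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges that are never reachable from an Internet-side scanner.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 home/office LANs
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
)]

def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)

def scanned_device(adapter_addrs, reported_addr):
    """Say which device an Internet-side port scan actually probed.

    adapter_addrs: addresses configured on the PC's own network adapters
    reported_addr: the address the scan page says it is testing
    Returns "host", "upstream-nat" or "other" (hypothetical labels).
    """
    reported = ipaddress.ip_address(reported_addr)
    if reported.version != 4 or is_private(reported):
        raise ValueError("scanner must report a public IPv4 address")

    # Ignore loopback, link-local (169.254/16) and IPv6 adapter addresses.
    local = [a for a in map(ipaddress.ip_address, adapter_addrs)
             if a.version == 4 and not (a.is_loopback or a.is_link_local)]
    if not local:
        raise ValueError("no usable IPv4 adapter address supplied")

    if reported in local:
        # The PC itself holds the public address (e.g. a bridged modem):
        # probes reach the software firewall and the results describe it.
        return "host"
    if all(is_private(a) for a in local):
        # The PC only has LAN addresses: a modem/router (or the ISP) is
        # translating, and the scan results describe that device.
        return "upstream-nat"
    # Public adapter address that differs from the probed one, for
    # example traffic leaving through a proxy or VPN.
    return "other"

if __name__ == "__main__":
    # Constructed sample values; 198.51.100.7 is a documentation address.
    print(scanned_device(["127.0.0.1", "192.168.1.2"], "198.51.100.7"))
    print(scanned_device(["198.51.100.7"], "198.51.100.7"))
```
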

Re: ShieldsUP! and Leaktest

Fantastic explanation, SendOfJive! 
Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: ShieldsUP! and Leaktest

Thanks a lot for the help, that cleared things up. 


Re: ShieldsUP! and Leaktest

Hello,

Would this GRC site be good for me to use in conjunction with NIS '09?

I am beginning to see that it would be a good idea to cross-check my computer.

Thanks.

Marty
