symantec Intrusion Prevention Signatures: AutoBlock

I have set AutoBlock to Block Attacking computers for 48 hours, yet, when I.P.S. Blocked an Intrusion Attempt on Monday, September 01, 2008, about four hours after the I.A. had taken place, there were no computers listed as getting Blocked; why is that? Will the Attacking Computer still be getting Blocked or not?
Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]

Replies

Re: symantec Intrusion Prevention Signatures: AutoBlock

Please provide the version of the product and the operating system that you are using. I've not heard of this problem before, but the code is different for those two factors and this will help to understand the problem better.
Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation

Re: symantec Intrusion Prevention Signatures: AutoBlock

That is a question that I have as well. I have mine set to the max blocking time, 48 hours. But what if the attacking computer persists longer than that?

Re: symantec Intrusion Prevention Signatures: AutoBlock

Oh and I'm using NAV2008

Re: symantec Intrusion Prevention Signatures: AutoBlock

The time on this value really doesn't need to be very long. The auto-block is to prevent denial-of-service attacks and continued attack investigation. The moment your machine is attacked after the attacker has been removed from the auto-block list, it will be detected and re-added to the auto-block list.

NY1986, are you seeing this problem as well or are you just curious? If you are seeing the problem I need to know what operating system you are using as well.

Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation

Re: symantec Intrusion Prevention Signatures: AutoBlock

Reese I am using NAV2008 on a Vista home premium OS.

I may be dealing with a different issue

I have my autoblock set at 48 hours (only because that is the max. If they had forever, I'd use that)

What I am seeing in the activity log is as follows:

unused port blocking has blocked inbound TCP connection

remote address,local service is 221.130.51,6588

I might have like 2-3 instances of this, then

then another 2-3 instances of  

unused port blocking has blocked inbound TCP connection

remote address,local service is 221.130.51,3121

same address, but I presume a different port number

so I guess my question: Is the 48 hour block a continuous 48 hours of the same "attack" from the same address? Or if it stops after, say, a day and then starts another day (say 1 1/2 days later), does the 48 hour block clock restart?

Message Edited by NY1986 on 09-04-2008 03:32 PM
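The two-line "unused port blocking" entries NY1986 quotes above are easier to read once they are grouped by remote address, which makes the "same address, different ports" pattern he describes visible at a glance. The following is an added example for this thread, not Symantec code and not something any poster supplied: it parses that log format, tallies hits per remote address and port, and flags addresses that touched more than one unused port. The addresses, ports and the `min_ports` threshold are constructed for illustration (RFC 5737 documentation ranges), not values from the thread.

```python
"""Group Norton-style "unused port blocking" activity-log lines by remote address.

Added example, not code from Symantec or from any poster in this thread.
The two-line log format follows NY1986's post; the addresses and ports below
are constructed (RFC 5737 documentation ranges), and the "scan-like" threshold
is an assumption for illustration, not a Norton setting.
"""
import re
from collections import defaultdict

# Constructed sample of the activity log: header/detail pairs as quoted in the thread.
SAMPLE_LOG = """\
unused port blocking has blocked inbound TCP connection
remote address,local service is 192.0.2.10,6588
unused port blocking has blocked inbound TCP connection
remote address,local service is 192.0.2.10,6588
unused port blocking has blocked inbound TCP connection
remote address,local service is 192.0.2.10,3121
unused port blocking has blocked inbound TCP connection
remote address,local service is 192.0.2.10,3121
unused port blocking has blocked inbound TCP connection
remote address,local service is 198.51.100.7,445
"""

HEADER = "unused port blocking has blocked inbound TCP connection"
DETAIL_RE = re.compile(r"^remote address,local service is ([^,\s]+),(\d+)$")


def parse_events(log_text):
    """Return a list of (remote_address, local_port) for each header/detail pair.

    Lines that do not form a complete pair are skipped rather than guessed at.
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    events = []
    i = 0
    while i < len(lines) - 1:
        m = DETAIL_RE.match(lines[i + 1])
        if lines[i] == HEADER and m:
            events.append((m.group(1), int(m.group(2))))
            i += 2
        else:
            i += 1
    return events


def summarize(events):
    """Return {remote_address: {local_port: hit_count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for addr, port in events:
        summary[addr][port] += 1
    return {addr: dict(ports) for addr, ports in summary.items()}


def scan_like(summary, min_ports=2):
    """Addresses that probed at least `min_ports` distinct unused ports.

    One source walking several ports is the pattern NY1986 describes;
    min_ports=2 is an illustrative threshold (assumption), not a product setting.
    """
    return sorted(addr for addr, ports in summary.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for addr, ports in summary.items():
        print(addr, ports)
    print("scan-like:", scan_like(summary))
```

Paste the real activity-log text into `SAMPLE_LOG` (or read it from a file) to get the same per-address view for a live log; the firewall has already blocked each of these connections, so the grouping only changes how the events are read, not what was allowed in.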

Re: symantec Intrusion Prevention Signatures: AutoBlock


reese_anschultz wrote:
Pls provide the version of the product and the operating system that you are using. I've not heard of this problem before but the code is different for those two factors and this will help to understand the problem better.

Surely this has to question the effectiveness of AutoBlock.

15.5.0.23; Windows X.P., Service Pack 03.


Re: symantec Intrusion Prevention Signatures: AutoBlock


NY1986 wrote:

Reese I am using NAV2008 on a Vista home premium OS.

I may be dealing with a different issue

I have my autoblock set at 48 hours (only because that is the max. If they had forever, I'd use that)

What I am seeing in the activity log is as follows:

unused port blocking has blocked inbound TCP connection

remote address,local service is 221.130.51,6588

I might have like 2-3 instances of this, then

then another 2-3 instances of  

unused port blocking has blocked inbound TCP connection

remote address,local service is 221.130.51,3121

same address, but I presume a different port number

so I guess my question: Is the 48 hour block a continuous 48 hours of the same "attack" from the same address? Or if it stops after, say, a day and then starts another day (say 1 1/2 days later), does the 48 hour block clock restart?

Message Edited by NY1986 on 09-04-2008 03:32 PM
Although this is an Attack on your computer, this is not the same as Intrusion Prevention because it is the Firewall which Blocks these Attacks, whereas I.P. has Signatures, like V.D.s that could target-Attack Software installed on your computer.

Re: symantec Intrusion Prevention Signatures: AutoBlock

I'm not sure why this would question the effectiveness of AutoBlock. It is implemented differently on Windows XP than it is on Windows Vista, and, the product exposes this setting differently from version to version. Now that we have your information we can try to reproduce the problem.

A thought did occur to me though. The auto-block list and the associated timers don't persist across a reboot. Can you confirm that you didn't reboot during that time?

Message Edited by reese_anschultz on 09-04-2008 04:07 PM
Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation

Re: symantec Intrusion Prevention Signatures: AutoBlock

Thought I might be off the mark. Thanks Red

So my question of how long it will block, since its a firewall issue, the answer is forever as long as I don't change the firewall settings (within reason forever- nothing is forever)  :)


Re: symantec Intrusion Prevention Signatures: AutoBlock

Once auto-block is triggered for a remote address, the timer starts ticking and doesn't stop ticking until either the time has expired or the system is rebooted.

Message Edited by reese_anschultz on 09-04-2008 04:04 PM
Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation

Re: symantec Intrusion Prevention Signatures: AutoBlock


reese_anschultz wrote:

I'm not sure why this would question the effectiveness of AutoBlock. It is implemented differently on Windows XP than it is on Windows Vista, and, the product exposes this setting differently from version to version. Now that we have your information we can try to reproduce the problem.

A thought did occur to me though. The auto-block list and the associated timers don't persist across a reboot. Can you confirm that you didn't reboot during that time?


I did not re-boot.

Re: symantec Intrusion Prevention Signatures: AutoBlock


NY1986 wrote:

Thought I might be off the mark.Thanks Red

So my question of how long it will block, since its a firewall issue, the answer is forever as long as I don't change the firewall settings (within reason forever- nothing is forever)  :)


The un-used Port-blocking will always block computers that attempt to access un-used ports; it only blocks it when the computer accesses an un-used port, so you will always be safe.

However, if this happens every few seconds, chances are symantec will be aware of this and release symantec Trusted Application List: symantec Trusted Application List Update, which configures Firewall auto-configuration.


Re: symantec Intrusion Prevention Signatures: AutoBlock


reese_anschultz wrote:
Once auto-block is triggered for a remote address, the timer starts ticking and doesn't stop ticking until either the time has expired or the system is rebooted.Message Edited by reese_anschultz on 09-04-2008 04:04 PM
So, even if a user has set it to Auto-Block for 48 hours, if the user re-starts, this will not be the case [that the computer will get Blocked for that time, because the user has re-booted]?

Re: symantec Intrusion Prevention Signatures: AutoBlock

Red replied:

The un-used Port-blocking will always block computers that attempt to access un-used ports; it only blocks it when the computer accesses an un-used port, so you will always be safe.

However, if this happens every few seconds, chances are symantec will be aware of this and release symantec Trusted Application List: symantec Trusted Application List Update, which configures Firewall auto-configuration.

But I want my firewall to block it. Most of the addresses are from China and other internet bad places like Russia

Red, are you saying that if the same IP address keeps banging away at the same port, my Norton will automatically consider this and allow the connection?? I would not want that.

Reese, might you please address this?


Re: symantec Intrusion Prevention Signatures: AutoBlock


NY1986 wrote:

Red replied:

The un-used Port-blocking will always block computers that attempt to access un-used ports; it only blocks it when the computer accesses an un-used port, so you will always be safe.

However, if this happens every few seconds, chances are symantec will be aware of this and release symantec Trusted Application List: symantec Trusted Application List Update, which configures Firewall auto-configuration.

But I want my firewall to block it. Most of the addresses are from China and other internet bad places like Russia

Red, are you saying that if the same IP address keeps banging away at the same port, my Norton will automatically consider this and allow the connection?? I would not want that.

Reese, might you please address this?


That's not what I meant; Norton will always block un-used ports no matter where they come from.  symantec seem to always be aware when Norton Products block a lot of un-used port blocking and, thus, will Release Updates to address this.

Re: symantec Intrusion Prevention Signatures: AutoBlock

Thanks Red. Sorry for my misunderstanding. I would hate to think that because something is banging at my door over and over again, that my Norton Product would change the firewall rules to allow it, when I don't say so. I have noticed that sometimes there is an entry in Activity log that says (some number) of firewall rules created. I would hope this means that they created rules to block these not allow these.

Re: symantec Intrusion Prevention Signatures: AutoBlock

Red, forgive my ignorance and the huge helping of paranoia, but can you explain what is meant by

 symantec seem to always be aware when Norton Products block a lot of un-used port blocking and, thus, will Release Updates to address this

"Updates to address this" as in how? To block? To set rules for other comps?


Re: symantec Intrusion Prevention Signatures: AutoBlock


Floating_Red wrote:

So, even if a user has set it to Auto-Block for 48hours, even if the user re-starts, this will not be case [that the computer will get Blocked for that time because the user has re-booted]?

I think that you've essentially restated my comment. When your machine is rebooted, the list is cleared, but, any future attacks will put it back into the auto-block list.

Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation
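Reese Anschultz's replies above describe AutoBlock's timer in three statements: the timer starts when auto-block is first triggered for an address and runs until it expires or the system reboots; a reboot clears the list; and any later attack puts the address straight back on the list, which is why he says the window does not need to be long. The following is an added model of exactly those statements, written for this thread; it is not Symantec's code and does not claim to be the product's implementation. The class and function names, the clock (plain seconds), and the sample addresses and times are assumptions for illustration. The page does not say whether a repeat attack inside an open window extends the timer; the model leaves the original expiry unchanged, which is the reading of "doesn't stop ticking until the time has expired."

```python
"""Model of the AutoBlock timer semantics described in this thread.

Added example, not Symantec code. It encodes only what Reese Anschultz states:
a fixed window from the first trigger, a timer that runs until expiry or
reboot, a list that does not survive a reboot, and re-adding on the next
attack. Names, the clock and the sample events are assumptions.
"""

HOUR = 3600
DEFAULT_WINDOW = 30 * 60   # the 30-minute default mentioned in the thread
MAX_WINDOW = 48 * HOUR     # the 48-hour maximum mentioned in the thread


class AutoBlockList:
    """Remote addresses currently blocked, each with an absolute expiry time."""

    def __init__(self, window_seconds=DEFAULT_WINDOW):
        if not 0 < window_seconds <= MAX_WINDOW:
            raise ValueError("window must be between 1 second and 48 hours")
        self.window = window_seconds
        self._expiry = {}  # remote address -> expiry time in seconds

    def _expire(self, now):
        """Drop every entry whose timer has run out at time `now`."""
        for addr in [a for a, t in self._expiry.items() if t <= now]:
            del self._expiry[addr]

    def on_attack(self, addr, now):
        """An IPS signature fired for `addr` at time `now`.

        Returns True if the address was added (or re-added after expiry),
        False if it was already on the list. An existing entry keeps its
        original expiry (assumption: repeat attacks do not extend the timer).
        """
        self._expire(now)
        if addr in self._expiry:
            return False
        self._expiry[addr] = now + self.window
        return True

    def is_blocked(self, addr, now):
        """Would traffic from `addr` be dropped at time `now`?"""
        self._expire(now)
        return addr in self._expiry

    def blocked(self, now):
        """What the Auto-Block list would show at time `now`."""
        self._expire(now)
        return sorted(self._expiry)

    def reboot(self):
        """The list and its timers do not persist across a reboot."""
        self._expiry.clear()


def simulate(events, window_seconds=MAX_WINDOW):
    """Replay (time, action, addr) events and return the decision for each.

    action is "attack" (signature match, always blocked and listed),
    "probe" (any other packet from addr: blocked only if still listed),
    or "reboot" (addr ignored).
    """
    ab = AutoBlockList(window_seconds)
    decisions = []
    for t, action, addr in events:
        if action == "reboot":
            ab.reboot()
            decisions.append((t, "reboot", None))
        elif action == "attack":
            ab.on_attack(addr, t)
            decisions.append((t, addr, True))
        else:
            decisions.append((t, addr, ab.is_blocked(addr, t)))
    return decisions


if __name__ == "__main__":
    # Constructed timeline: attack, quiet probe a day later, reboot, probe again.
    timeline = [
        (0, "attack", "203.0.113.5"),
        (24 * HOUR, "probe", "203.0.113.5"),
        (30 * HOUR, "reboot", None),
        (31 * HOUR, "probe", "203.0.113.5"),
        (32 * HOUR, "attack", "203.0.113.5"),
    ]
    for entry in simulate(timeline):
        print(entry)
```

The third and fourth timeline entries are the point of NY1986's and Floating_Red's questions: after the reboot the probe at hour 31 is no longer blocked by AutoBlock even though the 48-hour window has not elapsed, and the attack at hour 32 re-adds the address with a fresh window. Whether that probe still gets dropped in practice depends on the separate unused-port-blocking firewall rule, which this model does not cover.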

Re: symantec Intrusion Prevention Signatures: AutoBlock


NY1986 wrote:

Red, forgive my ignorance and the huge helping of paranoia, but can you explain what is meant by

 symantec seem to always be aware when Norton Products block a lot of un-used port blocking and, thus, will Release Updates to address this

"Updates to address this" as in how? To block? To set rules for other comps?


They may combine that New Rule with one that already exists, or they may create a New Rule to Block this by "Default".

Obviously, computers Attacking un-used Ports is bad.


Re: symantec Intrusion Prevention Signatures: AutoBlock

and let me clarify- it might be the same address 1-3 times attempting the same port, then the same address attempting another port. I don't think I have ever seen the same address at the same port  more than 3 times in the same few minutes. Now the same address at the same port maybe several times over the course of a couple of days, but not just continuous, like I said more than 3 times. It seems like it gives up (hopefully not getting in) and moves to another port. This is why I need to not view the logs. :)

I don't understand them and just get freaked


Re: symantec Intrusion Prevention Signatures: AutoBlock


NY1986 wrote:

and let me clarify- it might be the same address 1-3 times attempting the same port, then the same address attempting another port. I don't think I have ever seen the same address at the same port  more than 3 times in the same few minutes. Now the same address at the same port maybe several times over the course of a couple of days, but not just continuous, like I said more than 3 times. It seems like it gives up (hopefully not getting in) and moves to another port. This is why I need to not view the logs. :)

I don't understand them and just get freaked


If it did get in, it would most likely smack a Virus on your computer.

There is no need to worry; un-used Port-blocking will not allow an Attacking computer in.  :)


Re: symantec Intrusion Prevention Signatures: AutoBlock


reese_anschultz wrote:

I'm not sure why this would question the effectiveness of AutoBlock.


What I mean by this is that maybe AutoBlock will not even Block an Attacking computer for even the Default of 30 minutes when it is set to 48 hours.


Re: symantec Intrusion Prevention Signatures: AutoBlock

If you see it in the Auto-Block list, it's blocked. I have asked somebody to try to reproduce your issue of the timer going away earlier than expected.
Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation

Re: symantec Intrusion Prevention Signatures: AutoBlock


reese_anschultz wrote:
If you see it in the Auto-Block list, it's blocked.

I know this.


Re: symantec Intrusion Prevention Signatures: AutoBlock

Any further information with regard to this?

Re: symantec Intrusion Prevention Signatures: AutoBlock

Not yet, sorry.
Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation
