All of the PCs on our network are running the current version of NIS.
Per data logging and firewalling done by our Check Point router, one of our PCs is using netbios-ns on port 137 via UDP.
The Check Point router blocks this by default since there is rarely if ever a good reason for PCs to try to do that sort of thing.
Is there a way to enable logging within the NIS firewall on the problem PC so that I can identify the program that is attempting NetBIOS access to the internet?
Thanks for any assistance!
Yes, you can use the firewall for this, but be warned it can be a bit annoying. It will display popup messages about every program that matches the rule.
Here's how to do it:
1. Open Norton
2. Click Settings (at the top)
3. Click Network (at the top)
4. Click Smart Firewall (on the left side)
5. Click Configure next to Advanced Settings (in the main window)
6. Click Configure next to Traffic Rules
7. Click Add
8. Select Monitor and click Next
9. Select Connections to and from other computers and click Next
10. Select Any Computer and click Next
11. Select The rule will apply only if it matches all the ports listed below
12. Click Add
13. Select Remote (on the top right)**
14. Select Known ports from list (on the top left)
15. Scroll through the list and select 137
16. Click OK
17. Click Next
18. Click Next (yes, that's not a typo, it's two Nexts in a row)
19. Enter a name (eg: Remote port 137 monitor)
20. Click Next
21. Click Finish
22. Move the new rule to the top of the list
23. Repeat steps 7 to 22 but select Local on step 13 instead of Remote**

** The reason you need to create separate rules is that communication cannot be both remote and local at the same time and the rule states "matches all ports".
Over time you will start seeing popups and you can look in the security log to see what's going on:
Right-click the Norton tray icon
Select View Recent History
Select an entry that says "Rule Remote port 137 monitor" (or whatever you named it)
Click More Details and look in the Advanced Details section for the process that triggered the rule
When you're finished, you can either delete the rules you made or just remove the check next to them and they will be disabled.
I would not have figured that out without you ... esp. the part about needing two separate rules...
I had to add one step: 10.5 and select protocols before it would let me add detail to the rule - so I selected TCP & UDP.
I don't think it would be ICMP traffic that I care about ................ (???)
So ... the rule is getting tripped like crazy.... interestingly by Norton & by "start page" which is a toolbar search engine I use in Firefox... (see below) I've turned on silent mode as otherwise I won't be able to get any work done....
and let it run for a while.... it's kind of curious....

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
2/26/2014 10:24:53 AM,Info, Rule detected UDP(17) traffic with spoc-pool-gtm.norton.com (143.127.93.101 Port (137) ),Detected,No Action Required,Firewall - Activities

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
2/26/2014 10:27:28 AM,Info, Rule detected UDP(17) traffic with startpage.com (69.90.210.96 Port (137) ),Detected,No Action Required,Firewall - Activities
Yes, TCP & UDP would be sufficient. I didn't include this step because Norton usually defaults to this selection and it shouldn't be necessary.
The log you posted looks as if you have something phoning home over the typical NetBIOS port. I'm not sure about the calls to norton.com but the others certainly look suspicious. I would use something like Malwarebytes (free version) to scan for adware and other junk.
NetBIOS is used by Windows to register the computer with the local network. Norton will block this port for all IPs except for those on the "local subnet" so if your router is on one of the private networks (eg: 192.168.1.x or 10.0.0.x) then Norton will allow outbound communication. It will block inbound communication if anything outside the local network tries to respond.
What you're seeing isn't technically NetBIOS but rather something taking advantage of the fact that the port is left open by Windows. You can use Norton to block that port completely but that might mess up your home network.
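The rows pasted earlier in the thread are Norton's "Firewall - Activities" history export, and the reply above draws the line between hits on the local subnet (expected) and hits against public addresses (worth a closer look). The script below is an added example, not code from the thread or from Norton: it parses rows in that export shape and flags port 137 events whose peer is not on a private (RFC 1918) network. The sample rows are constructed; the two public hosts and IPs are the ones posted in the thread, and the `bedroom` / `10.0.0.2` row is made up to show a local-subnet hit that should not be flagged.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of the Norton "Firewall - Activities" export
# quoted in the thread. The two public-address rows reuse the thread's values;
# the 10.0.0.2 row is invented to represent normal local-subnet NetBIOS traffic.
SAMPLE_LOG = """\
Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
2/26/2014 10:24:53 AM,Info, Rule detected UDP(17) traffic with spoc-pool-gtm.norton.com (143.127.93.101 Port (137) ),Detected,No Action Required,Firewall - Activities
2/26/2014 10:27:28 AM,Info, Rule detected UDP(17) traffic with startpage.com (69.90.210.96 Port (137) ),Detected,No Action Required,Firewall - Activities
2/26/2014 10:30:02 AM,Info, Rule detected UDP(17) traffic with bedroom (10.0.0.2 Port (137) ),Detected,No Action Required,Firewall - Activities
"""

# One "Rule detected ..." activity row. Uses search(), so it also works when
# the header and the data row have been run together onto a single line.
EVENT_RE = re.compile(
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M),"
    r"(?P<risk>[^,]*),\s*Rule detected (?P<proto>[A-Z]+)\((?P<proto_num>\d+)\) traffic with "
    r"(?P<host>\S+) \((?P<ip>[\d.]+) Port \((?P<port>\d+)\) \)"
)


@dataclass
class NetbiosEvent:
    when: str
    proto: str
    host: str
    ip: str
    port: int
    local_subnet: bool


def parse_events(text):
    """Extract every rule-hit row from a Norton activities export."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # category headers, column headers, unrelated rows
        addr = ipaddress.ip_address(m["ip"])
        events.append(NetbiosEvent(
            when=m["when"],
            proto=m["proto"],
            host=m["host"],
            ip=m["ip"],
            port=int(m["port"]),
            local_subnet=addr.is_private,  # RFC 1918 / loopback / link-local
        ))
    return events


def suspicious_events(events):
    """NetBIOS name service belongs on the local subnet; a port 137 hit
    against a public address is the case the thread is chasing."""
    return [e for e in events if e.port == 137 and not e.local_subnet]


if __name__ == "__main__":
    for e in suspicious_events(parse_events(SAMPLE_LOG)):
        print(f"{e.when}  {e.proto}/{e.port}  {e.host} ({e.ip})  -> not local subnet")
```

Feed it a saved export instead of `SAMPLE_LOG` to get the same list from real history; the process name lives in the "More Details" pane and is not in the export, so that column still has to be read off the Norton UI as described in the answer above.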
I try to run a tight ship here - I run Malwarebytes, SuperAntiSpyware, and NIS full system scans every few days on a rotating basis, and they have always come back clean; never an infection since I stood this machine up several years ago.
The traffic seems to be spawned by Firefox browsing activity (perhaps it would be generated by IE browsing as well; I just don't use IE).
I had my NIC card set to the default of enabling NetBIOS over TCP/IP. While it's not really NetBIOS traffic (if I understand correctly), I don't think I "need" NetBIOS over TCP/IP enabled for anything so I'm going to turn it off and see what happens.
I can put a rule in the router to block Port 137 traffic at the "edge" of my network ... but like you said that could screw something up...
Disabling NetBIOS over TCP/IP (under advanced settings --> WINS tab) quieted everything down immediately.
I'm not quite sure what was going on there but with it disabled Norton is still fetching updates and nothing seems broken...
I don't quite understand it, but I'm good with it ... it's tax season ...
NetBIOS is a protocol Windows uses to identify computers on a network. So for example if you have a computer named "Kitchen" with an IP of 10.0.0.1 and a computer named "Bedroom" with an IP of 10.0.0.2, Windows will allow those computers to recognize each other by their name instead of their IP, though it isn't entirely necessary.
Because this port is typically left open, malware can use it to communicate with command and control servers. Don't be fooled by the "friendly names" given to ports. Even though ports have common names like HTTP for port 80, HTTPS for port 443, NetBIOS for port 137, etc... any type of communication can be sent over an open port.
For example, if malware wanted to set up an FTP server on port 137, Norton will alert you about NetBIOS traffic because that's the friendly name, but technically it's FTP traffic (Norton doesn't do deep packet inspection to see exactly what type of communication it is). This is why it is good to close any unnecessary ports.
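The point above is that a port-only rule cannot tell genuine NetBIOS name service traffic from anything else sent to UDP 137. The following is an added example (not code from the thread or from Norton) of the check deep packet inspection would make: it builds a constructed NetBIOS name query for the "Kitchen" host from the example above, using the RFC 1001 first-level name encoding, and classifies an arbitrary UDP 137 payload as either a well-formed NBNS query or "not NBNS". Transaction id, flags and the sample payloads are assumed values.

```python
import struct

# NBNS header (RFC 1002 §4.2.1): trn_id, flags, qdcount, ancount, nscount, arcount
NBNS_HEADER = struct.Struct("!HHHHHH")
QTYPE_NB, QTYPE_NBSTAT, QCLASS_IN = 0x0020, 0x0021, 0x0001


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 §14.1): pad the name to 15 bytes with
    spaces, append the 1-byte suffix, then spell each nibble as a letter A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name, trn_id=0x1234):
    """Constructed NBNS NB name query: flags 0x0110 = query, RD, broadcast."""
    header = NBNS_HEADER.pack(trn_id, 0x0110, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(name) + b"\x00"
                + struct.pack("!HH", QTYPE_NB, QCLASS_IN))
    return header + question


def classify_udp137_payload(payload):
    """Return 'nbns-query:<NAME><suffix>' for a well-formed single-question
    NetBIOS name query, otherwise 'not-nbns'. This is the content check a
    port-number rule never performs."""
    if len(payload) < NBNS_HEADER.size + 38:      # header + 1+32+1 name + 4
        return "not-nbns"
    _trn, flags, qd, _an, _ns, _ar = NBNS_HEADER.unpack_from(payload, 0)
    if flags & 0x8000 or qd != 1:                 # response bit set, or != 1 question
        return "not-nbns"
    off = NBNS_HEADER.size
    if payload[off] != 0x20:                      # label length must be 32
        return "not-nbns"
    try:
        name, suffix = decode_netbios_name(payload[off + 1:off + 33])
    except ValueError:
        return "not-nbns"
    if payload[off + 33] != 0x00:                 # name terminator
        return "not-nbns"
    qtype, qclass = struct.unpack_from("!HH", payload, off + 34)
    if qtype not in (QTYPE_NB, QTYPE_NBSTAT) or qclass != QCLASS_IN:
        return "not-nbns"
    return f"nbns-query:{name}<{suffix:02X}>"


if __name__ == "__main__":
    print(classify_udp137_payload(build_name_query("Kitchen")))   # nbns-query:KITCHEN<00>
    print(classify_udp137_payload(b"220 ftp ready\r\n"))           # not-nbns
```

The second sample payload stands in for the FTP-on-port-137 case from the paragraph above: it arrives on the "NetBIOS" port but fails every structural check, which is exactly the distinction a friendly port name hides.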
So apparently, unless specifically blocked by the firewall (which it appears to NOT be the default), or unless "NetBIOS over TCP/IP" is disabled in the IP protocol stack, then Port 137 is left open to the internet.
From what I can see - some websites are "clever" enough to route traffic over this port in Firefox for backchannel communications which caused the security flag to be thrown by my router ....