Automatic Program Control vs Advanced Event Monitoring NIS 2012

I have been reading quite a bit about this topic, but I am still not clear.

It appears from the language on the Norton support site that the only way to enable the following protections is to enable Advanced Event Monitoring (AEM).

Program Component - Monitors the malicious programs that launch Internet-enabled programs.

Program Launch - Monitors the malicious programs that attach to safe programs without being detected.

Command Line Execution - Monitors the Trojan horses or malicious programs that launch trusted applications in hidden mode through command-line parameters.

Code Injection - Monitors the Trojan horses or malicious programs that inject code into an application's process without triggering firewall alerts.

Window Messages - Monitors the Trojan horses and other malicious programs that manipulate an application's behavior to connect to the Internet without triggering firewall alerts.

Direct Network Access - Monitors the Trojan horses and other malicious programs that bypass network traffic. These programs penetrate the Windows TCP/IP layer to send and receive data without triggering firewall alerts.

Active Desktop Change - Monitors the malicious programs that use the documented interfaces that the trusted applications provide to transmit data outside the network without triggering firewall alerts.

Key Logger Monitor - Monitors the malicious keylogger programs that access personal information of a user on a particular computer by monitoring their keystroke activities.

COM Control - Monitors the malicious programs that manipulate an application's behavior by instantiating controlled COM objects.

Is that correct?  Or does Automatic Program Control (APC) offer the above protections but does so automatically without asking for your input?

Two sentences on the Norton support page make me think that you must enable AEM in order to activate the above protections:

Intruders can gain access to your computer in the following ways without causing firewall alerts to appear:

and

The Advanced Events Monitoring settings consist of the following categories that provides your computer with advanced protection:

Could someone please clear this up for me?  If APC does not offer those protections, I am very inclined to disable it and turn on AEM and do it myself even though I'll be bombarded with notifications.

Finally, if APC DOES offer the above protections, are all of the above events recorded in the History or in any logs so you can at least see what NIS has done after the fact?

Thanks


Hi Meatball,

Yes, the firewall in Automatic Program Control mode does block the same sneaky network access tricks used by malware that Advanced Events Monitoring detects - the only difference is that the firewall makes the decisions in APC and asks the user to make the decisions in AEM. In truth, APC is arguably the most secure way to run the firewall. Programs are identified using a hash scheme and backend servers provide extensive information on whether a program is malicious or safe. The traffic is analyzed to detect any qualities that are characteristic of malware. If necessary, the firewall can query other Norton components for additional information. This is much more data about a connection request than most users will have if they have to decide for themselves if some program should be allowed to "access the Internet using one or more unrecognized modules," or respond to some other similarly cryptic alert.

These Advanced Events Monitoring elements all pertain to outbound traffic.  The firewall activities log provides a record of the programs that request network access. 

Guru,

Thanks for the timely and thorough reply.  That is VERY good to know. 

I was under the impression that when using AEM, there would be LOTS of pop ups from Norton asking for my attention.  When I look at the firewall logs there are relatively few items especially when it comes to outbound traffic.  Are you sure that APC logs all the same events that AEM would?

Thanks

I know the firewall logs when rules are created for a program the first time it requests network access, each time a program is preparing to access the internet, and when default block rules are invoked.  Unfortunately for you (but fortunately for me), I have never had the opportunity to see what happens when the firewall blocks a malicious program that is trying to call out using devious methods.  I am reasonably sure it would be logged, but I cannot speak from experience.  If there were malware on your system, though, it would be detected by Auto-Protect or IPS, regardless of what the firewall was logging - so it is unlikely that you would actually discover the infection through your firewall logs anyway.

OK, sounds good.  I think I'll stick with APC for now and see how it goes. 

Thanks again

Yeah, not only is it the most convenient way to operate the firewall, it is, as I said earlier, also the most secure.  It can leverage all sorts of information about programs, processes and network traffic signatures that is just not readily available to the average user.