Custom Program Rules - A Couple More Questions

Hi -

 

I use Automatic Program Control with NIS 2009, but have about 6 custom program rules, either via modification of an automatic rule or addition of an entirely new one. I have a few questions which I hope are straightforward, even though I can't seem to state them too succinctly:

1. The first time I use a program (since installing NIS), it usually creates an automatic program rule, and I see a log entry that says: "Firewall rules were automatically created for program such-and-such." No surprise there. Other times I have manually created a rule, and it says "you created firewall rules to manage how program such-and-such accesses your network resources." No surprise there, either.

But tonight a rule was created *automatically*, and the log used the "YOU created firewall rules..." statement. So now I'm confused as to why it didn't use the "Firewall rules were created automatically..." statement. The program was an openvpn, but I'm not sure why that would change the phrasing of the log entry given it was still created automatically. Any ideas why it is saying I created the rules this time?

2. Even though I generally use auto program control, yesterday an alert popped up that a particular program had accessed the internet. I had modified the automatically-generated rule to log any access. But this is the first time I ever saw such a pop-up rather than just a log entry (and I was happy to be alerted in this case). Previously I have had to check the logs to see such logging-requested activity, whether it was with regard to an Allow rule or a Block rule. Why the change? (I have one theory, which is mentioned in question 3, but I have no idea whether it's right.)

3. When modifying an auto program rule or adding a completely new custom rule, I know that choosing "Monitor" on the Action tab will automatically place a checkmark in the "Create a Log Entry" box on the Tracking tab. Is there any significance to the fact that the reverse is not also true? On a related note, getting back to that program with the pop-up alerting me to net access: I *think* (can't swear to it) that this program's rule modification was the first time I actually selected Monitor on the Action tab rather than solely ticking the Log box on the Tracking tab. Could THAT have any relation to why I saw an alert pop-up?

Thanks.

Message Edited by Ardmore on 05-23-2009 10:18 PM

Questions 2 and 3 are related: if you check Monitor, Norton will log and give a pop-up. If you just check Log, no pop-up.

The only reason for the rule statement in #1 is that the Automatically created rule was based on a manually created rule you made.

Well that quickly solves questions 2 and 3!

But for 1, I'm not sure why you say that the automatically created rule was based on a rule I created manually. I first noticed this a few hours after I accessed the application for the first time since installing NIS. I was looking through the log for something else, and noticed a "you created..." entry for the rule NIS had created automatically for the application, without any manual involvement on my part. Under program rules, it was still listed as "Auto" at the time.

AFTER I modified the automatic rule to add reporting there were additional log entries starting with "you created..."; and in the program rules the dropdown changed to Custom. No mysteries there.

Let's say I have the sequence wrong and it actually went like this:

a.  Went to program rules and saw the rule NIS had created, shown as Auto

b.  I added notification, thus changing it to Custom

c.  Examined log

Even if the sequencing actually went like that, wouldn't there still be an entry in the log saying "rule automatically created..."? NIS wouldn't go back and delete or modify the original "automatic-rule-created" log entry, would it?

EDIT: I just realized that perhaps your reference to a manually created rule I made assumes I have created some general firewall rule(s). If so, note that I haven't created or modified anything other than program rules, and there haven't even been many of those.
Message Edited by Ardmore on 05-24-2009 12:19 AM

What is happening in your scenario is that Norton is deleting the Automatic rule the moment you accept the edited version and replacing it with the manual rule. The Automatic rule has been wiped from the records; replaced with the manual rule you just made.

However, I think you may have found a small glitch in the logging of the Rules History.  I'll try and find out.

Ok, thanks. Don't know if this helps, but here is what the five log entries related to this application say (oldest to newest):

6:53:33 PM  An instance of C:\...openvpn.exe is preparing to access the internet.  Detected.

6:53:33 PM  You created firewall rules to manage how openvpn accesses your network resources.  Detected.

6:53:41 PM  You created firewall rules to manage how openvpn accesses your network resources.  Detected.

7:17:33 PM  You created firewall rules to manage how openvpn accesses your network resources.  Detected.

8:57:05 PM  You created firewall rules to manage how openvpn accesses your network resources.  Detected.

That last entry is the one where I manually added logging for the third rule of what then showed as an automatic three-rule set when I first looked at it around 8:50 PM. (I say "then showed", because the logs seem to suggest that I might have seen only a two-part rule had I looked at, say, 7:00 PM instead. 7:17 is just about when I disconnected the openvpn, so maybe NIS created the 3rd part of the rule at that time for some reason. Fyi, the three rule parts, in order, were for outbound TCP & UDP; outbound UDP; and inbound UDP.)

As for your statement that "Norton is deleting the Automatic rule the moment you accept the edited version and replacing it with the manual rule. The Automatic rule has been wiped from the records; replaced with the manual rule you just made."... I checked the logs to see if this appears true for programs I've modified, and the result has left me even more confused. Since I reinstalled NIS a few days ago I don't have many datapoints to go on. But I have a downloader program for which NIS created an automatic 3-rule set. I changed the 3rd rule from allow to block, expanded the name for all 3 rules, and requested logging (via the log checkmarks ONLY, not the Monitor radio button). This is similar to how I handled the openvpn rule set I've been discussing (except that I didn't change any of the openvpn rules to block). But UNLIKE openvpn, the logs DO still list the original automatic rule creations. And to complicate matters further, NIS has since added a 4th rule AND changed the dropdown back to Auto despite the fact that my modifications to the first three rules remain.

In another case there was a program that was added automatically which I changed to a blanket Block via the dropdown. For that one, the log does indeed lack any record of the automatic rule creation.

...and all this started just because I wanted to understand why the log said I created something I didn't. Could it be that your answer on this count is basically correct but subject to certain complex nuances/exclusions?

Meanwhile, I've added the overdue Kudo for the quick solution to the other issue encompassing questions 2 and 3.

Message Edited by Ardmore on 05-24-2009 03:40 AM

"But I have a downloader program for which NIS created an automatic 3 rule set."

Are you saying that for xyz.exe, NIS 2009 made 3 separate rules automatically?

When I open Program Control, xyz.exe is listed only once. When I look inside that listing there are three parts, each of which I assume NIS calls a "rule" because the heading is, "These rules determine how the firewall..."

EDIT: As I mentioned in my last post, that describes what happened when the program was initially added. It's since grown to four parts: the aforementioned three created automatically by NIS and modified by me, then a fourth part added at some later point by NIS. And the dropdown has also reverted from Custom back to Auto, all with no further intervention by me.

Message Edited by Ardmore on 05-24-2009 04:40 PM

Thanks for posting back, Ardmore.

The actions you are seeing take place are due to the Automatic Program Control being set to ON. Norton's Smart Firewall will adjust rules on the fly as needed to allow the applications to work and still be secure. If this is bothersome to you, you can turn the APC function off (I would then recommend that you turn on Advanced Events Monitoring) and have complete manual control of the firewall.

I'm pretty much fine with those actions, although I'll take a look every now and then and turn APC off/AEM on if it seems appropriate at some point (not likely, I would guess).

It would still be nice to better understand what seems to be either special rules or inconsistencies in how the program-rule creation log entries are worded, and under what circumstances existing log entries will be modified or deleted by NIS. My logs seem to support your explanations re this in one case but not another. That said, again I'm comfortable having some of this remain a mystery as long as I can be confident that the kinds of things I'm seeing happen (and not happen) are normal. Even a couple of bugs wouldn't concern me as long as I can be confident that they're inconsequential.

Anyway, I'll mark this solved as there was a clear solution on questions 2/3 and some helpful observations (and a suggestion) re question 1.

Thanks.

I understand what you are saying, Ardmore. I must have tried every software firewall there is in the last 2~3 years (well, at least the major ones) and was kind of skeptical over this one at first. I think Norton has done a terrific job of making an automatically controlled firewall that fits almost every average user out there and still protects against bad network traffic. There are a few instances I've run across (Domain controls / logins, VPN with IPSec modifications, etc., that are not typical) that have been real issues. But for what this is designed for, the Smart Firewall is a lot tougher than it looks.

Let us know if you need anything else on this.  I will be digging into the Firewall heavily as new versions start to come out and get tested.

To answer the "you have created" question, this is an 'odd' messaging behavior since the original NIS 2000. The program automatically created the rule despite what the log says. The text probably should be changed, but it's not as trivial as just changing the text.

Normally, when a program is "preparing" to access the Internet, rules are created for that program and the messaging is correct. When traffic is detected that doesn't match one of those rules, however, special processing is required. A notification is sent from the core firewall to the user context code for evaluation. That user context code does some further evaluation and MAY create some additional rules to allow (or block) the traffic, or, it may prompt the user for the desired action. Regardless of whether the user chooses what to do or the user context code does, the user context code ultimately tells the core firewall what to do. When the rule is created, due to automatic logic or the user saying to always perform the same action, the same "user created" message gets logged.
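Since the explanation above establishes that an automatic adjustment and a user-chosen action both log the identical "You created" message, the only clue left in the Rules History is timing. The following Python is an added example (not from this thread or from Norton): it parses entries in the format quoted earlier and flags a "You created" entry as likely automatic when it falls within an assumed 30-second window of a "preparing to access" event for the same program; the log lines are constructed from the ones posted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format the thread quotes: one "preparing to access"
# event followed by several identically worded "You created" rule entries.
SAMPLE_LOG = [
    r"6:53:33 PM  An instance of C:\...openvpn.exe is preparing to access the internet.  Detected.",
    r"6:53:33 PM  You created firewall rules to manage how openvpn accesses your network resources.  Detected.",
    r"6:53:41 PM  You created firewall rules to manage how openvpn accesses your network resources.  Detected.",
    r"7:17:33 PM  You created firewall rules to manage how openvpn accesses your network resources.  Detected.",
    r"8:57:05 PM  You created firewall rules to manage how openvpn accesses your network resources.  Detected.",
]

TIME = r"(\d{1,2}:\d{2}:\d{2} [AP]M)"
PREPARING = re.compile(TIME + r"\s+An instance of .*?(\w+)\.exe is preparing to access")
CREATED = re.compile(TIME + r"\s+You created firewall rules to manage how (\S+) accesses")


def parse_time(text):
    """Parse the 12-hour clock stamp used in the quoted log (no date is logged)."""
    return datetime.strptime(text, "%I:%M:%S %p")


def classify_rule_events(lines, window=timedelta(seconds=30)):
    """Return (stamp, program, verdict) for every "You created" entry.

    An entry within `window` (assumed value) of a "preparing to access" event
    for the same program is treated as the firewall's own automatic creation;
    anything later is flagged for review, because the message text alone
    cannot distinguish an on-the-fly adjustment from a manual edit.
    """
    preparing = {}  # program -> times a "preparing to access" event was logged
    results = []
    for line in lines:
        m = PREPARING.match(line)
        if m:
            preparing.setdefault(m.group(2), []).append(parse_time(m.group(1)))
            continue
        m = CREATED.match(line)
        if m:
            stamp, program = m.group(1), m.group(2)
            t = parse_time(stamp)
            recent = any(timedelta(0) <= t - p <= window for p in preparing.get(program, []))
            verdict = "likely automatic" if recent else "review: later adjustment or manual edit"
            results.append((stamp, program, verdict))
    return results


if __name__ == "__main__":
    for stamp, program, verdict in classify_rule_events(SAMPLE_LOG):
        print(f"{stamp}  {program:<10} {verdict}")
```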

Reese, your post sure helps de-mystify the log wording issues I observed, AND related behind-the-scenes behavior! Thanks!