For the past three days, I've been noticing two to three of these entries in my security logs every few hours. All with different ISPs from different countries.
Rule "Default Block Microsoft Windows 2000 SMB" blocked (xxxx.xx.xxx.xxx, Port (445) ) Inbound TCP connection Local address, service is (PC (my ISP #), Port (445) ). Remote address, service is (xxx.xx.xx.xxx, Port (60633) ). Process name is "System".
From what I've read on the boards, these attempts are from other systems looking for vulnerable computers and getting blocked by Norton and is not an indication that my own system is at risk or has been compromised. (hopefully I've got that right!)
My question, though: Is it strange or concerning that these attempts only started a few days ago?
I did a search in the logs and there are no incidents prior to this (though, admitedly, it's a new computer so the logs only go back to August). Any feedback is much appreciated!
For the past three days, I've been noticing two to three of these entries in my security logs every few hours. All with different ISPs from different countries.
Rule "Default Block Microsoft Windows 2000 SMB" blocked (xxxx.xx.xxx.xxx, Port (445) ) Inbound TCP connection Local address, service is (PC (my ISP #), Port (445) ). Remote address, service is (xxx.xx.xx.xxx, Port (60633) ). Process name is "System".
From what I've read on the boards, these attempts are from other systems looking for vulnerable computers and getting blocked by Norton and is not an indication that my own system is at risk or has been compromised. (hopefully I've got that right!)
My question, though: Is it strange or concerning that these attempts only started a few days ago?
I did a search in the logs and there are no incidents prior to this (though, admitedly, it's a new computer so the logs only go back to August). Any feedback is much appreciated!
I just didn't know if it was okay to list the ISPs (which, in retrospect, may have been a bit silly).
The full entry was:
Rule "Default Block Microsoft Windows 2000 SMB" blocked (114.46.36.233, Port (445) ) Inbound TCP connection Local address, service is (PC (my ISP), Port (445) ). Remote address, service is (114.46.36.233, Port (60633) ). Process name is "System".
In the past 24 hours, I've had this same rule come up with 6 different ISPs (60.191.111.85, 181,114.45.40, etc, etc) attempting to make the inbound connection, each usually making multiple attempts.
Thanks so much! That is a huge relief! (and sorry for confusing ISP and server addresses--I'm horrible when it comes to tech stuff).
So the fact that these events just started isn't anything to worry about? I was feeling a bit paranoid after checking a friend's computer (also running Windows 8 and NIS) and saw that she's never had anything similar pop up in her logs.
roane, as Apostolos says, your history shows that Norton is blocking these attempts.
Welcome to the world of spamming and phishing ! You'll probably find that these intrusions will die off, as the nasties will go looking for more vulnerable computers. As long as you keep your settings locked up nice and tight, Norton will protect you.
Run scans at regular intervals and back up, back up, back up !.....
You guys were totally right and those intrusions did seem to die off. I started getting a different one over the past two days, though, and was wondering if what you said applies to this one as well?
Now I'm getting:
Rule: "Default Block EPMAP" blocked (xxx.xxxx..xxxx.xxx, Port dcom(135) ).
Inbound TCP connection.
Local address, service is (PC (my ISP), port dcom(135) ).
Remote address, service is (xxx.xxx.xxx.xxx, Port xserver(6000) ).
Process name is "C:\Windows\System32\svchost.exe".
(Sorry for the X's. For some reason, posting the remote addresses makes me nervous.)
Is this also just a normal attempt that can safely be ignored? The fact that the process name was coming up as svchost.exe scared me a bit.
Thanks so much for taking the time to reply and the link!
I did see that thread when I ran a search but wasn't sure if the advice on it would still apply to me since, in that user's case, it was another computer on his own network that was being blocked and, in my case it appears to be coming from an outside source (and I wasn't sure if the fact that it seemed to be targeting svchost.exe was of a concern). Looking at the thread again, though, I do see that SendOfJive mentioned that it was alright even if the attempt originated from the internet.
I will try to stop obsessing! (And possibly ban myself from looking at the history file)
roane, when I first got my computer, I checked the Event Viewer and Norton history, all the time. Then I learned to relax, and enjoy using it, and letting Norton do it's job. Now I've lost my worry lines.......
lol I think I'd be a lot happier if I could get out of the habit of checking the history file. Normally, I can shrug off most of what I see (usually thanks to the awesomeness of the forum and previous threads) but every once in awhile I just obsess about something in there.
I do wonder how often the average user even checks those things, though.
Roxane Take it from one who looked at the history constantly, it’s not worth it To be honest I actually wound up in counseling because the anxiety it caused I still check a little, but not with the same paranoia I had. Btw you can see the history of questions I’ve had over the years I’m still concerned but within limits I’m actually still using 2012 nis
lol I don't mind being called Roxanne. It sounds so much more dramatic :)
I can definitely understand the anxiety and counseling stuff. I tend to be obsessive, myself, so it's sometimes hard for me to distinguish between a worry that's legitimate and one which I'm blowing out of proportion. Logically, I know the attempts are being blocked so Norton is protecting me, but the illogical part of my brain is having a total anxiety party whenever I break down and check the history.
So, yes, definitely understand and am very glad it sounds like counselling has been helpful. :)
Two things to bear in mind to help you stay off the Xanax:
1. The history is showing that Norton is doing what it is supposed to be doing. Firewalls are necessary because there is a constant background radiation of port probes on the internet that is inescapable. Your PC is not being targeted specifically, but its IP address may be in a block that is being probed at any given time. Firewalls block these connection attempts each and every time. You don't need to worry about it.
2. If anything should arise that requires your involvement, Norton will alert you about it when it happens. Whatever events you find in the logs are things that have already happened that Norton has taken care of without bothering you about it. The logs are only a record of Norton's past activities (all of them routine, by the way, unless you are very unfortunate), not a list of things that need your current attention.
Since you can't do anything about the internet's background radiation, or things that have already happened, I suggest you relax and instead of worrying, take comfort from the logs that show that Norton is protecting your PC exactly as it is supposed to do.
I'm going to print this out and pin it above my desk and use it as a mantra when I find myself getting stressed out about the logs. It'll be my Norton equiv of "I must not fear. Fear is the mind killer. Fear is the little death that brings total obliteration.... etc, etc, etc."
(100% not being sarcastic, it's printing right now)
