Intrusion Prevention white list?

I am running NAV2010 and the Intrusion Prevention feature is blocking legitimate access from another machine on my LAN.  I don't have the logs available but I believe it was something like "Invalid Port".  I would like to configure Intrusion Prevention to ignore this specific IP Address - Is that possible?

Alternatively, can I tell Intrusion Prevention to "allow" this access in the future?

Thanks in advance

Hi billy44bob44,

Welcome to the forum. Can you be more specific about the software you are using? Is this NAV 2010 or NIS 2010? It should be NIS 2010 since NAV does not have the two way firewall. Can you give your exact version from Help and Support > About? Also what is your OS and SP (service pack) level to include 32 or 64 bit?

For NIS you can check the history logs by clicking on History near the upper left corner (in the Computer section) of the main NIS window. You can look at recent history or if this was further back you can select Full History from the drop down list. You can also be more specific by selecting Intrusion Prevention from the drop down list.

Please check the logs and let us know the details of what was blocked and any other details shown by NIS.

In short, yes, rules can be set up to allow this access in several ways. One is a program rule, which is typically the best if certain software is running which needs access, as this will automatically grant whatever permissions are needed to that software. Another is to set up a rule based on port(s) which need to be granted access. This can be set based on source IP address or global if desired.

Another way, which is the least secure and typically not recommended, is to grant ALL access to a particular IP address.

Before we get into the details of which of these might be better for what you want to accomplish, we need a little more detail from the NIS logs.

Thanks

Allen

Thanks Allen.

I am in fact referring to Norton AntiVirus 2010, not NIS.  NAV on my PC has a feature called "Intrusion Prevention" that appears to be blocking access from my other machine, based on the notifications and logs I'm seeing.  I can't find any screens within NAV where I can create a program rule, create a rule based on sources, destinations and ports, or simply allow all access from a single IP address, as you describe below.  I realize that I can disable the Intrusion Prevention feature altogether, but it seems like it has the potential to protect my system from a future attack so ideally I'd like to keep it enabled.

My system details are: Norton AntiVirus 2010 v17.5.0.127, Windows 7 Ultimate, 32-bit.

(See screenshot at http://www.tomlucht.com/public/pictures/NAV-Screen2.jpg)

The Security History Logs say:

- An intrusion attempt by 192.168.0.203 was blocked.

- Risk Name: Invalid TCP Destination Port

- Attacking Computer: 192.168.0.203, 53253 (that's my other machine - it's actually a TiVo)

- Destination Address: 192.168.0.201, 0 (that's this machine)

- Traffic Description: TCP, Port 53253

- (See screenshot of the Security History log at http://www.tomlucht.com/public/pictures/NAV-Screen3.jpg)

- (See screenshot of the Advanced Details for this entry from the Security History log at http://www.tomlucht.com/public/pictures/NAV-Screen4.jpg.  Although it doesn't really show any additional details.)

Do you think I can configure Intrusion Prevention to ignore this particular "attack", or do I have to disable it when I want to have these two machines communicate with each other?

Thanks in advance for your help!
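
As an added illustration (not part of the original posts and not Norton code), this Python sketch triages the Security History entry quoted above, checking that the blocked source is a private address on the same subnet as the protected machine before any allowance is considered. The /24 prefix and the reading of the second value in each address field as a port are assumptions.

```python
import ipaddress
import re

# Constructed sample: the Security History fields as quoted in the post above.
SAMPLE_ENTRY = """\
- Risk Name: Invalid TCP Destination Port
- Attacking Computer: 192.168.0.203, 53253
- Destination Address: 192.168.0.201, 0
- Traffic Description: TCP, Port 53253
"""

# "a.b.c.d, N" at the start of a field value; N is assumed to be a port.
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*,\s*(\d+)")


def parse_entry(text):
    """Turn 'Field: value' lines into a dict; endpoints become (ip, port)."""
    entry = {}
    for line in text.splitlines():
        key, sep, value = line.lstrip("- ").partition(":")
        if not sep:
            continue  # free-text lines without a field name
        key, value = key.strip(), value.strip()
        m = ENDPOINT.match(value)
        if m:
            try:
                value = (ipaddress.ip_address(m.group(1)), int(m.group(2)))
            except ValueError:
                pass  # malformed address: keep the raw string
        entry[key] = value
    return entry


def triage(entry, prefix_len=24):
    """Collect facts that help judge whether a block is a LAN false positive."""
    src_ip, src_port = entry["Attacking Computer"]
    dst_ip, dst_port = entry["Destination Address"]
    # Assumed home-LAN prefix length; adjust to the real netmask.
    lan = ipaddress.ip_network(f"{dst_ip}/{prefix_len}", strict=False)
    return {
        "risk": entry.get("Risk Name"),
        "source_is_private": src_ip.is_private,
        "same_subnet": src_ip in lan,
        "dst_port_logged_as_zero": dst_port == 0,
        "src_port_in_dynamic_range": src_port >= 49152,  # IANA 49152-65535
    }


if __name__ == "__main__":
    print(triage(parse_entry(SAMPLE_ENTRY)))
```

A source that fails the `same_subnet` or `source_is_private` check is not the local-device case discussed in this thread and should be investigated rather than unblocked.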

Hi billy44bob44,

Thanks for the additional information. Apologies about the NAV vs NIS. I find many interchange the two terms.

You should be able to do "some" configuration of the Intrusion Prevention with NAV. Please see this thread for details.

I do want to mention though that NAV 2010 does not have an actual two way firewall. Intrusion Prevention is a "function" of a firewall but is not an actual firewall. This thread offers some explanation of the difference.

As the built-in Windows firewall is not that good, I would suggest upgrading to NIS, possibly when your current subscription expires. If you have another good 3rd party firewall, then this is not necessary.

One added note: I know it is counter-intuitive but you can attach images directly to your post here by clicking the  near the top.

Thanks

Allen

Hi billy44bob44,

Did this work for you? I hope this solved your problem.

Thanks

Allen

Yes, you have answered my questions, thank you.  Unfortunately, the answer is that I cannot configure NAV's Intrusion Prevention feature to ignore "attacks" from certain IPs.  It appears from the threads you referenced that the closest thing is that it is possible to temporarily unblock certain IPs after they have been blocked.  That is not quite as good as permanently unblocking the IP before the block occurs, but it will be helpful.  It is good to know the limitations of this software.  I will consider NIS for the future.

Thanks again!

Hi billy44bob44,

Thank you very much for the update. I'm not sure how long you have left on your subscription but if you do decide to go with NIS at that point I feel confident you will be happy with it. NIS is very customizable and has something called Identity Safe built in. Identity Safe allows you to store all your logon information of various websites and can store information to auto-fill forms on websites and several other niceties.

Thanks again.

Allen