NIS Firewall curiosity question

NIS 2011 v 18.7.2.3
Vista Home Premium 32 bit
Vista sp2
IE8 browser

Took a look at my firewall log and noticed something confusing.
Saw that a rule was created for iexplore.exe outbound UDP 53.
I have used IE8 many hundreds of times before this entry showed.
I went to program rules and saw for iexplore.exe two rules, outbound TCP and outbound UDP.
I deleted the program from the program rule (knowing that the rules would be recreated when I next opened IE8). I then restarted my computer. Shortly thereafter, I opened up IE8. I looked at the firewall log and 3 firewall rules were created. One for TCP 80 BUT 2 for UDP 53.
So I am curious as to why there are 2 rules that are the same, the UDP 53?

Anyone have any possible answer?
This happened yesterday after the Microsoft updates and after the NIS 2011 update, so not sure what might be related.
Anyone using NIS 2011, Vista Home Premium 32 bit OS, and IE8 notice the same thing?

I’m pretty sure it’s nothing to be worried about, but it always makes me feel better if those in the know tell me what they think.

Do you run a 64-bit system? If so, you will have one iexplore.exe in the program files IE folder, and one in the program files (x86) IE folder, both of which NIS creates rules for.

Calls,

Although running a different OS and version of IE (I do have IE8 on my virtual machine running XP), this activity is due to Microsoft security updates and nothing to worry about. I do not know the programming part of this, but certain MS updates dealing with IE make Norton "re-evaluate" the rules for communication.

It is actually an excellent example of the product taking care of us; if the same rules were never changed, they could open up vulnerabilities over time.

Hope this helps -- Bill

Yeah, that's right - there was an IE update with this latest batch of MS updates. That will change the IE executable (iexplore.exe) and NIS doesn't use the same rule for the new one as for the old.

Thanks all. This makes almost 100% sense to me, which is very unusual : )

I was just going to add that I thought there was some Microsoft update for IE8 last night. And given that the notification of the rule being created (specific to UDP) was when I launched IE8 AFTER installing the Microsoft updates, it makes more sense.
Only part still confusing is this. I had deleted the iexplore.exe from the program control. So naturally when I relaunched IE8, program control/firewall rules were created. But this is where I’m still confused. There were two rules created for iexplore.exe in regards to UDP outbound protocol. If the Microsoft IE 8 updates caused NIS firewall to make a change, why would it show 2 firewall rules created for UDP outbound for iexplore.exe? Wouldn’t it just show one rule created since the old rule would not be needed?
Just curious.
As I said, anyone with my specs,
Vista Home Premium 32 bit, SP1,
IE8 and NIS 2011,
if you remove the program control rules for iexplore.exe and then launch it again, do you show 2 outbound UDP rules created?

Sorry, can’t edit my previous post from my phone. Let me just clarify something. When I relaunch IE8 after removing it from program control rules, the firewall log shows 3 instances of rules created for iexplore.exe:
One for TCP or http outbound (sorry, I don’t recall exactly)
But TWO rules for outbound UDP
When I look at program control rules I just see 2 rules, and only one of those is for outbound UDP.
That’s what is confusing me, why the 2 instances in firewall log for UDP now?

Hi Calls,

Glad things are starting to make sense. I was able to see the two instances of IE in program control in my virtual machine (keep in mind that has the latest version of NIS, not 2011).

I have tried to "fully understand" firewall rules in the past and my research has uncovered they are extremely complex. So I have stopped trying to figure things out and I enjoy paying Symantec to do it for me :)

As a suggestion, if you like to see immediate results (I have seen NIS "clean up" removed program rules and those no longer required, just not instantly), Norton has had a feature I like to use once in a while called firewall "reset" under advanced options for the firewall. Once or twice a year (usually after major NIS version updates) I temporarily disable the internet and reset the firewall. If you are using custom firewall controls this may not be attractive, but for the masses this is great.

I have done this in my VM this evening and the IE rules are now normal with no "duplicate" entries.

All the best -- Bill

Thanks Bill.
I am not seeing duplicate rules in program control. There I just see the two rules.
Where I’m seeing multiple entries is in the Firewall activity log.
This is where there will be multiple instances of firewall rules created for iexplore. Plus I have noticed more of these when I launch Internet Explorer after removing it from program control rules. Perhaps it is because I had deleted the program and now it needs to recreate all the scenarios?
Also, I do have quick scans that run auto and they will note Firewall configuration updated, and the number of rules corresponds to the appropriate number of rules, not adding these “automatically created” multiple logging.
I just “tested” again and removed iexplore.exe from program control. Rebooted my PC and then launched IE8 again. Immediately I had these 3 entries in firewall log:
Firewall rules automatically created for Internet Explorer
They read as follows:
My PC , 0
Outbound UDP port 53
My PC, 0
Outbound UDP, port 53
My PC, 4xxxx (I deleted these for this post)
Outbound TCP, www-http

So it’s the logged duplicate of the UDP rule that is stumping me.
: (

Sorry all. I know I made this a bigger issue than it needed to be. I was just curious as to the workings of this and what appeared to be a duplicate entry in the firewall log and why.
Sorry.

Calls,

No need to be sorry, the forum is here to get answers to questions.

I should have picked up that you were looking at the log entries. Also, I should not have made the implication the rules created were "duplicate"; they actually "point" to another created executable file (as noted by Bombastus).

Thanks for letting us know you are good with your question, I hope you have a great day! -- Bill

Thanks betme.

But I’m only partially understanding. I understand why there would be a new firewall rule created for Internet Explorer, if there were changes to Internet Explorer. I’ll assume that was the case since just prior to the rule being created, there was a Microsoft update for IE8. So that part makes sense.
But where I’m stuck is why are there 2 firewall rules created for Internet Explorer noted in the firewall log, created at the same time and appearing exactly the same?
My-PC, 0
Outbound UDP

Again, that is where I get stuck, that the rules appear exactly the same,
and why is this so?
In the program control for Internet Explorer, there is a rule for outbound TCP and only ONE rule for outbound UDP. But the firewall log shows the outbound TCP BUT TWO entries for the outbound UDP.
Would anyone know this? Is it a glitch with the firewall logging?
: (

Calls,

You are really a very curious person!! :-)

There is no problem with your firewall rules.

Just FYI, Outbound 53 (port) is related to your DNS service. (Hope you know what DNS is.)

It is something you need to translate addresses, and DNS uses either TCP port 53 or UDP port 53.

Leave your firewall rules as they are.

Hope this helps.

And sadly we all know what happened to the curious cat : (

I know the firewall rule for Internet Explorer is ok, but as I say, why TWO entries logged at the same time for what appear to be the same rule?
Is it that on the surface in the Firewall LOG they appear the same (outbound UDP, 53) but that they are actually a little bit different? It’s the duplication in the firewall log that I can’t grasp.

Sorry to be such a pain in the **** on this : (

Don't know, maybe a cosmetic bug. Just ignore it. It just doesn't matter.

Again sorry, from my phone I can’t edit my posts, and trying to post while here at work is difficult at times.

But just to clarify, my concern is what appear to be duplicate rules in the firewall log. This is what seems to be difficult to resolve, not just for me, but for all who are helping (to whom I give great thanks and appreciation).

Callis,

Hello again,

Please check your router's configuration when you are near your PC.

If it uses 2 DNS, primary and secondary, it could be a firewall entry for each of those 2.

They should appear as 2 IP addresses and are usually taken care of by your ISP.

Let us know if that's the case.

Hope this helps,

Cheers,