Question on IPS Detection Statistical Submission

I know generally these are of no worry, but there is something about this that is concerning to me

In recent history log it shows
IPS detection Statistical Submission

the application name: System
there is an IP address from Brazil and the local port shown is 3389

when I run netstat, I see the port is open to a svchost.exe
when I check the services associated with that process, there are several: encryption, DNSCache, and a few others

the entry in the firewall log just shows as information and “No action required”
It did not say the IP address was blocked and that's what concerns me

so did this mean the IP attempted and connected to my PC?
The local port is 3389

still on NIS2010 until this weekend

sorry all from my phone I can’t edit my question

let me clarify. On the
IPS Detection Statistical Submission
The application name is
SYSTEM
(not svchost)

and the REAL concerning part is this has to do with intrusion prevention right? so why would several IP addresses (there are a few entries like this) be accessing my system application?
there was nothing showing these IP addresses were blocked from doing so, so that is troubling

That's the port used for remote desktop connections. I don't know why anyone would be able to connect like that unless you had initiated it.

Things like this are a good reason why you should have been behind a router; in case this is someone attacking you (not saying that it is, just IF), that would have been blocked before it reached your computer if you had had a router.

the thing is that the firewall log does not show an inbound connection, but then nothing saying it's blocked either

so this IPS Detection Statistical submission

is that saying the IP address connected?
My remote desktop setting is OFF

did a little research and it appears that port 3389 is on by default in Vista machines

so wondering if this IPS Detection just noticed a knock at the door rather than an entry attempt??

Do yourself a favor and get a wireless router. As an added benefit, you don’t need to be stuck in one place.

My router log shows tons of intrusion attempts while my Norton firewall is fairly quiet.

Hello Calls

It was just a Statistical Submission so if necessary Symantec can make adjustments. If there was an actual invasion of your computer, Norton would have let you know with an alert. I would say it is nothing to worry about. It is more of a message to Norton community watch than to you.

Get one with stateful packet inspection (spi) firewall.

Hi Calls,

Remember, this is a statistical submission having to do with a test signature - it is not an actual detection that matches the current working signature for whatever threat we are talking about.  If something were actually detected, it would be blocked and there would be a record of it in Intrusion Prevention history.  If there is nothing there, then there was no attack - probably just a Windows process connecting out that triggered a false positive for the test signature.

ok, first I’m getting a new ISP in a week or 2 that will have a wireless router
But for now I'm still very concerned, more so because another entry showed this morning and the IP address noted was from Turkey and a Google search shows it might be a malicious IP
also did some checking and information seems to indicate that on Vista OS, port 3389 is set to listen
when I run netstat -ano it shows port 3389 in listening state.
When I check the associated PID, it indicates a svchost.exe
When I go to that svchost.exe and check the services, it is associated with DNS cache, encryption, and a few others, but NOTHING about remote desktop

I understand the part that Norton is just logging this event for information purposes
BUT is the entry saying that these IP addresses are actually connecting to my PC?
Or are they tapping at port 3389, but not being connected?

I think if I shut down port 3389 I’ll really mess things up

so is this kind of like an unused port blocking, except since it is a usable port, it’s showing the IP “saw” it but did not connect?
the last IP to be logged is
88.250.186.7
which is from Turkey
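An added example, not from this thread or from Norton: a small Python parser over constructed `netstat -ano` and `tasklist /svc` output that answers the two questions in the post above, which services share the svchost.exe that owns port 3389 and whether any remote address actually has an ESTABLISHED session to that port rather than just a knock at a LISTENING socket. The sample rows and the use of `TermService` (the service name Windows uses for Remote Desktop Services) are assumptions, not data from the poster's machine.

```python
# Added example, not from the original thread. Sample outputs are constructed.
RDP_SERVICE = "TermService"  # Windows Remote Desktop Services service name
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.5:49211      203.0.113.9:443        ESTABLISHED     2456
  UDP    0.0.0.0:3389           *:*                                    1044
"""
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ====================================
svchost.exe                   1044 CryptSvc, Dnscache, LanmanWorkstation
explorer.exe                  2456 N/A
"""

def parse_netstat(text):
    """Yield one dict per TCP/UDP row of `netstat -ano` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so take the PID from the last field.
        yield {"proto": parts[0],
               "local_port": int(parts[1].rsplit(":", 1)[1]),
               "foreign": parts[2],
               "state": parts[3] if len(parts) == 5 else "",
               "pid": int(parts[-1])}

def parse_tasklist(text):
    """Map PID -> service names from `tasklist /svc` (wrapped lines ignored)."""
    svc = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            names = parts[2].strip()
            svc[int(parts[1])] = [] if names == "N/A" else names.split(", ")
    return svc

def port_owner_report(netstat_text, tasklist_text, port=3389):
    """For each socket bound to `port`: owning PID, its services, RDP present?"""
    services = parse_tasklist(tasklist_text)
    return [{"proto": r["proto"], "pid": r["pid"],
             "services": services.get(r["pid"], []),
             "rdp_present": RDP_SERVICE in services.get(r["pid"], [])}
            for r in parse_netstat(netstat_text)
            if r["local_port"] == port and r["state"] in ("LISTENING", "")]

def connected_peers(netstat_text, port=3389):
    """Foreign addresses with an ESTABLISHED session to `port` (an entry, not a knock)."""
    return [r["foreign"] for r in parse_netstat(netstat_text)
            if r["local_port"] == port and r["state"] == "ESTABLISHED"]
```

An empty result from `connected_peers` on a live capture means nobody is currently inside on that port; a LISTENING row with no `TermService` in its service list is the "port bound but Remote Desktop not running" situation the post describes.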

Hello Calls

If you are really that concerned that your computer might be infected, you can always sign up at one of the malware removal sites and ask them if you are infected. They can tell you what scans to run and then they can tell you if your computer is infected. If it is not infected and you continue to get those entries, then you will know that it is just Norton Community Service doing its job and recording those entries. Here are the 4 locations you could sign up with and wait your turn with them. Bleeping will be the most crowded.

Please go to one of these free Forums for help in removing your bad malware or rootkits.

http://www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

(Thanks to Delph for providing the list of sites)

I see no reason this should be happening, so for once I think Calls might be right to be worried (sorry Calls, nothing mean intended, but you do worry a lot over small things :=) ). Of course, it might be a false alarm, but there really shouldn't be.

Hi Calls,

Follow the instructions in the link below to disable RDP in Vista.  What you are seeing may be scans by the Morto worm looking for systems running Windows Remote Desktop Connection.  If it sees a system open to RDP, it will use a small set of easily-guessed passwords to try to match the Administrator password to gain entry - so the attack depends upon RDP being enabled and a weak password.  Unless both conditions are met, you cannot be infected.  Norton will alert to Morto and its attempts to call out, so if you are not seeing these, you are not infected.  I am only suggesting you disable RDP for peace of mind since the entries you are seeing are using the RDP port.

http://www.vistarevisited.com/2008/09/07/how-to-disable-remote-assistance-in-vista/

SoJ
and others, thanks
SoJ
followed that link and the instructions
My remote assistance box is already UNCHECKED
but I do not have any other Remote Desktop options showing

Here's someone who had the same issue http://community.norton.com/t5/Norton-Internet-Security-Norton/Infection-via-port-3389/td-p/28504


Calls wrote:
SoJ
and others, thanks
SoJ
followed that link and the instructions
My remote assistance box is already UNCHECKED
but I do not have any other Remote Desktop options showing

Yeah, this all sounds familiar - I'm sure we've been through this before and disabled Remote Assistance previously.

SoJ

so the fact that the remote assistance box is UNCHECKED, would that also mean that remote desktop is not able to work (unusable)?

just wondering why I do not have those other options? Is that also the same for other Vista users (not having those other options)?

sorry can't edit on my phone

but wanted to add that when I installed NIS2010 (and yes I will be switching this week), it was suggested that I not modify the firewall and close ports, etc

so really just wanting to know if having remote assistance unchecked means that I have blocked any connections from such. Or do you need to have both remote assistance and the other one set to not allowing connections? or does unchecked remote assistance do the same job?

Hi Calls,

The Home version of Vista does not include Remote Desktop - hence, the lack of options.  Remote Assistance provides access to your computer from outside, but can only be used when both parties agree to the connection.  Disabling this feature blocks you from requesting outside assistance from other computers.  Do not create any custom Firewall rules.  Since you do not have Remote Desktop installed, you are not vulnerable to the Morto worm.  According to F-Secure, Morto is the first worm to use RDP as an attack method and is accounting for a large amount of traffic on port 3389 - so it is possible that what you are seeing is some of that traffic.  But, again, you are not able to be attacked because you are not running the program that Morto uses to gain entry.  This is just a guess on my part as to what might be the cause of what you are seeing.  I could be wrong.  But, in any event, you are not getting alerts from Norton, so I presume whatever the traffic you are seeing belongs to, it is not adversely affecting your computer.

thanks SoJ

I have been racking my brain on this. It seems that this has all just started about a week ago.
We have not done any changes as far as installing programs, downloading from the internet, etc.
But it seems that the statistical submissions happen several times a day
This would be supported by the info you just told me about that virus you said.
What you said makes a lot of sense to me.
I have some additional thought on this, if you would review this?
You know how unused port blocking generates log entries, but that's for unused ports
Since 3389 is “listening”, could it be that when IP traffic is sent out to a large number of computers and mine is in that group, it “knocks” at my door causing Norton to detect it and generate that statistical submission?
but since it actually did not try to “enter” my PC, it did not generate a “block” message?

does that make sense?