I just upgraded my NIS and when I was looking at the logs I noticed this:
Rule rejected TCP(6) traffic
Firewall rule was matched: Rule Name: Default Bock EPMAP Rule Action: rejected Rule Severity: normal
Traffic Details:
Protocol: TCP(6) Direction:Inbound Local: Host Local IP: Local Service: Port (port #)
I assume that the new version of NIS just uses different wording, but the use of the word "rejected" is throwing me a bit. Does this mean the traffic was rejected or that the rule was rejected? Rule Action: rejected almost makes it sound like it's the rule that's being rejected, but that doesn't make sense.
Also, does anyone know if the new version logs more? Just since the upgrade, I have many more exe files (as far as I can tell, all legitimate) showing up in my firewall activities.
Thanks F4E! I know you’ve got things locked up tight so going to assume the “rejected” refers to the traffic and not the rule.
When you upgrade, do you know if there would be a significant change in the firewall rules? I’ve just got it set to smart firewall and am wondering if I’m seeing an increase in exe files accessing the internet because Norton wasn’t logging them before and now is or because the firewall is letting things access the internet that it previously blocked.
roane, I would expect that every time Norton does an upgrade that the level of protection is increased, and that by setting your Firewall Settings to the Smart Firewall, you are in effect letting Norton do the heavy lifting. Being a two way firewall, it will monitor both inwards and outwards traffic, and you will only get an alert, if Norton detects something suspicious.
FWIW, I have always had the Firewall set to Automatic, and have never had a problem. I prefer to let Norton monitor my traffic. After all, that's what we're paying for !....
Totally agree with letting Norton do the heavy lifting/letting it monitor my traffic :)
It just seemed odd that all of these things are suddenly showing up in the Firewall activities (runonce.exe, RunBroker.exe, SearchProtocolHost.exe, etc--there are actually quite a few, at least ten, I think, that are showing up every time I turn on the computer) as accessing the internet. The fact that these only started showing up in the logs after the upgrade seems strange.
roane, RunBroker and SearchProtocol are Windows files that sometimes need internet access, as is runonce which is normally associated with a download, and only therefore needs to run once. This is normal, and as previously mentioned, Norton may be listing files differently, and this is what you are seeing.
Try not to fret over the way Norton is working, and enjoy the protection it's giving you. Even the default settings will give you protection. Feel free to go through them and adjust them to your liking. There is plenty in the Help Files to guide you.
Thanks F4E (I’m starting to feel like I should send you and Apostolos each a box of chocolates). I think I just freaked out because there are so many and they are running so often (runonce every time I turn on the computer, SearchProtocol and some of the others every hour). It was a bit unnerving to see them all.
You’re right. I do need to stop fretting so much and overthinking. I mean, I’m running Norton, keeping it updated, scanning every couple of days and running periodic scans with Malwarebytes. I don’t think there’s much else that I can do.
Absolutely. Run Norton as your one and only real time protection. I also run MalwareBytes Free and SuperantiSpyware Free, as on demand passive scanners. Always nice to have a second opinion, that your system is malware free !....
If Norton spots something that should not be happening, it will block it and notify you. You don't have to go looking in the logs for things on your own.
Thanks SendOfJive. Logically, I know you’re right (I mean, if Norton relied a: on people knowing where the history was and b: combing through the logs) it wouldn’t be at all effective. It’s just sometimes I see things and logic goes out the window (today I sent a text to a friend because SndVol.exe was accessing the internet when I turned down the volume on the computer and his response was a very sensible “The nice people on the forum told you not to worry. Stop it.”)
I’m going to try and cut myself off from looking at the logs so much. I probably won’t be able to totally quit cold turkey, but I’m going to cut it down.
We've all been there. I remember once, as a young SendOfJive, new to computers, naively thinking it would be helpful to set the firewall to notify me whenever it blocked something inbound. To my horror, it started alerting several times per minute. After a few moments of panic, I realized that what I was seeing had been going on all along in the background and was simply the constant random bombardment of internet port scans that firewalls are there specifically to block. The only thing that had changed was that I was now being alerted about each instance. I immediately turned off the alert feature - there was no need to trouble myself over every action the firewall was taking in its normal course of business.
I'd suggest that this is a defect, similar to the one that I raised here:
What you should be seeing is a more user-friendly message like 'Rule "Default Block EPMAP" blocked communication' rather than a technical rule description. Given that, keep an eye out for a wording change for this issue in a future Norton Product Update.