Security History Question

Hi,

 

I just upgraded from NIS 2013 to NIS 2014 and noticed an entry in the Security History I haven't seen before:

 

Rule rejected TCP(6) traffic with (0.0.0.0 Port (0) )

 

In Advanced Details is the following:

 

Fire rule was matched:

 

Rule Name:  Default Block Microsoft Windows 2000 SMB

Rule Description:

Rule ID:

Rule Action:  Rejected

Rule Severity:  Normal

 

Traffic Details:

 

Protocol:  TCP(6)

Direction:  Inbound

Local Host:

 

 

This appears to be something new within NIS 2014.  Can you let me know what all of this is?

 

Thanks very much,

 

Cody

It's always scary when you look at the security history. Sometimes I just don't want to know how often I am being attacked.

Thank goodness for NIS.  I always feel very secure in knowing I am being protected.

 

history.PNG

What I'm asking for is a definition or explanation of what is going on with these messages in Security History.

 

Thanks! Cody

Hi Cody,

 

These are just communications that are blocked by default by the Norton Firewall, based on your computer's network settings (such as having file sharing turned off).  Norton oversees network traffic to maintain the maximum amount of security possible under a variety of circumstances.  Unnecessary communications are blocked, and these can vary depending upon your network setup.  A set of General Firewall rules govern what is allowed and what is blocked.  Your logs are reporting local events going on in your system - you were not under attack.  These are typical entries that you will find in the firewall logs on any PC running a Norton firewall.  You do not need to be concerned about them.

Hello,

 

This is good to know.  I had an incident yesterday with two messages in Security History:

 

You allowed Local Security Authority  Process to access your network resources

 

Program:  Local Security Authority  Process

Program Path:  C:\Windows\System32\lsass.exe

Default Action:  No action taken

Action Taken:  Allow

Local Computer:  ______________.org (left name of this organization off this message) (::0, 49146)

 

 

Before the above one, I got this one:

 

You configured firewall rules to manage how Local Security Authority Process accesses your network resources.

 

Action Taken:  User configured rules.

Local computer: ________________.org

 

You created firewall rule to manage your network resources.

 

 

I NEVER accessed this _________.org website.  I have a router with WPA2.  I believe that someone, maybe in my neighborhood broke into my computer.  This is why I've been looking into my security history a lot.

 

Appreciate any comments/suggestions.

 

Thanks,

 

Cody

 

 

Hi Cody,

 

That is sort of intriguing.  Is there a reason for not identifying the .org?  Does it mean anything to you?  This is, again, a local event, as all log entries will be since you are behind a router.  Therefore ___.org is something installed on your PC.  Does it show up in the Norton Firewall Program Control panel?  Could it be a component of something you recently installed?

Hello SendOfJive. Could I send you an email, rather than post here? I can say for sure that it means absolutely nothing to me, and it’s definitely not a component of anything I installed. Thanks, Cody

You could PM me (click my name and under "Contact" on the right side of my profile page there is a private message link).  I'm not sure it will mean anything to me either, though.

Hi Cody,

 

I have sent you a couple of PM replies.  I am not really sure what is going on with the configuration of a firewall rule for Lsass that involves _________.org.  It does seem very peculiar.  I think the safest thing for you to do would be to use the Firewall Reset feature.  This will erase any and all user (or mystery guest) created firewall rules and restore everything to the default settings.  Whatever weirdness was created with Lsass will be undone.  Of course if you have created any rules yourself, they will be erased as well and you will have to recreate them, so write 'em down first.

 

The Firewall Reset option is located in Norton Network Settings, - Smart Firewall, - Advanced Settings Configure[+], - Firewall Reset Reset[+]. 

Hello SendOfJive,

 

In your first message, I checked the Program Control panel and did find an entry for Lsass.  I clicked Modify and looked at the rule parameters.  This is what was there:

 

1)  Local Security Authority Process:  Allow, Direction:  Outbound; Computer:  Any; Communications:  Specific; Protocol:  TCP and UDP

 

2)  Local Security Authority Process:  Allow, Direction: Inbound; Computer:  Any; Communications:  Specific; Protocol:  TCP and UDP

 

In your second message, I reset the Firewall.

 

I don't know what the information would have been before I did a reinstall.  It may have told a different story.

 

I wasn't sure what you meant about entries in the Computers "Tab."  If you can tell me, I'll check and look for _____.org.

 

Thanks very much,

Cody

Hi Cody,

 

If everything has been reset, you won't find any references to ____.org, as all of that will have been erased by the reinstall and again by resetting the firewall.  At this point your firewall is properly configured and will be repopulating the Program Control list as various programs access the internet.  The only thing you need to do is perhaps check the logs periodically for any new signs of mysterious configuration changes.  You may also want to scan your PC with Malwarebytes' for good measure.  Just keep an eye on things.

Hello SendOfJive, Things look okay and will follow your suggestions. Thanks again for the help. Cody

Those connections are basic functions of Windows. Depending on your security settings, NIS blocks them or allows them. This happens on a Windows using the Windows firewall as well. This is a normal startup entry using the Windows 7 firewall with "Public network" settings:

 

"Description: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Reason:        The application is a system service

 

Application Path:    C:\windows\system32\lsass.exe"

 

It's just normal Windows activity.

REFERENCE:  Message Posted Yesterday (11/7/10)  Same Subject

 

To:  SendOfJive,

 

I've got another Security History entry from the same place, I think.

 

Monday, November 8, 2010, :44 am

 

You created firewall rules to manage how Local Security Authority Process accesses your network resources.

 

Program Name:  Local Security Authorization Process

Program Path:  Windows\System32\lsass.exe

Default Action:  No Action Required

Action Taken:  Allow

Local Computer:  00:, 49155

Traffic Description:  Inbound TCP, Port 49155

 

Monday, November 8, 2010 8:44 am

 

Program Name:  Local Security Authority Process

Program Path:  Windows\System32\lsass.exe

Default Action:  No Action Required

Action Taken:  Allow

Local Computer:  0.0.0.0., 49155

Traffic Description:  Inbound TCP, Port 49155

 

You allowed Local Security Authority Process to access your network resources.

 

If you notice, the _____________________.org is no longer showing up; just 0 etc and the Port, which instead of Port 49156 (see yesterday) is now 49155.  Not sure if it's the same bugger or not.

 

Cody

Hi Cody,

 

That looks more normal, although I am not an expert on these things.  I will continue to look into what might have caused the ________.org entry. 

Thanks very much, Cody

untitled.JPG

Check your Smart Firewall settings to see if there is an entry for "not used".  Settings - Network - Smart Firewall. Click on Configure beside Program Control.

 

If there is a setting for that, remove it, reboot your computer and see if it still happens.

No entry for “Not Used” in Smart Firewall settings.

Try running Autofix by clicking on Support - Get Support. This will check your installation and fix anything it finds.

 

If that does not help, you can reinstall NIS using the Norton Removal and Reinstall tool.

 

Download the tool from here.

Back up your Identity Safe data if you use that feature.

Run the NRnR tool. As the name says, this will uninstall your Norton product, and reinstall the same product you had.

Run LiveUpdate manually a few times, rebooting as necessary, until no updates are available.

Import your Identity Safe data.

 

Let us know what you find.