Duis mollis, est non commodo luctus, nisi erat porttitor ligula, eget lacinia odio sem nec elit. Sed posuere consectetur est at lobortis. Vestibulum id ligula porta felis euismod semper. Donec ullamcorper nulla non metus auctor fringilla. Aenean lacinia bibendum nulla sed consectetur. Cras justo odio, dapibus ac facilisis in, egestas eget quam. Cras mattis consectetur purus sit amet fermentum. Morbi leo risus, porta ac consectetur ac, vestibulum at eros. Sed posuere consectetur est at lobortis. Etiam porta sem malesuada magna mollis euismod. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Duis mollis, est non commodo luctus, nisi erat porttitor ligula, eget lacinia odio sem nec elit. Cras justo odio, dapibus ac facilisis in, egestas eget quam. Aenean eu leo quam. Pellentesque ornare sem lacinia quam venenatis vestibulum. Curabitur blandit tempus porttitor. Sed posuere consectetur est at lobortis.
That is a question that I have as well. I have my set to max blocking time, 48 hours. But what if the attacking computer persists longer than that?
Oh and I’m using NAV2008
The time on this value really doesn't need to be very long. The auto-block is to prevent denial-of-service attacks and continued attack investigation. The moment your machine is attacked after the attacker has been removed from the auto-block list, it will be detected and re-added to the auto-block list.
NY1986, are you seeing this problem as well or are you just curious? If you are seeing the problem I need to know what operating system you are using as well.
Reese I am using NAV2008 on a Vista home premium OS.
I may be dealing with a different issue
I have my autoblock set at 48hours (only because that is the max. If they had forever, I'd use that)
What I am seein in the activity log is as follows:
unused port blocking has blocked inbound TCP connection
remote address,local service is 221.130.51,6588
I might have like 2-3 instances of this, then
then another 2-3 instances of
unused port blocking has blocked inbound TCP connection
remote address,local service is 221.130.51,3121
same address, but I presume a different port number
so I guess my question- Is the 48 hour block a continuous 48 of the same "attack" from the same address? or if it stops after say a day and then starts another day (say 1 1/2 days later) does the 48 hour block clock restart?
reese_anschultz wrote:
Pls provide the version of the product and the operating system that you are using. I've not heard of this problem before but the code is different for those two factors and this will help to understand the problem better.
Surely this has to question the effectiveness of AutoBlock.
15.5.0.23; Windows X.P., Service Pack 03.
NY1986 wrote:Reese I am using NAV2008 on a Vista home premium OS.
I may be dealing with a different issue
I have my autoblock set at 48hours (only because that is the max. If they had forever, I'd use that)
What I am seein in the activity log is as follows:
unused port blocking has blocked inbound TCP connection
remote address,local service is 221.130.51,6588
I might have like 2-3 instances of this, then
then another 2-3 instances of
unused port blocking has blocked inbound TCP connection
remote address,local service is 221.130.51,3121
same address, but I presume a different port number
so I guess my question- Is the 48 hour block a continuous 48 of the same "attack" from the same address? or if it stops after say a day and then starts another day (say 1 1/2 days later) does the 48 hour block clock restart?
Message Edited by NY1986 on 09-04-2008 03:32 PM
Although this is an Attack on your computer, this is not the same as Intrusion Prevention because it is the Firewall which Blocks these Attacks, whereas I.P. has Signatures, like V.D.s that could target-Attack Software installed on your computer.
I'm not sure why this would question the effectiveness of AutoBlock. It is implemented differently on Windows XP than it is on Windows Vista, and, the product exposes this setting differently from version to version. Now that we have your information we can try to reproduce the problem.
A thought did occur to me though. The auto-block list and the associated timers don't persist across a reboot. Can you confirm that you didn't reboot during that time?
Thought I might be off the mark.Thanks Red
So my question of how long it will block, since its a firewall issue, the answer is forever as long as I don't change the firewall settings (within reason forever- nothing is forever) :)
Once auto-block is triggered for a remote address, the timer starts ticking and doesn’t stop ticking until either the time has expired or the system is rebooted.
reese_anschultz wrote:I'm not sure why his would question the effectiveness of AutoBlock. It is implemented differently on Windows XP than it is on Windows Vista, and, the product exposes this setting differently from version to version. Now that we have your information we can try to reproduce the problem.
A thought did occur to me though. The auto-block list and the associated timers don't persist across a reboot. Can you confirm that you didn't reboot during that time?
I did not re-boot.
NY1986 wrote:Thought I might be off the mark.Thanks Red
So my question of how long it will block, since its a firewall issue, the answer is forever as long as I don't change the firewall settings (within reason forever- nothing is forever) :)
The un-used Port-blocking will always block computer that attempt to access un-used ports; it only blocks it when the computer accesses an un-used port so you will always be safe.
However, if this happens every few seconds, chances are symantec will be aware of this and release symantec Trusted Application List: symantec Trusted Application List Update, which configures Firewall auto-configuration.
reese_anschultz wrote:
Once auto-block is triggered for a remote address, the timer starts ticking and doesn't stop ticking until either the time has expired or the system is rebooted.Message Edited by reese_anschultz on 09-04-2008 04:04 PM
So, even if a user has set it to Auto-Block for 48hours, even if the user re-starts, this will not be case [that the computer will get Blocked for that time because the user has re-booted]?
Red replied:
The un-used Port-blocking will always block computer that attempt to access un-used ports; it only blocks it when the computer accesses an un-used port so you will always be safe.
However, if this happens every few seconds, chances are symantec will be aware of this and release symantec Trusted Application List: symantec Trusted Application List Update, which configures Firewall auto-configuration.
But I want my firewall to block it. Most of the addresses are from China and other internet bad places like Russia
Red, are you saying that if the same IP address keeps banging away at the same port, my Norton will automatically consider this and allow the connection?? I would not want that.
Reese, might you please address this?
NY1986 wrote:Red replied:
The un-used Port-blocking will always block computer that attempt to access un-used ports; it only blocks it when the computer accesses an un-used port so you will always be safe.
However, if this happens every few seconds, chances are symantec will be aware of this and release symantec Trusted Application List: symantec Trusted Application List Update, which configures Firewall auto-configuration.
But I want my firewall to block it. Most of the addresses are from China and other internet bad places like Russia
Red, are you saying that if the same IP address keeps banging away at the same port, my Norton will automatically consider this and allow the connection?? I would not want that.
Reese, might you please address this?
That's not what I meant; Norton will always block un-used ports no matter where they come from. symantec seem to always be aware when Norton Products block a lot of un-used port blocking and, thus, will Release Updates to address this.
I have set AutoBlock to Block Attacking computers for 48hours, yet, when I.P.S. Block an Intrusion Attempt on Monday, September 01, 2008, about four hours after the I.A. had taken place, there was no computers listed in getting Blocked; why is that? Will the Attacking Computer still be getting Blocked or not?
Thanks Red. Sorry for my misunderstanding. I would hate to think that because something is banging at my door over and over again, that my Norton Product would change the firewall rules to allow it, when I don’t say so. I have noticed that sometimes there is an entry in Activity log that says (some number) of firewall rules created. I would hope this means that they created rules to block these not allow these.
Red forgive my ignorance and the huge helping of paranois, but can you explain what is mean by
symantec seem to always be aware when Norton Products block a lot of un-used port blocking and, thus, will Release Updates to address this
"Updates to address this" as in how? To block? To set rules for other comps?
Floating_Red wrote:
So, even if a user has set it to Auto-Block for 48hours, even if the user re-starts, this will not be case [that the computer will get Blocked for that time because the user has re-booted]?
I think that you've essentially restated my comment. When your machine is rebooted, the list is cleared, but, any future attacks will put it back into the auto-block list.
NY1986 wrote:Red forgive my ignorance and the huge helping of paranois, but can you explain what is mean by
symantec seem to always be aware when Norton Products block a lot of un-used port blocking and, thus, will Release Updates to address this
"Updates to address this" as in how? To block? To set rules for other comps?
They may combine that New Rule with one that already exists, or they may create a New Rule to Block this by "Default".
Obviously, computer Attacking un-used Ports is bad.