All: There is an announcement posted, although not a detailed one. My Norton contact says there will be a detailed addition to it soon. It appears this version once again was released without the left hand knowing what the right was doing. Poor communication internally from where I sit and seems to be something Norton should tackle at all costs. Version 24 now is a dead horse.
To clarify my initial screenshot. Indeed it is regarding “Program Control” not traffic rules. I see that as an improvement over the past release regarding scalability.
I wonder if v25 fixed the issues I was having with v24 taking forever, if at all, to open web pages in Edge. I also could not play Call of Duty BOPS6 because of all the extrapolation errors. Once I fell back to v22, all was well again.
In version 25 there is constant data being sent and received via UDP(17) protocol. Note: this is HARD CODED and cannot be changed in firewall rules. I believe that since that protocol is used for the sake of speed amongst other things, it is the root cause of some issues that were in version 24 as well. UDP(17) DOES NOT care for validation and will drop packets for the sake of data speed. In the case of this and the past release it’s time-sensitive data, aka telemetry collection. Norton is using a mixture of these ports: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Here is some additional information regarding ports commonly used with this protocol:
Hi @SoulAsylum. Are you saying that we should be seeing the following over and over and over? Please remember, when it comes to firewalls, I know nothing.
@majorbuzz We SHOULDN’T be seeing that, no. But!! The fact is that it’s “hard coded”. The only way we may be able to tame it is in “Program Control” somehow. I haven’t figured that one out yet due to things coming up keeping me from fiddling with it lol.
Edited: This is where I will have a look at editing as soon as I can get my laptop booted: The default rule
Thanks @SoulAsylum for getting back to me about this. Should you figure it out when you have some time on your hands, please tag me, so I’m sure to see your post. Good luck!
@majorbuzz Here are my testing results. NOTHING changes this in Program Control nor the network settings. I’ve gone through them all one at a time. The “common” local port in history when looked at is port 137, the IP is always different locally. UDP(17) will choose whatever port range it wants, because, its purpose isn’t not to drop packets but rather speed of action is the key to it. While UDP(17) may appear to be something that is a good thing to Norton, it’s actually leaving Norton itself NOT having any stealthed ports and is open worse than a piece of Swiss cheese in that respect. Port ranges used are all over the place. Anyone can view the security history and the UDP(17) entries, hover your mouse over one entry and look at the ports used. If you click on that same entry you are only shown the local port, which in most cases is port 137. This reporting should represent exactly the port range used in clear view when opened and does not do so. Feedback is a must.
While most of my UDP(17) Spam is port 137, I also see a few repeating entries on port 138 … not that it probably makes much difference.
I checked with a friend who also got updated to V25 and they are getting all the UDP messages in their history but didn’t even know, as I think many would never even check the security history. I’m thinking most users are not even noticing this oddity.
Anyone concerned about their ports being unstealthed can check with Gibson’s Shields Up (GRC | ShieldsUP! — Internet Vulnerability Profiling). I’ve used this for over 15 years. It’s a free service. It probes your firewall for port vulnerabilities. You can choose all service ports (the first 1055 ports) or custom port ranges. The problem is, according to SoulAsylum, N360 is using various ports, some of which may be above Port 1055. Gibson offers other probes as well, e.g. file sharing (networking) status, UPnP exposure etc.
@SoulAsylum Just a blind stab in the dark. I’m assuming that port 137 you referenced is the remote port and that N360 uses random local ports? I’m not using V25 so I can’t experiment but if you created a custom traffic rule and blocked all UDP traffic on remote port 137, would that stop these alerts? The problem with this approach is that it would block all UDP traffic and may render N360 dysfunctional. Which raises another question. Has it been confirmed that N360 is the source of this UDP(17) traffic?
If any member of this forum uses Wireshark (I don’t), apparently the app can identify the source that’s generating TCP and UDP traffic.
Edge? So THAT’S what causes it to take forever on FIRST run to load pages? FF and Chrome are not an issue so I could not figure out what was wrong with Edge.
I’m waiting for v25 to see if it fixes the overall sluggish behavior for CERTAIN apps when they are first started. There’s another thread in the MS forums about that. The system is just not responsive for the first 10-15 seconds for certain apps and the list seems to be slowly growing. First VLC, then SnagIt, now Chrome.
I’m still suspecting like others in the MS forum that it’s 24H2 related. But one person updated a different firewall and it fixed their issue.
@SoulAsylum I read over your post again and realized I have the remote-local ports reversed but the same suggestion. Would a custom traffic rule blocking all UDP traffic through local port 137 stop these alerts? Again, is the source of this traffic N360 and, if so, is this activity new with the introduction of V25 or had it always been there and we weren’t alerted until V25? Wondering if Norton could/would clarify.
To All: I posted information on using the Windows command prompt process netstat on another thread. You should be able to trace the process that’s generating the UDP traffic using netstat -aon. Here’s a link to a youtube tutorial with clear instructions including where the process information can be found in the netstat results and how to identify the process in task manager using the PID number (under the Details tab). https://www.youtube.com/watch?v=-0lKFK0C8yY&t=2s Don’t forget to run command prompt as the administrator.
Below is the result I got on one of my computers. Note I’m using V22. All the UDP associated PIDs (last column) were either svchost or Firefox. According to task manager, Norton PIDs are 3648 and 4688 so no UDP traffic was associated with Norton, but traffic is dynamic and these results are just a snapshot in time.
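The PID lookup described in the post above can be scripted. This is an added example, not part of the original post: it parses saved `netstat -aon` and `tasklist /fo csv /nh` output and groups UDP local ports by owning process. The sample text, PIDs, addresses and function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -aon` output (not taken from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1100
  TCP    192.168.1.20:50312     203.0.113.7:443        ESTABLISHED     7120
  UDP    0.0.0.0:5353           *:*                                    7120
  UDP    192.168.1.20:137       *:*                                    4
  UDP    192.168.1.20:138       *:*                                    4
  UDP    [::]:5355              *:*                                    1892
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''\
"System","4","Services","0","144 K"
"svchost.exe","1100","Services","0","9,812 K"
"svchost.exe","1892","Services","0","7,204 K"
"firefox.exe","7120","Console","1","312,440 K"
'''

def parse_udp_endpoints(netstat_text):
    """Yield (local_address, local_port, pid) for each UDP row."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # UDP rows have no State column: Proto, Local, Foreign, PID.
        if len(fields) != 4 or fields[0] != "UDP":
            continue
        address, _, port = fields[1].rpartition(":")  # keeps [::] intact
        yield address, int(port), int(fields[3])

def parse_tasklist(tasklist_text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    rows = csv.reader(io.StringIO(tasklist_text))
    return {int(row[1]): row[0] for row in rows if row}

def udp_ports_by_process(netstat_text, tasklist_text):
    """Group UDP local ports under the image name of the owning PID."""
    names = parse_tasklist(tasklist_text)
    owners = defaultdict(set)
    for _addr, port, pid in parse_udp_endpoints(netstat_text):
        owners[f"{names.get(pid, 'unknown')} (PID {pid})"].add(port)
    return {owner: sorted(ports) for owner, ports in owners.items()}

if __name__ == "__main__":
    result = udp_ports_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for owner, ports in result.items():
        print(f"{owner}: UDP {ports}")
```

To use it on a real machine, save the two command outputs from an elevated prompt and pass their text to `udp_ports_by_process`; as the post notes, the result is only a snapshot in time.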
I’m starting to lean more in that direction. This may all be normal operation, but V25 added the UDP notifications as ‘info only’ logged to the security history,
If you look closely at the traffic rules there are 4 rules for Windows networking. In Private network profile they both say “allow” for both in and out. In Public network profile the in says “block” and the out says “allow”. The in also cannot be configured on/off as of course any rules cannot be edited.
There is some sort of software code which is producing this info security alert. Maybe it is intentional or maybe just a bug.
The solution or maybe what I might call a workaround is to change your network from private to public. If you do all the info alerts for “allow” will disappear.
Of course you will receive the alerts for Ping “block”.
I have sent feedback to Norton thru the 360 app and I encourage others to do also.
I created a new rule in the firewall last evening. Note: I’m not presently on that laptop to post the screenshots. The rule didn’t stop the UDP(17) spamming history even with block invoked. Both my active network and just below it “last network detected” are set to private. Norton changes the lower one back to public on its own which is BS in itself.
Something else that appeared on the first restart of the laptop, just after installing Windows 11 24H2. I will post the screenshot later about it. It’s related to “Co-Pilot” stating an internet connection is needed to perform whatever task it’s trying to do, there is an active internet connection via WiFi at the time and it’s always just after post and logging on the OS. If I unhide the CP icon, right mouse click it and tell it to quit CP, and click cancel the internet icon then shows active. Not until. I’m investigating that further.