Why does Norton 360 fail the LeakTest?

I am surprised that Norton 360 fails LeakTest.

Does anyone know about this security issue?

Thanks in advance for any suggestions.

LeakTest
Personal firewall leakage tester
When LeakTest was released, most personal firewalls were easily fooled. Any malicious program could give itself the same name as a trusted program to gain access to the Internet. LeakTest demonstrates and tests for this simple application "masquerading" vulnerability.

https://www.grc.com/freepopular.htm

Hi oem7110,

This is not a security issue.  Leak tests are not malicious.  The Norton Smart Firewall allows known safe programs to have network access, and the GRC Leak Test is a known safe program.  In other words, although the test is allowed because it poses no risk, actual malware using the same techniques demonstrated in the test would be blocked.  Norton recognizes programs by using unique identifiers other than their names, so malware cannot masquerade as a legitimate application by simply using the name of a trusted program.

You cannot accurately run a leak test while the firewall is in Automatic Program Control mode.  Instead, you will have to disable APC and turn on Advanced Events Monitoring.  When you do this, you will get firewall alerts when running leak tests because the firewall will be monitoring the traffic behavior without regard to whether the program involved is trusted or not.


SendOfJive wrote:

Hi oem7110,

This is not a security issue.  Leak tests are not malicious.  The Norton Smart Firewall allows known safe programs to have network access, and the GRC Leak Test is a known safe program.  In other words, although the test is allowed because it poses no risk, actual malware using the same techniques demonstrated in the test would be blocked.  Norton recognizes programs by using unique identifiers other than their names, so malware cannot masquerade as a legitimate application by simply using the name of a trusted program.

You cannot accurately run a leak test while the firewall is in Automatic Program Control mode.  Instead, you will have to disable APC and turn on Advanced Events Monitoring.  When you do this, you will get firewall alerts when running leak tests because the firewall will be monitoring the traffic behavior without regard to whether the program involved is trusted or not.


Should Automatic Program Control mode be turned off by default for Norton 360?

Could you please tell me more about how safe programs are defined within the Norton Smart Firewall?  GRC Leak Test is an unknown program to me; by default, it should ask the user first when any program tries to access the internet, and then let the user make the decision.  However, Norton recognizes programs by using unique identifiers other than their names; could you please tell me more about what unique identifiers are defined?  Can malware be programmed to use the unique identifiers of trusted programs to access the internet?  If so, it would be a potential security loophole for Norton 360.

Do you have any suggestions?

Thank you very much for your suggestions.

Automatic Program Control is turned on by default, and should be left on, unless you are an advanced user with knowledge of firewalls, network traffic and how to tell a legitimate program access request from a malicious one.  Norton uses a hashing scheme to prevent one program from being able to impersonate another.  GRC Leak Test is known by Norton to be safe, and when Automatic Program Control is enabled, rules for it will be created automatically.  Because you have run Leak Test, it is probably listed now in the Program Control panel in your Firewall settings.  Again, Norton blocks malicious programs from using the tricks demonstrated in leak tests, but does not block known-safe leak test programs, because they are not a threat.
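The mechanism SendOfJive describes above (trust keyed to a hash of the program rather than to its name, and the difference between Automatic Program Control, which applies rules for known-safe programs silently, and Advanced Events Monitoring, which alerts on every request), together with the name-masquerading weakness that the GRC LeakTest description at the top of the thread says the test probes, as an added illustration in Python. This is not Norton's code or GRC's code: the class and function names, the three mode behaviours and the sample "executables" are all constructed for this example.

```python
# Added example, not code from the forum thread or from Norton/Symantec or GRC.
# A name-keyed allow-list is fooled by any file that borrows a trusted name
# (the LeakTest masquerade); a hash-keyed allow-list binds trust to the bytes
# of the program instead. The "binaries" are constructed byte strings and all
# names are hypothetical.
import hashlib
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"   # defer to the user, as a firewall alert would


def fingerprint(contents: bytes) -> str:
    """Content-derived identifier: SHA-256 of the executable's bytes."""
    return hashlib.sha256(contents).hexdigest()


class NameKeyedControl:
    """Weak model: trust is attached to the file name alone."""

    def __init__(self, trusted_names):
        self.trusted_names = set(trusted_names)

    def decide(self, name: str, contents: bytes) -> Decision:
        # The contents are never consulted, so a renamed file passes.
        return Decision.ALLOW if name in self.trusted_names else Decision.ASK


class HashKeyedControl:
    """Stronger model: trust is attached to the hash of the contents.

    automatic=True  ~ rules for known-safe hashes are applied silently
                      (the thread's "Automatic Program Control" behaviour);
    automatic=False ~ every request is surfaced to the user regardless of
                      reputation (a monitoring mode), unless the hash is
                      known-bad, which is still blocked outright.
    """

    def __init__(self, trusted_blobs, blocked_blobs=(), automatic=True):
        self.trusted = {fingerprint(b) for b in trusted_blobs}
        self.blocked = {fingerprint(b) for b in blocked_blobs}
        self.automatic = automatic

    def decide(self, name: str, contents: bytes) -> Decision:
        digest = fingerprint(contents)
        if digest in self.blocked:
            return Decision.BLOCK
        if not self.automatic:
            return Decision.ASK          # monitoring mode: always alert
        if digest in self.trusted:
            return Decision.ALLOW        # the file name plays no part here
        return Decision.ASK              # unknown program: prompt the user


# Constructed sample executables (not real binaries).
TRUSTED_BROWSER = b"MZ\x90\x00 constructed trusted browser build 1"
UNKNOWN_TOOL = b"MZ\x90\x00 constructed unrelated program"
KNOWN_BAD = b"MZ\x90\x00 constructed known-bad sample"


def masquerade_outcomes():
    """Run three files through each model, every one claiming the trusted name."""
    by_name = NameKeyedControl(["browser.exe"])
    by_hash = HashKeyedControl([TRUSTED_BROWSER], [KNOWN_BAD])
    monitor = HashKeyedControl([TRUSTED_BROWSER], [KNOWN_BAD], automatic=False)
    cases = {
        "genuine": TRUSTED_BROWSER,
        "unknown_renamed": UNKNOWN_TOOL,
        "known_bad_renamed": KNOWN_BAD,
    }
    return {
        label: {
            "name_keyed": by_name.decide("browser.exe", blob).value,
            "hash_keyed": by_hash.decide("browser.exe", blob).value,
            "monitoring": monitor.decide("browser.exe", blob).value,
        }
        for label, blob in cases.items()
    }


if __name__ == "__main__":
    for label, result in masquerade_outcomes().items():
        print(f"{label:18} {result}")
```

Running it shows the name-keyed model allowing all three files because each calls itself browser.exe, the hash-keyed model allowing only the genuine build, asking about the unknown one and blocking the known-bad one, and the monitoring mode asking about everything that is not known-bad, which is the flood of alerts the thread warns about. One practical caveat of a hash-keyed list: it binds trust to exact bytes, so every legitimate update of a trusted program produces a new hash that must be re-evaluated before it is allowed silently again.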


GRC Leak Test is known by Norton to be safe, and when Automatic Program Control is enabled, rules for it will be created automatically.

Does Norton have a database of programs known to be safe?  If yes, I would like to know where it is.

Could you please tell me more about how Norton manages this database?

How does Norton determine whether the program GRC Leak Test is safe or unsafe?

  • Is GRC Leak Test simply not among the known and untrusted programs on Norton's blacklist, where only known and untrusted programs are manually added by Norton and will be blocked?
  • Is GRC Leak Test among the known and trusted programs on Norton's safe list, where trusted programs must be manually added by Norton and will not be blocked?

Do you have any suggestions?

Thank you very much for your suggestions.

Norton analyzes thousands of files and programs.  Programs like GRC Leak Test, that are found to be completely safe are trusted.  Data can be stored on servers or locally.  I really don't fully understand the point of your questions - the whole basis of any security software is the ability to tell a good program from a bad one.


--------------------------------------------------------------------------------

Norton analyzes thousands of files and programs  ... Data can be stored on servers or locally ... the whole basis of any security software is the ability to tell a good program from a bad one.


--------------------------------------------------------------------------------

For Norton to tell a good program from a bad one, it must be based on a list of criteria within a database.

Could you please tell me more about what kind of database it is?
Will it be a database of specific actions to block?
Will it be a database of good programs (safe lists)?
Will it be a database of bad programs (blacklists)?

Do you have any suggestions?

Thank you very much for your suggestions.


oem7110 wrote:

For Norton to tell a good program from a bad one, it must be based on a list of criteria within a database.


It is based on testing to determine if a program is safe or malicious.  If a program is not malicious, it will be trusted and will be allowed to access the internet.


SendOfJive wrote:

It is based on testing to determine if a program is safe or malicious.  If a program is not malicious, it will be trusted and will be allowed to access the internet.


When you mention testing to determine whether a program is safe or malicious, are the testing criteria based on a list of specific actions?

If an unknown program does not perform any action on a given list, then by default Norton assumes that the program is safe and will allow it to access the internet; is that correct?

Do you have any suggestions?

Thank you very much for your suggestions.

As I said previously, the basis of any security program is the ability to tell a good program from a bad program.  Symantec examines hundreds, if not thousands, of new malicious files everyday, so I imagine they have a fair idea of what sorts of actions constitute a threat.  There really is no point in going into a list of malicious behaviors here, since there is no shortage of information on the subject, should you wish to do a little online research on your own.  The short answer though is yes, the Norton Firewall knows which programs can be trusted, nothing is "assumed."


SendOfJive wrote:

... the basis of any security program is the ability to tell a good program from a bad program.   ... so I imagine they have a fair idea of what sorts of actions constitute a threat.  ... the [ONLY] Norton Firewall knows which programs can be trusted ...



Based on your description, I will turn off Automatic Program Control at all times.

Thank you very much for your suggestions.


SendOfJive wrote:

As I said previously, the basis of any security program is the ability to tell a good program from a bad program.  Symantec examines hundreds, if not thousands, of new malicious files everyday, so I imagine they have a fair idea of what sorts of actions constitute a threat.  There really is no point in going into a list of malicious behaviors here, since there is no shortage of information on the subject, should you wish to do a little online research on your own.  The short answer though is yes, the Norton Firewall knows which programs can be trusted, nothing is "assumed."


I can give one example to prove that Norton is not a good security program at telling a good program from a bad one.

When I install a downloaded program that contains Spigot extension applications, Norton cannot detect it at all, and the default browser is changed.  It could change anything within my computer, and Norton still keeps silent.

Please convince me that Norton 360 has the ability to tell a good program from a bad program.

Thank you very much for any suggestions.

Spigot, Inc. is a software company offering free extension applications for the Mozilla Firefox browser called iObit Toolbar and Widgi Toolbar Platform. The extensions are considered malicious because they manipulate the browser to use Yahoo search even if the user manually changes the search engine to Google or Bing. Apart from that, the Toolbar also provides dubious applications such as system scan and security scan options which serve the benefit of iObit. Amazon and eBay search are also included in the Toolbar.

http://howtodosteps.blogspot.hk/2011/06/what-is-spigot-inc-searchsettingexe.html

oem,

Re your question about the trustworthiness of GRC -- naturally individual software needs checking, but so far as reputation is concerned, Steve Gibson of GRC has been around about as long as Peter Norton!


oem7110 wrote:

Spigot, Inc. is a software company offering free extension applications for the Mozilla Firefox browser called iObit Toolbar and Widgi Toolbar Platform. The extensions are considered malicious because they manipulate the browser to use Yahoo search even if the user manually changes the search engine to Google or Bing. Apart from that, the Toolbar also provides dubious applications such as system scan and security scan options which serve the benefit of iObit. Amazon and eBay search are also included in the Toolbar.

http://howtodosteps.blogspot.hk/2011/06/what-is-spigot-inc-searchsettingexe.html


Most users consider that kind of software to be annoying, myself included, but it is usually downloaded as an 'added feature' with a legitimate software download. The user has to be diligent in reading the download instructions and check or uncheck, as the case may be, the option to download the added extras. As such, and because some users do actually want the added features (or think they do), these downloads come under the heading of Potentially Unwanted Programs, PUPs.

It has often been debated on this and other forums how the security software companies should handle this type of infection. The line from Norton and some others is that it does not actually do damage to a user's system, and some users actually want it, so their products do not look for that type of download.

What I and others here suggest is a secondary scan with an on-demand program such as the free version of Malwarebytes or SuperAntiMalware to catch and remove this kind of malware.

In the end, we all have to remember that no one security program can catch 100% of malware 100% of the time. The best defense is a user's due diligence in their use of the internet.

oem7110 wrote:
I can give one example to prove that Norton is not a good security program at telling a good program from a bad one.
When I install a downloaded program that contains Spigot extension applications, Norton cannot detect it at all, and the default browser is changed.  It could change anything within my computer, and Norton still keeps silent.

I had a feeling this is where the conversation was going.  The program you describe is more properly referred to as a PUP, a Potentially Unwanted Program, rather than malware.  Norton does not alert to PUPs, and the reasons for that have been discussed extensively elsewhere on the Norton Forums.

If you are willing to put up with the numerous Firewall alerts and are knowledgeable enough to differentiate between suspicious internet traffic and legitimate internet traffic, and understand what all of the technical jargon in the firewall alerts means, then you will be at home with Advanced Events Monitoring, despite its inconveniences.  I would argue that you won't be any safer doing it that way, but if you are more comfortable relying on your own expertise, that is certainly an option.