"You allowed xxxxxxx to access your network resources" Norton IS 2011 Firewall log Message?

Win XP Pro SP3, Norton IS 2001 - ver. .250

About a week ago I downloaded the portable ver. of Hitman Pro 3.5 to my USB thumb drive. I ran the program at that time. I might have received firewall alerts at that time. I don’t remember. I do know that if any Norton program firewall rules were created for Hitman Pro, I deleted them. Today I ran Hitman Pro again from the thumb drive and was shocked to see it connect to the Internet to perform its cloud scanning. I received no popup alerts from Norton’s firewall. I subsequently verified that Norton had not created any program firewall rules for Hitman Pro. All that existed as evidence Hitman Pro had run was a message in the firewall log “You allowed Hitman Pro 3.5 to access your network resources.” I most certainly did not! Firewall is not set in the “silent” mode. I never encountered this type of activity to date with Norton IS 2011 with any other program that I executed. If it accessed the Internet, it always created an outbound program firewall rule. I find this event very disturbing. What will prevent malware from performing the same behavior? Attached is a screen print of the firewall log showing the above message.

Sorry, forum won’t add the screen print so you will have to take my word for it.

Hi donziehm,

 

The best way to control any program's access to the internet is to leave the Smart Firewall configured to Automatic Program Control.  When a known safe program first requests access, Norton will allow it and will create an entry in the Program Control list showing that program's access permission as "Auto."  If you want to block that program from getting online, simply go into the Program Control list and change "Auto" to "Block."  At that point you are done and the program in question will never again know the joys of freedom on the internet.  You do not have to create special rules - just tell Norton to block the program.

 

Since you have already made a lot of modifications to your firewall, I would suggest that you might want to use the Firewall Reset feature, found in the Smart Firewall Advanced Settings configuration screen.  This will remove all user created rules and changes and will reset the Firewall settings back to their defaults.  Then follow the advice above to control permissions for each program as each is added to the list.  At this point, I think this would be simpler than trying to retrace your steps over such things as what mode the firewall was in, and what rules were created and deleted for particular programs, such as Hitman Pro.  You can then re-add whatever rules you think are still necessary to the General Rules, although the default set is usually considered optimal.

Firewall has always run in “Smart” mode! From what I can tell it doesn’t appear to be too intelligent …

 


donziehm wrote:
Firewall has always run in "Smart" mode! From what I can tell it doesn't appear to be too intelligent ..........

Hitman Pro would then be listed in Program Control.  Change its access to "Blocked."

 

Sorry, donziehm, but I cannot confirm the Firewall actions you have reported.  I just downloaded Hitman Pro to a USB stick, turned the Firewall to "Automatic Program Control -> OFF", inserted the USB stick and then ran Hitman Pro.  The firewall alert popped up and asked for "Allow this time (default)"; I chose this and let the program run (scan the system).  After the scan was finished, I exited Hitman Pro and removed the USB stick from the system.  I then opened the NIS2011 Firewall settings and removed the rule(s) / entry for Hitman Pro in the Program Control listing.

 

No matter how many times I repeated this procedure, Norton's Smart Firewall always asked the next time Hitman Pro was run (the program wanted DNS and HTTP access).  The program was never allowed to "just run through the network" without my consent.

 

The only time I have ever seen the issue you are having is when the installation of NIS2011 has been corrupted, either by malware or conflicting software during the installation.

What OS did you run Hitman Pro 3.5 on? WIN XP Pro SP3 fully patched? What ver. of .Net do you have installed, etc., etc.? Unless your machine is an exact mirror image of mine, it is highly unlikely we would have the same test results ...............

 

I would not rule out my IS 2011 is corrupted. But to quote Symantec tech support "if the green arrow shows on the Symantec IS lower toolbar, you're fully protected and Symantec is 100% functional." Give me a break! At least, the corp. ver. - Symantec Endpoint 11 and 12 have diagnostic tools to check software status plus a Windows repair feature via add/remove programs. What is this uninstall, clean, and re-install baloney anyway? Sounds like software not ready for prime time in my book!

 

Anyway, I am not going to uninstall and reinstall IS 2011 unless I absolutely have to. When I uninstall IS 2011, it will be permanently and I will return to Comodo's firewall which is the best software firewall for Windows XP in my opinion. At least Comodo's firewall works properly, is easy to create program rules, and has one of the best firewall logs available. Whether I stick with Norton for IPS, anti-spy, anti-phishing, and AV depends on how those perform before my subscription expires.

 

In the meantime, I run IS 2011 firewall with Automatic Program Control off. Oh, all those scare statements about getting bombarded with firewall alerts. I received one IE8 alert and that was it. Does help to have most of your firewall rules in place before turning on Automatic Program Control.

I just turned off Automatic Program Control since I don't trust this firewall. This is just one instance of many where the firewall has failed in my book. If it keeps up, I will turn the firewall off and go back to using Comodo's firewall that I trust, is easier to create program rules for, and has better logging capability, etc. etc.

 

I ran the tests on XP Pro SP3, fully updated with latest .NET and Win7 32bit (fully updated).  Just for my own info, did you have SEP 10 / 11 on this machine before NIS2011?

 

As to Comodo, can't blame you there; it is a very fine Firewall.  The latest version has added IPv6 filtering (not just Teredo) but they still don't have all the necessary templates in place for the user to utilize it.

Yes, I did have SEP 11.5 installed at one time on this PC. Only the A/V was installed minus the firewall. However when I installed NIS 2011, I did an HDD C: partition image restore using Paragon’s Disk Manager Pro ver. 9.0 back to a time when I had loaded WIN XP SP3 but no A/V had been installed. I assume that would have removed any traces of SEP. Note that I have another partition on this drive that contains my Paragon images and of course that partition has never been restored.

In the meantime, I run IS 2011 firewall with Automatic Program Control off. Oh, all those scare statements about getting bombarded with firewall alerts.

 

_________________________________________________________________________________

 

You might need to purge the firewall rules that are already in place and then turn on advanced events monitoring to see what is happening.

 

If you end up going back to auto, the rules made will remain.

I must say, things seem to be running better now with Automatic Program Control set to off. I saw a couple of blocks directed to Norton processes I never saw before. Also some alerts I saw in the logs that bothered me such as ctfmon.exe trying to terminate ccSvcHst.exe have disappeared. What I don’t like is how Norton lists every WIN XP process in the world in the Program Control area of Automatic Program Control. Makes it extremely difficult to view non-OS applications which is what you want to concentrate on. Really don’t know why 50+ OS .exe’s and .dll’s are listed. Obviously not all those processes access the Internet. Hell I used to think monitoring the WIN XP firewall logs were bad …

 


donziehm wrote:
What I don't like is how Norton lists every WIN XP process in the world in the Program Control area of Automatic Program Control. Makes it extremely difficult to view non-OS applications which is what you want to concentrate on. Really don't know why 50+ OS .exe's and .dll's are listed. Obviously not all those processes access the Internet. Hell I used to think monitoring the WIN XP firewall logs were bad ..........

Hi donziehm,

 

You are seeing a lot of unusual things in your firewall because you are doing a lot of hands-on things that are necessary with older style firewalls, but which just tend to complicate the picture when using a smart firewall. 

 

If we were discussing automobile transmissions, Norton would be an automatic that works best if left in "Drive."  You can manually shift the gears yourself but that is not really how this type of transmission is designed to be used, and it is never going to feel like a stick shift.  You are more familiar and comfortable with a manual transmission.  It doesn't mean the automatic is any less capable, only that you prefer to actually drive, where others are content to let the car pick the correct gear.  Smart Firewalls just may not be your cup of tea.

 

(I cannot resist a good mixed metaphor!)  :smileyhappy:

Looks like we have a problem here. I reset firewall back to its default settings using the Norton IS option for that. Did not change anything. I then rebooted to let things initialize. Plugged in my USB drive and ran Hitman Pro 3.5 one-time scan. Exact same behavior happened as previously. Not one alert from the firewall. Norton firewall log shows the exact same message “You allowed Hitman Pro 3.5 to access your network resources.”

When you reset the firewall, did you leave "Automatic Program Control" enabled after the reset?  Just asking as that is the default.

 

Norton remembers that you allowed this same program previously, so the next time Norton encounters the file, it will revert to your last action.

 

This post may help in explaining also:

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Custom-Program-Rules-A-Couple-More-Questions/m-p/101836/highlight/true#M53446

Yes, Automatic Program Control is set to “On” and Advanced Events Monitoring is “grayed out” or set to “Off”. “Norton remembers that you allowed this same program previously, so the next time Norton encounters the file, it will revert to your last action.” I would buy what you say here except I have not seen this behavior with any other software I have executed on this PC. If I remove a Norton generated program rule, the rule will be recreated the next time the software is run and an entry of such activity is recorded in the firewall log. Remember what the issue is here. First, the execution of Hitman Pro 3.5 never resulted in a Norton firewall program rule being created. Second, Norton firewall allowed the software to access network resources unconditionally. No firewall program rules were ever created for Hitman Pro period. The only references I could find in the Norton forum pertaining to “You allowed xxxxxxx to access your network resources” message pertain to new network connections being created and allowed by Norton. The creator is usually a new wireless network connection being detected and allowed. I am on a wired ethernet connection with a Netopia 3347 router. Wireless on this router is disabled. No application software should be able to unconditionally access network resources period. I reviewed your previous posting about your testing of this issue. However, you tested with Automatic Program Control set to “off.” That is not the issue. The issue is Norton IS 2011 allowing software to unconditionally access the Internet with Automatic Program Control set “on.” I have to say at this point I believe Norton’s firewall outbound process has a vulnerability.

 


donziehm wrote:
The issue is Norton IS 2011 allowing software to unconditionally access the Internet with Automatic Program Control set "on." I have to say at this point I believe Norton's firewall outbound process has a vulnerability.

 

Hi donziehm,

 

Norton does not grant any programs unconditional access.  All traffic is monitored.  Known good programs on your PC that request network access in ways that do not indicate anything malicious will be allowed.  Norton will block anything that appears suspicious, taking into account the program making the request and the nature of the traffic (and a lot of other things).  Hitman Pro should be listed in the Program Control panel, as rules will definitely be created the first time it asks for access. 

Please refer to my earlier posts. I have said repeatedly here that the issue is NO PROGRAM RULES WERE CREATED FOR HITMAN PRO 3.5 - period when running with Automatic Program Control set on. I would not be writing this as a problem if they were created. Nor should any software application program be unconditionally granted access to network resources.

I did some more testing. First, I turned off automatic program control. I then removed the firewall rules for a program that has been previously allowed when automatic program control was set on. I then executed this program and received the expected popup to select allow/block/etc. I allow it. I check the firewall log and see the entry “You allowed xxxxxxx to access your network resources.” So this message format “allow or disallow” is what is displayed WHEN YOU MANUALLY SELECT PROGRAM PERMISSION. This is important to remember. Next, I execute the Hitman Pro 3.5 program from the USB drive. This time I received the popup to allow/disallow/etc. Note that the details are for outbound UDP port 53 - DNS request. I allow it one time. Then the program executes till the end. No additional popup for any TCP outbound activity. Nada, zip, nothing. I check the firewall log. All that is recorded there is the detail from the UDP port 53 popup message mentioned previously and the “You allowed Hitman Pro 3.5 to access your network resources.” Again no log entry of any type of TCP connection initiated by Hitman Pro. So what happened to the TCP connection? It obviously occurred or did it? Perhaps Hitman Pro is using a protocol unrecognized by NIS 2011? So there is no way to record what IP address Hitman Pro connected to for verification. Bottom line - even under manual control this firewall has problems.

Confirmed in both situations and this is a wording issue. 

 

Help file text from the Firewall popup:

 

[Image: PopUp Help.png]

 

If you "Allow this Instance" (the default selection on the popup), this creates a temporary rule to allow all communications of this program.  If you select "Manually create a firewall rule" then this will make a new rule for JUST the current communication request (TCP / UDP, port, type of protocol, etc.).  If you select the "Manually create ...." for each connection Hitman Pro requests, you will find the Smart Firewall works as you expect (it will make three rules and each is logged in the History log as such).
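
The difference between the two popup choices described in the reply above, as an added example that is not part of the original thread and is not Norton's code: a simplified model in which "Allow this Instance" installs a temporary program-wide rule, while "Manually create a firewall rule" installs a rule for one protocol and port. The connection sequence, the class and function names, and the wording of the per-rule log line are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Conn:
    program: str
    proto: str
    port: int

@dataclass(frozen=True)
class Rule:
    program: str
    proto: Optional[str] = None  # None means any protocol
    port: Optional[int] = None   # None means any port

    def matches(self, c: Conn) -> bool:
        return (self.program == c.program
                and self.proto in (None, c.proto)
                and self.port in (None, c.port))

def run(conns, choice):
    """Replay outbound requests; return (prompts, log) for one popup choice."""
    rules, prompts, log = [], [], []
    for c in conns:
        if any(r.matches(c) for r in rules):
            continue  # covered by an existing rule: no popup, no new log line
        prompts.append(c)  # only an uncovered request raises a popup
        if choice == "allow_instance":
            rules.append(Rule(c.program))  # temporary rule, whole program
            log.append(f"You allowed {c.program} to access your network resources")
        elif choice == "manual_rule":
            rules.append(Rule(c.program, c.proto, c.port))  # this request only
            log.append(f"Rule created: {c.program} {c.proto}/{c.port}")  # constructed wording
        else:
            raise ValueError(f"unknown choice: {choice}")
    return prompts, log

# Constructed request sequence: the thread mentions DNS and HTTP access;
# the third (HTTPS) request is an assumption made to reach three rules.
PROG = "Hitman Pro 3.5"
REQUESTS = [Conn(PROG, "UDP", 53), Conn(PROG, "TCP", 80), Conn(PROG, "TCP", 443)]

if __name__ == "__main__":
    for choice in ("allow_instance", "manual_rule"):
        prompts, log = run(REQUESTS, choice)
        print(choice, "->", len(prompts), "popup(s)")
        for line in log:
            print("   ", line)
```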