"You allowed xxxxxxx to access your network resources" Norton IS 2011 Firewall log Message?

Nice try but I don't buy it. "Allow this instance" means to me permit this immediate activity only. If the prompt is for outbound UDP port 53, that is what I am allowing or denying. Furthermore, I confirmed this with other outbound applications. They generated the expected two alerts; one for outbound UDP port 53 and one for outbound TCP port 80. As people in this forum have repeatedly pointed out, this firewall has a major leak issue. And this rubbish about being on a safe list of programs is just plain garbage. It really stinks also. There is only one way to ensure a system program or any piece of software has not been modified; that is to run an MD hash on it. Digital signatures - forget it. They can and have been hacked.

donziehm wrote:

And this rubbish about being on a safe list of programs is just plain garbage. It really stinks also. There is only one way to ensure a system program or any piece of software has not been modified; that is to run an MD hash on it. Digital signatures - forget it. They can and have been hacked.


A hashing scheme is involved, along with a lot of other factors including input from other components of the Norton program. This is not a simple whitelist - a lot of data is analyzed when a program requests network access.

donziehm wrote:

Nice try but I don't buy it. "Allow this instance" means to me permit this immediate activity only. If the prompt is for outbound UDP port 53, that is what I am allowing or denying. Furthermore, I confirmed this with other outbound applications. They generated the expected two alerts; one for outbound UDP port 53 and one for outbound TCP port 80. As people in this forum have repeatedly pointed out, this firewall has a major leak issue. And this rubbish about being on a safe list of programs is just plain garbage. It really stinks also. There is only one way to ensure a system program or any piece of software has not been modified; that is to run an MD hash on it. Digital signatures - forget it. They can and have been hacked.


As dbrisendine indicated, instance in this case means "application instance". In the past this did mean a single communication but today it means a single launch of an application. As far as the 'other' outbound applications generating two alerts, you've experienced a small timing bug. When you indicate to allow 'this instance' the next communication, for these applications, is already in the pipeline and will still notify you even though you've allowed all instances for the application. Once you've allowed this instance and the initial queue has been flushed out you shouldn't see any further notifications.

As far as white lists are concerned, the firewall doesn't have any such thing. What you see in the rules is what you get. Each application listed in the rules is uniquely identified by its hash preventing malware from, say, replacing iexplore.exe with itself and getting the permissions of IE.
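As an added illustration (not Norton's code, constructed for this thread) of the hash-keyed rule matching described above: a rule is stored against the executable's digest, so a binary swapped in at the same path no longer matches and falls back to a prompt. The file names and contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Digest the executable in chunks so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class RuleStore:
    """Outbound rules keyed by executable hash rather than by path alone."""

    def __init__(self):
        self._rules = {}  # sha256 hex digest -> (path, decision)

    def allow_application(self, path):
        # "Allow" in the thread's sense: every launch of this exact binary.
        self._rules[sha256_of_file(path)] = (path, "allow")

    def decide(self, path):
        digest = sha256_of_file(path)
        rule = self._rules.get(digest)
        if rule is None:
            # Unknown digest: a new program, or a known path whose bytes changed.
            return "prompt"
        return rule[1]


def demo():
    """Walk through allow, then replacement at the same path; returns the three decisions."""
    workdir = tempfile.mkdtemp()
    exe = os.path.join(workdir, "iexplore.exe")  # constructed stand-in path
    with open(exe, "wb") as f:
        f.write(b"constructed stand-in for the real browser binary")
    store = RuleStore()
    before = store.decide(exe)          # no rule yet -> "prompt"
    store.allow_application(exe)
    allowed = store.decide(exe)         # digest matches -> "allow"
    # Simulate something overwriting the file at the same path.
    with open(exe, "wb") as f:
        f.write(b"constructed stand-in for a replaced binary")
    after = store.decide(exe)           # digest changed -> "prompt" again
    return before, allowed, after


if __name__ == "__main__":
    print(demo())
```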

Reese if this was a timing issue, there should be consistent behavior pertaining to all outbound applications. As I stated previously and repeatedly when I tested other applications, I always received two outbound firewall popups, one for DNS and one for the TCP connection attempt. I am not saying unconditionally that what you stated is not the case. However, inconsistency does not build confidence in a firewall.

donziehm wrote:
Reese if this was a timing issue, there should be consistent behavior pertaining to all outbound applications. As I stated previously and repeatedly when I tested other applications, I always received two outbound firewall popups, one for DNS and one for the TCP connection attempt. I am not saying unconditionally that what you stated is not the case. However, inconsistency does not build confidence in a firewall.

I understand what you are saying about inconsistency placing doubt on any security product. I believe that you will find the behavior fairly consistent for any given application. Since different applications perform different network actions in different orders, the behavior will change for each one. The behavior may change for the same application if timings get changed for some reason (fast user response to prompt or other background tasks running). For this particular issue, the problem is that pending notifications aren't reevaluated and potentially dismissed after you set the new policy for this instance of the application, pretty harmless but definitely a bit confusing from the end user perspective.

There is still the issue of Automatic Program Control. This is important since NIS 2011 is designed to run in that mode. When the Hitman Pro application executes under Automatic Program Control, no firewall rules were created. I have run no application to date running under NIS 2011 that did that. All other applications created rules (outbound) in the Program Control area. Again inconsistent behavior and one that is very suspect at that. I also cannot reason out the "You allowed Hitman Pro 3.5 to access your network resources" firewall log message that was recorded since no firewall alert appeared to allow or block access. This message from what I can determine is generated under manual control, that is when Automatic Program Control is set to "off." My concern remains if "safe" software can perform this type of activity what is to stop it from performing undesirable activity? This is what firewall rules were created for.

donziehm wrote:
There is still the issue of Automatic Program Control. This is important since NIS 2011 is designed to run in that mode. When the Hitman Pro application executes under Automatic Program Control, no firewall rules were created. I have run no application to date running under NIS 2011 that did that. All other applications created rules (outbound) in the Program Control area. Again inconsistent behavior and one that is very suspect at that. I also cannot reason out the "You allowed Hitman Pro 3.5 to access your network resources" firewall log message that was recorded since no firewall alert appeared to allow or block access. This message from what I can determine is generated under manual control, that is when Automatic Program Control is set to "off." My concern remains if "safe" software can perform this type of activity what is to stop it from performing undesirable activity? This is what firewall rules were created for.

Let me start by saying that I work on the core firewall functionality. The part that actually enforces the policy that is set through settings and rules. When traffic doesn't match one of the settings or rules my component queries 'the product' about what should be done. If network traffic isn't being detected by my component it is a serious issue for me and it will be investigated. From the description so far, it sounds like the traffic is being detected. I'll have someone on my team investigate why the product isn't generating rules when the traffic is detected.

The "You have allowed..." message has been discussed numerous times in this forum. The wording could definitely be better. This message is generated when traffic is allowed to occur due to some policy beyond settings and rules. Usually this occurs because you enabled Automatic Program Control (APC) and APC has determined that the traffic is safe (exe is not malware, does not contain a virus, etc.). I'll also ask my investigator to determine why you are seeing this under manual control.

It looks like a lot of this is attributable to the fact that you are running from a removable drive. The product does not automatically create rules for applications that are on removable media.

Thanks for checking this out Reese. I also wondered if this behavior was due to the execution from a portable drive. Now I have to decide if I can live with that. I have always preferred portable applications since I viewed them as more secure to operate that way and secondly, there is much less "clutter" to clean up when I no longer use the portable applications. This does beg the question as to why is Norton IS 2011 not providing the same level of security capability to portable applications as those that are installed?

Norton Internet Security is providing the same level of security for apps running from removable devices, it just doesn't automatically create rules for them. Every communication is still seen and evaluated. There may be a small performance hit since extra evaluation has to be done for each communication whereas the rules are very fast but you probably aren't likely to notice that difference.

You could just create a folder on your main drive for portable applications. When you have no need for one of them anymore or want to free up space, (because they are portable) it is only a case of deleting the program or its folder.

Thanks for the suggestion to run from a local drive. Honestly, don't know why I didn't think of that! Anyway not only did IS 2011 create the proper firewall rules but Insight scanned the executable before allowing it to execute. I do recommend that Symantec beef up its next IS 2011 upgrade to include external HDDs for full firewall functionality. I am also left wondering if this same current behavior applies to all externally connected PnP devices?