Configuring program access in Norton Internet Security 2007

Just installed Norton IS 2007 after seeing it get a good review on PC Mag. I have "Ask me what to do" checked under "Firewall processing", because I want to decide which processes access the internet. I understand of course that this means the program will pop up a window for my permission the FIRST TIME a process attempts to go online. However, it seems no matter how many times I say YES or NO for any given process, IS 2007 KEEPS ASKING. Case in point, Windows Explorer. Explorer.exe appears 3 times in the OS. I have EACH ONE set to BLOCK under "Personal firewall: Program control". I have REMOVED explorer.exe from the "Configure program launch monitoring" "allowed" list. Yet EACH TIME I do a search in Windows Explorer, I am asked 5 or more times whether or not the program can access the internet. Similarly, it KEEPS ASKING ME if Outlook Express can access the internet, despite the fact that I have told it YES repeatedly. Same with Firefox. This is maddening. I have run several previous versions of Norton IS, and in the past once you told the bloody thing how you wanted it to handle a given program, it did so. Is there any way to get IS 2007 to just DO WHAT I TELL IT, or do I have to remove the damned thing?

TIA

Dan

Reply to
Dan

"Firewall processing" or "Application Control" by another name, you should disable it if you can as it's worthless. It can easily be circumvented and defeated by malware or mis-configured. So, why be bothered with such things in a solution?

You can use the tools in the link to look around for yourself, if you have an NT based O/S such as XP.

You can use Active Ports. You can put a short-cut for AP in the Start-up folder and watch for dubious connections, along with using AP on a router basis. You can use Process Explorer to look at running processes and what is running with the process, the hidden processes.

If the machine has a direct connection to the modem, then harden the O/S to attack, like disable Client for MS Networks and MS File and Print Sharing off of the NIC or dial-up connection, as the machine has no business being in a networking situation on the Internet, along with other things you can do to the O/S.

You can practice safehex.

I disabled "Firewall processing" or "Application Control" by another name long ago on the personal FW/packet filter running on this laptop that has a direct connection to the Internet.

I look for myself as to what's happening or running on the machine, as "Firewall processing" or "Application Control" is worthless.

Duane :)

Reply to
Duane Arnold

Duane-Thanks for the in-depth response! I'll check out the links etc. I'm not only concerned about blocking "malware", I also wonder why the hell something like windows explorer has to "call home" when I'm looking for a file on my hdd! And what the heck are all those "svchost.exe's" that keep connecting? In addition to SECURITY, I also want some PRIVACY (I only trust M$ slightly more than the malware goons ;-) and to keep unnecessary background crap to a minimum!

Thanks again,

Dan


Reply to
Dan

Explorer does try to connect to a network; that's part of its job. But at the most, in your case, the Loop Back IP (look it up using Google) is being used by Explorer, if Explorer is not really in a LAN situation. You can use Active Ports and start Explorer and see if Explorer.exe is actually connecting to a remote IP on the Internet. I think you'll find that it's not doing that.

Svchost.exe is the messenger for the O/S programs and other programs that can be malware. You should be aware of what's using an Svchost.exe, what SVChost.exe is hosting as it's a hosting program or what remote IP an SVChost.exe is connecting to. You can use Process Explorer to see what hidden processes are hosted by an SVChost.exe and there can be many SVChost.exe(s) running doing various things for the O/S and other programs. You can

If SVChost.exe is not running out of Winnt/system32 (Win 2k and down) or Windows/system32 (Win XP and up), then it's a Trojan. Again, you can use Active Ports to see what a given SVChost.exe is connecting to. But I think you'll find that Svchost.exe is just doing its job communications and is not doing anything dubious itself. Most likely, svchost.exe is hanging out on a Loop Back IP doing nothing, if that.

Look for yourself and see what's happening and don't depend upon a personal FW to tell you what is happening. You should set AP's refresh rate to high. You can use Arin whois to see who owns a remote IP.

Duane :)

Reply to
Duane Arnold

Just a little comment to that.

You shouldn't put too much trust in magazine reviews when it comes to security products. The review writers there very seldom have the skills to technically validate the real quality of the products.

They review primarily from a usability standpoint. They look at functionality - "Bells-and-whistles" and the "look-and-feel" of the products. They seldom are skilled enough to really test if the products provide the protection they claim to do.

/B. Nice

Reply to
B. Nice

Probably because it was configured to search not only your hard disk, but also the web locations. Inspecting the traffic with a protocol analyzer (e.g. Wireshark [1]) helps with understanding what exactly happens there.

svchost is a host for several services. What service exactly tries to establish those connections? Use "netstat -anb" to find out.

Well, if you don't trust Microsoft you should refrain from using their operating system, plain and simple. There's no way on earth any software running ON TOP of their operating system could enforce control over their operating system.

You keep unnecessary background crap at a minimum by NOT RUNNING IT in the first place. Autoruns [2], Silent Runners [3] or msconfig may help you with that. In addition to that [4,5,6] may help with disabling services you don't need. Running additional unnecessary background crap does NOT help with it. Which should be obvious, but obviously isn't.

cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers
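
The checks suggested in this thread (where each svchost.exe runs from, which services it hosts, and which remote addresses it talks to) can be collected in one pass. This is an added example, not code from any poster; it assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt, and uses Get-CimInstance and Get-NetTCPConnection in place of the XP-era tools named above. Accepting the SysWOW64 path on 64-bit Windows is an addition not mentioned in the thread.

```powershell
# Added example: inventory every svchost.exe instance with its image path,
# hosted services and non-loopback TCP peers.

# Legitimate image locations. SysWOW64 is the 32-bit copy on 64-bit Windows.
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }

# Map PID -> names of the services hosted in that process.
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId | ForEach-Object {
        $servicesByPid[[int]$_.Name] = $_.Group.Name
    }

# Classify an address as loopback, unspecified (listener) or remote.
function Get-EndpointKind([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return 'loopback' }
    if ($ip.Equals([System.Net.IPAddress]::Any) -or
        $ip.Equals([System.Net.IPAddress]::IPv6Any)) { return 'none' }
    return 'remote'
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $procId = [int]$_.ProcessId

    # Only peers that are neither loopback nor 0.0.0.0/:: are worth a whois lookup.
    $remote = @(Get-NetTCPConnection -OwningProcess $procId -ErrorAction SilentlyContinue |
        Where-Object { (Get-EndpointKind $_.RemoteAddress) -eq 'remote' } |
        ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
        Sort-Object -Unique)

    [pscustomobject]@{
        PID          = $procId
        # An empty Path means the path could not be read (prompt not elevated);
        # treat that as "unknown", not as a finding.
        Path         = $_.ExecutablePath
        PathExpected = ($expected -contains $_.ExecutablePath)
        Services     = $servicesByPid[$procId] -join ','
        RemotePeers  = $remote -join ', '
    }
} | Sort-Object PathExpected, PID | Format-Table -AutoSize -Wrap
```

Rows with PathExpected set to False sort first; an instance with a readable path outside the two expected directories, or one hosting no services while holding remote connections, is the one to examine further in Process Explorer.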

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.