Norton Personal Firewall Alerts

I recently installed Norton Personal Firewall 2005 on my computer. Since doing that, randomly throughout the day I have been receiving "Alerts" that indicate that a remote system is attempting to connect to my computer using Windows XP program svchost.exe. The "Alert" then gives me several courses of action, but recommends "Always Permit".

Now the question for the resident experts! I have traced many of the IP addresses shown in the alerts and they lead back to various IP owners, most of which have no known (to me) need to be connecting to my machine. Can someone enlighten me regarding such connection attempts? I presume it must not be considered a significant security risk because of Symantec's "Always Permit" recommendation, but am exceedingly curious about the need and the nature of such connection attempts.

Early on, I responded to one such Alert by indicating "Always Block" and found that to be a big mistake. The Personal Firewall subsequently blocked all of my own Internet connection attempts!

Thanks in advance for any enlightenment that can be offered.

C.

Reply to
C.

What ports are the connection attempts directed at? I'll have a guess at 135. It is caused by other PCs with various worms on them attempting to find other PCs to infect. It does not necessarily mean that your PC is infected. You should be blocking this with an external firewall/router between your Internet connection and your PC. NOT with a software firewall on your PC.

As far as Norton personal firewall 2005 is concerned I prefer not to comment.

Which virus scanner are you using?

Jason

Reply to
Jason Edwards

On Thu, 16 Dec 2004 19:47:39 GMT, C. spoketh

Never, ever, never, ever, never never never allow outbound connection in to port 1026 through 1029. Those are associated with the Windows Messenger Service (not to be confused with the Windows Messenger IM client or the MSN Messenger client). All that crap you see are so-called "Messenger Spam", and you don't need it. The only address that should need access to those ports is 127.0.0.1, which is your own computer!

Why Symantec recommends "always permit"? Because that happens to be the default setting for everything for most of these types of firewall. The default action for all the software firewalls has always been wrong, leaving the user to actually know to change the answer to whatever is correct. So, you are likely to err on the unsafe side (allow) rather than on the safe side (block).

Lars M. Hansen


Reply to
Lars M. Hansen
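
The port checks suggested in the replies above (port 135, and ports 1026 through 1029 from any source other than 127.0.0.1), applied to firewall log lines. This is an added example, not part of any poster's message; the log layout, the addresses (documentation ranges) and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Ports named in the thread: 135 (worm scanning; TCP assumed here) and
# UDP 1026-1029 (Windows Messenger Service pop-up spam).
WATCHED = {("TCP", 135): "worm probe (port 135)"}
WATCHED.update({("UDP", p): "Messenger spam" for p in range(1026, 1030)})

# Constructed sample log of packets seen by the firewall. Assumed layout:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2004-12-16 19:40:01 DROP UDP 203.0.113.7 192.0.2.10 31337 1026
2004-12-16 19:41:12 DROP UDP 198.51.100.23 192.0.2.10 4500 1026
2004-12-16 19:41:13 DROP UDP 198.51.100.23 192.0.2.10 4500 1027
2004-12-16 19:42:30 OPEN UDP 127.0.0.1 127.0.0.1 1034 1026
2004-12-16 19:43:02 DROP TCP 203.0.113.99 192.0.2.10 2210 135
2004-12-16 19:44:45 OPEN TCP 192.0.2.10 198.51.100.80 1050 80
2004-12-16 19:45:00 DROP UDP not-an-ip 192.0.2.10 1 1026
"""

def classify(line):
    """Return (label, source_ip) for an unsolicited probe, else None."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 8:
        return None  # comment/header or truncated line
    proto, src, dport = fields[3].upper(), fields[4], fields[7]
    try:
        src_ip = ipaddress.ip_address(src)
        port = int(dport)
    except ValueError:
        return None  # malformed address or port
    label = WATCHED.get((proto, port))
    # Loopback traffic to these ports is the machine talking to itself.
    if label is None or src_ip.is_loopback:
        return None
    return label, str(src_ip)

def summarize(log_text):
    """Count probes per category and list the distinct remote sources."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    by_label = Counter(label for label, _ in hits)
    sources = sorted({src for _, src in hits})
    return by_label, sources

if __name__ == "__main__":
    counts, remote = summarize(SAMPLE_LOG)
    for label, n in counts.items():
        print(f"{label}: {n}")
    print("sources:", ", ".join(remote))
```
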

Jason:

I assume the port number is the number following the local address -- if so it is always port 1026.

My anti-virus software is Norton's also!

If this is indeed a worm trying to find a place to get in; why would Norton's software carry a recommended action of "Always Permit" this type of connection?

C.

Reply to
C.

TCP or UDP? Either way you should have an external firewall drop it before it reaches your PC.

Perhaps you should contact Symantec support. As I said I would prefer not to comment on Norton products. Perhaps someone who uses them would like to help you.

Jason

Reply to
Jason Edwards

To never allow *outbound* connections *in* is probably a good idea in most cases. :-p

Some exceptions are when you bounce packets off a router to reach yourself on the physical interface. This can be useful if you run multiple operating systems sharing one interface, but with no loopback between the two (like Softwindows), or when an outside DNS points to a DMZ server (like dynamic DNS). But for most networks, you'd never need this.

Not so. Behind a firewall, it's quite useful. I can do things like

net send othermachine "Is there paper in the DeskJet?"
net send /users "I'm going to reboot this box in a minute"
net send "*" "Dinner!"

The equivalent in the Unix world is wall/rwall, which can be likewise quite useful when used correctly. They're much lighter weight than instant messaging clients, and also much safer (no sending files, for one thing).

Just don't allow either Windows Messenger or rwall from untrusted sources, like internet.

Regards,

Reply to
Arthur Hagen

UDP.

Have submitted an inquiry to Symantec (but haven't heard back yet), but wanted to hear from others as well.

Thanks, C.

C.

Reply to
C.

What version of Windows and are you able to tell me whether or not the messenger service is running? (nothing to do with msn messenger).

Jason

Reply to
Jason Edwards

Windows XP, SP2. Windows Messenger is not activated.

Reply to
C.

Well I can't be 100% certain but it looks to me like you are being told about incoming packets which would be of no consequence even if you didn't have that personal firewall you mentioned.

So you may want to ask yourself why that personal firewall is bothering you with this. I suppose it's possible that you may not want to buy the 2006 upgrade unless it looks like it's doing something useful but um maybe you can decide for yourself.

Get an external firewall between the Internet and your PC.

Jason

Reply to
Jason Edwards

Or just spend $50 and buy a Linksys BEFSR41 router that provides NAT and connect it between your cable modem or DSL modem and you won't see the probes any more.

Reply to
Leythos

Exactly. That's what I mean by an external firewall in this case :) Ok you can pay a lot more for a real external firewall but the BEFSR41 or BEFSX41 (I put one of those in for a home user a few days ago) is a good start at home.

Jason

Reply to
Jason Edwards

Looks like we've come full circle now! The "no consequence" packets you mention would appear to fit with the Symantec recommended action of "Always Permit" and their category of "Low Risk". If I were to do that one time, the Alerts would be no more bother! So, back to the original question -- what is it that these folks are really doing that is of "no consequence" and why do they need to do it with my computer?

Appreciate the recommendation for an external firewall and I'll look into that; meanwhile my curiosity begs to be satisfied. Appreciate you guys taking the time to try to help educate me.

Thanks,

Reply to
C.

Yes if your operating system is suitably patched such that the messenger service is not vulnerable. How would the personal firewall know that? Maybe it could figure it out. Maybe not.

formatting link
formatting link
Jason

Reply to
Jason Edwards

"Jason Edwards" wrote in news:32efauF3j93g3U1 @individual.net:

Jason:

Thanks for the links. They seem to explain what may be happening.

C.

Reply to
C.

"C." wrote in news:kikwd.509949$wV.342612@attbi_s54:

Don't use Norton. Don't use WinXP. Case closed.

Reply to
elaich
