Course Guide
Support Readiness Training
Copyright Notice
Symantec and the Symantec logo are U.S. registered trademarks of Symantec
Corporation. Other brands and products are trademarks of their respective
holder/s. Copyright © 2005 Symantec Corporation. All Rights Reserved. Any
technical documentation that is made available by Symantec Corporation is the
copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS, and
Symantec Corporation makes no warranty as to its accuracy or use. Any use of the
technical documentation or the information contained therein is at the risk of the
user. Documentation may include technical or other inaccuracies or typographical
errors. Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written
permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino,
CA 95014.
Authorized Symantec courseware materials contain a yellow Symantec watermark
on the front side of each page. Use of unauthorized courseware materials is strictly
prohibited and should be reported to Symantec Corporation immediately.
Trademarks
Symantec, the Symantec logo, Intruder Alert, NetProwler, Raptor, VelociRaptor,
Symantec Desktop Firewall, Symantec Enterprise VPN, Symantec Enterprise
Firewall, Symantec Ghost, Symantec pcAnywhere, RaptorMobile, NetRecon,
Enterprise Security Manager, NAV, Norton Anti Virus, Symantec System Center,
Symantec Web Security, Mail-Gear and I-Gear are trademarks of Symantec
Corporation.
Windows is a registered trademark of Microsoft Corporation. Pentium is a registered
trademark of Intel Corporation. Other product names mentioned in this manual
may be trademarks of their respective companies and are hereby acknowledged.
This is a training program to support the latest release of Norton Internet Security. It
is estimated to be a three-day, instructor-led, hands-on program designed for the
global technical support organizations.
The Norton Internet Security 2007 course is divided into eleven sections. The
instructor's lecture is followed by lab exercises in which students apply knowledge
gained throughout the course.
Intended audience
This course is intended for those who have responsibility for supporting, installing,
and configuring Norton Internet Security.
Course prerequisites
Course objectives
After you complete this course, you will be able to do the following:
• Install Norton Internet Security 2007
• Understand the install-over matrix for Norton Internet Security 2007
• Troubleshoot installation of Norton Internet Security 2007
• Identify the components of Norton Internet Security 2007
o Personal Firewall
o Intrusion Prevention
o Norton AntiVirus
o Security Inspector
• Understand techniques for troubleshooting Norton Internet Security 2007
issues
• Monitor Norton Internet Security activities via reporting section
• Understand the Symantec shared components used in Norton Internet
Security 2007
o SymProtect
o Norton Protection Center
o Activation
o Subscription
o LiveUpdate
Unit 9 SymProtect
Overview ..... 107
What SymProtect does ..... 108
How SymProtect works ..... 109
Summary ..... 111
Appendix A ..... 132
Appendix B ..... 136
Norton Internet Security 2007 is the tenth version in the product line. While today's
Internet provides instant access to a wealth of information and resources, it is also a
gateway through which threats and attackers can enter or exploit a user's computer.
This makes every Internet user concerned about the security of the computer while it
is connected, and users look for the best available protection for it. Norton Internet
Security 2007 is designed to meet consumers' PC security needs by providing security
features that counter today's threats and attacks, and, like its predecessors, it
continues to provide a high level of security through its new and enhanced features.
Objectives
After you complete this unit, you will be able to do the following:
This section provides a brief overview of some of the most common Internet threats
today. While these are not the only threats that exist, they have been included in this
manual to give support representatives an overview.
DoS attacks
A Denial of Service (DoS) attack is not a virus but a method hackers use to prevent
or deny legitimate users access to a computer.
DoS attacks are typically executed using DoS tools that send many request packets to
a targeted Internet server (usually a Web, FTP, or mail server), which exhausts the
server's resources and makes the system unusable. Any system that is connected to
the Internet and runs TCP-based network services is subject to attack.
For example, imagine a hacker creates a program that calls a local pizza store. The
pizza store answers the telephone, but learns that it is a prank call. If the program
repeats this task continuously, it prevents legitimate customers from ordering pizza
because the telephone line is busy. This is a denial of service, and analogous to a
DoS attack.
Many DoS attack tools are capable of executing a distributed DoS attack. For
example, imagine the hacker secretly plants his program onto many computers on
the Internet. This would have a bigger impact because there would be more
computers calling the same pizza store. It would also be more difficult to locate the
attacker, since the program is not running from the attacker's computer; the
attacker is only controlling the computer that secretly had the program installed.
This is an analogy for a Distributed DoS (DDoS) attack.
DoS tools such as TFN, TFN2K, and Trinoo are distributed DoS attack tools. These
tools can be secretly installed on a large number of innocent systems, which are then
centrally managed by the attacker to launch DoS attacks against targeted computers.
Systems that unknowingly have DoS attack tools installed are called zombie agents
or drones.
Ping is a software tool available on most operating systems and commonly used to
check whether a specified machine is reachable.
When ping runs, it sends an ICMP (Internet Control Message Protocol) echo request
packet, which carries the sender's IP address as its source address, to the destination
computer. If the destination computer receives the echo request, it answers with an
ICMP echo reply to confirm the ping.
In a Smurf DoS attack, the attacker forges the source IP address of the echo requests
so that it is the address of the targeted machine, and sends the requests to the IP
broadcast address of an intermediary network. Every machine on that network
answers the bogus request, and all of the replies go to the targeted machine, which
is flooded.
One way to reduce the risk of this attack is to disable IP-directed broadcast on
routers, which is often not used or needed. Some operating systems can also be
configured not to respond to ICMP echo requests sent to a broadcast address.
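The following is an added example, not code from this manual or from any Symantec product. It applies the description above to a small packet log: it picks out ICMP echo requests aimed at a directed-broadcast address whose claimed source lies outside that subnet (the spoofed victim) and estimates how many replies the victim would receive. The subnets and packets are constructed for the example.

```python
"""Added example (not code from the Symantec manual): pick out ICMP echo
requests that would trigger a Smurf-style amplification and estimate how
many replies the spoofed victim would receive.  The subnets and packets
below are constructed for the example."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Hypothetical subnets behind a router; their directed-broadcast addresses are
# what "disable IP-directed broadcast" stops the router from forwarding.
LOCAL_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed packet log: (protocol, source address, destination address).
SAMPLE_PACKETS = [
    ("icmp-echo-request", "192.0.2.10", "192.0.2.1"),        # ordinary unicast ping
    ("icmp-echo-request", "192.0.2.10", "192.0.2.255"),      # local host pings its own broadcast
    ("icmp-echo-request", "203.0.113.7", "192.0.2.255"),     # spoofed victim, directed broadcast
    ("icmp-echo-request", "203.0.113.7", "198.51.100.127"),  # same victim, second subnet
    ("tcp", "203.0.113.7", "198.51.100.127"),                # not ICMP, ignored
]


def directed_broadcast_subnet(dst: str,
                              subnets=LOCAL_SUBNETS) -> Optional[ipaddress.IPv4Network]:
    """Return the subnet whose directed-broadcast address equals dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if addr == net.broadcast_address:
            return net
    return None


def smurf_candidates(packets: Iterable[Tuple[str, str, str]],
                     subnets=LOCAL_SUBNETS) -> List[Tuple[str, str, int]]:
    """Return (victim, broadcast address, amplification) for each echo request sent
    to a directed-broadcast address from a source outside that subnet.  Every host
    on the subnet answers, and all of the replies go to the (spoofed) source."""
    hits = []
    for proto, src, dst in packets:
        if proto != "icmp-echo-request":
            continue
        net = directed_broadcast_subnet(dst, subnets)
        if net is None or ipaddress.ip_address(src) in net:
            continue  # unicast ping, or a local host pinging its own broadcast
        amplification = net.num_addresses - 2  # usable hosts: network and broadcast excluded
        hits.append((src, dst, amplification))
    return hits


def total_replies(packets, subnets=LOCAL_SUBNETS) -> int:
    """Upper bound on echo replies the victim(s) receive for this packet log."""
    return sum(amp for _, _, amp in smurf_candidates(packets, subnets))


if __name__ == "__main__":
    for victim, bcast, amp in smurf_candidates(SAMPLE_PACKETS):
        print(f"{victim} would receive up to {amp} replies via {bcast}")
```

The amplification factor is the number of usable hosts on the subnet, which is why a /24 is far more attractive to an attacker than a /25. On the host side, Linux ignores broadcast echo requests when net.ipv4.icmp_echo_ignore_broadcasts is set to 1, and Cisco IOS routers drop directed broadcasts with "no ip directed-broadcast", which is the default on current releases.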
Port Scanning
Phishing
• Requests for confidential information via email or Instant Message are not
legitimate
• Phishing attacks may use scare tactics to entice a response
• Fraudulent messages are often not personalized and can contain malicious
links
• Phishing attacks may consist of a group of emails that share similar properties
like details in the header and footer
• Phishing attacks redirect victims to a bogus Web site where malicious code is
downloaded and used to collect sensitive information
Spyware is a general term used for programs that covertly monitor your activity on
your computer, gathering personal information, such as usernames, passwords,
account numbers, files, and even driver’s license or social security numbers. Some
spyware focuses on monitoring a person’s Internet behavior; this type of spyware
often tracks the places you visit and things you do on the web, the emails you write
and receive, as well as your Instant Messaging (IM) conversations. After gathering
this information, the spyware then transmits that information to another computer,
usually for advertising purposes. While a firewall can block a spyware program's
outbound connections, an antivirus program identifies and removes the threat from
the computer.
Remote Access
Programs that allow another computer to gain information from, attack, or alter your
computer, usually over the Internet. Remote access programs detected in virus scans
may be recognizable commercial software, which is brought to the user's attention
during the scan. A firewall can also block remote access attempts.
Removed features
• Anti-Spam
• Parental Control
• NIS User Accounts
• Ad Blocking
• Privacy Control
• Option to disable the entire security suite is now removed
One of the main reasons for removing these features is low usage. It was also
determined that the most annoying forms of spam are handled most effectively
upstream, with technologies implemented by the companies that run mail servers.
The option to disable the entire security suite has also been removed: you can no
longer disable the whole Norton Internet Security program with a single click.
Features must be disabled individually.
Description
This unit focuses on installation of Norton Internet Security 2007. The installation of
the 2007 products is remarkably optimized and requires less user intervention as
compared to the previous releases.
Objectives
After you complete this unit, you will be able to do the following:
Before installing Norton Internet Security 2007 customers should review the
hardware and software requirements. These requirements are detailed in the
following pages under the hardware and software sections.
Norton Internet Security 2007 is supported only on the following operating systems:
Hardware requirements
The following list gives the minimum hardware requirements for installing Norton
Internet Security 2007. Platform performance is directly related to the robustness of
the hardware and to the resources taken by other applications running on the PC.
Customers will see better performance from Norton Internet Security with more
robust hardware.
Windows XP editions
300-MHz processor
256 MB of RAM
175 MB of available hard disk space
CD-ROM or DVD-ROM drive
Internet Explorer 6.0
Administrator privileges to install program
Installation from CD
Installation from CD is the most common way of installing Norton Internet Security
2007. Installation runs from the Autorun file on the CD automatically. If the
installation doesn’t start automatically, you can open the CD and double-click the
Navsetup.exe file.
The following screenshots illustrate the process of purchasing, downloading, and
installing the product from the Symantec Store.
Download Manager starts downloading. Windows XP SP2 may block the download.
After extracting all the installation files to the Temp folder, Download Manager starts
NAVSetup, which continues the installation. From this point the installation process is
the same as in the CD version. The complete process and screenshots are included at
the end of this unit.
If the setup detects a previous installation of Norton Internet Security 2004 or later,
it automatically removes the earlier version. If the version is earlier than 2004, it
must be uninstalled manually from Add/Remove programs before installing the
Norton Internet Security 2007. If the uninstallation fails, the following tools can be
used to remove the product from the computer:
Note: Norton Internet Security 2007 does not import any settings from the previous
versions. The installation will be done with default settings and configurations.
Symsetup.exe
Pre-flight checks
The installer checks the client machine prior to making any changes to make sure
that it meets all requirements. The following checks are made:
Pre-install scanner
[Figure: pre-install scanner components. NAVSetup launches PreScan.exe, which
calls ccEraser.dll and ccScanS.dll; ccScanS.dll loads ecmldr32.dll and the virus
definitions from the CD.]
PreScan.exe interacts directly with ccEraser.dll and ccScanS.dll to begin the scan.
ccScanS.dll, in turn, interacts with ecmldr32.dll and the virus definitions to scan the
user's computer. The pre-install scanner depends on the following four Symantec
components:
Dependencies
1. ccScanS.dll
2. ecmldr32.dll
3. Virus Definitions
4. ccEraser.dll
During installation, the user is offered the option to install the Symantec-Yahoo!
toolbar. This toolbar adds functionality to Internet Explorer. If the toolbar installation
fails, it fails silently and the main installation continues without alerting the user.
Note: Customers need to contact Yahoo! support for any issues pertaining to the
functionality of the Yahoo! toolbar.
SymSetup supports Common Error Display (CED) error messages. CED messages
work exactly the same way as product errors: after alerting the user to an installation
error, the software directs the user to an online Knowledge Base article.
The Norton Internet Security 2007 installation also provides an automatic submission
system for reporting install success or failure. If the installation fails, users can
submit their error log through the CED reporting system.
The installer also checks the results of executable-based nested installers such as
LiveUpdate. If the installation of one of these components fails, SymSetup alerts the
user using CED.
During uninstallation of the program, if any subscription period is left in the product,
users are informed of the period remaining in the subscription.
Conditions which display the subscription reminder dialog:
- When users manually uninstall via Add/Remove Programs
- When some other program launches the Symantec uninstaller
Conditions which do not display the dialog:
- When installing the same or a newer version of Norton Internet Security, and all
install-over scenarios including reinstallation and upgrade
The installer will be able to upgrade older Norton Internet Security products. This is
done by removing the previous product prior to installing the new one. Products that
can be upgraded will include:
Norton Internet Security 2007 will be capable of installing over a version with a
higher Minor version number when the installed product is an OEM product and
product being installed is a Retail/SCSS product. That is, NIS 12.0.0.xx Retail will be
able to install over NIS 12.0.2.xx OEM, but NIS 12.0.0.xx Retail will NOT be able to
install over NIS 12.0.2.xx Retail.
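The install-over rules in this unit can be collected into one decision routine. The following is an added example written for this manual, not Symantec's installer logic. Version strings use the major.minor.patch.build shape that appears elsewhere in this manual (for example 12.0.0.94); the manual calls the field that differs between 12.0.0.xx and 12.0.2.xx the "minor" version, and the example follows that usage. The product years and most version numbers used below are hypothetical.

```python
"""Added example (not Symantec's installer code): model the install-over rules
this unit describes.  Version strings use the major.minor.patch.build shape seen
in this manual (for example 12.0.0.94); the field that differs between 12.0.0.xx
and 12.0.2.xx is what the manual calls the "minor" version.  Product years and
most version numbers below are hypothetical."""
from dataclasses import dataclass
from typing import Tuple

OEM, RETAIL, SCSS = "OEM", "Retail", "SCSS"
FIRST_AUTO_REMOVED_YEAR = 2004   # 2004 and later products are removed by setup itself


@dataclass(frozen=True)
class Product:
    version: str   # e.g. "12.0.0.94"
    channel: str   # OEM, Retail or SCSS
    year: int      # product year, e.g. 2007

    @property
    def parts(self) -> Tuple[int, ...]:
        return tuple(int(p) for p in self.version.split("."))


def install_over_decision(installed: Product, incoming: Product) -> str:
    """Return one of:
       "install"          - setup removes the old product and installs the new one
       "manual-uninstall" - old product predates 2004; remove it via Add/Remove first
       "blocked"          - incoming is older than the installed Retail/SCSS product"""
    if installed.year < FIRST_AUTO_REMOVED_YEAR:
        return "manual-uninstall"
    if incoming.parts >= installed.parts:
        return "install"           # same or newer version: always allowed
    # Incoming is older.  Allowed only when a Retail/SCSS build lands on top of an
    # OEM build with a higher "minor" number within the same major version.
    same_major = incoming.parts[0] == installed.parts[0]
    if installed.channel == OEM and incoming.channel in (RETAIL, SCSS) and same_major:
        return "install"
    return "blocked"


if __name__ == "__main__":
    retail_2007 = Product("12.0.0.94", RETAIL, 2007)
    print(install_over_decision(Product("12.0.2.10", OEM, 2007), retail_2007))     # install
    print(install_over_decision(Product("12.0.2.10", RETAIL, 2007), retail_2007))  # blocked
    print(install_over_decision(Product("6.0.0.1", RETAIL, 2003), retail_2007))    # manual-uninstall
```

Whatever the outcome, remember that settings are never imported: an install-over always starts from the default configuration, so any customer with custom firewall rules should export or note them before upgrading.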
Folders list:
The registry keys that are created during the installation of Norton Internet Security
contain information to ensure the proper functionality and settings of the product
and its components. The key registry locations of interest are:
• HKEY_LOCAL_MACHINE\Software\Symantec\Installed Apps
This key lists all of the Symantec Products and components installed on the
computer, as well as their locations.
• HKEY_LOCAL_MACHINE\Software\Symantec\Shared Defs
This key lists the components of Norton Internet Security that use definitions, as well
as the name of the definition file used by each component and the locations of these
definition files.
• HKEY_LOCAL_MACHINE\Software\Symantec\Symsetup\refcounts
This key lists the GUID (Globally Unique Identifier, a unique 128-bit number that is
produced to identify any particular Symantec component) for each component as
well as the number of installations that have been counted by Digital Rights
Management for each.
• HKEY_LOCAL_MACHINE\Software\Symantec\CommonClient
This key lists the version of the Common Client that is installed.
The order of Norton Internet Security 2007 component installation from first to last:
• MSRedist.msi
• ccCommon.msi
• SymNet.msi
• AppCore.msi
• uiNPC.msi
• Firewall.msi
• Setup.msi
• SymLT.msi
• Browser.msi
• WebProt.msi
• Help.msi
• PARENT.MSI
• SPBBC32.MSI
• AV.msi
• SRTSP.msi
• Sevinst.exe
• NAV.MSI
The following registry keys will indicate successful installations of Norton Internet
Security and can be located in the following path:
Version key – Upon a successful installation of NIS this key contains the internal
version number.
Value = (String) "version"
Data = (String) "x.y.z"
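When a customer sends in a Registry Editor export, the keys listed above can be pulled out of it without touching the customer's machine. The following parser is an added example written for this manual, not a Symantec tool. The export text is constructed: the key paths follow the names given in this unit, but the GUIDs, install locations and the "version" value name under CommonClient are placeholders, not real Symantec identifiers.

```python
"""Added example (not part of the Symantec manual): parse a Registry Editor
export (.reg) taken from a customer's machine and pull out the Symantec keys
this unit lists.  The export text is constructed; the GUIDs, paths and value
names in it are placeholders, not real Symantec component identifiers."""
import re
from typing import Dict, Optional

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Symantec\Installed Apps]
"Norton Internet Security"="C:\\Program Files\\Norton Internet Security\\"
"LiveUpdate"="C:\\Program Files\\Symantec\\LiveUpdate\\"

[HKEY_LOCAL_MACHINE\Software\Symantec\Symsetup\refcounts]
"{00000000-0000-0000-0000-000000000001}"=dword:00000002
"{00000000-0000-0000-0000-000000000002}"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Symantec\CommonClient]
"version"="1.0.0.0"
'''


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: data}}.  Handles REG_SZ ("..."),
    REG_DWORD (dword:hex) and the default value (@); other types are kept raw."""
    tree: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if data.lower().startswith("dword:"):
                tree[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                tree[current][name] = _unescape(data[1:-1])
            else:
                tree[current][name] = data
    return tree


def _subkey(tree, suffix: str) -> Dict[str, object]:
    """Case-insensitive lookup of the key whose path ends with suffix."""
    for path, values in tree.items():
        if path.lower().endswith(suffix.lower()):
            return values
    return {}


def installed_apps(tree) -> Dict[str, str]:
    """Symantec products and components with their install locations."""
    return {k: str(v) for k, v in _subkey(tree, r"\Symantec\Installed Apps").items()}


def refcounts(tree) -> Dict[str, int]:
    """Per-component GUID install counts kept by SymSetup."""
    return {k: int(v) for k, v in _subkey(tree, r"\Symantec\Symsetup\refcounts").items()}


def common_client_version(tree) -> Optional[str]:
    v = _subkey(tree, r"\Symantec\CommonClient").get("version")
    return None if v is None else str(v)
```

A refcount that is still above zero after an uninstall is the kind of remnant that blocks a clean reinstall, which is why the uninstall troubleshooting later in this unit starts by clearing leftovers.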
SymSetup
SymSetup performs the following tasks:
• Performs all pre-install launch condition checks and prompts for any unmet
conditions.
• Displays all install UI panels, including the wizard pages, progress pages and
any error dialogs.
• Calls each child (MSI) install in the correct order.
• Keeps track of all products installed during installation and removes them
during uninstall.
Microsoft Installer
The Microsoft Installer (MSI) handles the installation of all Norton Internet Security
2007 components. MSI is only concerned with installation; it doesn’t do pre-
installation checks such as those done by Navsetup.exe. The MSI installers check to
see only that Navsetup.exe launched the MSI.
Note: In Norton Internet Security 2007, users are unable to run the MSI files as
stand-alone executables. SymSetup.exe must be used to control the MSI packages.
Installation wizard screens (partial list):
2. License agreement
6. Activation screen
The resolution for any issue that may arise in this stage depends on the type of
issue/error message that’s encountered. With the integration of the Common Error
Display with the installer, a majority of the installation issues can easily be identified
and resolved.
In case of any installation failure, generally a “9999, XXX” series error would be
flagged. The procedure to troubleshoot installation issues is outlined below:
In many cases, issues might also occur due to a failed uninstall attempt of a previous
installation. This could be an uninstall attempt of a previous version or a failed
installation attempt of the same version. In both cases, it is recommended to remove
the remnants before attempting a clean installation. Here is the list of SymSetup
errors which can appear based on the action that it performs:
Issue
Solution
For the 9999,171 error message there are currently six documents available. These
documents are written for the stage at which the installation fails. When the user
clicks the URL in the CED, it directs the user to the appropriate document depending
on the parameters that CED supplies.
You can see the exact document that the user is directed to from the URL.txt file.
To view this file:
You should see at least one zip file in the folder. If you see multiple files, look at the
latest one. The zip file has a randomly generated name, for example:
{D1A19EF5-5886-4EEE-BEE5-694827069F2D}1cc9b170.zip
3. Open the file URL.txt and look at the values of the "a" and "h" parameters, for
example:
http://www.symantec.com/techsupp/servlet/ProductMessages?&module=9999&error=171&language=English&product=Norton+AntiVirus+2006&version=12.0.0.94&e=2753&a=1603&h=NAV_CTO_Action_comm&k=AVSTE.dll&l=PARENT.MSI&c=false&m=2753&n=11.5.0&build=Standard
Depending on the "a" and "h" values, direct the user to the appropriate document.
The Lotus Notes internal document lists the "a" and "h" values for each document.
The links for all the documents are provided below:
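Reading the "a" and "h" values by eye from a wrapped URL is error-prone. The following is an added example, not a Symantec tool: it rejoins the contents of URL.txt onto one line and splits the CED query string into named fields. The URL is the one quoted above; the mapping from "a" and "h" to a specific document is kept in the internal Lotus Notes document and is not reproduced here.

```python
"""Added example (not a Symantec tool): pull the fields out of the CED URL
stored in URL.txt so a support engineer can route the case without opening
the link.  The URL is the one quoted in this unit, rejoined onto one line
as it would appear in the file."""
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

SAMPLE_URL_TXT = (
    "http://www.symantec.com/techsupp/servlet/ProductMessages?&module=9999&error"
    "=171&language=English&product=Norton+AntiVirus+2006&version=12.0.0.94&e=2"
    "753&a=1603&h=NAV_CTO_Action_comm&k=AVSTE.dll&l=PARENT.MSI&c=false"
    "&m=2753&n=11.5.0&build=Standard"
)


def load_url_txt(text: str) -> str:
    """URL.txt holds one URL; tolerate line wrapping and trailing whitespace."""
    return "".join(part.strip() for part in text.splitlines())


def parse_ced_url(url: str) -> Dict[str, str]:
    """Return the CED query parameters as a flat name -> value map.
    parse_qs decodes '+' to a space and skips the empty pair that the leading
    '?&' in the CED URL produces."""
    query = urlsplit(url).query
    return {name: values[0] for name, values in parse_qs(query).items()}


def ced_document_key(fields: Dict[str, str]) -> Tuple[str, str, str, str]:
    """The tuple that decides which knowledge base document the user lands on:
    (module, error, a, h).  Once the module/error pair (here 9999,171) is known,
    the manual routes on the 'a' and 'h' parameters."""
    return fields["module"], fields["error"], fields["a"], fields["h"]


def describe(fields: Dict[str, str]) -> str:
    """One-line case summary in the same shape as the CED error code."""
    return (f"{fields['module']},{fields['error']} in {fields['l']} "
            f"(a={fields['a']}, h={fields['h']}) on {fields['product']} {fields['version']}")


if __name__ == "__main__":
    print(describe(parse_ced_url(load_url_txt(SAMPLE_URL_TXT))))
```

In the quoted URL, "l" names the MSI package that failed (PARENT.MSI) and "a" carries 1603, which is the generic Windows Installer "fatal error during installation" return code; the "h" value is what distinguishes the six 9999,171 documents from one another.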
[Figure: error categories. Installation issues are reported by SymSetup under
module 9999; configuration and feature issues are reported by the MSI components
under their own modules (1002, 4002, 1007, ...).]
NIS User Interface
The user interface of Norton Internet Security has been greatly improved compared
with any of the previous versions. The interface is now enhanced and simplified, and
is optimized for ease of use and performance.
Norton Internet Security 2007 uses a new rendering engine to display its interface.
The new engine integrates seamlessly with the existing components and gives the
product a fresh and streamlined user interface.
Objectives
After you complete this unit, you will be able to do the following:
Tabbed approach
The program window which can be maximized stays static and the actions and
configurable options appear under the tabs or as drop down menus as displayed in
the screen shot below:
NIS features are categorized into four groups. The following table
lists the UI categories along with its subcategories and features.
The Norton Internet Security user interface is now enhanced and uses SymHTML.
The SymHTML component has a new integrated engine that uses Terra Informatica,
which is a faster HTML rendering engine than the Internet Explorer rendering engine.
This should resolve the UI responsiveness issues that were in the previous versions.
File dependencies
This unit focuses on providing a brief overview of Norton AntiVirus 2007. For detailed
information on Norton AntiVirus 2007, please refer to the Norton AntiVirus 2007
Training Manual.
Objectives
After you complete this unit, you will be able to do the following:
Norton AntiVirus offers protection against viruses and other threats. It protects
computers from infection by threats that arrive through the Internet, email, and
other media. The features of Norton AntiVirus stand guard and block malicious
programs from harming a computer.
• AutoProtect
• Manual Scanning
• Instant Messenger Scanning
• ccEraser
Note: Internet Worm Protection will not be installed when Norton AntiVirus is
installed along with Norton Internet Security.
Manual Scanning
A manual scan lets you check for viruses and other threats in specific files or folders.
You can include additional types of files to scan, such as boot records. You can also
specify whether you want the manual virus scan to check all files on your computer
or exclude files based on their extensions. Lastly, you can specify that scans include
memory infections and infections referenced by threats.
ccEraser
ccEraser replaces the Generic Side Effects Engine that was introduced in Norton
AntiVirus 2005. Norton AntiVirus 2007 will detect and remove Spyware and other
expanded threats on-demand through the use of ccEraser.
For detailed information on Norton AntiVirus, please refer to the Norton AntiVirus
2007 Training Manual
Objectives
After you complete this unit, you will be able to do the following:
Norton Personal Firewall uses both kernel-mode and user-mode drivers. Kernel-mode
drivers have direct access to system memory and hardware, whereas user-mode
drivers function within a system-assigned memory space and cannot affect other
running applications.
[Figure: the Windows TCP/IP stack without Norton Internet Security and with it.
With NIS installed, the SYMNDIS, SYMTDI, SYMREDRV, SYMFW and SYMDNS
modules are inserted into the stack alongside NDIS.]
• Symndis: This module, one of the two hooks to the Microsoft stack, filters
raw packets coming from the NDIS layer to the protocol layer. It handles any
ICMP and IGMP traffic, as well as stopping any fragmented packets that
arrive. Symndis does not process higher-level protocols such as HTTP, FTP,
and SMTP.
• Symtdi: This module, the second hook to the Microsoft stack, handles the
higher-level, port-based protocols and serves as the host for the filters that
examine the incoming packet and data stream.
• Symdns: This module does not do any filtering. It monitors and stores
associated URL/IP address pairs for use by other Norton Personal Firewall
components.
The integration of the firewall component (fwAgent) with Norton Internet Security is
dependent on two new components: fwPlugin.dll and fwEvent.dll.
fwPlugin.dll - An fwAgent plug-in for Norton Internet Security. This plug-in helps
fwAgent to get the interfaces that are required for configuration and alerting.
Previous versions of NIS used SymFirewallAgent to handle network alerting and
notification events. However, SymFirewallAgent only passed these events to NIS and
did not process them, so NIS depended on several other event types in order to do
the processing.
The consolidated firewall in NIS 2007 simplifies alerting by making NIS dependent on
a single event type (a class of fwEvent.dll), to which it subscribes. Although a single
event type is used, Norton Internet Security still needs to do some processing to
format the event into an understandable alert or notification.
fwEvent.dll
fwEvent.dll implements the event used to communicate between Norton Internet
Security and its fwAgent plug-in. It also implements the event factory, event
subscriber, and event provider.
fwPlugin.dll
fwPlugin.dll is the fwAgent plug-in for NIS. It implements the interfaces required by
fwAgent.
fwAlert.dll
fwAlert.dll is the UI component. It is a ccApp plug-in that subscribes to firewall
events, displays alerts and notifications, and relays user actions back to fwPlugin.dll.
• Alerting mode
• Program Control
• Network Locations
Auto mode allows Personal Firewall to make decisions automatically when a network
connection is established; no user alerts or prompts are shown. Auto mode is an
enhancement of the "Learning mode" of Norton Internet Security 2006. Unlike
Learning mode, however, Auto mode is not directly dependent on virus definitions.
Learning mode in the 2006 version cannot be enabled if the Norton AntiVirus virus
definitions are out of date. Auto mode in Norton Internet Security 2007 does not
check the virus definition date; it depends instead on ccEraser's threat list.
The Interactive (Ask me what to do) mode allows known applications to connect to
the Internet and requests for user intervention in case of an unknown application’s
attempt to establish a connection. Running the Personal Firewall in Interactive mode
can cause a lot of alerts from the firewall asking whether to allow or block a specific
connection.
By default, Personal Firewall is set to Auto mode and stays in that mode for two
weeks. After two weeks, the user is prompted either to keep the alerting mode at
Auto or to switch to Interactive mode. This technique lets the firewall learn the
Internet-enabled applications for a period; the switch to Interactive mode then gives
the user the option to decide (block or allow) for each connection. However, Auto
mode is the recommended choice in the prompt presented to the user.
A new component, AlertMode.dll, controls the alerting level for Norton Internet
Security. AlertMode reads the alerting level from ccSettings and exposes an API that
the Personal Firewall components can use to produce alerts when required.
Alerts are raised based on certain conditions. If the conditions match, the alert is
shown or the action is taken automatically.
Auto Mode
The following rules are applied to unknown applications (applications that are not
present in the ALE lookup) in Auto mode
• ccLib
• ccSettings
• ccEventMgr
The Program Control feature in this version of Norton Internet Security is greatly
enhanced and more automatic. Users can no longer perform a Program Scan; instead,
Program Control itself learns the programs that connect to the Internet and
automatically creates a Program Rule for each.
A larger ALE database removes the need for users to run a Program Scan, as it allows
Program Control to make the right decision when a program tries to connect to the
Internet. Once a Program Rule has been created automatically, users can modify the
rule as desired.
[Screenshot: Personal Firewall > Program Control. The panel shows the Automatic
Program Control setting (On, which is always on when the firewall is in Quiet Mode,
or Off) and the Add and Modify buttons for program rules.]
By default, Program Control is ON. When the firewall is in Auto mode, Program
Control does its job silently in the background and shows no alerts or notifications to
the user. If a program tries to access the Internet, Program Control studies the
program and decides whether to block or allow its access to the Internet. However, if
the firewall is set to Interactive mode, Program Control prompts the user for a specific
action (Block / Allow) the first time each program tries to connect to the Internet.
Once Program Control has created a rule for a specific application, the rule appears
in the rules list as shown in screenshot X.Y.
Through the Access column, a user can perform the following actions for a specific
program:
Allow: Allows the program to connect to the Internet without any restrictions.
Block: Blocks the program from establishing any type of Internet connection.
Custom: Allows a user to create a Program Rule. Using this option, a user can
restrict the type of connection that a program can establish. For example, a custom
rule that allows Outlook Express to connect to ports 110 and 25 restricts Outlook
Express to remote ports 110 and 25 only; if Outlook Express tries to connect to a
different port, the connection is blocked.
Auto: Automatic Program Control will take its own decision when this program tries
to connect to the Internet.
Network locations are profiles that allow a user to switch between multiple networks.
By assigning a network to a pre-defined location, a user can customize the firewall
settings that are specific to each location. By default, Norton Internet Security 2006
allowed the user to configure four different network locations: Home, Office, Away
and Default.
The Network Locations concept in Norton Internet Security 2007 has been simplified,
and no configurable network locations are presented through the interface.
Internally, however, there are three network locations: Unknown, Trusted and
Restricted. The following table provides an overview of the network location
simplification as compared to Norton Internet Security 2006:
Like the previous versions, the entries in the Trusted / Restricted zones are still
bound to IP addresses. Any change in a computer’s IP address will result in that
computer’s removal from the Trusted / Restricted zones (if it’s out of the local
subnet).
When the user joins a new network, the network is automatically placed into the
“Unknown” location until the user switches it to “Trusted” or “Restricted”. When a
computer that’s on the Trusted location communicates with any other computer in
the local subnet, the communication will be allowed. And when a computer that’s on
the Restricted location tries to communicate with any other computer in the local
subnet, the communication will be blocked. Any other traffic that comes from other
than Trusted and Restricted location will have the rules applied. The following
flowchart provides an overview of the traffic control:
The SymNeti component automatically detects any change in the network and places
the network in the Unknown location. If the detected network is a wireless network
with no encryption, a log entry is created with Medium priority. It is then up to the
user to place the network in the Trusted or Restricted zone, depending on his
configuration needs.
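The following is an added example written for this manual; it is not Symantec's SymNeti or firewall code. It models the three internal locations, the traffic-control flow for the local subnet described above, and the consequence of zone entries being bound to IP addresses: a Trusted host that changes address is no longer Trusted. The subnets and addresses are constructed, and the choice to let a per-address entry take precedence over the network-wide location is an assumption made for the example.

```python
"""Added example (not Symantec's SymNeti or firewall code): model the three
internal network locations, the traffic-control flow for the local subnet, and
why Trusted/Restricted entries that are bound to IP addresses stop matching a
host that changes address.  Subnets and addresses are constructed; giving a
per-address entry precedence over the network-wide location is an assumption."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRUSTED, RESTRICTED, UNKNOWN = "Trusted", "Restricted", "Unknown"


@dataclass
class NetworkState:
    local_subnet: ipaddress.IPv4Network
    location: str = UNKNOWN                                # location of the current network
    zones: Dict[str, str] = field(default_factory=dict)    # IP address -> TRUSTED/RESTRICTED
    log: List[Tuple[str, str]] = field(default_factory=list)

    def network_detected(self, subnet: str, wireless: bool, encrypted: bool) -> str:
        """A new or changed network always starts out as Unknown; an open
        wireless network additionally produces a Medium-priority log entry."""
        self.local_subnet = ipaddress.ip_network(subnet)
        self.location = UNKNOWN
        if wireless and not encrypted:
            self.log.append(("Medium", f"unencrypted wireless network {subnet}"))
        return self.location

    def set_location(self, location: str) -> None:
        """The user moves the whole network to Trusted or Restricted."""
        if location not in (TRUSTED, RESTRICTED, UNKNOWN):
            raise ValueError(location)
        self.location = location

    def add_zone_entry(self, ip: str, zone: str) -> None:
        """Zone entries are keyed by IP address, not by machine."""
        if zone not in (TRUSTED, RESTRICTED):
            raise ValueError(zone)
        self.zones[ip] = zone

    def zone_of(self, ip: str) -> Optional[str]:
        """An entry only applies while its address is inside the local subnet."""
        zone = self.zones.get(ip)
        if zone is None or ipaddress.ip_address(ip) not in self.local_subnet:
            return None
        return zone

    def decide(self, remote_ip: str) -> str:
        """Traffic-control flow: Trusted -> allow, Restricted -> block,
        everything else -> the general firewall rules apply."""
        zone = self.zone_of(remote_ip)
        if zone is None and self.location != UNKNOWN \
                and ipaddress.ip_address(remote_ip) in self.local_subnet:
            zone = self.location
        if zone == TRUSTED:
            return "allow"
        if zone == RESTRICTED:
            return "block"
        return "apply rules"


def new_state(subnet: str) -> NetworkState:
    return NetworkState(ipaddress.ip_network(subnet))


def demo() -> Dict[str, str]:
    """A trusted file server later changes address (for example after a DHCP
    lease change): the Trusted entry stays bound to the old IP."""
    state = new_state("192.0.2.0/24")
    state.network_detected("192.0.2.0/24", wireless=True, encrypted=False)
    state.add_zone_entry("192.0.2.10", TRUSTED)
    state.add_zone_entry("192.0.2.20", RESTRICTED)
    return {
        "server_old_ip": state.decide("192.0.2.10"),    # allow
        "server_new_ip": state.decide("192.0.2.11"),    # apply rules
        "restricted":    state.decide("192.0.2.20"),    # block
        "off_subnet":    state.decide("203.0.113.5"),   # apply rules
        "open_wifi_log": state.log[0][0],               # Medium
    }
```

The practical point for support calls: when a customer reports that a previously trusted machine is suddenly being blocked or prompted for, check whether its IP address changed, and whether the customer's home network is still showing as "Protected" (Unknown) rather than "Trusted".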
Network Reclassification
The following flowchart shows the events that occur when a user reclassifies the
network into a different location:
[Flowchart: the user attempts to classify the network. If a warning is raised and the
user adheres to it, the flow ends (Done). If the user ignores the warning, the UI /
product calls the SymNeti API; SymNet and FWAgent move/commit the network to the
specified location (add netspec), a LOCATION_CHANGE_EVENT is generated as a
result, and NISFWPlugin receives it.]
Once Norton Internet Security 2007 detects a network, it can be defined either as
“Trusted” or “Restricted”. To access Network locations:
In the above screenshot, the Security column reads “Protected”. This indicates that
the network is currently identified by the firewall. However, it’s neither trusted nor
restricted and any communication from this network will have the general rules
applied to it. When the home network is “Trusted” or “Restricted”, the Security
column will display the label as “Trusted” or “Restricted” respectively.
Firewall Rules
A Firewall Rule allows a user to control the type of data that comes in and goes out
of the computer through the Internet or Local Area Network. It also allows a user to
restrict the number of computers that can connect to his computer. To access the
firewall rules’ list:
Personal Firewall > Configure > Advanced Settings.
In the above screenshot, “Default Inbound ICMP” and “Default Outbound ICMP” are
two rules at the top of the list that allow specific inbound and outbound ICMP
connections. If a user creates a firewall rule to block inbound and outbound ICMP
connections below these two rules, the user-created rule will not take effect,
because the two pre-defined rules above it match the traffic first. For the user’s
rule to work, it must be moved above the existing ones, or the user can simply
uncheck the two pre-defined rules.
By default, there are several pre-defined firewall rules that block malicious data from
entering your computer. Some firewall rules control outbound connections as well.
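The following is an added example, not code from the manual or from the product: a small model of the traffic-control decision described above (Trusted peers in the local subnet allowed, Restricted ones blocked, everything else evaluated against the ordered rule list, first match wins). It reproduces the ICMP ordering problem from the screenshot discussion and both of the fixes. The subnet, rule names and peer addresses are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str        # "permit" or "block"
    direction: str     # "inbound", "outbound" or "both"
    protocol: str      # "icmp", "tcp", "udp" or "any"
    enabled: bool = True   # an unchecked rule in the UI is a disabled rule


@dataclass
class Packet:
    direction: str
    protocol: str
    peer_ip: str       # the other computer in the conversation


LOCAL_SUBNET = ip_network("192.168.1.0/24")   # constructed home network


def classify_location(peer_ip: str, trusted: Set[str], restricted: Set[str]) -> str:
    """Zone membership is bound to the IP address, as the manual notes."""
    if peer_ip in trusted:
        return "trusted"
    if peer_ip in restricted:
        return "restricted"
    return "unknown"


def evaluate(packet: Packet, rules: List[Rule], trusted: Set[str],
             restricted: Set[str]) -> Tuple[Optional[str], str]:
    """Return (action, reason) for one packet.

    Trusted/Restricted decisions apply only to peers in the local subnet;
    all other traffic walks the ordered rule list and the first enabled
    matching rule decides. The manual does not state what happens when no
    rule matches, so that case is reported as None.
    """
    if ip_address(packet.peer_ip) in LOCAL_SUBNET:
        location = classify_location(packet.peer_ip, trusted, restricted)
        if location == "trusted":
            return "permit", "Trusted location"
        if location == "restricted":
            return "block", "Restricted location"
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.direction != "both" and rule.direction != packet.direction:
            continue
        if rule.protocol != "any" and rule.protocol != packet.protocol:
            continue
        return rule.action, rule.name      # first match wins; later rules never run
    return None, "no matching rule"


# The two pre-defined rules from the screenshot and the user's new blocking rule.
DEFAULT_RULES = [
    Rule("Default Inbound ICMP", "permit", "inbound", "icmp"),
    Rule("Default Outbound ICMP", "permit", "outbound", "icmp"),
]
USER_BLOCK_ICMP = Rule("Block ICMP", "block", "both", "icmp")

PING_IN = Packet("inbound", "icmp", "10.0.0.7")   # peer outside the local subnet


def user_rule_below_defaults() -> Tuple[Optional[str], str]:
    """The problem: the user's rule sits below the defaults and never matches."""
    return evaluate(PING_IN, DEFAULT_RULES + [USER_BLOCK_ICMP], set(), set())


def user_rule_moved_to_top() -> Tuple[Optional[str], str]:
    """Fix 1: move the user's rule above the pre-defined ones."""
    return evaluate(PING_IN, [USER_BLOCK_ICMP] + DEFAULT_RULES, set(), set())


def defaults_unchecked() -> Tuple[Optional[str], str]:
    """Fix 2: leave the order alone but uncheck the two pre-defined rules."""
    disabled = [replace(r, enabled=False) for r in DEFAULT_RULES]
    return evaluate(PING_IN, disabled + [USER_BLOCK_ICMP], set(), set())


if __name__ == "__main__":
    print("rule below defaults :", user_rule_below_defaults())
    print("rule moved to top   :", user_rule_moved_to_top())
    print("defaults unchecked  :", defaults_unchecked())
```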
Let’s now look at the procedure of creating a firewall rule. Let’s create a firewall rule
to Block Telnet connections from a specific computer:
10. Type a name for the firewall rule and click Next.
The word “Stealth” stands for operating in hidden mode. Stealthing a closed port
hides that port from being visible as “closed”. If techniques like port scanning are
applied against a computer whose ports are stealthed, the computer does not respond
to the scan at all, as if it did not exist. In the case of ports that are closed but
not stealthed, the port scanner receives a response indicating that access was denied
or the port could not be opened. It is always recommended to stealth blocked ports
for better security.
The Personal Firewall can be turned ON or OFF by checking the respective radio
buttons.
This feature monitors when one program launches another and checks the access control
for both programs. Depending on the access control, that particular program will be
allowed or blocked from establishing a connection. For example, when you open a .pdf
link in Internet Explorer, Adobe Acrobat Reader is launched by Internet Explorer. In
this case, if Acrobat Reader is blocked in the Program Control list, the online PDF
file will not load.
This feature monitors the external modules’ Internet access. The programs shown in
the list of Program Monitoring are trusted ones and can be used by programs to
connect to the Internet.
As the Personal Firewall feature deals with network and Internet connectivity, the
majority of issues that relate to it involve loss of the network or Internet
connection. Connectivity issues vary from not being able to access the Internet at all
to not being able to use a specific “Internet-enabled program”. The troubleshooting
approach in this case needs to be situation-based. Let’s now look at some of the
issues and troubleshooting scenarios:
Scenario 1: Cannot access the Internet when the Personal Firewall feature is
enabled.
Solution:
1. Check if Norton Internet Security is set to Block Traffic. Right-click the Norton
Internet Security icon in the system tray. If there is a menu option that reads
“Allow Traffic”, then traffic is currently blocked; click “Allow Traffic” to allow
it. When traffic is allowed, the menu option reads “Block Traffic”.
2. Check the Program Control list to see if the customer’s ISP program or browser is
set to “Block All”. If so, changing it to “Permit All” should resolve the issue.
Also check the Alerting mode: if it is set to “Interactive”, change it to “Auto”.
In Interactive mode the customer may have unknowingly blocked his browser or the
ISP’s dialer.
3. Certain viruses can corrupt files, which in turn may block the Internet connection.
Run a manual anti-virus scan with the latest virus definitions and make sure that
no viruses are present on the computer. If an infection is found, remove the viruses
and re-install all infected applications so that they function properly.
4. Network Locations
In the case of a small or home network, make sure that the network is not placed in
the “Restricted” zone. If the user’s computer connects to the Internet through the
local network gateway, placing the network in the Restricted zone will block not only
the Internet connection but also local network connectivity.
5. Check the Personal Firewall logs to see whether any communication is blocked by
firewall rules. If it is, check the rule that is blocking the connection and modify
it accordingly. See the Product Activity logs section for more information on reading
the Personal Firewall logs.
Symantec has developed an automated tool that checks for connectivity issues and
resolves them automatically. This tool can be run online from the knowledge base.
The following knowledge base article provides an option to the user to run this tool:
‘I can connect to the Internet only if I first disable Norton Internet Security
or Norton Personal Firewall'
Document ID: 2005091311192136
http://service1.symantec.com/Support/nip.nsf/docid/2005091311192136
Scenario 2: Cannot access the Internet even after disabling Norton Internet
Security.
Situation: After installing Norton Internet Security, you are unable to access the
Internet even after disabling Norton Internet Security.
Solution:
The SymNCTS tool performs various checks on conditions that can block the
Internet access. If any condition matches, then SymNCTS will fix it. Please
see Appendix A for more information on SymNCTS.
Note: Usage of this tool was not validated for Norton Internet Security 2007
when this manual was created.
Certain viruses and threats block Internet access. Have the customer run a manual
scan and see if it detects any viruses, making sure first that the customer has the
latest virus definitions. Have the customer download the latest definitions on a
different computer that can connect to the Internet and copy them onto a CD or a USB
drive. The definitions can then be transferred to the affected computer and installed
there to perform the virus scan.
Make sure that there are no other third party firewall programs installed on
the computer. Some of the third party firewall programs are:
If any of these firewall programs exist, then you will need to uninstall them. It
is not recommended to have two firewall programs installed on a computer.
Uninstall Norton Internet Security and try accessing the Internet. If you still
cannot access the Internet, contact the ISP to make sure that the Internet connection
settings are correct. If you are able to access the Internet after uninstalling
Norton Internet Security, re-install it and check for the issue.
Situation: After installing Norton Internet Security and restarting the computer, you
notice that the personal firewall feature is disabled.
Solution:
Select Personal Firewall > Configure > System Settings and make sure that the
startup option is set to Automatic.
Make sure that all required Symantec services are running and are set to start
Automatically. Also make sure that ccApp.exe is set to load at startup.
If re-enabling all required services does not fix this issue, then you will need
to uninstall and reinstall Norton Internet Security through Add/Remove
Programs.
[Flowchart: Traffic control. Incoming traffic: is the destination in the Trusted or
Restricted location? No: Unknown, the firewall rules are applied. Yes: Trusted
location: Allow; Restricted location: Block.]
Security Inspector scans the computer for vulnerabilities and fixes and/or notifies the
user about them. Security Inspector performs various scans that are designed to
scan potential areas of vulnerabilities and provide corrective suggestions to the user.
Objectives
After you complete this unit, you will be able to do the following:
Security Inspector performs two groups of scans:
Basic Scans
• Windows Passwords
• IP Addresses
• Browser Settings
• Instant Messaging
Advanced Scans
• User Rights
• Windows Services
• Shared Folders
Windows Password
This scan checks the password strength of all user accounts on the system. It checks
whether the password is blank or can be easily guessed. There are certain criteria a
user account must meet to pass the “Windows password” scan. If the password defined
for a user account does not match any of the following criteria, it will be shown as a
vulnerability in the scan results:
Security Inspector cannot “fix” a weak password issue automatically by itself; fixing
this vulnerability requires user intervention. When Security Inspector detects a weak
password, the affected user name is displayed with the recommendation to define a
stronger password.
IP Addresses
This scan checks whether the computer’s hosts file has been tampered with, for
example by redirecting the localhost entry to an address other than 127.0.0.1.
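An added example, not the manual’s or the product’s code, of the kind of check this scan performs: parse a hosts file and flag a localhost entry that no longer loops back, plus any entry that overrides DNS for a watched domain (an update server or vendor site redirected or blocked). The watch list and the sample hosts file are constructed; the product’s own list is not given on the page.

```python
import ipaddress
from typing import Iterator, List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed watch list standing in for whatever the product checks.
WATCHED_DOMAINS = {
    "www.symantec.com",
    "liveupdate.symantecliveupdate.com",
    "www.ebay.com",
}

LOCALHOST_REDIRECTED = "localhost no longer resolves to loopback"
WATCHED_OVERRIDDEN = "hosts entry overrides DNS for a watched domain"

# Constructed sample: one benign localhost line, two tampered lines, one ad block.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.44      localhost          # tampered: localhost points at a remote host
192.0.2.44      www.symantec.com   # tampered: vendor site redirected
127.0.0.1       ads.example        # benign: user blocking an ad host
"""


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # first field is not an address
        for name in names:
            yield ip, name.lower()


def check_hosts(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (hostname, ip, reason) for every suspicious entry, in file order."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip not in LOOPBACK:
            findings.append((name, ip, LOCALHOST_REDIRECTED))
        elif name in watched:
            # Any static entry for a watched domain is suspicious: pointing it at
            # loopback silently blocks updates, pointing it elsewhere redirects them.
            findings.append((name, ip, WATCHED_OVERRIDDEN))
    return findings


if __name__ == "__main__":
    for hostname, ip, reason in check_hosts(SAMPLE_HOSTS):
        print(f"{hostname:<20} {ip:<15} {reason}")
```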
Browser Settings
The Browser Settings scan checks for specific settings in the browser that can lower
the security settings and provides an option to “fix” the issues. If a user chooses to
fix, the change will be reflected on the actual browser settings. This scan is currently
performed for Internet Explorer only.
Instant Messaging
This scanner checks whether Norton AntiVirus is configured to protect the user’s
Instant Messenger program. For AOL and Yahoo, the scanning engine checks each
Windows account, and each Instant Messenger account within that Windows account,
and reports whether each of these is properly configured to integrate with Norton
AntiVirus. For MSN Messenger, which stores this setting only per Windows account
rather than per Instant Messenger account, the scanning engine does not report
information about individual MSN Messenger accounts.
Advanced Scans
• User Rights
• Windows Services
• Shared Folders
User Rights
The User Rights scan checks all of the user accounts on the computer for a set of
user rights and returns a list of accounts which have more user rights than they
need. If a user account has excess rights, then the scanner will provide an option to
“fix” it. Fixing it would mean removing the rights of that particular user towards an
object.
Windows Services
This Security Inspector policy defines two categories of Windows services. The first
category includes services that may potentially increase system vulnerability. The
second category includes services that are considered unnecessary for an average
home user and, therefore, not recommended to be running all the time. A
vulnerability score is assigned to each category.
For example, IIS, Telnet, FTP and Messenger services increase system vulnerability and
should be disabled unless the user needs them. NetMeeting, Remote Registry and DTC
services are not recommended and should be configured for manual start unless the
user determines otherwise.
Shared Folders
This scanner checks whether there are shared resources on a user’s system and provides
an option to “fix” or “unshare” them. It looks for the following criteria:
After a scan is run and the user is presented with a list of shares that will be
closed, the behaviour of what is presented to the user is as follows:
• If there are any global shares (e.g. C$, D$) or system-folder shares (e.g.
C:\Windows or C:\Windows\System), then no user-created shares will be listed/closed.
This is so that the most critical shares are closed first.
• If there are fewer than 5 user-created shares on the system, nothing will be
listed/closed.
• If there are 5 or more user-created shares on the system, they will all be listed in
the details dialog, but the default action will be set to “No Action”. This is to
avoid any accidental decision by the user.
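The three rules above, written out as an added example (not the product’s code) so the precedence is unambiguous: critical shares are listed for unsharing and suppress everything else; otherwise fewer than five user shares yields an empty list, and five or more are listed with “No Action” as the default. The system root, share names and the “Unshare” label for the default action on critical shares are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

SYSTEM_ROOT = r"C:\Windows"            # the system folder used in the manual's example

# Drive-root administrative shares such as C$ or D$ (the manual's "global shares").
GLOBAL_SHARE = re.compile(r"^[A-Za-z]\$$")


def is_system_folder(path: str) -> bool:
    """True if the shared path is the system folder or anything beneath it."""
    p = path.rstrip("\\").lower()
    root = SYSTEM_ROOT.lower()
    return p == root or p.startswith(root + "\\")


def plan_share_fixes(shares: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (share name, default action) rows the details dialog would show.

    shares maps share name -> shared folder path, e.g. {"C$": "C:\\"}.
    """
    critical = sorted(
        name for name, path in shares.items()
        if GLOBAL_SHARE.match(name) or is_system_folder(path)
    )
    if critical:
        # Most critical shares first: user-created shares are not listed at all.
        return [(name, "Unshare") for name in critical]

    user_shares = sorted(shares)
    if len(user_shares) < 5:
        return []                                   # nothing listed, nothing closed
    # Five or more: list them all, but never close anything by default.
    return [(name, "No Action") for name in user_shares]


if __name__ == "__main__":
    demo = {"C$": "C:\\", "ADMIN$": "C:\\Windows", "Docs": "C:\\Users\\Public\\Documents"}
    for share, action in plan_share_fixes(demo):
        print(f"{share:<8} -> {action}")
```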
Security Inspector scan results provide the options of either “fixing” a vulnerability,
taking “No Action” or to “Exclude” the vulnerability in a future scan. If a user selects
SAM.dll – Obtains Password hashes from the Windows Local Security Authority
Service (LSASS.exe)
VAPswd.dll – Security Inspector weak password check component
VAOSOb.dll – Security Inspector Operating Systems Object check component.
VABrws.dll – Security Inspector Browser Check Component.
VAIM.dll – Security Inspector IM check component.
VAMngr.dll – Security Inspector Policy Manager Component.
VASrvs.dll – Security Inspector Services Check Component.
VAShrs.dll – Security Inspector Shares Check Component.
The first step to look for in this type of error is to check if the following Windows
Services are started:
• Server
• Workstation
• Netlogon
If the error continues to occur then make sure that proper policy settings
(Administrative rights) are set for the Windows account through which the user is
logged in. If the error continues to occur then you will need to uninstall and reinstall
Norton Internet Security.
All error messages starting with the module 5010 correspond to Security Inspector.
Other error messages that the users may come across with Security Inspector:
Intrusion Prevention monitors all inbound and outbound network activity and
identifies suspicious patterns that may indicate an attack from someone attempting
to break into or compromise a system.
Objectives
After you complete this unit, you will be able to do the following:
Intrusion Prevention does not scan for intrusions by computers in the Trusted
location. However, Intrusion Prevention does monitor the information that’s sent to
computers in the Trusted locations for signs of “zombies” and other remote control
attacks.
Norton Internet Security does not scan for intrusions by computers in your Trusted
zone. However, Intrusion Prevention does monitor the information that you send to
Trusted computers for signs of remote control attacks.
Excluding a signature will allow that specific type of data flow, making the computer
vulnerable. However, at times, there might be instances of false positives wherein,
actual data flow is blocked as a result of a signature match. In this case, excluding
that signature will not only allow the valid data flow to happen, but will also open a
vulnerability for the user.
The following link provides information on all the attack signatures of Intrusion
Prevention:
http://securityresponse.symantec.com/avcenter/nis_ids/
You can also unblock a computer that has been blocked by the AutoBlock feature; to
block the computer permanently, you can “Restrict” it.
One of the most common issues with Intrusion Prevention is reports of false
positives. A valid data communication can sometimes be detected as an attack
signature. This will in turn display an intrusion alert to the user. While this is not an
“issue”, it might be of concern to the user as it deals with an intrusion alert. To
overcome this, the attack signature needs to be excluded.
Other issues with Intrusion Prevention involve the feature’s functionality itself.
The following scenario provides an overview:
Solution 1: Make sure that the required services are started and running.
Make sure that all required Symantec services are running and are set to start
automatically. Also make sure that ccApp.exe is set to load at startup.
Solution 2: Make sure that the computer is not infected by any viruses.
Ensure that the computer is threat free by performing a virus scan, either a manual
scan using Norton AntiVirus or an online virus scan. Verify that all detected threats
are removed, then follow the procedure mentioned above to make sure the Symantec
services and ccApp.exe are enabled.
If no viruses are found, then to fix this issue, you will need to uninstall and reinstall
Norton Internet Security through Add/Remove Programs.
Overview
Description
The Fraud Site Protection feature of Norton Internet Security is designed to detect
fraudulent web pages and prompt users when they access them. The process of creating
fraudulent web pages to collect personal information is known as “phishing”. It is
characterized by attempts to fraudulently acquire sensitive information, such as
passwords and credit card details, by masquerading as a trustworthy business in an
apparently official electronic communication.
Objectives
After you complete this unit, you will be able to do the following:
Domain Analysis
Domain analysis is done to check the domain of the site that the user is currently
navigating. Trusted Brands host their websites on known domains. Sites hosted on
certain domains are more suspicious (free web hosting domains).
URL Analysis
URL analysis is done to check whether the URL being opened is a spoof of a valid URL.
URLs have a defined structure, for example:
http://<username>:<password>@hostname/path
Hackers often misspell the trusted brand name or misuse the fields to mislead their
victims. Examples:
http://www.e-bay.net/index.html (misspelled brand name)
http://cgi5.ebay.com@xyz.net (user-info field included in the URL; the actual host is
xyz.net)
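An added example, not the product’s own detection code, covering the Domain Analysis and URL Analysis checks described above: it reports a free-hosting registrable domain, a user-info field hiding the real host, a trusted brand name inside that user-info, and a look-alike brand domain such as e-bay.net. The brand table and free-hosting list are constructed, and the registrable-domain helper uses a two-label simplification rather than the real public-suffix rules.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Constructed lookup tables; the product's own data is not given on the page.
TRUSTED_BRANDS = {"ebay": "ebay.com", "paypal": "paypal.com"}
FREE_HOSTING_DOMAINS = {"geocities.com", "tripod.com", "freewebs.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification of public-suffix handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)

    # Domain analysis: trusted brands are not hosted on free web hosting domains.
    if reg in FREE_HOSTING_DOMAINS:
        findings.append("hosted on free web hosting domain")

    # URL analysis: everything before '@' is user-info, not the host. A brand name
    # placed there makes the address bar read like the brand while the browser
    # actually connects to the host after the '@'.
    if parts.username is not None or parts.password is not None:
        findings.append(f"user-info field present; real host is {host}")
        userinfo = f"{parts.username or ''}:{parts.password or ''}".lower()
        for brand in TRUSTED_BRANDS:
            if brand in userinfo:
                findings.append(f"trusted brand '{brand}' in user-info")

    # Misspelled or decorated brand in the registrable domain ('e-bay', 'ebay-secure').
    sld = reg.split(".")[0]
    squeezed = re.sub(r"[^a-z]", "", sld)        # 'e-bay' -> 'ebay'
    for brand, legit in TRUSTED_BRANDS.items():
        if reg == legit:
            continue                              # the genuine domain
        if squeezed == brand or brand in sld:
            findings.append(f"brand '{brand}' look-alike domain {reg}")
    return findings


if __name__ == "__main__":
    for sample in ("http://www.e-bay.net/index.html", "http://cgi5.ebay.com@xyz.net",
                   "http://signin.ebay.com/ws/eBayISAPI.dll"):
        print(sample, "->", analyze_url(sample) or ["no findings"])
```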
History Analysis
History Analysis is done to check the exact source of the site’s launch. If a site is
launched through a link from an email client, chances of this site being a phishing
site are more than a site being opened through the browser itself.
Content Analysis
Web forms - All spoof pages have forms that try to steal information from users.
Page elements - Hackers try to impersonate Trusted Brands via page elements.
Content -
• Text: Trusted Brand names; asking for personal information, etc.
• Images: copying Trusted Brand images such as logos, etc.
• Links: including links back to a Trusted Brand.
• Forms: If the page has a form that sends data to
o a trusted brand, then the site is more likely to be a legitimate site.
o a site that’s hosted on a free domain or any other spoofed domain.
Once these tests have been performed on a site, a final phase is invoked in which a
score is calculated from the results of the various detection modules. The scoring
configuration can assign a different value to each detection routine depending on
whether or not it detected its condition.
After the scoring algorithm is executed, the results are interpreted as Trusted,
Neutral, Phishing, or Cross-Site Scripting detected.
[Flowchart: User navigates to a site. Does it pass Domain Analysis, URL Analysis,
History Analysis, Content Analysis and Layout Analysis? Yes: the user is allowed to
view the page. No (suspicious): the server is checked for an updated verdict. If the
verdict is to allow, the user is allowed to view the page; if the verdict is to block,
the user is alerted and the site is blocked; the chart also shows a “No verdict
available” branch.]
After the installation of Norton Internet Security 2007, a Phishing Protection toolbar
appears in Internet Explorer which provides the status of the webpage currently
being displayed.
Clicking on the Green toolbar will display the status of Phishing Protection and will
also notify if the current open page is fraudulent.
Clicking on the Options menu provides two options. One to report a particular site as
a fraudulent webpage and the other for Help as shown below:
Once the Report site option is selected, a report site window appears containing the
URL of the web page currently being displayed, to be submitted to Symantec.
Objectives
After you complete this unit, you will be able to do the following:
However, it does not prevent the reading of our files and registry keys, so as not to
interfere with normal operations such as backup. Authorized applications have full
access, so they do not require any changes to continue to work.
The following authorization methods are used by Norton Internet Security 2007 to
authorize an application that can make changes to protected resources:
• Applications signed with a Symantec digital signature are free to access all
protected assets. This covers a great many legacy products; Intelligent Updaters and
all fix tools should also be signed.
• The product can register the name of authorized software, such as System Restore
or the Windows XP Backup program, %SystemRoot%\System32\Ntbackup.exe.
SymEvent is a kernel mode process. The kernel is the core of the operating system.
It is the piece of software responsible for providing secure access to the machine's
hardware and to various computer processes. Most applications do not run in kernel
mode. SymEvent can intercept calls to and from the applications and the kernel.
A flowchart of the order of events that follow an attempt to modify Symantec files is
shown below:
[Flowchart: of the chart, only the step “SPBBCSrv converts to an IBBEvent” and a
“No” branch survive.]
All the Symantec program folders, common folders and registry keys under the HKLM
and HKCR paths are protected. A list of protected resources is provided below:
SymProtect Files
File name – Description
Spbbcdrv.sys – SymProtect driver
The Message Center provides a categorical view of all logged events and makes it
easy to track and view the events and their details, including both the firewall
events and the AntiVirus events.
Description
The components of Norton Internet Security log all activities that they perform. The
Message Center provides the user with the ability to read and analyze this activity,
which includes events such as alerts, application activities and threat activities
that have occurred in Norton Internet Security 2007.
Objectives
After you complete this unit, you will be able to do the following:
Message Center stores all event data that is generated by Norton Internet Security.
This is achieved by common client files which monitor all event details that
components produce. The Message Center component is a generic log viewer that is
plug-in driven and provides a common user interface to display logged events,
including all of those listed above.
The following categories of information are available in the Message Center of Norton
Internet Security 2007:
Network Connections
This displays a history of all TCP/IP network connections made from or to this
computer. Connections are logged when the connection is closed. When you highlight
a connection, the Event Details Panel displays details about that particular
connection.
Intrusion Prevention
This displays information about the recent activity of the Intrusion Prevention
component. When you highlight an event, the Event Details Panel displays
information about the event, or activity, such as whether it has been activated, and
how many signatures it is monitoring.
Firewall log
This displays a list of events that are logged by the firewall. The Firewall logs are
best used when a specific program is having difficulty connecting to the Internet. It
can also be useful when there is no connectivity at all. Almost every entry in the
Firewall log can be configured through the Personal Firewall configuration window.
The only exception will be related to fragmented packets. When you encounter
fragmented packets, resolution must be obtained through other means than
configuring NIS.
Security Risks
This provides the user with details about all security risks detected by Norton
AntiVirus, including threats detected by Manual Scans, Auto-Protect, Email scanning
and IM scanning. The information provided about threats that were only partially
removed, or that were not deleted, is important in ensuring optimum security.
Manual Scans
This provides information about the various components that perform user-initiated
scans, such as context scans, IM scanning and Email scanning events. It provides
details of each scan entry, such as the number of files scanned and the infection
detection and removal details.
Quarantine Items
This contains a list of items that are quarantined either automatically or that have
been added manually. Also, the quarantined file could be submitted to the Symantec
Security Response through this console.
Submissions
This option displays in detail the files that are submitted to the Symantec Security
Response and the status of their submission. It also provides the details about the
file, the threat detected in it and the date and time the file was updated. This
information could be used by the customer to ensure that a suspicious file has been
sent to Security Response for analysis.
Following are the log files that are maintained by the log viewer:
Network connections
Displays a history of all TCP/IP network connections made with the computer.
Connections are logged when the connection is closed. When you highlight a
connection, the Event Details Panel displays details about that particular connection.
This is the category to look in when trying to determine if a customer suspects a
threat from a Trojan or hacker.
Firewall activities
Logs all the activities that are monitored by the Personal Firewall feature. Any data
traffic that’s assessed by the firewall along with any Internet-enabled application’s
attempt to connect to the Internet will be logged here. Using this log, technician’s
can identify which programs connected to the Internet (along with time stamps) and
to what ports the connection was established. This log also displays the type of
network / Internet connections that the computer might have established (provided
that connection was monitored by the Personal Firewall feature).
Intrusion Prevention
This displays the information about Intrusion Prevention activities. When you
highlight an event, the Event Details Panel displays information about the event, or
activity, such as whether it has been activated, and how many signatures it is
monitoring.
This category will show any attacks and their signatures if a customer believes they
have been attacked.
Service activities
Firewall alerts
Logs all the alerts that were shown by the Personal Firewall feature and also logs the
action that was taken by the user when the alert was shown.
Security risks
Logs the security threats identified and deleted by the Spyware Protection feature.
Protection activities
Logs the activities completed by protection features such as the Email Scanning and
Manual Scanning features of Norton AntiVirus.
Error messages
Logs the error messages that are generated by Norton Internet Security.
The log files provide a great level of detail about the activities performed by the
user. These include detailed statistics of the network traffic and the corresponding
firewall logs, which are of assistance in troubleshooting connectivity issues.
To read a particular log entry, choose it and click “More info” in the information
window on the right to view details of the selected event.
The detailed information view provides information about the actions that were
recommended and the actions that were performed by the user. A link to more
information about the particular log type being viewed is also available.
Information about each log type and its functionality is explained below:
Full history
The Full history view displays all log entries. Selecting an entry displays a brief
summary of it in the “Alert Details” window, and clicking “More details” displays
complete information about the event. The information provided for the events of each
feature is explained below.
Firewall Alerts
The window displays a list of alerts and events with their names, priority and
status.
In the case of an alert, the Alert Details displayed are the source of the alert, the
risk level of the source, the source and destination IP addresses and the traffic
description.
In the case of an event, it displays the event details, information about any IP
addresses involved and a description of the event. It also provides an option to
configure NIS to automatically perform an action, such as allowing or restricting
that particular event, when it occurs again.
Network Alerts
This displays the Alert details and information about any IP addresses involved and a
description of the event. Also it provides an option to configure NIS to automatically
perform an action such as to allow or restrict a particular event from occurring again
automatically.
The alert details window displays the risk name, type and any impact it has on the
computer. It also displays the component that detected the risk, which is either
“AutoProtect” or “Manual Scan”, and the recommended and performed actions. Finally,
it displays the file name, path and file information.
The advanced details window additionally provides the product name and version that
generated the alert, the component version and the internal definition version.
These are helpful in troubleshooting virus removal issues. It also displays a link to
the Symantec Security Response article corresponding to the threat, and general
information about viruses and Auto-Protect as provided in the Help files.
The results of a manual scan operation are different from the results of the other
scanning related log entries. The alert window displays all the information that the
advanced details provide, which is the component that initiated the scan. The Task
name for the scan and finally the time taken for the completion of the Scan in
seconds will also be displayed. In this, you can also view the results of that scan
which includes the number of
The event window displays the priority, title and removal status of the threat. The
alert details display the risk name and level, the threat category and the component
that placed it in quarantine. It also provides the state of the threat removal.
The advanced details window displays the risk type, eraser version and the internal
definition version, and provides a link to the corresponding Symantec Security
Response article about the threat.
From the advanced details window the threat can be sent to the Security Response
team, deleted permanently or restored.
Submissions
This Window displays a list of "submissions" and their priorities and names. The
details window displays details about the date the event was updated, the source
which updated the file and the description of the updated file.
7/30/2006 5:42:30 AM, The user has created a rule to "block" communications." The
user has created a rule to ""block"" communications. Outbound UDP packet. Local
address, service is (USER-LUU234NKJV,0). Remote address, service is
(symlab1.symlab.com,domain(53)). Process name is ""C:\Program Files\Internet
Explorer\iexplore.exe""."
Above is a typical entry of the Firewall activities log when a user blocks an
application’s attempt to access the Internet. Let’s analyze the entry by breaking it
into pieces:
• Date and Time: The first portion of the entry shows the date and time when
the user blocked the application.
• The next section is a synopsis of the rule, starting with the action by the user.
• Next is the type of communication. In this case it is an Outbound UDP
connection that is being blocked.
• The remote address is symlab1.symlab.com.
• The remote port to which the connection is being established is port 53.
• And the name of the application that’s attempting to connect to the Internet
is iexplore.exe (which is the executable of Internet Explorer)
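The walkthrough above, as an added example that is not part of the manual: a parser that takes the quoted Firewall activities entry and returns the same pieces (time stamp, rule action, direction and protocol, local and remote address/service, process). The doubled quotes in the exported entry are treated as the escaping of embedded quotes inside a quoted field; that reading of the format is an assumption, as is the optional service-name form `name(port)` accepted for both endpoints.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The Firewall activities entry quoted on the page, joined into one line.
PAGE_ENTRY = (
    '7/30/2006 5:42:30 AM, The user has created a rule to "block" communications."'
    'The user has created a rule to ""block"" communications. Outbound UDP packet. '
    'Local address, service is (USER-LUU234NKJV,0). Remote address, service is '
    '(symlab1.symlab.com,domain(53)). Process name is ""C:\\Program Files\\Internet '
    'Explorer\\iexplore.exe""."'
)

# Matches "(host,port)" or "(host,service(port))" as written in the log.
ENDPOINT = r"\(([^,()]+),(?:([A-Za-z][\w-]*)\()?(\d+)\)?\)"


@dataclass
class FirewallEvent:
    timestamp: str
    action: str               # "block" or "permit"
    direction: str            # "Inbound" or "Outbound"
    protocol: str             # "TCP", "UDP" or "ICMP"
    local_host: str
    local_service: Optional[str]
    local_port: int
    remote_host: str
    remote_service: Optional[str]
    remote_port: int
    process: str


def _need(pattern: str, text: str) -> "re.Match":
    """Search for a mandatory field; a missing field is a format error."""
    match = re.search(pattern, text)
    if match is None:
        raise ValueError(f"field not found: {pattern}")
    return match


def parse_firewall_entry(line: str) -> FirewallEvent:
    # The time stamp is everything before the first ", ".
    timestamp, _, rest = line.partition(", ")
    text = rest.replace('""', '"')          # undo doubled-quote escaping
    action = _need(r'rule to "(block|permit)"', text).group(1).lower()
    direction, protocol = _need(r"\b(Inbound|Outbound) (TCP|UDP|ICMP)\b", text).groups()
    lhost, lsvc, lport = _need(r"Local address, service is " + ENDPOINT, text).groups()
    rhost, rsvc, rport = _need(r"Remote address, service is " + ENDPOINT, text).groups()
    process = _need(r'Process name is "([^"]+)"', text).group(1)
    return FirewallEvent(timestamp, action, direction, protocol,
                         lhost, lsvc, int(lport), rhost, rsvc, int(rport), process)


if __name__ == "__main__":
    event = parse_firewall_entry(PAGE_ENTRY)
    print(f"{event.timestamp}: user rule '{event.action}' on {event.direction} "
          f"{event.protocol} from {event.local_host}:{event.local_port} to "
          f"{event.remote_host}:{event.remote_port} ({event.remote_service}) "
          f"by {event.process}")
```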
• Date and Time: The date and time when the connection was established.
• IP address (192.168.1.100 on port 1230): IP address of the user’s computer
and the local port through which the connection was initiated.
• Connection was established to the Yahoo website (68.142.197.71 through
http port 80).
0 bytes were sent, 0 bytes were received, and the total elapsed time was 0.062
seconds.
Explaining the Symantec Shared components in detail is not within the scope of this
manual. However, without explaining components like Activation and LiveUpdate, the
Norton AntiVirus manual would not be complete.
Here, we discuss how Norton AntiVirus uses the Activation and LiveUpdate components
to activate and update the product.
Objectives
Norton Protection Center reports on how safe it is for you to use your computer to
perform popular tasks. It groups your activities into five protection categories. Your
protection is based on the programs that you have installed. To improve your
protection status, ensure that your installed programs are up to date.
The Security Basics category includes programs that protect your computer from
viruses and other security risks, and ensures that the protection is updated
frequently. It reports on whether your disks have been scanned for viruses recently,
whether you have spyware protection, and whether you receive Windows updates
and antivirus updates automatically.
After the installation, a Norton Protection Center icon appears in the Windows
system tray; it shows the status of Norton AntiVirus.
LiveUpdate
LiveUpdate is a program through which a user can download virus definitions and
program updates. It is recommended to run LiveUpdate immediately after the
product’s installation, and frequently thereafter, to check whether any updates have
been released for the installed product. The version of LiveUpdate that ships with
Norton AntiVirus 2007 is Version 3.1.
Also, note that the user needs to have a valid subscription in order to download the
updates through LiveUpdate.
LIVEUPDATE
AUTOMATIC LIVEUPDATE
SYMEVENT INSTALLER - CONSUMER
COMMON CLIENT CORE
COMMON CLIENT CORE RESOURCE
SYMANTEC SECURITY SOFTWARE
DECOMPOSER
IDS
SYMNET CONSUMER
APPCORE
NORTONPROTECTIONCENTER
Description
• Anti-Spam
• Parental Control
• Confidential Information Blocking
• Ad Blocking & Pop-up Blocking
The Bonus Pack will be available on the NIS 2007 CD. However, this package will be
available only 30 days after release.
LiveUpdate
Bonus Pack will be delivered as an optional bundle through LiveUpdate as well. It will
be available as a download through LiveUpdate for a period of 60 days after the
2007 release.
If some customers have trouble with the LiveUpdate download, or if they declined
the download the first time, they can choose to download it from the website.
Third - Through CD
This will not be a main delivery method. It’s meant only for customer support reps to
handle complaints.
AntiSpam
The Norton AntiSpam feature monitors incoming POP mail for spam and filters /
isolates all spam mails.
Privacy Control
Ad Blocking
Parental Control allows parents to control which websites may be opened, based on
the user account type.
Appendix A: Acronyms
DLL – A Dynamic Link Library is a collection of shared libraries in Microsoft
Windows. These libraries usually have the file extension .DLL. The code in a DLL is
usually shared among all the processes that use the DLL.
Remote Registry – Remote Registry is a Windows registry editor that displays the
registry for a remote device and enables you to add, delete, and modify registry keys
and entries remotely over a network or Internet.
GUID- A GUID is a 128-bit integer (16 bytes) that can be used across all computers
and networks wherever a unique identifier is required. Such an identifier has a very
low probability of being duplicated.
Service Pack- A Service pack is the means by which product updates, fixes and/or
enhancements are distributed. Service packs may contain updates for system
reliability, program compatibility, security, and more. All of these updates are
conveniently bundled for easy downloading.
AutoRun – AutoRun is the ability of the operating system to automatically take some
action, or the default action, upon the insertion of removable media such as a
CD-ROM, DVD-ROM, or flash media. This feature can be bypassed by holding down the
Shift key as the media is inserted.
Protocol – A method or predefined set of rules by which two dissimilar systems can
communicate.
Hosts – The hosts file is used to look up the Internet Protocol address of a device
connected to a computer network. It provides a mapping of device names to IP
addresses. When accessing a device by name, the networking system will first attempt
to locate the name within the hosts file; this is used as the first means of locating the
address of a system, before consulting the Internet domain name system.
IIS – Internet Information Services is Microsoft's Web server that runs on
Windows NT platforms. It is tightly integrated with the operating system and is
relatively easy to administer.
TCP – Transmission Control Protocol is one of the core protocols of the Internet
protocol suite. Using TCP, applications on networked hosts can create connections to
one another, over which they can exchange data or packets. The protocol guarantees
reliable and orderly delivery of data from the sender to the receiver.
IP- The Internet Protocol (IP) is a data-oriented protocol used for communicating
data across a packet-switched internetwork. It is a network layer protocol and is
encapsulated in a data link layer protocol. As a lower layer protocol, IP provides a
unique global addressing amongst computers.
MAC address – A Media Access Control address is a unique identifier assigned to a NIC
and other networking equipment. Most network protocols use one of three
numbering spaces managed by the IEEE: MAC-48, EUI-48, and EUI-64, which are
designed to be globally unique. A computer in the network can be identified by using
its MAC and IP address.
SMTP - Simple Mail Transfer Protocol is the protocol used to send mail between
servers and to send mail from your client to a mail server.
FTP - File Transfer Protocol is the language used for file transfer from computer to
computer across a network such as the Internet.
Telnet – TELNET is a network protocol used over the Internet or over a local area
network (LAN) connection. It is used to provide user-oriented command line login
sessions between hosts on the Internet. The name is derived from the words telephone
network, since the program is designed to emulate a single terminal attached to the
other computer.
Loopback - A diagnostic test that returns the transmitted signal back to the sending
device after it has passed through a network or across a particular link. The returned
signal can then be compared to the transmitted one. The discrepancy between the
two helps to trace the fault.
‘I can connect to the Internet only if I first disable Norton Internet Security
or Norton Personal Firewall’
Document ID: 2005091311192136
http://service1.symantec.com/Support/nip.nsf/docid/2005091311192136
The SymNCTS.exe tool checks for the following criteria and changes the condition if
any of the criteria matches:
• Checks the program and version numbers - If the program is 2005 and the
version is less than 8.0.5, the Troubleshooter runs LiveUpdate to download
the latest updates.
• Checks the date of the Trusted Program List. (The Trusted Program List is a
list of programs that Symantec has determined are safe.) - If the Trusted
Program List is not the most recent, the Troubleshooter gives the choice to
try to update it.
• Reviews the current firewall program rules - If a block rule exists, the
Troubleshooter compares the blocked program with the programs on the
Trusted Program List. If the blocked program is on the Trusted Program List,
the Troubleshooter changes the firewall rule to either Automatic or Permit All.
• Creates a log that tracks what the Troubleshooter does. The log is stored in
the Windows %temp% folder. The log file name includes the date and time,
and is similar to the following: SymNCTS 12-30-2005 10h46m51s.log
Program Control rules – Removes all programs from the Program Control list.
Network locations – Clears the entries in the Trusted and Restricted zones.
Firewall rules – Removes all the user-created rules and restores the default firewall
rules.
Rnav2003.exe
Rnav2003.exe is a utility that removes Norton AntiVirus 2003 and earlier versions.
The installation of Norton AntiVirus 2007 automatically removes Norton AntiVirus
2004, 2005 and 2006 if they are present on the computer. If a 2003 version is
installed, the user will need to remove it manually, preferably with the Rnav2003.exe
tool. The following knowledge base article provides more information on
downloading this tool:
RnisUPG.exe
RnisUPG.exe is used to remove Norton Internet Security 2003 and earlier versions.
The following article provides more information on RnisUPG.exe:
While using this tool, make sure that you remove only Symantec-related entries (if
you plan to re-install the product). Removing entries related to other programs may
require a reinstallation of those programs. Use caution with this tool, particularly
when selecting entries in the Cleanup window. The cleanup tool can be downloaded
from the following link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
The start of the log is easy to find. It is at the beginning of the file. Even though
this is a simple thing, we can still obtain important information from the beginning.
Example:
=== Verbose logging started: 02/10/2005 12:52:58 Build type: SHIP UNICODE 2.00.2600.1183 Calling process: C:\DOCUME~1\jeanne\LOCALS~1\Temp\NAV\NAVSetup.exe ===
The top line of the log contains the date and time that the logging started, which can
be used to compare this log with others that may be found on a particular machine.
In addition, the initial installation process is called which initiates an installation or
uninstall. The path to this process is also very telling in that it can indicate the
product that is being installed, and the layout as well.
• Processes called from a specific drive path OTHER than the root drive
usually suggest a CD installation:
=== Verbose logging started: 21-02-04 15:10:59 Build type: SHIP UNICODE 2.00.2600.1106 Calling process: E:\symsetup.exe ===
• Processes originating from a temp directory are often a result of an
ESD installation:
=== Verbose logging started: 02/10/2005 12:52:58 Build type: SHIP UNICODE 2.00.2600.1183 Calling process: C:\DOCUME~1\jeanne\LOCALS~1\Temp\NAV\NAVSetup.exe ===
The product lines identify which package or product is being installed or uninstalled.
We will see the importance of this in our troubleshooting section. The product line
indicates which MSI packages are being called during the installation or uninstall
process. There are two forms for this. The first is by product or package name, and
******* Product: C:\DOCUME~1\jeanne\LOCALS~1\Temp\NAV\Support\MSRedist\MSRedist.MSI
Each MSI package will have a variety of routine and custom actions that it
performs during the installation process. In most cases, when an MSI package is
being called by its name, it will be performing an installation action. When an MSI
package is called by its GUID, it will be performing an uninstall action. This is not
always the case, but generally, this is a good convention that represents a majority
of the logs that are created when installing or uninstalling Symantec products.
A typical MSI log file will contain entries starting with MSI (c), MSI (s) or MSI (n)
followed by the action that took place during the installation at that point of time.
Let’s now discuss some of the key entries of a typical MSI log file:
MSI (c) – Denotes an operation that’s taking place in the client engine (NAVSetup).
MSI (s) – Denotes an operation happening in the Windows Installer service.
MSI (n) – Denotes a nested installation activity.
Note
The 4-digit number that follows the “Note” string is the code for the action that
follows. At times this number can be used to look up information on the Microsoft
website to determine the exact action that took place. If an error occurs during the
installation, the error message will contain the same 4-digit code.
Return Values
Every action that’s performed during the setup is noted in the log file, and the
completion of each action is logged as a “Return Value”.
Return Value 2: Indicates that the user aborted, or instructed the installer to cancel,
the installation.
Return Value 3: Indicates a failed install action. This is the key value to look for
while troubleshooting.
Any errors that occur during the processing of this script will be returned at the end
of the action. This is important to note, as these customer scripts are often long and
detailed, and any error will cause a failure. It’s important to note that the failure is
not in the InstallFinalize action itself, but a more specific action that has been called
earlier and has returned an error.
While reading an MSI log file for errors, it is good practice to search for errors from
the bottom of the document. Go to the end of the log and search upward for the
“Return Value 3” string. If there is a Return Value 3 entry in the log, analyze the
lines just above it for the actual cause of the failure. The resolution for the
installation issue depends on the cause of the failure.
In the above Norton AntiVirus log, the installation encountered an error while
trying to install a file (in this case msvcp71.dll). We also understand from this log
that the installation was being done from the hard drive and not a CD-ROM, as
the file’s (msvcp71.dll) path is shown as Desktop. The error occurred in this
installation because the file was absent from the source. The error “System error 3.
Verify that the file exists and that you can access it.” clearly confirms this.
The solution in this case would be to make sure that the product source is complete
and has all the required files and folders.
In the example, we see that the action that failed was UpdateEncCCVer_Rol. We
also see that this action failed due to “Error 1722: There is a problem with this
Windows Installer package.” In this instance, we would expect to see an Error 1722
during the installation process. As noted earlier, in the section on the structure of the
install log, this error is within the MSI message line. This will be the most common
case when a specific install error is returned. However, there are certain custom
actions within the SymSetup sequence where the error is the return value itself.
After you have determined which action failed, the next step is to identify which
package failed. Having identified the specific action that failed, search for
“source type from package”, making sure that you search upward in the document.
This ensures that you identify the package that was being run for the particular
failed action. As we can see from the example below, the package that failed in this
case was ccCommon.msi.
The most important pieces of information that you can obtain from the installation
log files are the steps towards resolution. In some instances, what is needed for
resolution can be difficult to determine; in others, it can be quite simple. The types
of failures we will look at are error-coded failures, action failures, and package
failures.
Error codes
Whenever we obtain an error-coded failure, we can consult the Microsoft Developer
Network (MSDN). A list of base installer codes can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/msi/setup/error_codes.asp and a list of Installer errors can be obtained at
http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/msi/setup/error_codes.asp. Although these are comprehensive lists of installer
codes and errors, the documents published in the Microsoft Knowledge Base and on
MSDN will not always point to the proper resolution.
It is necessary to always look at the 10-20 lines above an installer error to
locate “Notes.” In the examples in the previous section, we saw an error 1722,
which is an installer error, that had a Note of 1402, another installer error, relating
to a specific registry key. When we consult the MSDN website, we see that 1402 is
related to key permissions. So, in this instance the resolution would come from adding
permissions on the referenced key for the administrative/power user that is
attempting the installation. This can occur even when the logged-in user is already a
member of the Administrators group, or when logged in as the Administrator account
itself.
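The following Python script is an added example, not part of the course material, that applies the log-reading procedure described above (header line, Return Value 3, package lookup, and the Notes above an error) to a constructed MSI verbose log. It reads the header and applies the course's path rule of thumb (temp directory suggests ESD, non-root drive suggests CD), walks upward from the bottom for "Return value 3" entries, picks out the specific failed action rather than the containing INSTALL step, collects the Note and Error codes in the lines above it, and searches upward for the "Source type from package" line to name the package. The sample log lines, thread ids, registry key and package names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of a Windows Installer verbose log; the
# timestamps, thread ids, paths and registry key are made up for this example.
SAMPLE_LOG = r"""
=== Verbose logging started: 02/10/2005 12:52:58 Build type: SHIP UNICODE 2.00.2600.1183 Calling process: C:\DOCUME~1\jeanne\LOCALS~1\Temp\NAV\NAVSetup.exe ===
MSI (c) (A8:1C) [12:52:58:781]: ******* Product: C:\DOCUME~1\jeanne\LOCALS~1\Temp\NAV\Support\MSRedist\MSRedist.MSI
MSI (s) (C4:78) [12:53:02:109]: Source type from package 'MSRedist.MSI': 2
MSI (s) (C4:78) [12:53:05:000]: Doing action: InstallFiles
Action ended 12:53:06: InstallFiles. Return value 1.
MSI (s) (C4:78) [12:53:08:203]: Source type from package 'ccCommon.msi': 2
MSI (s) (C4:78) [12:53:10:171]: Doing action: UpdateEncCCVer_Rol
Action start 12:53:10: UpdateEncCCVer_Rol.
MSI (s) (C4:78) [12:53:10:187]: Note: 1: 1402 2: UNKNOWN\Components\ExampleKey 3: 5
Error 1722. There is a problem with this Windows Installer package.
MSI (s) (C4:78) [12:53:11:000]: Product: Norton AntiVirus -- Error 1722. There is a problem with this Windows Installer package.
Action ended 12:53:11: UpdateEncCCVer_Rol. Return value 3.
Action ended 12:53:11: INSTALL. Return value 3.
=== Verbose logging stopped: 02/10/2005 12:53:12 ===
""".strip().splitlines()

HEADER_RE = re.compile(
    r"^=== Verbose logging started: (?P<started>.+?) Build type: (?P<build>.+?) "
    r"Calling process: (?P<process>.+?) ===$")
# "Return Value 3" is matched case-insensitively; real logs write "Return value 3."
ACTION_END_RE = re.compile(
    r"^Action ended \S+: (?P<action>\S+)\. Return value (?P<rv>\d+)\.", re.I)
NOTE_RE = re.compile(r"Note: 1: (\d+)")
ERROR_RE = re.compile(r"\bError (\d{4})\b")
PACKAGE_RE = re.compile(r"Source type from package '(?P<pkg>[^']+)'", re.I)


@dataclass
class Header:
    started: str   # date and time logging started
    build: str     # installer build type and version
    process: str   # calling process path
    origin: str    # the course's guess at the installation source


def classify_origin(process_path: str) -> str:
    """The course's rule of thumb for the calling-process path."""
    p = process_path.lower()
    if "\\temp\\" in p or "\\locals~1\\" in p:
        return "ESD (temp directory)"
    if not p.startswith("c:\\"):
        return "CD (non-root drive)"
    return "local disk"


def parse_header(lines: List[str]) -> Optional[Header]:
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            return Header(m["started"], m["build"], m["process"], classify_origin(m["process"]))
    return None


@dataclass
class Failure:
    line_no: int             # 1-based line of the innermost "Return value 3"
    action: str              # the specific action that failed
    parents: List[str]       # containing actions that also returned 3, bottom-up
    package: Optional[str]   # nearest "Source type from package" above the failure
    note_codes: List[int]    # 4-digit Note codes in the lines above the failure
    error_codes: List[int]   # "Error NNNN" codes in the lines above the failure


def find_failure(lines: List[str], context: int = 20) -> Optional[Failure]:
    """Walk upward from the bottom collecting 'Return value 3' entries. The
    earliest one is the specific action that failed; the later ones are the
    containing actions (InstallFinalize, INSTALL) reporting the same failure."""
    hits = []
    for i in range(len(lines) - 1, -1, -1):
        m = ACTION_END_RE.match(lines[i])
        if m and m["rv"] == "3":
            hits.append((i, m["action"]))
    if not hits:
        return None
    idx, action = hits[-1]
    above = lines[max(0, idx - context):idx]
    notes = [int(n) for line in above for n in NOTE_RE.findall(line)]
    errors = list(dict.fromkeys(int(e) for line in above for e in ERROR_RE.findall(line)))
    package = next((m["pkg"] for m in map(PACKAGE_RE.search, reversed(lines[:idx])) if m), None)
    return Failure(idx + 1, action, [a for _, a in hits[:-1]], package, notes, errors)


if __name__ == "__main__":
    print(parse_header(SAMPLE_LOG))
    print(find_failure(SAMPLE_LOG))
```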
Using the Windows Event logs, a user can check all the events that occur on the
computer, whether or not a user was logged on at the time. Information about the
computer’s hardware / software or an application crash can also be gathered through
the Windows event logs.
1. Click Start
2. Click Control Panel
3. Click Performance and Maintenance
4. Click Administrative Tools
5. Double-click Event Viewer.
• Application log
• Security log
• System log
Application log
System log
The system log contains all entries related to the operating system components.
Information on drivers that fail to load or any system service that fails to start will be
logged here.
Security log
The Security log records successful and unsuccessful login attempts. It also logs
attempts to access a restricted file / folder, etc.
Error
An error event records a loss of functionality. If a specific file or program fails to load
(either manually or automatically), the event is termed an error, as there is an
interruption to the normal behavior. These types of “Error” events are recorded in the
Application log as Error.
Warning
Any event that may cause a problem in the future is a candidate for a Warning type of
log entry, for example Low Disk Space.
Information
Success Audit
Failure Audit
Orca is a utility created by Microsoft to give software developers the ability to view
the information in an MSI installation package. To obtain Orca, either download the
Orca.msi file from Microsoft, or install the Microsoft Software Developers Kit and
then install Orca from it. Information on how to obtain and install Orca can be found
in the following Microsoft Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;255905
The primary developer use for Orca is to edit MSI files. However, it can be an
invaluable support tool for viewing these files as well. To use Orca to view the
content of an .msi file, locate the file in question and right-click on it. Orca
installs a context menu handler that lets you choose “Edit with Orca.” This
opens the Orca editor and displays all of the information contained within the
.msi file in question.
There is a large amount of information that can be found by using Orca. Not all of
this information is useful for troubleshooting purposes. Therefore, we will only
concentrate on the items necessary to aid with our troubleshooting.
SymNestedInstaller Table
The first section to look at is the SymNestedInstaller table within the product’s .msi
file, which gives us the following information: product codes, installation path, the
type of installation (executable or MSI script), and the order of installation. In this
example, we are looking at the NSW.msi file. This is the “parent” MSI file for the
Norton SystemWorks product. It lists all of the other installation packages that will
be launched and run during the installation process. For our purposes in this
document, as outlined below, we are concerned with the installation path, the install
type, and the order.
CustomAction Table
The installation log file will contain every action that is outlined by the .msi file.
These are located within the CustomAction table in Orca. In the example below
we can see several of these actions, such as RollBackStuff, Upgrade,
EnableOBC, etc. In analyzing an installation log file, we would expect to see
instances of every single action listed in this table.
All of the custom actions that are listed above will be found at some point, during the
actual installation sequence.
InstallExecuteSequence Table
The Property Table can be used to obtain the ProductCode and UpgradeCode for any
MSI package, as shown below.
The ProductCode and UpgradeCode are important to note in case a removal was not
completed. The ProductCode is sometimes the sole means of identifying the
Uninstall keys. These are located in the registry at HKEY_LOCAL_MACHINE\
Software\Microsoft\Windows\CurrentVersion\Uninstall. The UpgradeCodes are
located in the registry at
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\ (for Windows
98, Me and 2000) and
HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\ (for Windows
XP).
The MSI Log Analyzer is a utility that is used to analyze reports generated from the
Windows Installer log files. This is of great assistance in troubleshooting installation
issues.
The Windows Installer Verbose Log Analyzer lets users select a log file for
analysis. Once a log file is open, it provides a preview of the log file; when the
Analyze button is selected, it provides a detailed view of the log file and options
to debug it.
For further information on the MSI Log Analyzer, please refer to the MSDN
documentation of the Tool:
http://msdn.microsoft.com/library/en-us/msi/setup/wilogutl_exe.asp
The Debughlp.exe tool needs to be run before installing the Norton program so that
the debugger can track and log the MSI activities. Unlike MSI log files, logging
through DebugHlp.exe is done per module. Once debugging is enabled, the logs are
saved in the C:\Symlogs folder. To use the DebugHlp tool:
1. Click Start
2. Click Run
3. Drag and drop DebugHlp.exe into the Run box
4. Enter the switch to start debugging and press the Enter key.
5. Logging starts.
/Debugon
This switch enables logging and starts creating logs in the Symlogs folder.
/DebugOff
/DebugOnOff
Enables and disables debugging instantly. This switch is used to log instant activities.
/Runconfigwiz
Each log file holds the install information for that specific module. In case of an error,
the verbose logging will give information about that specific error and the cause of
the error.
If the debugger is enabled while the Norton program is running, it logs debug
information related to all activities. Any feature-based error message can be
tracked by looking into the log that corresponds to that feature.
Debughlp.exe also logs the updates that LiveUpdate downloads and installs. The
information on update logging is held in Spa.log.
It uses standard Windows security APIs to populate its list view with read, write and
deny access information. This information can be very useful in troubleshooting
installation or usage issues while using Norton applications.
http://www.sysinternals.com/Utilities/AccessEnum.html
With this, you can verify that the User has sufficient permissions to read and write
the ROOT directories and registry keys to ensure that all files can be read and
written to by both the User and the Norton Program started by the user.
Process Explorer
Process Explorer is a tool that shows complete information about a process,
including which handles and DLLs that process has opened.
It also has a search capability that quickly shows you which processes have a
particular handle open or DLL loaded.
The display consists of two sub-windows. The top window shows a list of the
currently active processes, including the names of their owning user accounts. The
information displayed in the bottom window depends on the mode that Process
Explorer is in, which can be either of the two:
Handle Mode
If the bottom Window is in the handle mode you can see the handles that the
process selected in the top window has opened.
DLL Mode
If Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that
the process has loaded.
http://www.sysinternals.com/Utilities/ProcessExplorer.html
Most of the Access Denied error messages that you get can be diagnosed and
troubleshot using Process Explorer and AccessEnum. For more details on Access
Denied errors, please read the document from Microsoft:
http://support.microsoft.com/kb/q245068/
The maximum number of hops is 30 by default and can be specified using the -h
parameter.
-j HostList : Specifies that Echo Request messages use the Loose Source Route
option in the IP header with the set of intermediate destinations specified in HostList.
With loose source routing, successive intermediate destinations can be separated by
one or multiple routers. The maximum number of addresses or names in the host list
is 9. The HostList is a series of IP addresses (in dotted decimal notation) separated
by spaces.
-w Timeout : Specifies the amount of time in milliseconds to wait for the ICMP Time
Exceeded or Echo Reply message corresponding to a given Echo Request message to
be received. If not received within the time-out, an asterisk (*) is displayed. The
default time-out is 4000 (4 seconds).
Further Information about the utility can be obtained at the “Tracert” page of the
Windows XP documentation. A link for the same is provided below:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-
us/tracert.mspx?mfr=true
This tool can be used to determine the path traversed while trying to access a
Website.
InstallRite Scan
After running the initial scan, you install the program on the machine. Then you
perform another scan of your machine’s hard drive, and any changes reported
compared to the initial scan are considered to be part of the software installation.
When it is finished, you get a complete image of the trace left by an installation
package.
The “Export details to HTML” and “Export detail to TEXT” option can be used to get a
copy of the log from the customer’s computer.
The files that are added during the installation of the program
You can view the added, modified and deleted registry keys
http://www.epsilonsquared.com/anonymous/InstallRite25.exe
HijackThis
This section will provide you a brief overview on the HijackThis tool. After you
complete this section, you will be able to do the following:
HijackThis scans all the load points and displays the contents or values that are
stored in them. It also shows the Processes that run in the background when the tool
is run. While HijackThis displays the values and data present in the load points, it is
up to the user to decide which program or file is malicious and which is valid. Once a
file or a program has been identified as illegitimate or malicious, it can be easily
deleted through the tool. The HijackThis tool itself cannot differentiate between a
legitimate and an illegitimate program. There are various ways of differentiating a
legitimate program from an illegitimate one, which will be covered in a later section.
Let’s now have a look at the tool itself.
http://www.hijackthis.de
Note: Extract the downloaded zip file and save HijackThis.exe in a folder.
Double-clicking on the tool should open a screen with several options. To analyze all
load points and running tasks, click on the “Do a System Scan and Save log file”
button. Clicking on this button should open a screen similar to the one shown below:
HijackThis also creates a log file for the user’s convenience so that it can be sent
across to an expert (or a technician for an analysis).
Once the log file has been obtained, it can either be analyzed manually or can be
pasted on the HijackThis website (www.hijackthis.de) for automatic analysis.
Note: Before deleting a file through HijackThis, make sure that the file / program is
malicious.
By analyzing the log / results, browser hijackers and hosts file redirections can also be
countered. To remove a hosts file entry, simply place a check mark next to the O1
value(s) and click the “Begin Fix” button. Do not remove entries in the hosts file that
may have been intentionally added by systems administrators.
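As an added example that is not part of the course, the Python script below reads a hosts file the way a support rep reads HijackThis O1 entries: loopback or 0.0.0.0 mappings only block a name, entries on an administrator's allowlist are kept, and anything else that redirects a name to a real address is reported for review. The sample hosts file, its addresses, host names and the allowlist are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample hosts file: the default loopback line, a blocking entry,
# an entry an administrator added on purpose, and redirections of update hosts
# to a non-loopback address (the kind of O1 entry HijackThis lists). Names and
# addresses are made up; 192.0.2.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net            # blocked on purpose
10.0.0.5        intranet.example.local     # added by IT
192.0.2.44      liveupdate.example-vendor.com
192.0.2.44      www.example-vendor.com  update.example.org
"""

# Entries known to be intentional, as name -> address (constructed allowlist).
ADMIN_ENTRIES: Dict[str, str] = {"intranet.example.local": "10.0.0.5"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    name: str
    verdict: str   # "loopback", "admin" or "suspicious"


def classify(address: str, name: str, admin: Dict[str, str]) -> str:
    ip = ipaddress.ip_address(address)
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"      # blocks the name rather than redirecting it
    if admin.get(name) == address:
        return "admin"         # intentional entry, do not remove
    return "suspicious"        # name redirected to a real address: review it


def parse_hosts(text: str, admin: Dict[str, str]) -> List[HostsEntry]:
    """One HostsEntry per name, so a line with several names yields several."""
    entries: List[HostsEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if len(fields) < 2:
            continue
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue   # not an "address name" line
        for name in fields[1:]:
            entries.append(HostsEntry(n, address, name, classify(address, name, admin)))
    return entries


def o1_report(entries: List[HostsEntry]) -> List[str]:
    """Suspicious mappings rendered in the style of HijackThis O1 lines."""
    return [f"O1 - Hosts: {e.address} {e.name}" for e in entries if e.verdict == "suspicious"]


if __name__ == "__main__":
    for line in o1_report(parse_hosts(SAMPLE_HOSTS, ADMIN_ENTRIES)):
        print(line)
```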
Miscellaneous Tools
There are several Miscellaneous Tools available in HijackThis that can be used for
advanced troubleshooting. The following section provides an overview of the
advanced HijackThis options:
Process Manager
Process Manager is a Task Manager like tool that shows all running tasks along with
their paths and Process IDs. Information about DLL file dependencies can also be
viewed by clicking the “Show DLLs” check box.
This option opens a small hosts file editor to remove / modify the hosts file entries.
A file specified through this option will be deleted upon the next system restart. This
option can be ideally used if a user is unable to delete a file that’s in use or is
running in the background.
Delete an NT service
Uninstall Manager
Remove entries from the Add/Remove Programs list using this feature. This option
can be used to remove an entry that is left behind in the Add/Remove Programs list
even though the program has been uninstalled.
The main use of the HijackThis tool is to identify malicious programs and eliminate
them. Use of this tool needs to be controlled and restricted to an appropriate
environment. Do not delete a file or a program through HijackThis if you are
unsure whether it is illegitimate. Always consult a Supervisor or a lead before doing so.