
Symantec Norton Internet Security 2007

Course Guide
Support Readiness Training

July 24, 2006

Supporting Norton Internet Security 2007 1


Supporting Symantec Norton Internet Security 2007
July 24, 2006

Copyright Notice
Symantec and the Symantec logo are U.S. registered trademarks of Symantec
Corporation. Other brands and products are trademarks of their respective
holder/s. Copyright © 2005 Symantec Corporation. All Rights Reserved. Any
technical documentation that is made available by Symantec Corporation is the
copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS, and
Symantec Corporation makes no warranty as to its accuracy or use. Any use of the
technical documentation or the information contained therein is at the risk of the
user. Documentation may include technical or other inaccuracies or typographical
errors. Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written
permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino,
CA 95014.
Authorized Symantec courseware materials contain a yellow Symantec watermark
on the front side of each page. Use of unauthorized courseware materials is strictly
prohibited and should be reported to Symantec Corporation immediately.

Trademarks
Symantec, the Symantec logo, Intruder Alert, NetProwler, Raptor, VelociRaptor,
Symantec Desktop Firewall, Symantec Enterprise VPN, Symantec Enterprise
Firewall, Symantec Ghost, Symantec pcAnywhere, RaptorMobile, NetRecon,
Enterprise Security Manager, NAV, Norton Anti Virus, Symantec System Center,
Symantec Web Security, Mail-Gear and I-Gear are trademarks of Symantec
Corporation.
Windows is a registered trademark of Microsoft Corporation. Pentium is a registered
trademark of Intel Corporation. Other product names mentioned in this manual
may be trademarks of their respective companies and are hereby acknowledged.



Course overview
Course description

This is a training program to support the latest release of Norton Internet Security. It
is estimated that this training will be a three-day, instructor-led, hands-on program
designed for the global technical support organizations.

The Norton Internet Security 2007 course is divided into eleven sections. The
instructor's lecture is followed by lab exercises in which students apply knowledge
gained throughout the course.

Intended audience

This course is intended for those who have responsibility for supporting, installing,
and configuring Norton Internet Security.

Course prerequisites

It is assumed that the following prerequisites have been met:


• Students have a working knowledge of Microsoft Windows operating systems.
• Students have a working knowledge of computer security practices and
software.
• Students have read the Norton Internet Security 2007 User’s Guide.

Course objectives

After you complete this course, you will be able to do the following:
• Install Norton Internet Security 2007
• Understand the install-over matrix for Norton Internet Security 2007
• Troubleshoot installation of Norton Internet Security 2007
• Identify the components of Norton Internet Security 2007
o Personal Firewall
o Intrusion Prevention
o Norton AntiVirus
o Security Inspector
• Understand techniques for troubleshooting Norton Internet Security 2007
issues
• Monitor Norton Internet Security activities via reporting section
• Understand the Symantec shared components used in Norton Internet
Security 2007
o SymProtect
o Norton Protection Center
o Activation
o Subscription
o LiveUpdate



Unit 1: Introduction to Norton Internet Security 2007.........................
Overview......................................................................................................06
Introduction to Online threats..........................................................................07
What is new to Norton Internet Security 2007? .................................................10
Summary.....................................................................................................11

Unit 2: Installing Norton Internet Security................................................


Overview......................................................................................................12
System Requirements....................................................................................13
Installation Options........................................................................................14
Installation Features......................................................................................21
Key file and Registry locations.........................................................................25
Component Installation..................................................................................26
Installation Technologies................................................................................27
Installation Screenshots.................................................................................28
Troubleshooting Installation............................................................................32
Differentiating between an installation and a configuration issue..........................35
Summary.....................................................................................................36

Unit 3: User Interface……………………………………………………………………….......


Overview......................................................................................................37
New Features................................................................................................38
UI dependencies / Internal enhancements.........................................................42
Summary.....................................................................................................43

Unit 4: Norton AntiVirus…………………………………………………………………………...


Overview......................................................................................................44
Introduction to Norton AntiVirus......................................................................45
Features of Norton AntiVirus...........................................................................46
Summary.....................................................................................................48

Unit 5: Personal Firewall…………………………………………………………………………..


Overview......................................................................................................49
How Personal Firewall works?..........................................................................50
Personal Firewall drivers.................................................................................51
Functions of Personal Firewall..........................................................................54
Firewall Alerting mode....................................................................................54
Program Control............................................................................57
Network Locations.........................................................................................60
Personal Firewall Advanced options..................................................................65
Troubleshooting Personal Firewall....................................................................78
Firewall data filtering hierarchy........................................................................81
Summary.....................................................................................................83



Unit 6 Security Inspector.............................................................................
Overview......................................................................................................84
What Security Inspector does?........................................................................85
Basic Scan....................................................................................................86
Advanced Scans............................................................................................88
Security Inspector Screenshots........................................................................89
Security Inspector files...................................................................................91
Troubleshooting Security Inspector..................................................................92
Summary.....................................................................................................93

Unit 7 Intrusion Prevention..........................................................…………….


Overview......................................................................................94
How Intrusion Prevention works?.....................................................................95
Intrusion Preventions options and configuration.................................................96
Troubleshooting Intrusion Prevention...............................................................99
Summary....................................................................................................100

Unit 8 Phishing Protection…………………………………………………………………………


Overview....................................................................................................101
What Phishing Protection does?......................................................................102
How Phishing Protection works?.....................................................................102
Phishing Protection files and their functions.....................................................104
Phishing Protection Options and Configuration................................................. 104
Summary...................................................................................................106

Unit 9 SymProtect........................................................................................
Overview.....................................................................................107
What SymProtect does?................................................................................108
How SymProtect works? ...............................................................................109
Summary....................................................................................................111

Unit 10 Message Center...............................................................................


Overview....................................................................................................112
What Message Center does? .........................................................................113
Norton Internet Security activities..................................................................114
Norton AntiVirus activities.............................................................................115
Activity logs................................................................................................116
What Activity Logging does? .........................................................................116
Reading Norton Internet Security Logs............................................................118
Analyzing the logs........................................................................................121
Summary....................................................................................................122

Unit 11 Symantec Shared components…………………………………………….......


Overview....................................................................................................123
Activation...................................................................................................124
Norton Protection Center..............................................................124
LiveUpdate..................................................................................................125
Summary....................................................................................................127

Unit 12 XP-Bonus Pack................................................................................


Overview....................................................................................................128
How to obtain the XP Bonus Pack...................................................................129
Features of the XP Bonus pack.......................................................................130



Summary....................................................................................................131

Appendix A..............................................................................................132
Appendix B..............................................................................................136



Introduction to Norton Internet Security
Unit 1
Overview
Description

Norton Internet Security 2007 is the tenth version in the product line. While today's
Internet provides instant access to a wealth of information and resources, it is also a
gateway through which threats and hackers can enter or exploit a user's computer, and
the need for protection against malicious content that arrives while a computer is online
has grown accordingly.

This makes every Internet user more concerned about the security of his or her computer
while it is connected to the Internet, and users look for the best available protection.
Norton Internet Security 2007 addresses consumers' PC security needs by providing
security features that counter today's threats and attacks and, like its predecessors,
continues to provide that protection through its new and enhanced features.

Objectives

After you complete this unit, you will be able to do the following:

• Describe the need for Norton Internet Security


• Describe what is new in Norton Internet Security
• Describe what features have been removed from the previous versions



Introduction to Online threats
Courtesy: Symantec Security Response

This section provides a brief overview of some of the most common Internet threats
today. While these are not the only threats that exist, they are included in this
manual to give support representatives an overview.

DoS attacks

A Denial of Service (DoS) attack is not a virus but a method hackers use to prevent
or deny legitimate users access to a computer.

DoS attacks are typically executed using DoS tools that send many request packets
to a targeted Internet server (usually Web, FTP, or Mail server), which floods the
server's resources, making the system unusable. Any system that is connected to
the Internet and is equipped with TCP-based network services is subject to attack.

For example, imagine a hacker creates a program that calls a local pizza store. The
pizza store answers the telephone, but learns that it is a prank call. If the program
repeats this task continuously, it prevents legitimate customers from ordering pizza
because the telephone line is busy. This is a denial of service, and analogous to a
DoS attack.

Many DoS attack tools are capable of executing a distributed DoS attack. For
example, imagine the hacker secretly plants his program onto many computers on
the Internet. This would have a bigger impact because there would be more
computers calling the same pizza store. It would also be more difficult to locate the
attacker, since the program is not running from the attacker's computer; the
attacker is only controlling the computer that secretly had the program installed.
This is an analogy for a Distributed DoS (DDoS) attack.

DoS tools such as TFN, TFN2K, and Trinoo are distributed DoS attack tools. The DoS
attack tools can be secretly installed onto a large number of innocent systems that
can be centrally managed by a hacker to initiate DoS attacks at targeted computers.
Systems that unknowingly have DoS attack tools installed are called Zombie agents
or Drones.

Smurf DoS attacks

Ping is a software tool available on most operating systems and commonly used to
check if a specified machine is reachable.

When the ping tool is executed, an ICMP (Internet Control Message Protocol) echo
request packet, which carries the sender's IP address as its return address, is sent to
the destination computer. If the destination computer receives the ICMP packet, it
answers with an echo reply to confirm the ping request.

In a Smurf DoS attack, the echo request's return (source) IP address is forged to be
the IP address of the targeted machine, and the request is sent to a network's IP
broadcast address. Every machine on that network responds to the bogus ping and sends
its reply to the targeted machine, which is flooded with the replies; the more hosts on
the broadcast network, the greater the amplification.



This is called a Smurf attack because the DoS tool used to perform the attack is
called Smurf.

One way to reduce the risk of this attack is to disable IP-directed broadcasts on
routers, since forwarding of such broadcasts is rarely needed. Some operating systems
can also be configured not to respond to ICMP echo requests sent to a broadcast address.
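The two halves of the Smurf attack described above leave two distinct traces: echo requests aimed at a directed-broadcast address (what a router with IP-directed broadcast disabled would drop) and one host receiving echo replies from many different senders at once. The following script, an added example for this guide rather than Symantec code, looks for both in a set of ICMP flow records. The record format, the addresses and the thresholds are constructed for illustration.

```python
"""Spot the two sides of a Smurf attack in ICMP flow records.

Added example for this guide, not Symantec code. The record format, the
addresses and the thresholds below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: "<epoch-seconds> <src> <dst> <icmp-type>"
# (ICMP type 8 = echo request, 0 = echo reply). 10.0.0.7 is the victim:
# it appears as the forged source of the broadcast ping, then as the
# destination of every reply.
SAMPLE_RECORDS = """\
1000 10.0.0.7 192.168.1.255 8
1000 10.0.0.7 192.168.1.255 8
1001 192.168.1.10 10.0.0.7 0
1001 192.168.1.11 10.0.0.7 0
1001 192.168.1.12 10.0.0.7 0
1001 192.168.1.13 10.0.0.7 0
1001 192.168.1.14 10.0.0.7 0
1002 192.168.1.15 10.0.0.7 0
1050 10.0.0.9 192.168.1.10 8
1050 192.168.1.10 10.0.0.9 0
"""


def parse_records(text):
    """Return (timestamp, src, dst, icmp_type) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, icmp_type = line.split()
        flows.append((int(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(icmp_type)))
    return flows


def directed_broadcast_requests(flows, local_networks):
    """Amplifier side: echo requests aimed at the broadcast address of one of
    our networks. A router with IP-directed broadcast disabled drops these."""
    broadcast = {ipaddress.ip_network(n).broadcast_address for n in local_networks}
    hits = {(str(src), str(dst)) for _, src, dst, t in flows
            if t == 8 and dst in broadcast}
    return sorted(hits)


def reply_floods(flows, window=5, min_sources=5):
    """Victim side: hosts that receive echo replies from at least `min_sources`
    distinct senders within `window` seconds. Returns {victim: sender_count}."""
    replies = defaultdict(list)
    for ts, src, dst, t in flows:
        if t == 0:
            replies[dst].append((ts, src))
    victims = {}
    for dst, events in replies.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            senders = {src for ts, src in events[i:] if ts - t0 <= window}
            if len(senders) >= min_sources:
                victims[str(dst)] = len(senders)
                break
    return victims


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORDS)
    print("broadcast pings:", directed_broadcast_requests(flows, ["192.168.1.0/24"]))
    print("reply floods:", reply_floods(flows))
```

The single request from 10.0.0.9 to one host and the one reply it gets back are ordinary ping traffic and are not reported; only the broadcast-addressed request and the six-sender reply burst aimed at 10.0.0.7 are.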

Port Scanning

Port scanning is an attempt by hackers to find the weaknesses of a computer or network
by scanning or probing its ports. While it is not an attack in itself, it lets hackers
detect which ports are open on a computer, and that information can then be used to
gain unauthorized access. The same technique is also used by IT professionals as a
legitimate tool to discover and correct security holes.
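A scan shows up in firewall logs as one source touching many different ports on a host within a short time, which is what distinguishes it from a client that simply retries the same port. The following detector, an added example for this guide rather than Symantec code, applies that rule to constructed log lines; the syslog-like line layout is invented for the example and is not the real Norton log format.

```python
"""Flag port scans in firewall log lines.

Added example for this guide, not Symantec code and not the real Norton
log format. The line layout, the addresses and the thresholds are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed log format: "<epoch> <src> -> <dst>:<port> <proto> <action>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<proto>TCP|UDP) (?P<action>ALLOWED|BLOCKED)$"
)

# 203.0.113.5 probes ten ports in five seconds; 198.51.100.8 is an ordinary
# web client that returns to port 80 every thirty seconds.
SAMPLE_LOG = """\
1000 203.0.113.5 -> 192.0.2.10:21 TCP BLOCKED
1000 203.0.113.5 -> 192.0.2.10:22 TCP BLOCKED
1001 203.0.113.5 -> 192.0.2.10:23 TCP BLOCKED
1001 203.0.113.5 -> 192.0.2.10:25 TCP BLOCKED
1002 203.0.113.5 -> 192.0.2.10:80 TCP ALLOWED
1002 203.0.113.5 -> 192.0.2.10:110 TCP BLOCKED
1003 203.0.113.5 -> 192.0.2.10:135 TCP BLOCKED
1003 203.0.113.5 -> 192.0.2.10:139 TCP BLOCKED
1004 203.0.113.5 -> 192.0.2.10:445 TCP BLOCKED
1004 203.0.113.5 -> 192.0.2.10:3389 TCP BLOCKED
1000 198.51.100.8 -> 192.0.2.10:80 TCP ALLOWED
1030 198.51.100.8 -> 192.0.2.10:80 TCP ALLOWED
1060 198.51.100.8 -> 192.0.2.10:80 TCP ALLOWED
"""


def parse_log(text):
    """Return one dict per well-formed line; blank or foreign lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append({"ts": int(m["ts"]), "src": m["src"], "dst": m["dst"],
                           "port": int(m["port"]), "action": m["action"]})
    return events


def detect_port_scans(text, window=10, min_ports=8):
    """Return {src: {"dst", "ports", "start"}} for every source that touched at
    least `min_ports` distinct ports on one host within `window` seconds.
    Repeated connections to a single port never qualify, whatever their rate."""
    per_pair = defaultdict(list)
    for e in parse_log(text):
        per_pair[(e["src"], e["dst"])].append((e["ts"], e["port"]))
    scans = {}
    for (src, dst), hits in per_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for ts, p in hits[i:] if ts - t0 <= window}
            if len(ports) >= min_ports:
                scans[src] = {"dst": dst, "ports": len(ports), "start": t0}
                break
    return scans


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG).items():
        print(f"{src} scanned {info['ports']} ports on {info['dst']} "
              f"starting at {info['start']}")
```

Because the rule counts distinct ports per source-destination pair and not raw connection attempts, the ALLOWED hit on port 80 still counts towards the scan, while the legitimate client's three visits to port 80 never do.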

Phishing

Pronounced "fishing". Phishing is the act of sending an email to a user while falsely
claiming to be from an established, legitimate organization, in order to scam the user
into submitting private information that will then be used for identity theft. The
email directs the user to visit a Web site where they are asked to update personal
information, such as passwords and credit card, social security, and bank account
numbers, that the legitimate organization already has. The Web site, however, is bogus
and has been set up only to steal the user's information. Identifying phishing scams:

• Requests for confidential information via email or Instant Message are not
legitimate
• Phishing attacks may use scare tactics to entice a response
• Fraudulent messages are often not personalized and can contain malicious
links
• Phishing attacks may consist of a group of emails that share similar properties
like details in the header and footer
• Phishing attacks re-direct victims to a bogus Web site where malicious code is
downloaded and used to collect sensitive information
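The indicators listed above can be checked mechanically. The script below, an added example for this guide and not a description of how Norton's Phishing Protection works, extracts the links from an HTML message body and reports which indicators fire: a sender domain that does not match the organization the mail claims to be from, a generic greeting, scare wording, a request for secrets, link text that names one site while the href points to another, links off the claimed domain, and links to a raw IP address. The sample messages, the word lists and the indicator names are constructed for illustration.

```python
"""Check an email against the phishing indicators listed above.

Added example for this guide, not Symantec code and not how Norton's
Phishing Protection works. The sample messages, the word lists and the
indicator names are constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SCARE_WORDS = ("suspended", "verify", "immediately", "within 24 hours", "locked")
SECRET_WORDS = ("password", "social security", "credit card", "account number",
                "pin number")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Hostname of a URL, or of bare text that looks like a domain; '' otherwise."""
    s = url_or_domain.strip()
    if "://" not in s:
        if " " in s or "." not in s:
            return ""
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def phishing_indicators(from_addr, html_body, claimed_domain):
    """Return the set of indicators found; an empty set means nothing suspicious."""
    found = set()
    text = html_body.lower()
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    if not in_domain(sender_domain, claimed_domain):
        found.add("sender-domain-mismatch")
    if any(g in text for g in GENERIC_GREETINGS):
        found.add("generic-greeting")
    if any(w in text for w in SCARE_WORDS):
        found.add("scare-tactics")
    if any(w in text for w in SECRET_WORDS):
        found.add("asks-for-secrets")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, label in collector.links:
        target, shown = host_of(href), host_of(label)
        if not target:
            continue
        if shown and shown != target:
            found.add("link-text-mismatch")   # text names one site, href another
        if not in_domain(target, claimed_domain):
            found.add("link-off-domain")
        try:
            ipaddress.ip_address(target)
            found.add("link-raw-ip")
        except ValueError:
            pass
    return found


# Constructed messages: one phishing lure, one legitimate notification.
PHISH_FROM = "security@example-bank-alerts.net"
PHISH_BODY = """<p>Dear Customer,</p>
<p>Your account has been suspended. Verify your password and credit card
number within 24 hours at
<a href="http://203.0.113.9/login">https://www.example-bank.com/secure</a>.</p>"""

LEGIT_FROM = "alerts@example-bank.com"
LEGIT_BODY = """<p>Hello Jane,</p>
<p>Your March statement is ready. Sign in at
<a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>"""

if __name__ == "__main__":
    print("phish:", sorted(phishing_indicators(PHISH_FROM, PHISH_BODY, "example-bank.com")))
    print("legit:", sorted(phishing_indicators(LEGIT_FROM, LEGIT_BODY, "example-bank.com")))
```

The link check is the one a user cannot do by eye: the visible text of the lure reads as a bank URL, but the href sends the browser to a bare IP address on a different network.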

Man in the middle

A man-in-the-middle (MITM) attack is one in which an attacker is able to read, insert,
and modify messages between two users or systems without either of them knowing that
the link between them has been compromised. The attacker must be able to observe and
intercept the messages passing between the two victims.



Spyware

Spyware is a general term for programs that covertly monitor your activity on your
computer, gathering personal information such as usernames, passwords, account
numbers, files, and even driver's license or social security numbers. Some spyware
focuses on monitoring a person's Internet behavior; this type often tracks the places
you visit and the things you do on the Web, the emails you write and receive, and your
Instant Messaging (IM) conversations. After gathering this information, the spyware
transmits it to another computer, usually for advertising purposes. While a firewall
can block a spyware program's online transmissions, an antivirus program is able to
identify and remove the threat from the computer.

Remote Access

Remote access programs are programs that allow another computer to gain information
from, attack, or alter your computer, usually over the Internet. Remote access programs
detected in virus scans may be recognizable commercial software; these are brought to
the user's attention during the scan. A firewall can also block remote access attempts.



What’s new to Norton Internet Security 2007?
This version of Norton Internet Security has several added features that enhance the
functionality and user experience. And at the same time, some features from the
previous versions have been removed.

New features

• User Interface improvements


• LiveUpdate 3.1
• Fraud Site Protection
• Improved Home Networking
• Enhanced ALE (Application Lookup Engine)
• Less user intervention required
• XP-Bonus pack for Norton Internet Security 2006 users

Features Removed from the previous version

• Anti-Spam
• Parental Control
• NIS User Accounts
• Ad Blocking
• Privacy Control
• Option to disable the entire security suite is now removed

One of the main reasons for removing these features is low usage. It was also
determined that the most annoying forms of spam are most effectively handled upstream,
with technologies implemented by the companies that run mail servers.

The option to disable the entire security suite has also been removed. You can no
longer turn off the whole Norton Internet Security program with a single click;
features must be disabled individually.



Summary
In this unit we have covered the following:

• Introduction to Norton Internet Security 2007


• What is new Norton Internet Security 2007
• What features are removed from the previous versions



Installing Norton Internet Security 2007
Unit 2
Overview

Description

This unit focuses on installation of Norton Internet Security 2007. The installation of
the 2007 products is remarkably optimized and requires less user intervention as
compared to the previous releases.

Objectives

After you complete this unit, you will be able to do the following:

• Understand system requirements for installation


• Describe the installation options for Norton Internet Security
• Locate key installed file locations and registry keys
• Detail the order of component installation
• Discuss the installation technologies used in Norton Internet Security
• Understand the difference between installation and configuration issues
• Know the logic behind troubleshooting installation issues
• Troubleshoot installation issues



System requirements

Before installing Norton Internet Security 2007 customers should review the
hardware and software requirements. These requirements are detailed in the
following pages under the hardware and software sections.

Operating System requirements

Norton Internet Security 2007 is supported only on the following operating systems:

• Windows XP Home or Professional, Tablet PC or Media Center Editions


• Windows Vista (32 bit only)

Norton Internet Security 2007 is not supported on Windows 95/98/Me/NT/2000, NEC


PC98, Macintosh, Linux, or server versions of Windows 2000/2003/XP computers.

Hardware requirements

The following list gives the minimum hardware requirements for installing Norton
Internet Security 2007. Platform performance is directly related to the capability of
the hardware and to the resources consumed by other applications running on the PC;
customers will see better performance from Norton Internet Security on more capable
hardware.

Windows XP editions

300-MHz processor
256 MB of RAM
175 MB of available hard disk space
CD-ROM or DVD-ROM drive
Internet Explorer 6.0
Administrator privileges to install program



Installation options

Installation from CD

Installation from CD is the most common way of installing Norton Internet Security
2007. Installation runs from the Autorun file on the CD automatically. If the
installation doesn’t start automatically, you can open the CD and double-click the
Navsetup.exe file.

Installation from download

The download is packaged into a single file by a third-party organization to make
downloading easier. After the package has been downloaded, the installation files are
unpacked to a temporary location; their contents are the same as those of the Norton
Internet Security 2007 CD. The SymSetup engine is then launched.


The following screenshots illustrate the process of purchasing, downloading, and
installing the product from the Symantec Store.

The Symantec Store page for Home users



Select the product to purchase

The product is added to the cart



In the same page: Purchase Information

In the same page: Provide a password for the purchase



Click the Start Download button to start the download

Download Manager starts downloading. Windows XP SP2 may block the download



Click on Install to install the Symantec download Manager

The download starts



After the download completes, the extraction process starts automatically.

After all the installation files have been extracted to the Temp folder, NAVSetup
starts and continues the installation. From this point the installation process is the
same as for the CD version. The complete process and screenshots are included at the
end of this unit.



Upgrade or install over

If setup detects a previous installation of Norton Internet Security 2004 or later, it
automatically removes the earlier version. If the installed version is earlier than
2004, it must be uninstalled manually from Add/Remove Programs before Norton Internet
Security 2007 is installed. If the uninstallation fails, the following tools can be
used to remove the product from the computer:

RNav2003.EXE to remove NAV 2003 and its previous versions
RnisUPG.EXE to remove NIS 2003 or NPF 2003 and their previous versions
SymClean.EXE to remove NAW 2003 and its previous versions

Note: Norton Internet Security 2007 does not import any settings from the previous
versions. The installation will be done with default settings and configurations.



Installation features
The following section describes the features and components that are involved in the
Norton Internet Security 2007 installation. The new features that are incorporated in
the Norton Internet Security 2007 installation are:

• 3rd Party Installers


• Report Install Success or Failure
• Automatic Error Log Submission
• Error checking of .EXE Installs
• Uninstall Subscription Check
• MSI 4.0
• Improved Install over

Symsetup.exe

SymSetup.exe is responsible for controlling MSI-based installations in Norton Internet
Security 2007.

Pre-flight checks

The installer checks the client machine prior to making any changes to make sure
that it meets all requirements. The following checks are made:

Check for Internet Explorer 5.01 Service Pack 2


Check for Minimum Operating System
Check for Admin user rights
Check for Server Operating System
Check for Multiple Terminal Services users
Check for LiveUpdate running
Check for running Norton Internet Security windows
Check for Symantec AntiVirus Corp. Edition on the system
Check for Services and Files marked for deletion
Check for newer versions of Norton Internet Security
Check for old versions that cannot be installed over
Check for other AntiVirus products

Pre-install scanner

The Pre-install scanner is a simple, lightweight virus scanner capable of detecting
and repairing viruses that could interfere with the installation, the configuration
wizard, or the activation process. The pre-install scanner scans only the load points
and does not scan files contained in archives. This eliminates the need for the
decomposer DLLs and significantly reduces the list of dependencies. The Pre-install
Scanner scans for adware and spyware programs as well.



How Pre-install Scanner works

[Diagram: NAVSetup launches PreScan.exe. PreScan.exe calls ccEraser.dll and
ccScanS.dll; ccScanS.dll calls ecmldr32.dll and uses the virus definitions from the
CD. The scan covers the load points for threats.]

Prescan.exe interacts directly with ccEraser.dll and ccScanS.dll to begin the scan.
ccScanS.dll in turn interacts with ecmldr32.dll and the virus definitions to scan the
user's computer. The scan proceeds in three steps:

1 SymSetup.exe loads the scanner, Prescan.exe.
2 The scanner uses the Norton AntiVirus plug-in DLL file to start the scan.
3 The pre-install scan is run.

Dependencies

The Pre-Install Scanner is dependent on these four Symantec components:

1. ccScanS.dll
2. ecmldr32.dll
3. Virus Definitions
4. ccEraser.dll



3rd Party Installers

During the installation the user is offered the option to install the Symantec-Yahoo!
toolbar, which adds to the functionality of Internet Explorer. If the toolbar
installation fails, it fails silently and the main installation continues without
alerting the user.

Installing Yahoo Toolbar adds the following functionality to Internet Explorer:

• Tabbed browsing functionality


• Access Yahoo! from anywhere using a context menu through the browser.
• Access your favorite sites & bookmarks instantly
• Receive new mail notifications and check your email
• Add RSS feeds to My Yahoo!

Note: Customers will need to contact Yahoo! support for any issues pertaining to
the functionality of the Yahoo! toolbar.

Common Error Display

SymSetup supports Common Error Display error messages. The Common Error
Display (CED) messages work exactly the same way the product errors work. After
alerting the user about an installation error, the software will direct the user to an
online Knowledge Base article.

Report Install Success or Failure

The Norton Internet Security 2007 installation provides an automatic submission system
for reporting install success or failure.

Automatic Error Log Submission

If the installation fails, users will be able to submit their error log through the CED
reporting system.

Error checking of .EXE Installs

The installer will also check the results of executable based nested installers such as
LiveUpdate. If the installations of these components fail, SymSetup will alert the user
using CED.

Uninstall Subscription Check

If there is still subscription time left in the product when it is uninstalled, the
user is informed of the period remaining in the subscription.

Conditions that display the remaining-subscription dialog:
- The user manually uninstalls via Add/Remove Programs
- Some other program launches the Symantec uninstaller

Conditions that do not display the dialog:
- The same or a newer version of Norton Internet Security is being installed, and all
other install-over scenarios including reinstallation and upgrade.

Improved Install over

The installer will be able to upgrade older Norton Internet Security products. This is
done by removing the previous product prior to installing the new one. Products that
can be upgraded will include:

• Norton Internet Security 2004
• Norton Internet Security 2005
• Norton Internet Security 2006

The following table shows the 2007 product install-over matrix (rows: currently
installed product; columns: product being installed):

                             Product being installed
                             RETAIL    TRIAL     OEM       SUITE
Currently    RETAIL          N/A       ALLOW     ALLOW     ALLOW
installed    TRIAL           NOTIFY    N/A       NOTIFY    NOTIFY
product      OEM             ALLOW     ALLOW     ALLOW     ALLOW
             SUITE           ALLOW     ALLOW     ALLOW     N/A

ALLOW = Allow install-over
BLOCK = Block install-over
NOTIFY = Allow, with notification that the licensing scheme is going to change.

Norton Internet Security 2007 will be capable of installing over a version with a
higher Minor version number when the installed product is an OEM product and
product being installed is a Retail/SCSS product. That is, NIS 12.0.0.xx Retail will be
able to install over NIS 12.0.2.xx OEM, but NIS 12.0.0.xx Retail will NOT be able to
install over NIS 12.0.2.xx Retail.
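Added example (not Symantec code): a Python helper that encodes the install-over matrix and the OEM-to-Retail version exception described above, so a support engineer can check what the installer should do for a given pair of installed and incoming products. The enum and function names, the four-part version string (compared on its first three components, ignoring the "xx" build), the treatment of SCSS as Retail and the "BLOCK" result for a refused downgrade are assumptions.

```python
"""Install-over decision helper modelled on the NIS 2007 matrix.

Added example, not Symantec code. The ALLOW / NOTIFY / N/A cells and the
OEM-to-Retail exception come from the training guide; the names, the version
string layout and the BLOCK result for a refused downgrade are assumptions.
"""
from enum import Enum
from typing import Tuple


class Edition(Enum):
    RETAIL = "RETAIL"   # the guide says Retail/SCSS; SCSS is assumed to map here
    TRIAL = "TRIAL"
    OEM = "OEM"
    SUITE = "SUITE"


# Outer key: currently installed edition. Inner key: edition being installed.
INSTALL_OVER_MATRIX = {
    Edition.RETAIL: {Edition.RETAIL: "N/A",    Edition.TRIAL: "ALLOW", Edition.OEM: "ALLOW",  Edition.SUITE: "ALLOW"},
    Edition.TRIAL:  {Edition.RETAIL: "NOTIFY", Edition.TRIAL: "N/A",   Edition.OEM: "NOTIFY", Edition.SUITE: "NOTIFY"},
    Edition.OEM:    {Edition.RETAIL: "ALLOW",  Edition.TRIAL: "ALLOW", Edition.OEM: "ALLOW",  Edition.SUITE: "ALLOW"},
    Edition.SUITE:  {Edition.RETAIL: "ALLOW",  Edition.TRIAL: "ALLOW", Edition.OEM: "ALLOW",  Edition.SUITE: "N/A"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.0.2.15' into (12, 0, 2, 15) so versions compare component-wise."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_rule_allows(installed: Edition, installed_version: str,
                        incoming: Edition, incoming_version: str) -> bool:
    """Apply the minor-version rule from the guide.

    An incoming build may not install over a higher version number, except
    when the installed product is OEM and the incoming one is Retail (the
    guide's "12.0.0.xx Retail over 12.0.2.xx OEM" case). Only the first three
    components are compared; the trailing build number ("xx") is ignored.
    """
    if parse_version(incoming_version)[:3] >= parse_version(installed_version)[:3]:
        return True
    return installed is Edition.OEM and incoming is Edition.RETAIL


def install_over_decision(installed: Edition, installed_version: str,
                          incoming: Edition, incoming_version: str) -> str:
    """Return ALLOW, NOTIFY or N/A (matrix cells), or BLOCK when the version rule refuses.

    The version check runs first; only if it passes is the licensing matrix
    consulted, so a refused downgrade is blocked regardless of the edition pair.
    """
    if not version_rule_allows(installed, installed_version, incoming, incoming_version):
        return "BLOCK"
    return INSTALL_OVER_MATRIX[installed][incoming]


if __name__ == "__main__":
    # Constructed scenarios, including the two spelled out in the guide.
    for case in [(Edition.OEM, "12.0.2.10", Edition.RETAIL, "12.0.0.94"),
                 (Edition.RETAIL, "12.0.2.10", Edition.RETAIL, "12.0.0.94"),
                 (Edition.TRIAL, "12.0.0.94", Edition.SUITE, "12.0.0.94")]:
        print(case, "->", install_over_decision(*case))
```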

Key file and Registry locations
The location of files and the directory structure are the same in Norton Internet
Security 2007 as in previous versions, with additional directories and files
under the standard path. The list below shows the folders that are created when
Norton Internet Security is installed.

Folders list:

C:\Program Files\Internet Security
C:\Program Files\Symantec\
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec\
C:\Documents and Settings\<<User Name>>\Application Data\Symantec\

Registry key locations

The registry keys that are created during the installation of Norton Internet Security
contain information to ensure the proper functionality and settings of the product
and its components. The key registry locations of interest are:

• HKEY_LOCAL_MACHINE\Software\Symantec\Installed Apps

This key lists all of the Symantec Products and components installed on the
computer, as well as their locations.

• HKEY_LOCAL_MACHINE\Software\Symantec\Shared Defs

This key lists the components of Norton Internet Security that use definitions, as
well as the name of the definition file used by each component and the locations
of these definition files.

• HKEY_LOCAL_MACHINE\Software\Symantec\Symsetup\refcounts

This key lists the GUID (Globally Unique Identifier, a unique 128-bit number that is
produced to identify any particular Symantec component) for each component as
well as the number of installations that have been counted by Digital Rights
Management for each.

• HKEY_LOCAL_MACHINE\Software\Symantec\CommonClient

This key lists the version of the Common Client that is installed.

Component installation
Understanding the order of component installation in Norton Internet Security is
important. Knowing this helps troubleshoot where an installation may have failed and
the dependencies that might contribute to the problem.

Order of component installation

The order of Norton Internet Security 2007 component installation from first to last:

• MSRedist.msi
• ccCommon.msi
• SymNet.msi
• AppCore.msi
• uiNPC.msi
• Firewall.msi
• Setup.msi
• SymLT.msi
• Browser.msi
• WebProt.msi
• Help.msi
• PARENT.MSI
• SPBBC32.MSI
• AV.msi
• SRTSP.msi
• Sevinst.exe
• NAV.MSI

Indicators of a successful installation in the Registry

The following registry values indicate a successful installation of Norton Internet
Security and are located under the following key:

HKEY_LOCAL_MACHINE\Software\Symantec\Norton Internet Security\

Success key - On a successful installation the value is set to “success”:
Value = (String) "install"
Data = (String) "success"

Version key – Upon a successful installation of NIS this value contains the internal
version number:
Value = (String) "version"
Data = (String) "x.y.z"

Installation technologies
This section deals with the Norton Internet Security 2007 installation technology.
These items include: SymSetup and the Microsoft Installer.

SymSetup

SymSetup.exe is responsible for controlling MSI-based installations in Norton
Internet Security 2007. The primary functions of SymSetup are:

• Perform all pre-install launch condition checks and prompt for any unmet
conditions.
• Display all install UI panels, including the wizard pages, progress pages and
any error dialogs.
• Call each child (MSI) install in the correct order.
• Keep track of all products installed during installation and remove them
during uninstall.

Microsoft Installer

The Microsoft Installer (MSI) handles the installation of all Norton Internet Security
2007 components. MSI is only concerned with installation; it doesn’t do pre-
installation checks such as those done by Navsetup.exe. The MSI installers check to
see only that Navsetup.exe launched the MSI.

Note: In Norton Internet Security 2007, users are unable to run the MSI files as
stand-alone executables. SymSetup.exe must be used to control the MSI packages.

Installation screenshots

1. The Autorun screen
2. License agreement
3. Choose the destination and install the Yahoo Toolbar if you wish
4. Run the pre-install scan.
5. File copying starts automatically.
6. Activation screen
7. Activation successful.

Troubleshooting Installation
Installation issues arise from a failed or partial installation of Norton AntiVirus.
There are several causes for an installation to fail; some of the common ones are
the software environment, software bugs, and operating system configuration or
policy settings. This section provides an overview of the types of issues that can
arise during installation and the basic troubleshooting logic that can be followed
to resolve them.

Before discussing the installation issues, it is important to understand the installation
technology itself. The flowchart below provides an overview of the installation
procedure that we’ve covered so far:

There are various stages at which the installation may fail, and the resolution depends
on the stage or the area of the installation in which it fails. One of the areas
where installations fail is the “file copy” process or the automatic uninstall
process of a previous version.

The resolution for any issue that may arise in this stage depends on the type of
issue/error message that’s encountered. With the integration of the Common Error
Display with the installer, a majority of the installation issues can easily be identified
and resolved.

In case of an installation failure, a “9999,XXX” series error is generally
flagged. The procedure to troubleshoot installation issues is outlined below:

1. Ensure the computer is threat free.
2. Ensure the integrity of the installation media/files.
3. Ensure that all requisite dependencies are satisfied. These include Windows
services (such as Event Log, Remote Procedure Call, the Windows Installer
service and their dependencies).
4. Ensure that there are no applications active/running in the background that
might interfere with the installation process.

In many cases, issues also occur because an uninstall attempt of a previous
installation failed. This could be an uninstall attempt of a previous version or a failed
installation attempt of the same version. In both cases, it is recommended to remove
the remnants before attempting a clean installation. The SymSetup errors that can
appear, depending on the action it performs, are:

9999,171   Installation failure
9999,172   Uninstall failure
9999,173   Modify failure
9999,174   Unable to find/read the MSI database
9999,175   An error occurred while removing the previous product

Issue

"9999,171 The installation encountered an error and is unable to continue."

Solution

1. Follow the link to the Knowledge Base article.
2. If the issue persists, uninstall using the Norton Removal Tool and reinstall.
3. If the issue persists, collect the installation log file and examine the possible
causes.

For the 9999,171 error message there are 6 documents currently available. These
documents are created depending on the stage where the installation fails. When the
user clicks on the URL in the CED, it will direct the user to the appropriate document
depending on the parameters that CED fetches.

You can view the exact document that the user is directed to from the URL.txt file.
To view this file:

1. Enable Hidden System Files and folders in the Windows Explorer folder options.
2. Go to C:\Documents and Settings\All Users\Application Data\Symantec\Errlogs

You should see at least one zip file in the folder. If you see multiple files, please look
at the latest one. The zip file will have a randomly-generated name. For example:

{D1A19EF5-5886-4EEE-BEE5-694827069F2D}1cc9b170.zip

3. Open the file URL.txt and look at the values of the “a” and “h” variables.

For example, the file contents will look like this (one line, wrapped here for display):

http://www.symantec.com/techsupp/servlet/ProductMessages?&module=9999&error=171&language=English&product=Norton+AntiVirus+2006&version=12.0.0.94&e=2753&a=1603&h=NAV_CTO_Action_comm&k=AVSTE.dll&l=PARENT.MSI&c=false&m=2753&n=11.5.0&build=Standard

Depending on the “a” and “h” variables, direct the user to the appropriate document.
The Lotus Notes internal document lists the “a” and “h” values for each
document. The links for all the documents are provided below:

Title: 'Error: "9999,171 The installation encountered an error and is unable to continue" when installing your Norton program'
Document ID: 2005102615163513
http://service1.symantec.com/Support/sharedtech.nsf/docid/2005102615163513

Title: 'Error: "9999,171 The installation encountered an error and is unable to continue" when installing your Symantec program'
Document ID: 2005101916055513
http://service1.symantec.com/Support/sharedtech.nsf/docid/2005101916055513

Title: 'Error: "9999,171 The installation encountered an error and is unable to continue" when installing your Norton program'
Document ID: 2006030913475313
http://service1.symantec.com/Support/sharedtech.nsf/docid/2006030913475313

Title: 'Error: "(9999,171) The installation encountered an error and is unable to continue" when installing your Norton program'
Document ID: 2005101816411513
http://service1.symantec.com/Support/sharedtech.nsf/docid/2005101816411513

Title: 'Error: "(9999,171) The installation encountered an error and is unable to continue" when installing your Symantec program'
Document ID: 2005100611361513
http://service1.symantec.com/Support/sharedtech.nsf/docid/2005100611361513

Title: 'Error: "(9999,171) The installation encountered an error and is unable to continue" when installing your Norton program'
Document ID: 2005070717173313
http://service1.symantec.com/Support/sharedtech.nsf/docid/2005070717173313
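Added example (not Symantec code) for the URL.txt procedure above: a Python helper that opens the newest error-log archive in the Errlogs folder, parses the CED query string and pulls out the module/error code and the “a” and “h” routing variables, so they need not be read by eye from the long URL. The sample URL is the one quoted above and the folder path is the one the guide gives; the function names and the in-memory sample archive are constructed for illustration.

```python
"""Read the CED routing data (module, error, "a", "h", ...) from URL.txt.

Added example, not Symantec code. SAMPLE_URL is the URL quoted in the guide
and ERRLOGS_DIR is the folder the guide names; everything else (function
names, the constructed in-memory sample archive) is for illustration only.
"""
import io
import zipfile
from pathlib import Path
from typing import Dict, Optional, Union
from urllib.parse import parse_qsl, urlsplit

ERRLOGS_DIR = r"C:\Documents and Settings\All Users\Application Data\Symantec\Errlogs"

SAMPLE_URL = (
    "http://www.symantec.com/techsupp/servlet/ProductMessages?&module=9999&error"
    "=171&language=English&product=Norton+AntiVirus+2006&version=12.0.0.94&e=2"
    "753&a=1603&h=NAV_CTO_Action_comm&k=AVSTE.dll&l=PARENT.MSI&c=false"
    "&m=2753&n=11.5.0&build=Standard"
)


def parse_ced_url(text: str) -> Dict[str, str]:
    """Split the query string into a dict; '+' becomes a space, as in the product name."""
    query = urlsplit(text.strip()).query
    # parse_qsl silently drops the empty pair produced by the leading "?&".
    return dict(parse_qsl(query, keep_blank_values=True))


def error_code(params: Dict[str, str]) -> str:
    """Render the CED code the way the dialog shows it, e.g. '9999,171'."""
    return f"{params['module']},{params['error']}"


def routing_key(params: Dict[str, str]) -> Dict[str, str]:
    """The fields a support engineer needs to pick the Knowledge Base document."""
    return {
        "code": error_code(params),
        "a": params.get("a", ""),
        "h": params.get("h", ""),
        "failed_msi": params.get("l", ""),   # e.g. PARENT.MSI
        "component": params.get("k", ""),    # e.g. AVSTE.dll
        "product": params.get("product", ""),
        "version": params.get("version", ""),
    }


def newest_errlog(folder: Union[str, Path] = ERRLOGS_DIR) -> Optional[Path]:
    """Pick the most recently modified *.zip; the guide says to use the latest one."""
    zips = list(Path(folder).glob("*.zip"))
    return max(zips, key=lambda p: p.stat().st_mtime) if zips else None


def read_url_from_errlog(source: Union[str, Path, bytes]) -> Dict[str, str]:
    """Open an error-log archive (path or raw bytes) and parse its URL.txt."""
    handle = io.BytesIO(source) if isinstance(source, bytes) else source
    with zipfile.ZipFile(handle) as zf:
        with zf.open("URL.txt") as fh:
            return parse_ced_url(fh.read().decode("utf-8", errors="replace"))


def build_sample_errlog() -> bytes:
    """Constructed stand-in for a CED archive, containing only URL.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("URL.txt", SAMPLE_URL)
    return buf.getvalue()


if __name__ == "__main__":
    latest = newest_errlog()          # None on a machine without the Errlogs folder
    data = latest if latest else build_sample_errlog()
    print(routing_key(read_url_from_errlog(data)))
```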

Differentiating between an installation and a
configuration issue

Installation issues

Installation issues arise from failed or corrupted installations. Configuration issues
arise from problems with settings or the environment. Some of the common
installation issues are listed below. Please refer to the issues / resolutions in the
knowledge base to get familiar with them:

Configuration issues

Configuration issues are typically caused by settings or environmental issues.
Configuration issues could be caused by settings of features such as Email Scanning,
Internet Worm Protection etc.

[Flowchart: where issues arise, from installation through to the running product]
SymSetup -> Installation issues (Module 9999)
MSI -> Installation issues (Module 9999)
File copy process is over
Configuration Wizard -> Configuration issues:
- Module 3009
- Cfgwiz does not launch
- Cfgwiz crashes
CfgWiz.exe finishes
NIS User Interface -> Feature issues (Module 1002, 4002, 1007...)

Summary

In this unit we have covered the following:

• Describe system requirements for installation
• Describe the installation options for Norton Internet Security
• Locate key installed file locations and registry keys
• Describe the order of component installation
• Discuss the installation technologies used in Norton Internet Security

Unit 3
User Interface
Overview
Description

The user interface of Norton Internet Security has been greatly improved compared
with any of the previous versions. The interface is now enhanced and simplified, and
it is optimized for easy usability and performance.

Norton Internet Security 2007 uses a new rendering engine to display its interface.
The new engine integrates with the existing components seamlessly and provides
NAV with a fresh and streamlined user interface.

Objectives

After you complete this unit, you will be able to do the following:

• Describe system requirements for installation
• Describe the installation options for Norton AntiVirus
• Locate key installed file locations and registry keys
• Describe the order of component installation
• Discuss the installation technologies used in Norton AntiVirus
• Define the difference between installation and configuration issues
• Troubleshoot installation issues

New Features
The important features of the new interface are:

• All new integrated NPC and NAV windows
• Tabbed approach
• Less user intervention required to perform any task, including scans and
configuration
• The program window can be maximized
• New Options menu which follows the program's usability flow
• Option to disable the NAV system tray icon
• Removal of many redundant options
• The General Security Risks option is now specialized for spyware protection
configuration
• New scanning window and dynamic interface

Tabbed approach

The program window which can be maximized stays static and the actions and
configurable options appear under the tabs or as drop down menus as displayed in
the screen shot below:

The Norton Internet Security 2007 main UI

Clicking a feature on the UI pops up a context menu that contains a list of actions.
The list of actions corresponds to the status of the feature. Below is a screenshot of
the context menu of the Scan feature.

Norton Internet Security 2007 UI Enhancements

• The features of Norton AntiVirus and Norton Internet Security will be
displayed together rather than in separate tabs.
• Privacy Control, AntiSpam, Parental Control, User Account, Outbreak Alert,
and Statistics are removed from the NIS UI.
• NCO Web Protection and its Statistics are added.
• In 2006, the health status of a feature such as AutoProtect, Spyware Protection,
etc. is determined based on feature state, virus definitions date, and
subscription status. For example, if the AutoProtect state is on and virus
definitions are out of date, AutoProtect health is in warning mode. In 2007,
this dependency shall be removed from the product UI, but shall be covered
under NPC global system health.

UI categories

NIS features are categorized into four groups. The following table
lists the UI categories along with their subcategories and features.

Category               SubCategory                   Feature
Tasks                                                Run a Scan
                                                     Configure a Scan
                                                     Manage Quarantined Files
                                                     Run Security Inspector
Settings               Basic Security                Auto-Protect
                                                     Virus Definitions
                                                     Automatic LiveUpdate
                       Web Browsing                  Personal Firewall
                                                     Intrusion Prevention
                                                     Spyware Protection
                                                     Fraud Site Protection
                       Email & Messaging             Incoming Email Scanning
                                                     Outgoing Email Scanning
                                                     Instant Messenger Scanning
                       Additional Options            Virus and Spyware Protection
                                                     Internet Security and Firewall
Reports & Statistics                                 View Activity Log
                                                     View Online Encyclopedia
                                                     View Fraud Site Protection Statistics
Help & Support         TechSupport                   Browse Technical Support
                       General Security Info         Symantec Security Response
                                                     More Symantec Solution
                       Subscription & Account Info   Subscription Information
                                                     Norton Account
                                                     About Norton Internet Security
                                                     ClubSymantec

UI dependencies / Internal enhancements

The Norton Internet Security user interface is now enhanced and uses SymHTML.
The SymHTML component has a new integrated engine that uses Terra Informatica,
which is a faster HTML rendering engine than the Internet Explorer rendering engine.
This should resolve the UI responsiveness issues that were in the previous versions.

File dependencies

SymHTMLU.dll – Renders the UI.
SymTheme.dll – Holds the UI themes.
UIStub.exe – The interface executable. This file is part of the Norton Protection
Center component; it launches the product interface and replaces Nmain.exe.

Summary

In this unit we covered the following:

• Describe the enhanced user interface of Norton Internet Security 2007
• Describe the different sections and conventions of the user interface
• Understand the difference between the user interface of the previous versions
and Norton Internet Security 2007

Unit 4
Norton AntiVirus
Overview
Description

This unit focuses on providing a brief overview of Norton AntiVirus 2007. For detailed
information on Norton AntiVirus 2007, please refer to the Norton AntiVirus 2007
Training Manual.

Objectives

After you complete this unit, you will be able to do the following:

• Understand what Norton AntiVirus does
• Understand the key features of Norton AntiVirus
• Describe what is new in Norton AntiVirus 2007

Introduction to Norton AntiVirus
Norton AntiVirus is the fourteenth release of the Norton AntiVirus product line. This
latest version continues to provide customers with enhanced protection against the
latest Internet threats and malicious code. The user interface is enhanced and
provides a categorical view of all features. The new look of Norton AntiVirus 2007,
designed to be optimally user-friendly, provides a new and exciting experience to
customers.

What Norton AntiVirus does

Norton AntiVirus offers the best protection against viruses and other threats. It
protects computers from being infected by threats arriving through the Internet, email,
and other media. The powerful features of Norton AntiVirus stand guard and block
malicious programs from harming a computer.

Features of Norton AntiVirus
As viruses and threats spread in different ways, Norton AntiVirus has
categorized features to counter virus and threat infections. Each feature tackles
infections based on its unique functionality. This section provides an
overview of all features of Norton AntiVirus 2007. For detailed information on each
feature, please refer to the Norton AntiVirus 2007 Training Manual.

Features of Norton AntiVirus 2007:

• AutoProtect
• Manual Scanning
• Instant Messenger Scanning
• ccEraser

New features in Norton AntiVirus 2007:

• Advanced support for removal of spyware threats
• New user interface rendering engine
• Changes to the installation engine
• Improved user interface
• Inclusion of the Symantec-Yahoo! Internet Explorer Toolbar
• Enhanced Common Error Display
• Error log submission

Note: Internet Worm Protection will not be installed when Norton AntiVirus is
installed along with Norton Internet Security.

Auto-Protect

Auto-Protect is the real-time scanner of Norton AntiVirus. Using a set of virus
definitions, the Auto-Protect feature provides real-time protection against viruses,
Trojans, worms, and expanded threats. Auto-Protect scans any file accessed on your
system. This ensures that all files in any active state are inspected and verified
before the user acts on them. This is the module that makes sure that your system is
protected at all times. Auto-Protect can only sustain this level of protection if the
system has current and up-to-date virus definitions.

Manual Scanning

A manual scan lets you check for viruses and other threats in specific files or folders.
You can include additional types of files to scan, such as boot records. You can also
specify whether you want the manual virus scan to check all files on your computer
or exclude files based on their extensions. Lastly, you can specify that scans include
memory infections and infections referenced by threats.

Instant Messenger Scanning

Norton AntiVirus Instant Messenger protection is the real-time scanning technology
that protects users from malicious items in instant messenger attachments. Instant
Messenger Scanning scans files that are downloaded through the Instant Messenger
clients from AOL, Yahoo and MSN.

ccEraser

ccEraser replaces the Generic Side Effects Engine that was introduced in Norton
AntiVirus 2005. Norton AntiVirus 2007 will detect and remove spyware and other
expanded threats on demand through the use of ccEraser.

ccEraser is designed to provide an expanded set of tools to improve the detection
and removal of expanded threats. It will have its own definitions, and have the
ability to deal with viral infections and expanded threat infections, including
spyware.

For detailed information on Norton AntiVirus, please refer to the Norton AntiVirus
2007 Training Manual.

Summary
In this unit we covered the following:

• Describe what Norton AntiVirus is
• Describe the main features of Norton AntiVirus
• Describe the new features in Norton AntiVirus 2007

Unit 5
Personal Firewall
Overview
Description

Norton Personal Firewall is the firewall component of Norton Internet Security.
Norton Personal Firewall monitors incoming and outgoing network traffic and blocks
the data which is defined to be blocked either by the user or through predefined
rules.

Objectives

After you complete this unit, you will be able to do the following:

• Understand the details of the components of Norton Personal Firewall 2007
• Detail how the various modules in Norton Personal Firewall 2007 interact with
each other and with the operating system
• Understand the logic behind troubleshooting Norton Personal Firewall
• Troubleshoot Norton Personal Firewall product issues

How Norton Personal Firewall Works
Norton Personal Firewall works by inserting itself into the Windows TCP/IP stack at
both sides of the transport protocol layer.

Norton Personal Firewall uses both kernel-mode and user-mode drivers. Kernel-mode
drivers have direct access to system memory and hardware, whereas user-mode
drivers function within a system-assigned memory space and cannot affect other
running applications.

[Figure: Windows TCP/IP stack without NIS (left) and with NIS (right)]
Without NIS: Network Card (NIC) -> NDIS -> Microsoft TCP -> Winsock Drivers
With NIS:    Network Card (NIC) -> NDIS -> SYMNDIS -> Microsoft TCP -> SYMTDI -> Winsock Drivers,
             with SYMREDRV, SYMFW and SYMDNS attached at the SYMTDI layer

Personal Firewall drivers

• Symndis: This module, one of the two hooks to the Microsoft stack, filters
raw packets coming from the NDIS layer to the protocol layer. It handles any
ICMP and IGMP traffic, as well as stopping any fragmented packets that
arrive. Symndis does not process higher-level protocols such as HTTP, FTP,
and SMTP.

• Symtdi: This module, the second hook to the Microsoft stack, handles the
higher-level, port-based protocols and serves as the host for the filters that
examine the incoming packet and data stream.

• Symdns: This module does not do any filtering. It monitors and stores
associated URL/IP address pairs for use by other Norton Personal Firewall
components.

• Symfw: This is the firewall filter. It regulates inbound and outbound
connections based on the current set of firewall rules and settings. Outbound
requests, if permitted, pass through this filter to the protocol layer and
beyond. If denied, the requested port is not opened, and the request stops at
this module. This module manages port stealthing.

• Symredrv: This component provides a mechanism that enables Norton
Personal Firewall to redirect outbound TCP traffic destined for a particular port
to another port. This is used as the basis for the HTTP and IM filtering. We
employ a proxy that listens on a port, and then we redirect traffic destined for
the Web and instant message servers through it.

Firewall component Integration

The integration of the firewall component (fwAgent) with Norton Internet Security is
dependent on two new components: fwPlugin.dll and fwEvent.dll.

fwPlugin.dll - An fwAgent plug-in for Norton Internet Security. This plug-in helps
fwAgent to get the interfaces that are required for configuration and alerting.

fwEvent.dll – This component will be used by Norton Internet Security to
communicate with fwPlugin. fwEvent will be a plug-in to ccEvtMgr and implements
the events for the fwAgent.

The previous versions of NIS used SymFirewallAgent to handle network alerting and
notification events. However, SymFirewallAgent only passed these events to NIS and
did not process them. NIS would be dependent on several other event types in order
to do the processing.

The consolidated firewall in NIS 2007 will simplify alerting by making NIS
dependent upon a single event type (a class of fwEvent.dll); NIS will only need to
subscribe to this single event. Although a single event type will be used, Norton
Internet Security will still need to do some processing to format the event into an
understandable alert or notification.

The Firewall configuration settings will be stored in ccSettings. Fwplugin will
subscribe to the ccSettings change event in order to pick up any configuration changes.

Important files of Personal Firewall

fwEvent.dll
fwEvent.dll implements the event used to communicate between Norton Internet
Security and its fwAgent plug-in. It also implements the event factory, event
subscriber, and event provider.

fwPlugin.dll
fwPlugin.dll is the fwAgent plug-in for NIS. It implements the interfaces required by
fwAgent.

fwAlert.dll
fwAlert.dll is the UI component. It is a ccApp plug-in that subscribes to firewall
events, displays alerts and notifications, and relays user actions back to fwPlugin.dll.

Component Organization

Functions of Personal Firewall
The personal firewall feature in Norton Internet Security 2007 has several functions
or sub-features that are designed to provide the best user experience. While these
features are optimized to work automatically in the background, they are also
enhanced to provide maximum security against online threats:

• Alerting mode
• Program Control
• Network Locations

Firewall Alerting Mode

Firewall Alerting is a new feature of Norton Internet Security 2007. There are two
alerting modes: Auto mode (Automatically decide what to do) and Interactive
(Ask me what to do) mode.

Auto mode allows Personal Firewall to make decisions automatically when a
network connection is established; no user alerts or prompts are shown. Auto
mode is an enhancement of the “Learning mode” of Norton Internet Security 2006.
However, unlike Learning mode, Auto mode is not directly dependent on virus
definitions. Learning mode in the 2006 version cannot be enabled if the virus definitions
of Norton AntiVirus are out of date. Auto mode in Norton Internet Security 2007
doesn’t check the virus definitions’ date; it depends instead on ccEraser’s
threat list.

The Interactive (Ask me what to do) mode allows known applications to connect to
the Internet and requests user intervention when an unknown application
attempts to establish a connection. Running Personal Firewall in Interactive mode
can produce a lot of alerts from the firewall asking whether to allow or block a specific
connection.

By default, Personal Firewall is set to work in Auto mode and will continue to work in
the same mode for 2 weeks. After 2 weeks, the user will be prompted either to keep
the alerting mode to Auto or to switch to interactive mode. This technique will help
the firewall learn the Internet-enabled applications for a period and then the switch
to Interactive mode will provide an option to the user to take a decision (either to
block or allow). However, Auto mode will be recommended when the alert is
presented to the user.

How Alerting mode works

A new component AlertMode.dll controls the Alerting level for Norton Internet
Security. AlertMode reads the alerting level from ccSettings and opens up an API
that the Personal Firewall components can use to produce alerts when required.

Occurrence of alerts is based on certain conditions. If the conditions match, then the
alert will be shown or action will be taken automatically.

Auto Mode

The following rules are applied to unknown applications (applications that are not
present in the ALE lookup) in Auto mode:

Threat status   No risk          Low risk         Med risk         High risk
in Eraser
Clean           Permit Traffic   Permit Traffic   Block            Block All
                                 (log)            (log)            (log)
                                                  (notification)   (notification)
Unknown         Permit Traffic   Permit Traffic   Block            Block All
                                 (log)            (log)            (log)
                                                  (notification)   (notification)
Malicious       Block All        Block All        Block All        Block All
                (log)            (log)            (log)            (log)
                (notification)   (notification)   (notification)   (notification)

Clean applications: Legitimate applications, or applications that do not belong to
the “threats” category.
Malicious applications: Illegitimate applications, or applications that belong to the
“threats” category.
Unknown applications: Applications that are neither classified as Clean nor as
Malicious; applications that are not identified by Eraser.

“Ask me what to do” Mode

In the interactive mode, users will experience alerts in all cases.

Threat status   No risk         Low risk        Med risk        High risk
in Eraser
Clean           Alert           Alert           Alert           Alert
                (rec: Permit)   (rec: Permit)   (rec: Block)    (rec: Block)
Unknown         Alert           Alert           Alert           Alert
                (rec: Permit)   (rec: Permit)   (rec: Block)    (rec: Block)
Malicious       Alert           Alert           Alert           Alert
                (rec: Block)    (rec: Block)    (rec: Block)    (rec: Block)
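Added example (not product code) covering both alerting-mode tables above: a Python helper that maps an application's Eraser threat status and connection risk level to the Auto mode action (with its log/notification flags) and to the Interactive mode recommendation, and that can expand a mode into its full twelve-cell table for comparison with the guide. It applies only to applications absent from the ALE lookup; the enum, field and function names are assumptions, the no-risk cell for Clean and Unknown applications is read as a permit without logging, and log/notify are left False for Interactive alerts because the guide does not specify them.

```python
"""Alerting-mode decision helper mirroring the Auto and "Ask me" tables.

Added example, not product code. The outcomes are those tabulated in the
guide for applications absent from the ALE lookup; the names are assumptions,
the no-risk cell for Clean/Unknown is read as a permit without logging, and
log/notify are left False for interactive alerts (not specified by the guide).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class ThreatStatus(Enum):       # ccEraser's verdict on the application
    CLEAN = "Clean"
    UNKNOWN = "Unknown"
    MALICIOUS = "Malicious"


class Risk(Enum):               # risk level associated with the connection attempt
    NONE = 0
    LOW = 1
    MED = 2
    HIGH = 3


class AlertingMode(Enum):
    AUTO = "Automatically decide what to do"
    INTERACTIVE = "Ask me what to do"


@dataclass(frozen=True)
class Decision:
    action: str                           # "permit", "block", "block_all" or "alert"
    log: bool
    notify: bool
    recommendation: Optional[str] = None  # only set when action == "alert"


def auto_mode_decision(status: ThreatStatus, risk: Risk) -> Decision:
    """Auto mode: act silently, or with a log entry / notification, but never prompt."""
    if status is ThreatStatus.MALICIOUS:
        return Decision("block_all", log=True, notify=True)
    if risk is Risk.NONE:
        return Decision("permit", log=False, notify=False)
    if risk is Risk.LOW:
        return Decision("permit", log=True, notify=False)
    if risk is Risk.MED:
        return Decision("block", log=True, notify=True)
    return Decision("block_all", log=True, notify=True)      # HIGH risk


def interactive_decision(status: ThreatStatus, risk: Risk) -> Decision:
    """Interactive mode: always alert; recommend Block for malicious apps or Med/High risk."""
    block = status is ThreatStatus.MALICIOUS or risk.value >= Risk.MED.value
    return Decision("alert", log=False, notify=False,
                    recommendation="Block" if block else "Permit")


def decide(mode: AlertingMode, status: ThreatStatus, risk: Risk) -> Decision:
    """Dispatch on the alerting level that AlertMode.dll reads from ccSettings."""
    if mode is AlertingMode.AUTO:
        return auto_mode_decision(status, risk)
    return interactive_decision(status, risk)


def decision_table(mode: AlertingMode) -> Dict[Tuple[ThreatStatus, Risk], Decision]:
    """Expand a mode into all twelve (status, risk) cells, e.g. to diff against the guide."""
    return {(s, r): decide(mode, s, r) for s in ThreatStatus for r in Risk}


if __name__ == "__main__":
    for (s, r), d in decision_table(AlertingMode.AUTO).items():
        print(f"{s.value:9} {r.name:4} -> {d.action:9} log={d.log} notify={d.notify}")
    for (s, r), d in decision_table(AlertingMode.INTERACTIVE).items():
        print(f"{s.value:9} {r.name:4} -> alert, recommend {d.recommendation}")
```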

Alert mode files and functions

The AlertMode component is dependent on the following common client services:

• ccLib
• ccSettings
• ccEventMgr

Non-functionality of any of these services can directly affect Alert mode.

Alerting Mode functionality

Program Control
Program Control allows a user to restrict the online communication of a specific
program. A user can either block a specific Internet-enabled application from
establishing any kind of remote communication, or restrict it to a specific type of
communication, through specific ports or addresses.

The Program Control feature in this version of Norton Internet Security is much more
enhanced and automatic. Users will no longer be able to perform a Program Scan, as
Program Control itself will learn the programs that connect to the Internet and
automatically create a Program Rule.

A greater ALE database now removes the necessity for the users to run a Program
Scan, as it allows Program Control to take the right decision when a program tries to
connect to the Internet. However, once a Program Rule is created automatically,
users can go ahead and modify the rule as desired.



Program Control options

Personal Firewall
  Program Control: On (always on when the firewall is in Quiet Mode) / Off
    Automatic Program Control
    Manual Program Control: Add / Remove / Modify


Configuring Program Control

By default, Program Control is ON. When the firewall is in “Auto mode”, Program Control does its job silently in the background and shows no alerts or notifications to the user. If a program tries to access the Internet, Program Control studies the program and decides whether to block or allow its access to the Internet. If the firewall is set to Interactive mode, Program Control instead prompts the user for the action to take (Block / Allow) the first time each program tries to connect to the Internet.

Once Program Control has created a rule for a specific application, the rule appears in the rules list, as shown in screenshot X.Y.

Through the Access column, a user can choose the following actions for a specific program:

Allow: Allows the program to connect to the Internet without any restrictions.

Block: Blocks the program from establishing any type of Internet connection.

Custom: Lets the user create a Program Rule that restricts the type of connection the program can establish. For example, a custom rule that allows Outlook Express to connect only to remote ports 110 (POP3) and 25 (SMTP) restricts Outlook Express to those two ports; if Outlook Express tries to connect to any other port, the connection is blocked.

Auto: Automatic Program Control makes its own decision when this program tries to connect to the Internet.



Network Locations

Network Location Simplification

Network locations are profiles that allow a user to switch between multiple networks. By assigning a network to a pre-defined location, a user can customize the firewall settings that are specific to that location. By default, Norton Internet Security 2006 allowed the user to configure four different network locations: Home, Office, Away and Default.

The Network Locations concept in Norton Internet Security 2007 has been simplified, and no configurable network locations are presented through the interface. Internally, however, there are three network locations: Unknown, Trusted and Restricted. The following table summarizes the simplification in Norton Internet Security 2007 as compared to Norton Internet Security 2006:

NIS 2006                                               NIS 2007
Users are allowed to create additional locations.      No option to create additional locations.
Users can add IP addresses to the Trusted /            Users still see a Trusted / Restricted list, but cannot add an
Restricted list to allow / block them.                 arbitrary IP address or computer to it; only the user’s home
                                                       network can be added to either list.
Users can customize specific program rules and         Rules apply to all locations and cannot be customized per
general rules for each location.                       location.



How Network Location works

As in previous versions, the entries in the Trusted / Restricted zones are still bound to IP addresses. A change in a computer’s IP address therefore removes that computer from the Trusted / Restricted zone if the new address is outside the local subnet.

When the user joins a new network, the network is automatically placed in the “Unknown” location until the user switches it to “Trusted” or “Restricted”. When a computer in the Trusted location communicates with any other computer in the local subnet, the communication is allowed; when a computer in the Restricted location tries to communicate with any other computer in the local subnet, the communication is blocked. All other traffic, from computers in neither the Trusted nor the Restricted location, has the firewall rules applied to it. The following flowchart provides an overview of the traffic control:



Handling a Network change

The SymNeti component automatically detects any change in the network and places the network in the Unknown location. If the detected network is a wireless network with no encryption, a log entry is created with Medium priority. It is then up to the user to place the network in either the Trusted or the Restricted zone, depending on his configuration needs.

Network Reclassification

The following describes the flowchart of the events that occur when a user reclassifies a network into a different location. The chart has four lanes (UI / Product, NISFWPlugin, FWAgent and SymNet), and the checks run in this order:

1. The user attempts to classify the network.
2. Is the new location the Trusted location? If not, the product calls the SymNeti API directly (step 6).
3. Is the network in the private IP range?
4. Is the network wireless?
5. Is the wireless encryption sufficient? When the network is being trusted, is in the private range, is wireless and its encryption is not sufficient, the user is warned. If the user adheres to the warning, the reclassification stops (Done). If the user ignores the warning, the product calls the SymNeti API.
6. Every path that does not end in a heeded warning calls the SymNeti API: SymNet moves/commits the network to the specified location (a netspec is added), and a LOCATION_CHANGE_EVENT is generated as a result.



Network Locations options



Configuring Network Locations

Once Norton Internet Security 2007 detects a network, it can be defined as either “Trusted” or “Restricted”. To access Network Locations:

Personal Firewall > Configure > Trust Control

In the above screenshot, the Security column reads “Protected”. This indicates that the network is currently identified by the firewall but is neither trusted nor restricted, so any communication from this network has the general rules applied to it. When the home network is “Trusted” or “Restricted”, the Security column displays the label “Trusted” or “Restricted” respectively.



Personal Firewall advanced options

Firewall Rules

A firewall rule allows a user to control the type of data that comes in and goes out of the computer through the Internet or the Local Area Network. It also allows a user to restrict which computers can connect to his computer. To access the firewall rules list:
Personal Firewall > Configure > Advanced Settings.

Creating a firewall rule in Norton Internet Security is very comprehensive. However, it is important to note that the rules in the list are evaluated in order, from the top down, and the first matching rule wins: the higher a rule is in the list, the greater its priority.

In the above screenshot, “Default Inbound ICMP” and “Default Outbound ICMP” are two rules at the top of the list that allow specific inbound and outbound ICMP connections. If a user creates a firewall rule to block inbound and outbound ICMP connections below these two rules, the user-created rule never takes effect, because the two default rules above it already match the traffic. For the user’s rule to work, it must be moved above the existing ones, or the user can simply uncheck the two pre-defined rules.

By default, there are several pre-defined firewall rules that block malicious data from entering the computer. Some firewall rules control outbound connections as well.



Default firewall rules

A list of the default firewall rules:

System Rules                              Policy
Default Inbound DNS                       Allow
Default Inbound NetBIOS                   Block
Default Inbound NetBIOS Name              Block
Default Outbound NetBIOS                  Allow
Default Inbound Loopback                  Allow
Default Outbound Loopback                 Allow
Access to secure sites                    Allow
Inbound and Outbound ICMP                 Allow
Windows File Sharing                      Block
Default Inbound Bootp                     Allow
Default Outbound Bootp                    Allow
Windows 2000 SMB                          Block
EPMAP                                     Block
Default Digital Signature Verification    Allow



Creating a firewall rule

Let’s now look at the procedure for creating a firewall rule. We will create a rule that blocks Telnet connections from a specific computer (172.16.211.2 in this example):

1. Open Norton Internet Security, select Personal Firewall and click Configure.
2. Click the Advanced Settings button and click Configure.
3. Click Add to start the rule wizard.
4. Click “Connections from other computers” and click Next.
5. Click Block and click Next.
6. Select “Only the computers and sites listed below” and click Add. Selecting “Any computer” would apply the rule to every computer that tries to establish a Telnet connection.
7. Type the IP address of the computer that you wish to block. You can also add a range of IP addresses, or an entire network address (along with the network’s subnet mask).
8. Click Next and select the type of protocol that you wish to block; in this case, TCP and UDP. Since we are blocking only Telnet, select “Only the types of communication or ports listed below” and click Add. Selecting “All types of communication” would block all communication coming from 172.16.211.2.
9. Since Telnet runs on a “well-known” port, select the “Known ports list” option and select port 23 from the list. If you are creating a rule to block or open a port that is not in the well-known list, select “Individually specified ports” and enter the port numbers; to add a range of port numbers, select “Port numbers”. While blocking or permitting connections “from” other computers, the Locality remains “Local” (the port is the local port); when creating a rule for connections “to” other computers, the Locality changes to “Remote”.
10. Click OK and then click Next.
11. Select the “Create an event log entry” option if you wish to log every time the rule is triggered, and click Next.
12. Type a name for the firewall rule and click Next.
13. Once the rule is created, move it to the top of the list so that it is not overridden by another rule. Rules are evaluated top-down: the first rule that matches wins, so a rule higher in the list takes priority over any rule below it.
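The ordering rule matters enough to be worth seeing in code. The following is an added example, not Symantec’s firewall code and not part of the course: a small model of the ordered rule list that builds the Telnet rule from the steps above and shows why a user rule placed below the default ICMP rules never fires. The Rule and Connection fields, the way ranges are parsed and the two stand-in ICMP rules are this example’s own simplifications of the wizard’s choices.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not Symantec's firewall code: a model of the ordered rule list, used to show why
# the position of a rule matters and to build the Telnet rule from the wizard steps above.
# Rule and Connection fields are this example's own simplification of the wizard's choices.


@dataclass
class Connection:
    direction: str              # "inbound" or "outbound"
    protocol: str               # "tcp", "udp" or "icmp"
    remote_ip: str
    port: Optional[int] = None  # local port for inbound rules, remote port for outbound ("Locality")


@dataclass
class Rule:
    name: str
    action: str                             # "allow" or "block"
    direction: str                          # "inbound", "outbound" or "both"
    protocols: frozenset = frozenset()      # empty = any type of communication
    remote: tuple = ()                      # ip_network objects; empty = any computer
    ports: frozenset = frozenset()          # empty = any port
    log: bool = False                       # "Create an event log entry"
    enabled: bool = True                    # unchecked rules are skipped

    def matches(self, c: Connection) -> bool:
        if not self.enabled or (self.direction != "both" and self.direction != c.direction):
            return False
        if self.protocols and c.protocol not in self.protocols:
            return False
        if self.remote and not any(ipaddress.ip_address(c.remote_ip) in net for net in self.remote):
            return False
        if self.ports and c.port not in self.ports:
            return False
        return True


def evaluate(rules, conn, default="allow"):
    """Top-down, first match wins. Returns (action, name of the deciding rule or None, log?)."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action, rule.name, rule.log
    return default, None, False


def remote_set(*specs):
    """Single addresses, CIDR networks or 'first-last' ranges, as the wizard's Add dialog accepts."""
    nets = []
    for spec in specs:
        if "-" in spec:
            first, last = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(spec, strict=False))
    return tuple(nets)


# The rule built in the steps above: block Telnet (TCP and UDP, local port 23) from 172.16.211.2, logged.
block_telnet = Rule("Block Telnet from 172.16.211.2", "block", "inbound",
                    protocols=frozenset({"tcp", "udp"}), remote=remote_set("172.16.211.2"),
                    ports=frozenset({23}), log=True)

# Simplified stand-ins for the two pre-defined ICMP rules at the top of the default list.
default_in_icmp = Rule("Default Inbound ICMP", "allow", "inbound", protocols=frozenset({"icmp"}))
default_out_icmp = Rule("Default Outbound ICMP", "allow", "outbound", protocols=frozenset({"icmp"}))
block_icmp = Rule("Block all ICMP", "block", "both", protocols=frozenset({"icmp"}))


def icmp_demo():
    """The user's ICMP block rule below the defaults never fires; moved to the top it does."""
    ping = Connection("inbound", "icmp", "192.168.1.20")
    below = evaluate([default_in_icmp, default_out_icmp, block_icmp], ping)[0]
    on_top = evaluate([block_icmp, default_in_icmp, default_out_icmp], ping)[0]
    return below, on_top


def telnet_demo():
    """Only Telnet from the listed address is blocked; other hosts and other ports pass."""
    rules = [block_telnet, default_in_icmp, default_out_icmp]
    return (evaluate(rules, Connection("inbound", "tcp", "172.16.211.2", 23))[0],
            evaluate(rules, Connection("inbound", "tcp", "172.16.211.3", 23))[0],
            evaluate(rules, Connection("inbound", "tcp", "172.16.211.2", 80))[0])


if __name__ == "__main__":
    print("ICMP block rule (below defaults, on top):", icmp_demo())
    print("Telnet rule (listed host, other host, other port):", telnet_demo())
```

Unchecking a pre-defined rule corresponds to `enabled=False`, which makes `matches` skip it, so a disabled default rule lets the evaluation fall through to the user’s rule exactly as the text describes.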



Stealth Blocked Ports

“Stealth” means operating in hidden mode. Stealthing a closed port hides the fact that the port is closed at all: if a port scan is run against a computer whose ports are stealthed, the computer does not respond to the probes, as if it did not exist. When a port is merely closed (not stealthed), the scanner receives a reply (a TCP reset or an ICMP “port unreachable”) telling it that the port is closed, which also confirms that a live host is present at that address. It is therefore recommended to stealth blocked ports for better security.
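The difference is easiest to verify from the scanning side. The following added example (not part of the course material, and not a Symantec tool) classifies a TCP port the way a scanner sees it: an immediate refusal means the port is closed and the host has just confirmed it exists, while a timeout with no reply is what a stealthed port looks like. The `__main__` demo stays on the local machine; to see the “stealth” result you point it at a second machine whose blocked ports are stealthed.

```python
import errno
import socket

# Added example, not part of the course material: what "closed" versus "stealthed" looks like from the
# scanning side. A closed port answers a TCP connection attempt with a reset, so connect() fails at once;
# a stealthed (filtered) port answers nothing, so the scanner sees only its own timeout.


def probe(host, port, timeout=2.0):
    """Classify one TCP port as seen from the scanner: open, closed, stealth or unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"                  # SYN/ACK: something is listening
    except socket.timeout:
        return "stealth"               # no SYN/ACK and no RST: nothing gives the host away
    except ConnectionRefusedError:
        return "closed"                # RST: the port is closed, but the host has just confirmed it exists
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"       # no route at all; says nothing about the target's ports
        raise
    finally:
        sock.close()


def scan(host, ports, timeout=1.0):
    """Probe several ports and return {port: classification}."""
    return {port: probe(host, port, timeout) for port in ports}


def open_listener(host="127.0.0.1"):
    """Demo helper: a listening socket on an OS-chosen port, returned as (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_listener()
    print("listening:", scan("127.0.0.1", [port]))    # {port: 'open'}
    srv.close()
    print("closed:", scan("127.0.0.1", [port]))       # {port: 'closed'}: immediate RST, host clearly present
    # Against a host whose blocked ports are stealthed, the same call returns 'stealth' after the timeout.
```

The practical consequence for support staff: a customer’s machine with stealthing enabled will show as “filtered”/no response in any external scan, which is the desired outcome, whereas a “closed” result means the firewall answered and thereby advertised the host.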



General Firewall Settings

The Personal Firewall can be turned ON or OFF by selecting the respective radio button.

Program Launch Monitoring

This feature monitors when one program launches another and checks the access control for both programs. Depending on the access control, the launched program is allowed or blocked from establishing a connection. For example, when you open a .pdf link in Internet Explorer, Adobe Acrobat Reader is opened by Internet Explorer; if Acrobat Reader is blocked in the Program Control list, the online PDF file will not load.

Program Component Monitoring

This feature monitors the Internet access of external modules loaded by programs. The components shown in the Program Component Monitoring list are trusted ones and can be used by programs to connect to the Internet.



Personal Firewall Advanced settings functions



Troubleshooting Personal Firewall

As the Personal Firewall feature deals with network and Internet connectivity, the majority of issues related to it involve loss of network or Internet connectivity. Connectivity issues range from not being able to reach the Internet at all to not being able to use a specific Internet-enabled program. The troubleshooting approach therefore needs to be situation-based. Let’s now look at some of the issues and troubleshooting scenarios:

Scenario 1: Cannot access the Internet when the Personal Firewall feature is enabled.

Solution:

1. Block / Allow Traffic

Check whether Norton Internet Security is set to block traffic. Right-click the Norton Internet Security icon in the system tray. If there is a menu option that reads “Allow Traffic”, then traffic is currently blocked; click “Allow Traffic” to allow it. When traffic is allowed, the menu option reads “Block Traffic”.

2. Check the Program Control list

Check the Program Control list to see whether the customer’s ISP program or browser is set to “Block All”. If so, changing it to “Permit All” should resolve the issue. Also look at the Alerting mode: if it is set to “Interactive”, change it to “Auto” mode, as Interactive mode may have led the customer to unknowingly block the browser or the ISP’s dialer.

3. Scan for viruses

Certain viruses corrupt files, which in turn may block the Internet connection. Run a manual anti-virus scan with the latest virus definitions and make sure that no viruses are present on the computer. If an infection is found, remove the viruses and reinstall any infected applications so that they function properly.

4. Network Locations

In the case of a small or home network, make sure that the network is not placed in the “Restricted” zone. If the user’s computer connects to the Internet through the local network gateway, placing the network in the Restricted zone blocks not only the Internet connection but local network connectivity as well.

5. Personal Firewall logs

Check the Personal Firewall logs to see whether any communication is being blocked by firewall rules. If it is, find the rule that blocks the connection and modify it accordingly. See the Product Activity logs section for more information on reading the Personal Firewall logs.



Using the Automated Tools:

SymNCTS.exe (Symantec Network Connectivity Troubleshooter)

Symantec has developed an automated tool that checks for connectivity issues and
resolves them automatically. This tool can be run online from the knowledge base.
The following knowledge base article provides an option to the user to run this tool:

‘I can connect to the Internet only if I first disable Norton Internet Security
or Norton Personal Firewall'
Document ID: 2005091311192136
http://service1.symantec.com/Support/nip.nsf/docid/2005091311192136

Scenario 2: Cannot access the Internet even after disabling Norton Internet Security.

Situation: After installing Norton Internet Security, you are unable to access the Internet even after disabling Norton Internet Security.

Solution:

1. Run the Norton Connectivity Troubleshooter (SymNCTS).

The SymNCTS tool performs various checks for conditions that can block Internet access. If any condition matches, SymNCTS fixes it. See Appendix A for more information on SymNCTS.

Note: Use of this tool had not been validated for Norton Internet Security 2007 when this manual was created.

2. Make sure that the computer is not infected by viruses or other threats.

Certain viruses and threats block Internet access. Have the customer run a manual scan and see whether it detects any viruses, making sure first that the customer has the latest virus definitions. Have the customer download the latest definitions on a different computer that can connect to the Internet and copy them to a CD or a USB drive; the definitions can then be transferred to and installed on the affected computer to perform the scan.

3. Check for other firewall programs.

Make sure that no other third-party firewall programs are installed on the computer. Some third-party firewall programs are:

• Tiny Personal Firewall
• Zone Alarm Pro/Plus
• McAfee Firewall
• Check Point Firewall
• Outpost Firewall

If any of these firewall programs is present, it needs to be uninstalled. Running two firewall programs on one computer is not recommended.



4. Uninstall and reinstall Norton Internet Security

Uninstall Norton Internet Security and try accessing the Internet. If you still cannot access the Internet, contact the ISP to make sure that the Internet connection settings are correct. If you can access the Internet after uninstalling Norton Internet Security, reinstall it and check for the issue again.

Scenario 3: Personal Firewall starts in disabled mode.

Situation: After installing Norton Internet Security and restarting the computer, you notice that the Personal Firewall feature is disabled.

Solution:

1. Confirm that Personal Firewall is set to start automatically at Windows startup.

Select Personal Firewall > Configure > System Settings and make sure that the startup option is set to Automatic.

2. Ensure that all required services are started.

Make sure that all required Symantec services are running and are set to start automatically. Also make sure that ccApp.exe is set to load at startup.

A. On the Windows taskbar, click Start > Run.
B. In the Run dialog box, type msconfig and then click OK.
C. In the System Configuration Utility window, on the Startup tab, verify that the entries in the list for your version of Norton Internet Security or Norton Personal Firewall are checked (in Windows XP, you must look in both the Services and Startup tabs):
• ccApp
• Symlcsvc
• Spbbcsvc
• ccEvtMgr
• ccSetMgr
D. Click Apply.
E. On the Services tab, verify that all Symantec services in the list are checked.
F. Click OK.
G. Click Yes to restart the computer.

3. Uninstall and reinstall Norton Internet Security

If re-enabling all required services does not fix the issue, uninstall and reinstall Norton Internet Security through Add/Remove Programs.



Firewall data filtering hierarchy

Incoming traffic



Outgoing traffic

The outgoing-traffic chart reads as follows (data going out of the computer):

1. Which program is sending? A program that is Blocked in Program Control: Block. A program that is Unknown: Program Control decides according to the Trusted Application List, or asks the user whether to allow the program; if the user does not allow it: Block. A program that is Allowed (or has just been allowed): continue.
2. Where is the destination? In the Restricted zone: Block. In the Trusted zone: Allow. Unknown (in neither zone): continue.
3. Does the data match any intrusion signature? Yes: Block. No: continue.
4. Is the data blocked by any general rule? Yes: Block. No: Allow.
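The following is an added example, not Symantec’s code and not part of the course: the outgoing-traffic decision above written as one function, together with the IP-bound Trusted / Restricted zones from “How Network Location works”. The access values follow the chart (“allowed”, “unknown”, “blocked”), the general rules are simplified to (protocol, port, action) triples, the `ask_user` callback stands in for the alert dialog, and the behaviour of `address_changed` is this example’s reading of the sentence about entries being bound to IP addresses.

```python
import ipaddress

# Added example, not Symantec's code: a model of the outgoing-traffic chart above, together with the
# IP-bound Trusted / Restricted zones from "How Network Location works". Access values follow the
# chart ("allowed", "unknown", "blocked"); the general rules are simplified to (protocol, port, action).

TRUSTED, RESTRICTED, UNKNOWN = "trusted", "restricted", "unknown"


class Zones:
    """Trusted / Restricted membership keyed by IP address."""

    def __init__(self, local_subnet):
        self.local_subnet = ipaddress.ip_network(local_subnet, strict=False)
        self.entries = {}

    def place(self, ip, zone):
        self.entries[ipaddress.ip_address(ip)] = zone

    def classify(self, ip):
        return self.entries.get(ipaddress.ip_address(ip), UNKNOWN)

    def address_changed(self, old_ip, new_ip):
        """Reading of the text above (an assumption of this example): the entry follows the computer
        while its new address is still on the local subnet and is dropped once it leaves the subnet."""
        zone = self.entries.pop(ipaddress.ip_address(old_ip), None)
        new = ipaddress.ip_address(new_ip)
        if zone is not None and new in self.local_subnet:
            self.entries[new] = zone


def decide_outbound(program, access, dest_ip, proto, port, payload, *,
                    zones, trusted_apps, ask_user, signatures, general_rules):
    """Walk the chart from top to bottom and return (verdict, reason)."""
    # 1. Program Control
    if access == "blocked":
        return "block", "program is Blocked in Program Control"
    if access == "unknown" and program not in trusted_apps and not ask_user(program):
        return "block", "program not in the Trusted Application List and user did not allow it"
    # 2. Destination zone
    zone = zones.classify(dest_ip)
    if zone == RESTRICTED:
        return "block", "destination is in the Restricted zone"
    if zone == TRUSTED:
        return "allow", "destination is in the Trusted zone"
    # 3. Intrusion signature on the outgoing data
    for name, pattern in signatures.items():
        if pattern in payload:
            return "block", f"data matches intrusion signature {name}"
    # 4. General rules, first match wins
    for rule_proto, rule_port, action in general_rules:
        if rule_proto in (proto, "any") and rule_port in (port, "any"):
            return action, f"general rule {rule_proto}/{rule_port}"
    return "allow", "no general rule blocks it"


def demo():
    """Constructed environment: a home subnet with one Trusted and one Restricted computer."""
    zones = Zones("192.168.1.0/24")
    zones.place("192.168.1.20", TRUSTED)
    zones.place("192.168.1.66", RESTRICTED)
    env = dict(zones=zones, trusted_apps={"iexplore.exe"},
               ask_user=lambda prog: prog == "outlook.exe",          # stands in for the alert dialog
               signatures={"demo-bot-beacon": b"BOTNET-HELLO"},
               general_rules=[("tcp", 25, "block"), ("udp", 137, "block")])
    verdict = lambda *args: decide_outbound(*args, **env)[0]
    return (
        verdict("evil.exe", "blocked", "10.0.0.1", "tcp", 80, b""),                  # block
        verdict("iexplore.exe", "unknown", "10.0.0.1", "tcp", 80, b""),              # allow: in TAL
        verdict("mystery.exe", "unknown", "10.0.0.1", "tcp", 80, b""),               # block: user said no
        verdict("outlook.exe", "unknown", "192.168.1.66", "tcp", 25, b""),           # block: Restricted
        verdict("outlook.exe", "allowed", "192.168.1.20", "tcp", 25, b""),           # allow: Trusted
        verdict("outlook.exe", "allowed", "10.0.0.1", "tcp", 25, b""),               # block: general rule
        verdict("svchost.exe", "allowed", "10.0.0.1", "tcp", 80, b"BOTNET-HELLO"),   # block: signature
        verdict("svchost.exe", "allowed", "10.0.0.1", "tcp", 80, b"GET / HTTP/1.0"), # allow
    )


if __name__ == "__main__":
    print(demo())
```

Note the two short-circuits in the zone step: a Trusted destination is allowed before the signature and general-rule checks run, and a Restricted destination is blocked regardless of how permissive the program’s own rule is, which is exactly why placing a home network in the Restricted zone takes the whole LAN offline (Scenario 1, step 4).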



Summary

In this unit, we have covered the following:

• Describe the components of Norton Personal Firewall 2007
• Detail how the various modules in Norton Personal Firewall 2007 interact with each other and with the operating system
• Describe the logic behind troubleshooting Norton Personal Firewall
• Troubleshoot issues related to Personal Firewall and its components.



Security Inspector
Unit 6

Overview

Description

Security Inspector scans the computer for vulnerabilities and fixes them and/or notifies the user about them. Security Inspector performs various scans, each designed to examine a potential area of vulnerability and provide corrective suggestions to the user.

Objectives

After you complete this unit, you will be able to do the following:

• Understand the functionality of Security Inspector
• Understand the various scans run by Security Inspector
• Understand how to “fix” an issue through Security Inspector
• Exclude vulnerabilities through Security Inspector
• Troubleshoot the Security Inspector feature



What Security Inspector does
The Security Inspector feature inspects a user’s computer for potential vulnerabilities and provides possible “fixes” or suggestions for fixing each vulnerability. Security Inspector offers two types of scans: Basic Scan and Advanced Scan.

Basic Scans

Advanced Scans



Basic Scans
By default, all checks that are part of the Basic Scan are performed. If the user wishes to skip a specific check, he can uncheck that scan option. The Basic Scan category contains the following checks:

• Windows Passwords
• IP Addresses
• Browser Settings
• Instant Messaging

Windows Password

This scan checks the password strength of all user accounts on the system: whether the password is blank or whether it can be easily guessed. A user account passes the “Windows password” scan only if its password meets all of the following criteria; a password that fails any one of them is shown as a vulnerability in the scan results:

• The password has at least 8 characters, including one or more non-alphanumeric characters.
• The password does not match the user account name or the host computer name.
• The password does not match the user account name or the host computer name spelled in reverse.
• The password does not match the name of the registered owner of the OS.
• The password does not match the user’s full name.
• The password is not a doubled occurrence of the user account name or the host name.
• The password does not match any of the words above with the letter ‘o’ replaced by ‘0’, ‘i’ replaced by ‘1’, ‘a’ replaced by ‘4’, or ‘s’ replaced by ‘5’.
• The password cannot be found in the supplied dictionaries.

Security Inspector cannot “fix” a weak password automatically; fixing this vulnerability requires user intervention. When Security Inspector detects a weak password, the affected user name is displayed together with the recommendation to define a stronger password.
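The criteria above are precise enough to express as code. The following is an added example, not Symantec’s VAPswd.dll and not part of the course: the Windows Password rules as a check over a cleartext password. The real scan works on the hashes that SAM.dll obtains from LSASS; this version takes the password itself so that each rule can be read and exercised directly. Case-insensitive comparison, the constructed sample accounts and the two-word dictionary are this example’s own assumptions.

```python
import re

# Added example, not Symantec's VAPswd.dll: the Windows Password criteria listed above, expressed as a
# check over the cleartext password. The real scan works on the hashes SAM.dll obtains from LSASS; this
# version takes the password itself so the rules can be read and tested directly. Comparisons are
# case-insensitive here, which is this example's assumption.

LEET = str.maketrans({"o": "0", "i": "1", "a": "4", "s": "5"})


def forbidden_words(account, host, owner="", full_name=""):
    """All names a password must not equal: plain, reversed, doubled, and with 0/1/4/5 substitutions."""
    words = {account, host, owner, full_name, account[::-1], host[::-1], account * 2, host * 2}
    words = {w.lower() for w in words if w}
    return words | {w.translate(LEET) for w in words}


def check_password(password, *, account, host, owner="", full_name="", dictionary=()):
    """Return the list of failed criteria; an empty list means the account passes the scan."""
    failures = []
    if password == "":
        failures.append("password is blank")
    elif len(password) < 8 or not re.search(r"[^A-Za-z0-9]", password):
        failures.append("shorter than 8 characters or no non-alphanumeric character")
    candidate = password.lower()
    if candidate in forbidden_words(account, host, owner, full_name):
        failures.append("matches the account, host, owner or full name "
                        "(plain, reversed, doubled or with 0/1/4/5 substitutions)")
    if candidate in {w.lower() for w in dictionary}:
        failures.append("found in the supplied dictionary")
    return failures


def scan_accounts(accounts, *, host, owner="", dictionary=()):
    """accounts: {account name: (password, full name)} -> {account name: failures} for failing accounts."""
    report = {}
    for name, (password, full_name) in accounts.items():
        failures = check_password(password, account=name, host=host, owner=owner,
                                  full_name=full_name, dictionary=dictionary)
        if failures:
            report[name] = failures
    return report


if __name__ == "__main__":
    # Constructed accounts on a host named PC1 whose registered owner is "Bob Smith".
    sample = {
        "bob": ("bob", "Bob Smith"),                 # equals the account name, and too short
        "alice": ("4l1ce4l1ce", "Alice Jones"),      # doubled account name with 0/1/4/5 substitutions
        "carol": ("Passw0rd!", "Carol King"),        # in the dictionary
        "dave": ("C0rrect-Horse-9", "Dave Lee"),     # passes
    }
    for account, failures in scan_accounts(sample, host="PC1", owner="Bob Smith",
                                           dictionary=["passw0rd!", "letmein"]).items():
        print(account, "->", "; ".join(failures))
```

The substitution check is applied to every derived word (reversed and doubled forms included), which is the reading the list supports: a password such as the doubled account name with ‘a’ and ‘i’ swapped for digits still fails.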

IP Addresses

This scan checks whether the computer’s hosts file has been tampered with, for example by redirecting the localhost entry to an address other than 127.0.0.1.
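As an added example (not Symantec’s scanner and not part of the course), this is the kind of check the IP Addresses scan performs, run over a constructed hosts file. It flags a localhost entry that no longer points at a loopback address, as the text describes, and additionally flags ordinary host names pointed at a loopback address, a common way malware blackholes update servers; that second check and the sample file are this example’s own additions.

```python
import ipaddress

# Added example, not Symantec's scanner: the check the IP Addresses scan performs, over a constructed
# hosts file. The "blackholed" check is this example's addition to the localhost check the text describes.

# Constructed sample: the first lines are a normal Windows hosts file, the rest are tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.1.2.3        localhost                # localhost redirected away from loopback
127.0.0.1       update.example.com       # an update server blackholed
192.168.0.5     fileserver fileserver.lan  # harmless LAN alias
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped, one line may carry
    several aliases, and lines whose first field is not an IP address are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def hosts_findings(text):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and not ip.is_loopback:
            findings.append(f"localhost redirected to {ip}")
        elif name != "localhost" and ip.is_loopback:
            findings.append(f"{name} blackholed to {ip}")
    return findings


if __name__ == "__main__":
    for finding in hosts_findings(SAMPLE_HOSTS):
        print("vulnerability:", finding)
```

On a real system the file to read is %SystemRoot%\System32\drivers\etc\hosts; the parser accepts both the IPv4 and the IPv6 localhost lines that Windows ships by default.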



Browser Settings

The Browser Settings scan checks for specific settings in the browser that can lower
the security settings and provides an option to “fix” the issues. If a user chooses to
fix, the change will be reflected on the actual browser settings. This scan is currently
performed for Internet Explorer only.

Instant Messaging

This scanner checks whether Norton AntiVirus is configured to protect the user’s
Instant Messenger program. For AOL and Yahoo, the scanning Engine checks each
Windows account, and each Instant Messenger account within that Windows account,
and reports whether each of these is properly configured to integrate with Norton
AntiVirus. For MSN Messenger, which does not store this setting on a per Instant
Messenger basis, but only on a per Windows account basis, the scanning Engine does
not report information about individual MSN Messenger accounts.



Advanced Scans
There are three scans that can be run through the Advanced Scans section. These scans are not run by default and are meant for advanced users. The advanced scans are:

• User Rights
• Windows Services
• Shared Folders

User Rights

The User Rights scan checks all of the user accounts on the computer against a set of user rights and returns a list of accounts that have more rights than they need. If a user account has excess rights, the scanner offers to “fix” it, which means removing that user’s excess rights on the object concerned.

Windows Services

This Security Inspector policy defines two categories of Windows services. The first category includes services that may increase the system’s exposure to attack. The second category includes services that are considered unnecessary for an average home user and are therefore not recommended to be running all the time. A vulnerability score is assigned to each category.

For example, the IIS, Telnet, FTP and Messenger services increase system vulnerability and should be disabled unless the user needs them. The NetMeeting, Remote Registry and DTC services are not recommended and should be configured for manual start unless the user determines otherwise.

Shared Folders

This scanner checks whether there are shared resources on the user’s system and offers to “fix” (unshare) them. It looks for the following criteria:

• Global shares must not be enabled.
• System folders should not be shared.

After a scan is run and the user is presented with the list of shares that will be closed, the behavior is as follows:

• If there are any global shares (i.e. C$, D$, etc.) or system-folder shares (i.e. C:\Windows or C:\Windows\System, etc.), no user-created shares are listed or closed, so that the most critical shares are closed first.
• If there are fewer than 5 user-created shares on the system, nothing is listed or closed.
• If there are 5 or more user-created shares on the system, they are all listed in the details dialog, but the default action is set to “No Action”, to avoid an accidental decision by the user.
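The three presentation rules above interact in a way that is easy to get wrong when explaining to a customer why a share did or did not appear, so here they are as code. This is an added example, not Symantec’s VAShrs.dll and not part of the course; the share records, the drive-letter test for global shares and the default system root are this example’s own assumptions.

```python
import re
from dataclasses import dataclass

# Added example, not Symantec's VAShrs.dll: the Shared Folders presentation rules above as code.
# What counts as a "global" share (a drive letter followed by $) and the default system root are
# this example's assumptions.


@dataclass
class Share:
    name: str   # share name as seen on the network, e.g. "C$" or "Docs"
    path: str   # local folder behind the share


def is_global(share):
    return re.fullmatch(r"[A-Za-z]\$", share.name) is not None


def is_system_folder(share, system_root):
    """True when the shared folder is the Windows folder or anything beneath it."""
    path = share.path.rstrip("\\").lower()
    root = system_root.rstrip("\\").lower()
    return path == root or path.startswith(root + "\\")


def plan(shares, system_root="C:\\Windows"):
    """Return (shares listed in the details dialog, default action) as the scan would present them."""
    critical = [s for s in shares if is_global(s) or is_system_folder(s, system_root)]
    if critical:
        return critical, "Fix"            # user-created shares are held back until these are closed
    user_created = [s for s in shares if s not in critical]
    if len(user_created) < 5:
        return [], "No Action"            # nothing listed, nothing closed
    return user_created, "No Action"      # all listed, but the user must opt in to closing them


if __name__ == "__main__":
    # Constructed share lists for the three branches.
    mixed = [Share("C$", "C:\\"), Share("Docs", "C:\\Users\\bob\\Documents")]
    few = [Share(f"share{i}", f"D:\\data{i}") for i in range(3)]
    many = [Share(f"share{i}", f"D:\\data{i}") for i in range(6)]
    for label, shares in (("mixed", mixed), ("few", few), ("many", many)):
        listed, action = plan(shares)
        print(label, "->", [s.name for s in listed], action)
```

The first branch is the one that surprises people: a user with C$ enabled and eight personal shares sees only C$ in the results, and the personal shares appear only on the next scan after C$ is closed.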



Security Inspector Scan screenshots

Click Scan Now to start the scan.

The Security Inspector scan results offer the options of “fixing” a vulnerability, taking “No Action”, or “Excluding” the vulnerability from future scans. If a user selects “No Action” for a specific scan result, Security Inspector takes no action and retains the settings as they are. If the user selects “Exclude”, that particular vulnerability is added to the Exclusions list and is excluded from future scans. If a user later wishes to “fix” an excluded vulnerability, he must first remove it from the “Exclusions” list.



Security Inspector files

SAM.dll – Obtains Password hashes from the Windows Local Security Authority
Service (LSASS.exe)
VAPswd.dll – Security Inspector weak password check component
VAOSOb.dll – Security Inspector Operating Systems Object check component.
VABrws.dll – Security Inspector Browser Check Component.
VAIM.dll – Security Inspector IM check component.
VAMngr.dll – Security Inspector Policy Manager Component.
VASrvs.dll – Security Inspector Services Check Component.
VAShrs.dll – Security Inspector Shares Check Component.



Troubleshooting Security Inspector
Some of the Security Inspector scans depend on Windows services. If a required Windows service is stopped, Security Inspector’s functionality is affected and the user is alerted through a CED error. Following is a screenshot:

The first thing to check for this type of error is whether the following Windows services are started:

• Server
• Workstation
• Netlogon

If the error continues to occur, make sure that the proper policy settings (administrative rights) are set for the Windows account with which the user is logged in. If the error still continues, you will need to uninstall and reinstall Norton Internet Security.

All error messages starting with module number 5010 correspond to Security Inspector. Other error messages that users may come across with Security Inspector:

5010,302: Hosts file missing.
5010,303: An AntiSpyware program installed on the computer is protecting the Hosts file.
5010,501: The “Server” service is not running.



Summary
In this unit, we covered the following:

• Understanding the functionality of Security Inspector
• Different types of scans run by Security Inspector
• Important files of Security Inspector
• Troubleshooting Security Inspector



Intrusion Prevention
Unit 7

Overview

Description

Intrusion Prevention monitors all inbound and outbound network activity and identifies suspicious patterns that may indicate an attack by someone attempting to break into or compromise the system.

Objectives

After you complete this unit, you will be able to do the following:

• Understand what Intrusion Prevention is
• Discuss how Intrusion Prevention works
• Understand the Intrusion Prevention signatures
• Identify and use Intrusion Prevention data
• Determine the possible issues with Intrusion Prevention
• Troubleshoot problems with Intrusion Prevention



How Intrusion Prevention Works
Intrusion Prevention scans each incoming and outgoing packet individually, looking for patterns that are typical of an attack. It also monitors the packets as a stream of information, which lets it identify attacks spread across multiple packets. If the information matches a known attack, Intrusion Prevention automatically discards the packet and severs the connection with the computer that sent the data, so the rest of the attack never reaches the targeted application.

Intrusion Prevention does not scan for intrusions from computers in the Trusted location. It does, however, monitor the information sent to computers in the Trusted location for signs of “zombies” and other remote-control attacks.



Intrusion Prevention options and configuration
You can modify how Intrusion Prevention responds to attacks by excluding attack signatures from being monitored, and by enabling or disabling AutoBlock, which automatically blocks all communication from an attacking computer.

Norton Internet Security does not scan for intrusions from computers in your Trusted zone. However, Intrusion Prevention does monitor the information that you send to Trusted computers for signs of remote-control attacks.

Intrusion Prevention can be configured either to display alerts when an attack signature is matched or to block the attack without displaying any alerts.



Signatures
Intrusion Prevention relies on a list of attack signatures to detect and block suspicious network activity. Users need to run LiveUpdate regularly to update the signature list to the latest version.

Excluding a signature allows that specific type of data flow through, making the computer vulnerable to the attack the signature describes. There are, however, occasional false positives, where legitimate data flow is blocked because it happens to match a signature. In that case, excluding the signature not only lets the valid data flow through but also opens that vulnerability for the user, so the trade-off should be made deliberately.
The following link provides information on all the attack signatures used by Intrusion Prevention:
http://securityresponse.symantec.com/avcenter/nis_ids/



AutoBlock

When Intrusion Prevention detects an attack, it places the attacking computer’s IP address in the “AutoBlock” zone. While a computer’s IP address is in the AutoBlock zone, it cannot establish a connection. By default, the computer is kept in the AutoBlock zone for 30 minutes.

You can also unblock a computer that has been blocked by AutoBlock, and to block a computer permanently you can “Restrict” it.
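To make the two mechanisms from “How Intrusion Prevention Works” and this section concrete, the following added example (not Symantec’s engine and not part of the course) matches a signature across a packet stream, so that a pattern split over two packets is still caught, and then puts the sender into a 30-minute AutoBlock that Restrict makes permanent. The signature, the connection tuple, the packets and the replaceable clock are constructed for the demonstration; the engine that ships with the product is not implemented this way.

```python
import time

# Added example, not Symantec's engine: signature matching over a packet stream (so a pattern split
# across two packets is still caught) combined with the 30-minute AutoBlock described above.
# The signature, connection tuple and packets are constructed for the demonstration.


class StreamMatcher:
    """Checks each packet on its own and joined to the tail of earlier packets on the same connection."""

    def __init__(self, signatures):
        self.signatures = signatures                       # name -> byte pattern
        self.keep = max(len(p) for p in signatures.values()) - 1
        self.tails = {}                                    # connection key -> trailing bytes

    def inspect(self, conn, payload):
        data = self.tails.get(conn, b"") + payload
        hit = next((name for name, pat in self.signatures.items() if pat in data), None)
        self.tails[conn] = data[-self.keep:] if self.keep else b""
        return hit

    def sever(self, conn):
        self.tails.pop(conn, None)


class AutoBlock:
    """Attacking addresses are blocked for `duration` seconds; Restrict makes the block permanent."""

    def __init__(self, duration=30 * 60, clock=time.monotonic):
        self.duration = duration
        self.clock = clock
        self.entries = {}                                  # ip -> expiry time, or None if restricted

    def block(self, ip):
        if self.entries.get(ip, 0) is not None:            # never shorten a permanent Restrict
            self.entries[ip] = self.clock() + self.duration

    def restrict(self, ip):
        self.entries[ip] = None

    def unblock(self, ip):
        self.entries.pop(ip, None)

    def is_blocked(self, ip):
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is None:
            return True
        if self.clock() >= expiry:
            del self.entries[ip]                           # the 30 minutes are up
            return False
        return True


class IntrusionPrevention:
    def __init__(self, signatures, trusted=(), clock=time.monotonic):
        self.matcher = StreamMatcher(signatures)
        self.autoblock = AutoBlock(clock=clock)
        self.trusted = set(trusted)
        self.events = []                                   # (source ip, signature name) log

    def inbound(self, src_ip, conn, payload):
        """Verdict for one inbound packet: 'allow' or 'block'."""
        if self.autoblock.is_blocked(src_ip):
            return "block"
        if src_ip in self.trusted:                         # traffic from Trusted computers is not inspected
            return "allow"
        hit = self.matcher.inspect(conn, payload)
        if hit is None:
            return "allow"
        self.events.append((src_ip, hit))
        self.matcher.sever(conn)                           # the connection is severed ...
        self.autoblock.block(src_ip)                       # ... and the sender lands in AutoBlock
        return "block"


def demo():
    now = [0.0]                                            # fake clock so the 30 minutes can be skipped
    ips = IntrusionPrevention({"demo-cmd-injection": b"/bin/sh -c"}, clock=lambda: now[0])
    conn = ("10.0.0.9", 4444, "192.168.1.10", 80)
    r1 = ips.inbound("10.0.0.9", conn, b"GET /cgi-bin/x?cmd=/bin")         # pattern not complete yet
    r2 = ips.inbound("10.0.0.9", conn, b"/sh -c id HTTP/1.0\r\n")         # completes it across packets
    r3 = ips.inbound("10.0.0.9", conn, b"anything")                        # sender is AutoBlocked
    now[0] += 31 * 60
    r4 = ips.inbound("10.0.0.9", conn, b"GET / HTTP/1.0\r\n")              # block has expired
    return r1, r2, r3, r4


if __name__ == "__main__":
    print(demo())   # ('allow', 'block', 'block', 'allow')
```

The per-connection tail is what gives stream awareness: it holds one byte less than the longest signature, so any occurrence that straddles a packet boundary is reassembled, and nothing else is buffered. A false positive in this model is simply a legitimate byte sequence that happens to contain a pattern; excluding the signature (removing it from the dictionary) is the only way to let that traffic through, which is the trade-off the Signatures section describes.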



Troubleshooting Intrusion Prevention

One of the most common issues with Intrusion Prevention is reports of false
positives. A valid data communication can sometimes be detected as an attack
signature. This will in turn display an intrusion alert to the user. While this is not an
“issue”, it might be of concern to the user as it deals with an intrusion alert. To
overcome this, the attack signature needs to be excluded.

Other issues with Intrusion Prevention involve the feature’s functionality itself.
The following scenario provides an overview:

Scenario 1: Intrusion Prevention is disabled.

Solution 1: Make sure that the required services are started and running.

Make sure that all required Symantec services are running and are set to start
automatically. Also make sure that ccApp.exe is set to load at startup.

A. On the Windows taskbar, click Start > Run.
B. In the Run dialog box, type msconfig and then click OK.
C. In the System Configuration Utility window, on the Startup tab, verify that
the files in the list for your version of Norton Internet Security or Norton
Personal Firewall are checked (in Windows XP, you must look in both the
Services and Startup tabs):
• ccApp
• Symlcsvc
• Spbbcsvc
• ccProxy
• ccEvtMgr
• ccSetMgr
• SndSrvc
D. Click Apply.
E. On the Services tab, verify that all Symantec services in the list are
checked.
F. Click OK.
G. Click Yes to restart the computer.

Solution 2: Make sure that the computer is not infected by any viruses.
Ensure that the computer is threat free by performing a virus scan. It can either be a
manual scan using Norton AntiVirus or an Online Virus scan. Verify that all detected
threats are removed, then follow the procedure above to enable the Symantec files.

Solution 3: Uninstall and Reinstall Norton Internet Security.

If no viruses are found, then to fix this issue, you will need to uninstall and reinstall
Norton Internet Security through Add/Remove Programs.

Summary
In this unit we have covered the following:

• Understand Intrusion Prevention.
• Discuss how Intrusion Prevention works.
• Learn about the interface and configuration of Intrusion Prevention.
• Determine the possible issues with Intrusion Prevention.

Unit 8
Phishing Protection

Overview

Description

The Fraud Site Protection feature of Norton Internet Security is designed to detect
fraudulent web pages and prompt users when they access them. The process of
creating fraudulent web pages and collecting personal information is known as
“Phishing”. It is characterized by attempts to fraudulently acquire sensitive
information, such as passwords and credit card details, by masquerading as a
trustworthy business in an apparently official electronic communication.

Objectives

After you complete this unit, you will be able to do the following:

• Understand what Phishing Protection does
• Discuss how Phishing Protection works
• Identify and use Phishing Protection data
• Determine the possible issues with Phishing Protection
• Troubleshoot problems with Phishing Protection

What Phishing Protection does?
The Phishing Protection feature detects and prompts the user about the security
status and genuineness of the web page that is currently being displayed in Internet
Explorer.

Note: Phishing Protection is currently compatible with Internet Explorer only.

How Phishing Protection works

Phishing Protection analyzes a website and categorizes it as fraudulent based on its
advanced heuristics scan and several conditions. Below is a list of conditions that it
checks for when a website is accessed:

Domain Analysis

Domain analysis checks the domain of the site that the user is currently navigating
to. Trusted Brands host their websites on known domains. Sites hosted on certain
domains, such as free web hosting domains, are more suspicious.

URL Analysis

URL analysis checks whether the URL that’s being opened is a spoof of a valid URL.
URLs have a defined structure. For example:
http://<username>:<password>@hostname/path
Hackers often misspell the trusted brand name or misuse the fields to mislead
innocent victims. Examples:
http://www.e-bay.net/index.html (misspelled brand name)
http://cgi5.ebay.com@xyz.net (user name/password field included in the URL)

History Analysis

History analysis checks the exact source of the site’s launch. If a site is launched
through a link from an email client, the chances of it being a phishing site are higher
than for a site opened from within the browser itself.

Content Analysis

The website’s content analysis is done based on the following conditions:

Web forms - All spoof pages have forms that try to steal information from users.
Page elements - Hackers try to impersonate Trusted Brands via page elements.
Content -
• Text: Trusted Brand names, requests for personal information, etc.
• Images: copies of Trusted Brand images such as logos, etc.
• Links: links back to a Trusted Brand.
• Forms: If the page has a form that sends data to
  o a trusted brand, then the site is more likely to be a legitimate site.
  o a site that’s hosted on a free domain or any other spoofed domain.

JavaScript - Spoof pages often try to disguise by encoding contents in JavaScript.

Layout Analysis

Phishing Site Protection uses a blacklist of websites to determine if a given website is
fraudulent. The blacklist contains cached hashes of fraudulent web pages, which are
used to look up fraudulent sites (by attempting matches).

Once these tests are performed on a site, a final phase is invoked where a score is
calculated based on the results of the various detection modules. The scoring
configuration can assign different values depending on whether each detection
routine detected its condition or not.

After the scoring algorithm is executed, the results are interpreted as Trusted,
Neutral, Phishing, or Cross-Site Scripting detected.
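To make the URL-analysis conditions and the scoring phase concrete, here is an added example (not Symantec's code, and not how the product's engine is implemented): the brand list, free-hosting domains, weights and thresholds are constructed assumptions, and it only covers the URL-level checks, not content, history or layout analysis.

```python
import re
from urllib.parse import urlsplit

# Constructed data for this demo. The product's real brand list, free-hosting
# list, weights and thresholds are not documented here; these are assumptions.
TRUSTED_BRANDS = {"ebay": "ebay.com", "paypal": "paypal.com"}
FREE_HOSTING_DOMAINS = ("freehost.example", "webspace.example")
WEIGHTS = {
    "userinfo_in_url": 4,       # user:password@ field abused to show a brand host
    "brand_outside_domain": 3,  # brand named in the URL, but served from another domain
    "lookalike_label": 3,       # hostname label that is a near miss of a brand (e-bay)
    "free_hosting_domain": 2,   # page hosted on a free web-hosting domain
}
PHISHING_THRESHOLD = 5    # score at or above this: Phishing
SUSPICIOUS_THRESHOLD = 2  # score at or above this: Neutral (ask the server for a verdict)


def normalize(token):
    """Fold common look-alike tricks: 'e-bay' -> 'ebay', 'paypa1' -> 'paypal'."""
    return token.lower().replace("-", "").replace("1", "l").replace("0", "o")


def registered_domain(host):
    """Simplification for the demo: treat the last two labels as the registered domain."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Run the URL-level conditions and return {condition: detected}."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg_domain = registered_domain(host)
    host_labels = host.split(".")

    # Every word-like token in the userinfo, host and path, e.g. 'cgi5', 'e-bay'
    text = f"{parts.username or ''} {host} {parts.path}".lower()
    normalized = {normalize(t) for t in re.split(r"[^a-z0-9-]+", text) if t}

    findings = {name: False for name in WEIGHTS}
    # A user name component means the URL has the form http://shown.host@real.host
    findings["userinfo_in_url"] = parts.username is not None
    findings["free_hosting_domain"] = any(
        host == d or host.endswith("." + d) for d in FREE_HOSTING_DOMAINS)
    for brand, brand_domain in TRUSTED_BRANDS.items():
        if brand in normalized and reg_domain != brand_domain:
            findings["brand_outside_domain"] = True
        # A label that matches the brand only after folding, such as www.e-bay.net
        if any(normalize(label) == brand and label != brand for label in host_labels):
            findings["lookalike_label"] = True
    return findings


def score_url(url):
    """Weighted score over the detected conditions and the resulting verdict."""
    findings = analyze_url(url)
    score = sum(WEIGHTS[name] for name, hit in findings.items() if hit)
    if score >= PHISHING_THRESHOLD:
        verdict = "Phishing"
    elif score >= SUSPICIOUS_THRESHOLD:
        verdict = "Neutral"   # suspicious: the client would ask the server for a verdict
    else:
        verdict = "Trusted"
    return score, verdict, findings


if __name__ == "__main__":
    for sample in ("http://www.ebay.com/",
                   "http://www.e-bay.net/index.html",      # misspelled brand name
                   "http://cgi5.ebay.com@xyz.net",         # brand in the user name field
                   "http://signin.ebay.com.login.freehost.example/",
                   "http://cheap-cars.freehost.example/"):
        score, verdict, hits = score_url(sample)
        print(f"{verdict:8} {score:2}  {sample}  {[k for k, v in hits.items() if v]}")
```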

If Phishing Protection is able to identify a website as a Phishing site after performing
the above mentioned analysis, then the user is notified and the website’s navigation
is closed. If the website is found to be legitimate, then the user is allowed to
navigate the website further. However, if Phishing Protection determines the website
to be suspicious and cannot locate any data locally to block it or validate it as a valid
Phishing site, then a request is sent to the server for further processing. The
flowchart below provides an overview of the process:

[Flowchart: the user navigates to a site; NPP intercepts the navigation; the site
is put through Domain Analysis, URL Analysis, History Analysis, Content Analysis
and Layout Analysis. A site that passes is shown to the user. A suspicious site is
checked against the server for an updated verdict (verdict is to allow, verdict is
to block, or no verdict available); the user is then either allowed to view the
page or alerted and the site is blocked.]

Phishing Protection files and their functions
NppBHO.dll – The Browser Helper Object that adds the toolbar to Internet Explorer.
NppW.dll – The Phishing Protection scanning engine.
NppW.zip – Blocked sites’ list.

Phishing Protection Options and Configuration

Internet Explorer toolbar

After the installation of Norton Internet Security 2007, a Phishing Protection toolbar
appears in Internet Explorer which provides the status of the webpage currently
being displayed.

Usage of Phishing Protection

Clicking on the green toolbar displays the status of Phishing Protection and also
notifies you if the currently open page is fraudulent.

Clicking on the Options menu provides two options: one to report a particular site as
a fraudulent web page and the other for Help, as shown below:

Once the Report site option is selected, a Report site window appears containing the
URL of the web page currently being displayed, to be submitted to Symantec.

Summary
In this unit we have covered the following:

• Understand what “Phishing” is and what Fraud Site Protection does to
counter it.
• Discuss how Fraud Site Protection works.
• Learn about the interface and configuration of Norton Protection Center.
• Determine the possible issues with the Norton Protection Center.

Unit 9
Behavior Blocking (SymProtect)

Overview

Description

Many computer threats attack security software to prevent detection or removal.
These threats are known as retroviruses. These programs terminate processes,
delete files, or remove registry keys in an attempt to prevent the user from
responding to the threat. To counter this threat, Symantec Consumer products
include Behavior Blocking (known as SymProtect), to protect our software from
attacks.

Objectives

After you complete this unit, you will be able to do the following:

• Understand what SymProtect does
• Discuss how SymProtect works
• Identify and use SymProtect logs
• Determine the possible issues with Behavior Blocking
• Troubleshoot problems with Behavior Blocking

What SymProtect does?
SymProtect is a technology which prevents modification or deletion of Symantec
files, folders, processes and registry keys by unauthorized applications or
accidentally by the user.

However, it does not prevent the reading of our files and registry keys to avoid
interfering with normal operations, such as backup. Authorized applications have full
access, so they do not require any changes to continue to work.

In order to be protected by SymProtect, a Symantec application provides a list of
files and registry keys that are to be protected. An “.eve” file that carries a Symantec
Digital Signature is automatically protected.

Norton Internet Security 2007 uses the following methods to authorize an
application to make changes to protected resources:

• Digitally signed by Symantec

Applications which are signed with a Symantec digital signature are free to
access all protected assets. This covers a great many legacy products;
Intelligent Updaters and all fix tools should also be signed.

• Running from a preregistered path

An administrator can preconfigure a path, or set of paths, such that
applications that run from those locations are authorized. This might be a
network share location, or a location on the local disk on which software is
delivered.

• Possessing a preregistered name

The product can register the name of the authorized software, such as
System Restore or the Windows XP Backup program,
%SystemRoot%\System32\Ntbackup.exe.

How SymProtect works
Manifest files

In order for SymProtect to protect resources, their names need to be listed in an
encrypted XML file known as a manifest. Items to exclude from protection are also
listed in the manifest. There are separate manifest files for directories and named
kernel objects. The contents of the manifest file can also be viewed in
C:\Program Files\Common Files\Symantec Shared\SPManifests.

SymProtect Logic Flow

SymEvent is a kernel mode process. The kernel is the core of the operating system.
It is the piece of software responsible for providing secure access to the machine's
hardware and to various computer processes. Most applications do not run in kernel
mode. SymEvent can intercept calls to and from the applications and the kernel.

A flowchart of the order of events that follow an attempt to modify Symantec files
is shown below:

[Flowchart: SymEvent intercepts the events; SPBBCSrv converts them to an
IBBEvent. If the target is not a protected resource, the process is allowed. If it is
a protected resource and the process is authorized, the process is allowed;
otherwise the event is blocked and an alert is sent to the user via ccEvent
Manager.]

Resources that are monitored

All the Symantec program folders, common folders, and registry keys under the HKLM
and HKCR paths are protected. A list of protected resources is provided below:

SymProtect files

The following table lists the core SymProtect files.

SymProtect Files
File name      Description
Spbbcdrv.sys   SymProtect driver
Spbbcevt.dll   Handles SymProtect events
Spbbcsvc.exe   Responsible for the SymProtect Service
Updmgr.exe     Handles SymProtect updates

Determine the possible issues with the Behavior Blocking

The user will be unable to delete a Symantec file or folder as suggested in the
Troubleshooting Procedure unless the feature is disabled.

Summary
In this unit we have covered the following:

• Understand what SymProtect does
• Discuss how SymProtect works
• Read SymProtect logs
• Determine the possible issues with Behavior Blocking

Unit 10
Message Center
Overview
With the changes to the user interface of Norton Internet Security, the Log Viewer
has also been updated to ensure maximum program usability and ease of use. It has
been streamlined and is now available as Message Center.

The Message Center provides a categorical view of all logged events and also makes
it easy to track and view the events and their details including the firewall events
and also the Antivirus events.

Description

The components of Norton Internet Security log all activities that they perform.
The Message Center gives the user the ability to read and analyze this activity,
which includes events such as alerts, application activities, and threat activities
that have occurred in Norton Internet Security 2007.

Objectives

After you complete this unit, you will be able to do the following:

• Understand what Message Center logs are
• Learn about the Activity logs
• Discuss what logs do
• Identify and analyze the various logs created
• Determine and troubleshoot the possible issues by using the log entries

What Message Center does?

Message Center stores all event data that is generated by Norton Internet Security.
This is achieved by common client files which monitor all event details that
components produce. The Message Center component is a generic log viewer that is
plug-in driven and provides a common user interface to display logged events,
including all of those listed below.

The following categories of information are available in the Message Center of Norton
Internet Security 2007:

• Norton Internet Security activities:
  o Firewall Alerts
  o Network Alerts
  o Traffic Alerts

• Norton AntiVirus activities:
  o Security Risks
  o Manual Scans
  o Quarantine Items
  o Submissions

Norton Internet Security activities
Traffic Alerts

This displays a history of all TCP/IP network connections made from or to this
computer. Connections are logged when the connection is closed. When you highlight
a connection, the Event Details Panel displays details about that particular
connection.

Intrusion Prevention/Network Alerts

This displays information about the recent activity of the Intrusion Prevention
component. When you highlight an event, the Event Details Panel displays
information about the event, or activity, such as whether it has been activated, and
how many signatures it is monitoring.

Firewall log

This displays a list of events that are logged by the firewall. The Firewall logs are
best used when a specific program is having difficulty connecting to the Internet. It
can also be useful when there is no connectivity at all. Almost every entry in the
Firewall log can be configured through the Personal Firewall configuration window.
The only exception will be related to fragmented packets. When you encounter
fragmented packets, resolution must be obtained through other means than
configuring NIS.

Norton AntiVirus activities

Security Risks

This provides the user with details about all security risks that were detected by
Norton AntiVirus; this includes threats detected by Manual Scans, Auto-Protect, Email
scanning and IM scanning. The information provided about threats that were only
partially removed, or that were not deleted, is important in ensuring optimum
security.

Manual Scans

This provides information about the various components that perform scans
initiated by the user, such as context scans, IM scanning and Email scanning events.
It provides information about each scan entry, such as the number of files scanned
and the infection detection and removal details.

Quarantine Items

This contains a list of items that were quarantined either automatically or that have
been added manually. The quarantined file can also be submitted to Symantec
Security Response through this console.
Submissions

This option displays in detail the files that are submitted to the Symantec Security
Response and the status of their submission. It also provides the details about the
file, the threat detected in it and the date and time the file was updated. This
information could be used by the customer to ensure that a suspicious file has been
sent to Security Response for analysis.

Activity logs
Activity logs log or record the events and activities that occur with the program. The
information stored in the log files can be used extensively for troubleshooting as they
store all events that occur in the program’s environment.

What Activity Logging does?

Activity logs allow a technician or a user to view the events that occur in the
program’s environment. This lets a user or a technician see exactly what happened
with the program and also helps in tracking down or narrowing down an issue through
the recorded details.

Following are the log files that are maintained by the log viewer:

• Symantec resource protection activities:
  o Alerts

• Norton Internet Security activities:
  o Network connections
  o Firewall activities
  o Intrusion Prevention
  o Service activities
  o Firewall alerts
  o Security risks
  o Protection activities
  o Error messages

Network connections

Displays a history of all TCP/IP network connections made with the computer.
Connections are logged when the connection is closed. When you highlight a
connection, the Event Details Panel displays details about that particular connection.
This is the category to look in when a customer suspects a threat from a Trojan or
hacker.

Firewall activities

Logs all the activities that are monitored by the Personal Firewall feature. Any data
traffic that’s assessed by the firewall, along with any Internet-enabled application’s
attempt to connect to the Internet, is logged here. Using this log, technicians can
identify which programs connected to the Internet (along with time stamps) and to
what ports the connection was established. This log also displays the type of
network / Internet connections that the computer might have established (provided
that connection was monitored by the Personal Firewall feature).

Intrusion Prevention

This displays the information about Intrusion Prevention activities. When you
highlight an event, the Event Details Panel displays information about the event, or
activity, such as whether it has been activated, and how many signatures it is
monitoring.

This category will show any attacks and their signatures if a customer believes they
have been attacked.

Service activities

Displays information about Norton Internet Security activity as a Windows service
and any error messages encountered by Norton Internet Security.

Firewall alerts

Logs all the alerts that were shown by the Personal Firewall feature and also logs the
action that was taken by the user when the alert was shown.

Security risks

Logs the security threats identified and deleted by the Spyware Protection feature.

Protection activities

Logs the activities completed by protection features such as the Email Scanning and
Manual Scanning features of Norton AntiVirus.

Error messages

Logs the error messages that are generated by Norton Internet Security.

Reading Norton Internet Security Logs

The log files provide a great level of detail about the activities that are performed by
the user. These include detailed statistics of the network traffic and the
corresponding Firewall logs, which are of assistance in troubleshooting connectivity
issues.

To read a particular log file choose a log entry and click on “More info” on the right
side information Window to view details of the selected event.

The Detailed information view would provide information about the actions that were
recommended and the actions that were performed by the user. Also a link for more
information about the particular log type being viewed would be available.

Information about each log type and its functionality is explained below:

Full history

The Full history view displays all log entries. Selecting an entry displays a brief
summary about it in the "Alert Details" window. Clicking on More details displays
complete information about the event. The information provided for events of each
feature is explained below.

Firewall Alerts

The window displays a list of alerts and events with their names, priority and
status.

In the case of an alert, the Alert Details displayed are the source of the alert, the
risk level of the source, the source and destination IP addresses and the traffic
description.

In the case of an event, it displays the event details, information about any IP
addresses involved and a description of the event. It also provides an option to
configure NIS to automatically perform an action, such as allowing or restricting a
particular event, the next time it occurs.

Network Alerts

This displays the Alert details and information about any IP addresses involved and a
description of the event. Also it provides an option to configure NIS to automatically
perform an action such as to allow or restrict a particular event from occurring again
automatically.

Security Risks

The alert details window displays the risk name, type and any impact that it has on
the computer. It also displays the component which detected the risk, which could be
either "AutoProtect" or "Manual Scan", and the recommended and performed
actions. Finally, it displays the file name, path and file information.

The advanced details window, in addition to the above, provides the product name
and version which generated the alert, the component version and the internal
definition version. These are helpful in troubleshooting virus removal issues. It also
displays a link to the Symantec Security Response article corresponding to the
threat, and general information about viruses and Auto-Protect as provided in the
Help files.

Manual Scan results

The results of a manual scan operation are different from the results of the other
scanning related log entries. The alert window displays all the information that the
advanced details provide, namely the component that initiated the scan, the task
name for the scan and, finally, the time taken to complete the scan in seconds. In
this view, you can also see the results of that scan, which include the number of:

• Master Boot Records
  o Scanned
  o Infected
  o Repaired
• Boot Records
  o Scanned
  o Infected
  o Repaired
• Files
  o Scanned
  o Infected
  o Repaired
  o Quarantined
  o Excluded

Quarantine Items

The event window displays details about the priority, title and the status of removal
of the threat. The alert details display the risk name and level, the threat category
and the component which placed it in quarantine. It also provides the state of the
threat removal.

The advanced details window displays the risk type, eraser version and the internal
definition version. It also provides a link to the corresponding Symantec Security
Response article about the threat.

From the advanced details window the threat can be sent to the Security Response
Team, deleted permanently or restored.

Submissions

This Window displays a list of "submissions" and their priorities and names. The
details window displays details about the date the event was updated, the source
which updated the file and the description of the updated file.

Analyzing the logs
Example 1 – Firewall activities log:

7/30/2006 5:42:30 AM, The user has created a rule to "block" communications." The
user has created a rule to ""block"" communications. Outbound UDP packet. Local
address, service is (USER-LUU234NKJV,0). Remote address, service is
(symlab1.symlab.com,domain(53)). Process name is ""C:\Program Files\Internet
Explorer\iexplore.exe""."

Above is a typical entry of the Firewall activities log when a user blocks an
application’s attempt to access the Internet. Let’s analyze the entry by breaking it
into pieces:

• Date and Time: The first portion of the entry shows the date and time when
the user blocked the application.
• The next section is a synopsis of the rule, starting with the action by the user.
• Next is the type of communication. In this case it is an Outbound UDP
connection that is being blocked.
• The remote address is symlab1.symlab.com.
• The remote port to which the connection is being established is port 53.
• And the name of the application that’s attempting to connect to the Internet
is iexplore.exe (which is the executable of Internet Explorer).

Example 2 – Network connections log:

5/23/2005 4:04:34, User(192.168.0.10),1240, www.yahoo.com
(68.142.197.71),http(80),0,0,0: 00:00.062,"Connection:
www.yahoo.com(68.142.197.71): http(80) from User(192.168.1.100): 1230, 0 bytes
sent, 0 bytes received, 0.062 elapsed time."

• Date and Time: The date and time when the connection was established.
• IP address (192.168.1.100 on port 1230): IP address of the user’s computer
and the local port through which the connection was initiated.
• Connection was established to the Yahoo website (68.142.197.71 through
http port 80).
• 0 bytes were sent, 0 bytes were received, and the total elapsed time was 0.062
seconds.
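The two entries analyzed above can be broken into their fields programmatically, which is useful when a customer sends a large export of the log. The following parser is an added example (not part of the course or the product): the two sample lines are copies of the entries quoted in this section, and the regular expressions are written against those samples only, so other entry types in the log are returned as unrecognised (None).

```python
import re
from datetime import datetime

# Constructed copies of the two sample entries quoted in this section.
FIREWALL_SAMPLE = (
    r'7/30/2006 5:42:30 AM, The user has created a rule to "block" communications." '
    r'The user has created a rule to ""block"" communications. Outbound UDP packet. '
    r'Local address, service is (USER-LUU234NKJV,0). Remote address, service is '
    r'(symlab1.symlab.com,domain(53)). Process name is '
    r'""C:\Program Files\Internet Explorer\iexplore.exe""."'
)
CONNECTION_SAMPLE = (
    '5/23/2005 4:04:34, User(192.168.0.10),1240, www.yahoo.com(68.142.197.71),'
    'http(80),0,0,0: 00:00.062,"Connection: www.yahoo.com(68.142.197.71): http(80) '
    'from User(192.168.1.100): 1230, 0 bytes sent, 0 bytes received, 0.062 elapsed time."'
)

# Leading timestamp; the Firewall activities log carries AM/PM, the connections log does not
TS = r'(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?)'

FIREWALL_RE = re.compile(
    TS + r', .*?rule to "+(?P<action>\w+)"+ communications'
    r'.*?(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) packet\. '
    r'Local address, service is \((?P<lhost>[^,]*),(?P<lsvc>.*?)\)\. '
    r'Remote address, service is \((?P<rhost>[^,]*),(?P<rsvc>.*?)\)\. '
    r'Process name is "+(?P<proc>[^"]*)"+', re.DOTALL)

CONNECTION_RE = re.compile(
    TS + r', .*?"Connection: (?P<rhost>[^\s(]+)\((?P<rip>[\d.]+)\): '
    r'(?P<rsvc>\w+)\((?P<rport>\d+)\) from (?P<lhost>[^\s(]+)\((?P<lip>[\d.]+)\): '
    r'(?P<lport>\d+), (?P<sent>\d+) bytes sent, (?P<recv>\d+) bytes received, '
    r'(?P<elapsed>[\d.]+) elapsed time\.', re.DOTALL)


def parse_timestamp(ts):
    """'7/30/2006 5:42:30 AM' or '5/23/2005 4:04:34' -> datetime."""
    fmt = "%m/%d/%Y %I:%M:%S %p" if ts.endswith(("AM", "PM")) else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(ts, fmt)


def service_port(service):
    """'domain(53)' -> 53, 'http(80)' -> 80, '0' -> 0; None when no number is present."""
    m = re.search(r"(\d+)\)?$", service)
    return int(m.group(1)) if m else None


def parse_log_line(line):
    """Return a dict for a Firewall activities or Network connections entry, else None."""
    m = FIREWALL_RE.match(line)
    if m:
        return {
            "kind": "firewall",
            "time": parse_timestamp(m["ts"]),
            "action": m["action"].lower(),          # e.g. 'block'
            "direction": m["direction"],            # Inbound / Outbound
            "protocol": m["proto"],                 # TCP / UDP
            "local_host": m["lhost"], "local_port": service_port(m["lsvc"]),
            "remote_host": m["rhost"], "remote_port": service_port(m["rsvc"]),
            "process": m["proc"],                   # full path of the program
        }
    m = CONNECTION_RE.match(line)
    if m:
        return {
            "kind": "connection",
            "time": parse_timestamp(m["ts"]),
            "local_ip": m["lip"], "local_port": int(m["lport"]),
            "remote_host": m["rhost"], "remote_ip": m["rip"],
            "remote_port": int(m["rport"]),
            "bytes_sent": int(m["sent"]), "bytes_received": int(m["recv"]),
            "elapsed": float(m["elapsed"]),         # seconds
        }
    return None


def blocked_outbound(lines):
    """(process, remote host, remote port) for every outbound attempt a user rule blocked."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if (entry and entry["kind"] == "firewall"
                and entry["action"] == "block" and entry["direction"] == "Outbound"):
            hits.append((entry["process"], entry["remote_host"], entry["remote_port"]))
    return hits


if __name__ == "__main__":
    for sample in (FIREWALL_SAMPLE, CONNECTION_SAMPLE):
        print(parse_log_line(sample))
    print(blocked_outbound([FIREWALL_SAMPLE, CONNECTION_SAMPLE]))
```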

Summary
In this unit we have covered the following:

• Understand what the Message Center is
• Describe what Message Center does
• Discuss what logs do
• Identify and analyze the various logs created
• Determine and troubleshoot the possible issues by using the log entries

Unit 11
Symantec Shared components
Overview
Description

Explaining the Symantec Shared components in detail is not within the scope of this
manual. But without explaining components like Activation and LiveUpdate, the
Norton AntiVirus manual would not be complete.

Here we discuss how Norton AntiVirus uses the Activation and LiveUpdate
components to activate and update the product.

Objectives

After completing this unit, you will be able to:

• Understand what Activation does
• Describe what Norton Protection Center does
• Understand what LiveUpdate does
• Describe how Norton AntiVirus uses LiveUpdate

Activation
Digital Rights Management is a technology that protects you from pirated or
counterfeit software. It limits the use of a Norton program to those who purchased
the program legitimately. When you install a Norton program, you are required to
use a unique product key to activate it. You can activate your Norton program during
installation, or after you install. If you choose to activate after you install, you must
activate within a limited time, or the product will not work.

Norton Protection Center

Norton Protection Center detects and prompts the user about the security status and
the status of the Norton product, including the virus definitions, previous scan date
and other product related data.

Norton Protection Center reports on how safe it is for you to use your computer to
perform popular tasks. It groups your activities into five protection categories. Your
protection is based on the programs that you have installed. To improve your
protection status, ensure that your installed programs are up to date.

The Security Basics category includes programs that protect your computer from
viruses and other security risks, and ensures that the protection is updated
frequently. It reports on whether your disks have been scanned for viruses recently,
whether you have spyware protection, and whether you receive Windows updates
and antivirus updates automatically.

After the installation, a Norton Protection Center icon appears in the Windows
system tray, which provides the status of Norton AntiVirus.

The Norton Protection Center Interface

LiveUpdate
LiveUpdate is a program through which a user can download virus definitions and
program updates. It is recommended to run LiveUpdate immediately after the
product’s installation, and frequently thereafter, to check if there are any updates
released for the installed product. The version of LiveUpdate that ships with Norton
AntiVirus 2007 is Version 3.1.

Also, note that the user needs to have a valid subscription in order to download the
updates through LiveUpdate.

Following are the Norton AntiVirus components that are updated by LiveUpdate:

LIVEUPDATE
AUTOMATIC LIVEUPDATE
SYMEVENT INSTALLER - CONSUMER
COMMON CLIENT CORE
COMMON CLIENT CORE RESOURCE
SYMANTEC SECURITY SOFTWARE
DECOMPOSER
IDS
SYMNET CONSUMER
APPCORE
NORTONPROTECTIONCENTER

COMPONENT FRAMEWORK
FIREWALL
SYMANTEC TRUSTED APPLICATION LIST
SUBMISSION ENGINE
SUBMISSION ENGINE DATA
SUBMISSION CONTROL DATA
SUBMISSION CONTROL DATA
NORTON INTERNET SECURITY
NORTON INTERNET SECURITY OTHER
NORTON INTERNET SECURITY RESOURCE
RETAIL
IDS DEFS 2007 MICRODEFS25
IDS DEFS 2007 MICRODEFS25
VULNERABILITY ASSESSMENT
CCPD_RETAIL_LICENSING_TECHNOLOGY
OPC7_CFGWIZ
OPC7_SYMCUW
WEB PROTECTION ENGINE
WEB PROTECTION DATA
SPBBC
SYMANTEC KNOWN APPLICATION SYSTEM
COH UPDATE
SRTSP CONSUMER
AVENGE MICRODEFS25 NAV2007
NAVNT 2007 - PRE RELEASE
AVENGE MICRODEFS25 NAV2007
COH WHITE LIST

Summary
In this unit we have covered the following:

• Understand what Activation does
• Describe what Norton Protection Center does
• Understand what LiveUpdate does
• Describe how Norton AntiVirus uses LiveUpdate

Unit 12
XP Bonus Pack
Overview

Description

XP-Bonus pack is an additional software package provided to Norton Internet
Security 2006 customers. The Bonus Pack contains those features of Norton Internet
Security 2006, which have been removed from the 2007 version.

Features in Bonus Pack:

• Anti-Spam
• Parental Control
• Confidential Information Blocking
• Ad Blocking & Pop-up Blocking

How to obtain the XP Bonus Pack
The Bonus Pack can be obtained in the following ways:

Through the NIS 2007 CD

The Bonus Pack will be available on the NIS 2007 CD. However, this package will be
available only 30 days after release.

LiveUpdate

Bonus Pack will be delivered as an optional bundle through LiveUpdate as well. It will
be available as a download through LiveUpdate for a period of 60 days after the
2007 release.

Secondary - Download via website

If some of the customers face trouble with the LiveUpdate download, or if they
declined the download for the first time, they can choose to download from the
website.

Third - Through CD

This will not be a main delivery method. It’s meant only for customer support reps to
handle complaints.

Features of the XP Bonus pack
The Bonus Pack will contain the following features:

AntiSpam

The Norton AntiSpam feature monitors incoming POP mail for spam and filters and
isolates all spam messages.

Privacy Control

Privacy Control protects users’ private and confidential data.

Ad Blocking

Blocks pop-up and image ads on websites.

Parental Control and User accounts

Parental Control allows parents to control which websites may be opened, based on
user account type.

Summary

In this unit, we covered:

• What the XP Bonus Pack is
• How to obtain the XP Bonus Pack
• Features of the XP Bonus Pack

Appendix A
Acronyms
DLL – A Dynamic Link Library is a collection of shared libraries in Microsoft
Windows. These libraries usually have the file extension .dll. The code in a DLL is
usually shared among all the processes that use the DLL.

MSI - The Windows Installer (previously known as Microsoft Installer) is an engine
for the installation, maintenance, and removal of software in Windows. The
installation information and the files to be installed are packaged in .msi files.

Windows Registry - The Windows registry is a database that stores settings and
options for the operating system, and information and settings for all the hardware,
software, users, and preferences of the PC. The Registry is split into five logical
sections, which are further divided into subsections and keys. The sections of the
registry are: HKEY_CLASSES_ROOT, HKEY_LOCAL_MACHINE,
HKEY_CURRENT_USER, HKEY_USERS, and HKEY_CURRENT_CONFIG.

Remote Registry – Remote Registry is a Windows registry editor that displays the
registry of a remote device and enables you to add, delete, and modify registry keys
and entries remotely over a network or the Internet.

Windows Services - A service is an application that conforms to the interface rules
of the Service Control Manager (SCM). It can be started automatically at system
boot, by a user through the Services control panel applet, or by an application that
uses the service functions. Services can execute even when no user is logged on to
the system.

GUID - A GUID is a 128-bit integer (16 bytes) that can be used across all computers
and networks wherever a unique identifier is required. Such an identifier has a very
low probability of being duplicated.

Service Pack - A service pack is the means by which product updates, fixes and/or
enhancements are distributed. Service packs may contain updates for system
reliability, program compatibility, security, and more. All of these updates are
conveniently bundled for easy downloading.

NetMeeting - Microsoft NetMeeting is a Voice over Internet and videoconferencing
client included in Microsoft Windows (from Windows 98SE to Windows XP). It also
has features such as whiteboarding, desktop sharing, and file transfers.

AutoRun - AutoRun is the ability of the operating system to automatically take some
default action upon the insertion of removable media such as a CD-ROM, DVD-ROM,
or flash media. This feature can be bypassed by holding down the Shift key as the
media is inserted.

IM - Instant Messenger is a real-time communication medium between two or more
people. The text is conveyed via computers connected over a network such as the
Internet.

Port - A port is an interface between the computer and other computers or devices,
used to transfer data from one computer to another via a cable that links the
connecting ports.

Packet - A packet is a self-contained bundle of data sent over a packet-switching
network. Packets are typically less than 1500 bytes in size.

Protocol - A method or predefined set of rules by which two dissimilar systems can
communicate.

Hosts – The Hosts file is used to look up the Internet Protocol address of a device
connected to a computer network; it provides a mapping of device names to IP
addresses. When accessing a device by name, the networking system will first
attempt to locate the name within the Hosts file, before querying the Internet
Domain Name System.

IIS - Internet Information Services is Microsoft's Web server for Windows NT
platforms. It is tightly integrated with the operating system and is relatively easy to
administer.

NetBIOS - Network Basic Input/Output System allows applications on separate
computers to communicate over a local area network. It provides services related to
the session layer. It does not support a routing mechanism, so applications
communicating on a wide area network must use another "transport mechanism"
(such as TCP/IP) rather than, or in addition to, NetBIOS.

TCP - Transmission Control Protocol is one of the core protocols of the Internet
protocol suite. Using TCP, applications on networked hosts can create connections to
one another, over which they can exchange data or packets. The protocol guarantees
reliable and orderly delivery of data from the sender to the receiver.

IP - The Internet Protocol (IP) is a data-oriented protocol used for communicating
data across a packet-switched internetwork. It is a network layer protocol and is
encapsulated in a data link layer protocol. As a lower layer protocol, IP provides
unique global addressing amongst computers.

IP address - An IP address is a unique number that is used by devices to identify
and communicate with each other on a computer network utilizing the Internet
Protocol (IP) standard.

MAC address - A Media Access Control address is a unique identifier assigned to a
NIC or other networking equipment. Most network protocols use one of three
numbering spaces managed by the IEEE: MAC-48, EUI-48, and EUI-64, which are
designed to be globally unique. A computer on the network can be identified by
using its MAC and IP address.

DNS - The Domain Name System translates domain names to IP addresses. It also
stores and associates other information with domain names, such as the mail
exchange servers that accept e-mail for each domain.

SMTP - Simple Mail Transfer Protocol is the protocol used to send mail between
servers and to send mail from your client to a mail server.

FTP - File Transfer Protocol is the language used for file transfer from computer to
computer across a network such as the Internet.

IGMP - Internet Group Management Protocol is a communications protocol used to
manage the membership of Internet Protocol multicast groups.

ICMP - Internet Control Message Protocol is used by networked computers to send
error messages.

BOOTP - Bootstrap Protocol is a UDP network protocol used by a network client to
obtain its IP address automatically. This is usually done in the bootstrap process of
computers or of the operating systems running on them. BOOTP servers assign each
client an IP address from a pool of addresses.

Telnet - TELNET is a network protocol used on the Internet or on a local area
network (LAN) connection. It is used to provide user-oriented command line login
sessions between hosts on the Internet. The name is derived from the words
telephone network, since the program is designed to emulate a single terminal
attached to the other computer.

HTTP – HyperText Transfer Protocol is the protocol used to transfer or convey
information on the World Wide Web. It is a patented open internet protocol whose
purpose is to provide a way to publish and receive HTML pages.

HTML - HyperText Markup Language is a computer language designed for the
creation of web pages with hyperlinks and other information to be displayed in a web
browser. HTML is used to format text, that is, to denote certain text as headings,
paragraphs or lists, and also to structure information in a particular manner.

XML - Extensible Markup Language is a computer language that provides a
text-based format for information and services to be encoded with a common
structure and semantics that both computers and humans can understand. It can
easily be extended to include user-specified and default tags.

URL - A Uniform Resource Locator is a string of characters conforming to a
standardized format, which refers to a resource on the Internet by its location.

ISP – An Internet Service Provider is a company that provides an Internet
connection. ISPs also provide services such as Internet transit, domain name
registration and hosting, dial-up or DSL access, leased line access and co-location.

EPMAP – The End Point Mapper allows clients on a network to find servers, services
of servers, and objects managed by those services on the host. This is achieved by a
database called the local endpoint map.

Loopback - A diagnostic test that returns the transmitted signal back to the sending
device after it has passed through a network or across a particular link. The returned
signal can then be compared to the transmitted one. Any discrepancy between the
two helps to trace the fault.

Appendix B
Advanced Tools
SymNCTS.exe (Symantec Network Connectivity
Troubleshooter)
Symantec has developed an automated tool that checks for connectivity issues and
resolves them automatically. This tool can be run online from the knowledge base.
The following knowledge base article provides an option to the user to run this tool:

‘I can connect to the Internet only if I first disable Norton Internet Security
or Norton Personal Firewall'
Document ID: 2005091311192136
http://service1.symantec.com/Support/nip.nsf/docid/2005091311192136

The SymNCTS.exe tool checks the following criteria and changes the condition
wherever a criterion matches:

• Checks to see if LiveUpdate is blocked from connecting to the Internet - If it
is, the Troubleshooter changes the rule to permit the connection.

• Checks the program and version numbers - If the program is 2005 and the
version is less than 8.0.5, the Troubleshooter runs LiveUpdate to download
the latest updates.

• Checks to see if the Symantec Network Driver service is running - If it is not,
the Troubleshooter starts it.

• Checks that the computer has an IP address - If there is no IP address, this
information is logged.

• Checks to see if the program's Automatic Program Control option is enabled -
If it is not enabled, the Troubleshooter enables it.

• Checks the date of the Trusted Program List. (The Trusted Program List is a
list of programs that Symantec has determined are safe.) - If the Trusted
Program List is not the most recent, the Troubleshooter offers the choice to
try to update it.

• Reviews the current firewall program rules - If a block rule exists, the
Troubleshooter compares the blocked program with the programs on the
Trusted Program List. If the blocked program is on the Trusted Program List,
the Troubleshooter changes the firewall rule to either Automatic or Permit All.

• Creates a log that tracks what the Troubleshooter does. The log is stored in
the Windows %temp% folder. The log file name includes the date and time,
and is similar to the following: SymNCTS 12-30-2005 10h46m51s.log

ISRLRstr.exe (Internet Security Rule and Location
Restore)
This tool restores the following categories to default:

Program Control rules – Removes all programs from the Program Control list.
Network locations – Clears the entries in the Trusted and Restricted zones.
Firewall rules – Removes all the user-created rules and restores the default firewall
rules.

Rnav2003.exe
Rnav2003.exe is a utility that removes Norton AntiVirus 2003 and earlier versions.
The installation of Norton AntiVirus 2007 automatically removes Norton AntiVirus
2004, 2005 and 2006 if they are present on the computer. If a 2003 version is
installed, the user will need to remove it manually, preferably with the Rnav2003.exe
tool. The following knowledge base article provides more information on downloading
this tool:

'Removing Norton AntiVirus 2003 or earlier by using the Rnav2003.exe
removal utility when Add/Remove programs fails'
Document ID: 2001092114452606
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2001092114452606

RnisUPG.exe
RnisUPG.exe is used to remove Norton Internet Security 2003 and earlier versions.
The following article provides more information on RnisUPG.exe:

Title: 'Uninstalling Norton Internet Security or Personal Firewall 2003 or
earlier using the RnisUPG.exe removal utility'
Document ID: 2001090510510636
http://service1.symantec.com/Support/nip.nsf/docid/2001090510510636

SymNRT.exe (Norton Removal Tool)

SymNRT.exe is used to remove all installed Symantec programs. This tool can be
used if the standard method of removing through Add/Remove Programs fails.
Running SymNRT.exe also requires a human verification step, so that it cannot be
automated to silently uninstall all Norton programs. SymNRT.exe can remove the
following Norton programs:

• Norton AntiSpam 2004 and 2005
• Norton AntiVirus 2003 to 2006
• Norton Ghost 2003, 9.0, and 10.0
• Norton GoBack 3.1 to 4.1
• Norton Internet Security 2003 to 2006
• Norton Password Manager
• Norton Personal Firewall 2003 to 2006
• Norton SystemWorks 2003 to 2006

The SymNRT.exe tool can be downloaded from the following knowledge base article:

'Using the Norton Removal Tool: Manual file download'
Document ID: 2006031710323113
http://service1.symantec.com/Support/sharedtech.nsf/docid/2006031710323113

Msicuu.exe (Microsoft Windows Installer CleanUp utility)

The Windows Installer CleanUp Utility removes installer-related Registry
information. This tool allows you to select one or more Windows Installer programs
from a dialog box and remove the registry items that are related to the Windows
Installer for the program or programs selected. The tool does not remove the
Windows Installer itself, nor does it remove the files of any Windows Installer
programs.

While using this tool, make sure that you remove only Symantec-related entries (if
you plan to reinstall the Symantec product). Removing entries related to other
programs may require a reinstallation of those programs. Take care while using this
tool and while selecting entries from the CleanUp window. The CleanUp tool can be
downloaded from the following link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

Reading MSI Logs
The Microsoft Installer creates log files for each instance of its installation and places
the logs in the Temp folder. These installation logs can be very handy while
troubleshooting installation issues. The installer logs every activity that takes place
during the installation and maintains several conventions to record specific events.
Based on these conventions, installation errors and the “cause” of the error can be
narrowed down.

Accessing the logs

To access the logs:

1. Click Start > Run
2. Type %temp% and click Open
3. In the Temp folder, look for a .log file with the name of the product that was
just installed (or attempted to install). Example: A Norton Internet Security 2006
installation log file would have a name such as: Norton Internet Security 2006
7-7-2006 6h50m10s.log. The name of the log file also contains the date and time
when the log was created.

Start of the log

The start of the log is easy to find. It is at the beginning of the file. Even though
this is a simple thing, we can still obtain important information from the beginning.

Example:
=== Verbose logging started: 02/10/2005 12:52:58 Build type: SHIP UNICODE
2.00.2600.1183 Calling process:
C:\DOCUME~1\jeanne\LOCALS~1\Temp\NAV\NAVSetup.exe ===

The top line of the log contains the date and time that the logging started, which can
be used to compare this log with others that may be found on a particular machine.
It also names the calling process, that is, the process that initiated the installation or
uninstall. The path to this process is also very telling, in that it can indicate the
product that is being installed, and the layout as well.

• Processes called from a specific drive path OTHER than the root drive
usually suggest a CD installation:
=== Verbose logging started: 21-02-04 15:10:59 Build type: SHIP
UNICODE 2.00.2600.1106 Calling process: E:\symsetup.exe ===

• Processes originating from a temp directory are often the result of an
ESD installation:
=== Verbose logging started: 02/10/2005 12:52:58 Build type: SHIP UNICODE
2.00.2600.1183 Calling process:
C:\DOCUME~1\jeanne\LOCALS~1\Temp\NAV\NAVSetup.exe ===

The Product Lines

The product lines identify which package or product is being installed or uninstalled.
We will see the importance of this in our troubleshooting section. The product line
indicates which MSI packages are being called during the installation or uninstall
process. There are two forms for this. The first is by product or package name, and
the other is by the product code or GUID (Globally Unique Identifier). Here are
examples:

******* Product:
C:\DOCUME~1\jeanne\LOCALS~1\Temp\NAV\Support\MSRedist\MSRedist.MSI

******* Product: {D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}

Each MSI package will have a variety of routine and custom actions that it
performs during the installation process. In most cases, when an MSI package is
being called by its name, it will be performing an installation action. When an MSI
package is called by its GUID, it will be performing an uninstall action. This is not
always the case, but generally, this is a good convention that represents a majority
of the logs that are created when installing or uninstalling Symantec products.

A typical MSI log file will contain entries starting with MSI (c), MSI (s) or MSI (n)
followed by the action that took place during the installation at that point of time.
Let’s now discuss some of the key entries of a typical MSI log file:

MSI (c) – Denotes an operation that’s taking place in the client engine (NAVSetup).
MSI (s) – Denotes an operation happening in the Windows Installer service.
MSI (n) – Denotes a nested installation activity.

Note

The 4-digit number that follows the “Note” string denotes the code for the action
that follows. At times, this number can be used to look up information on the
Microsoft website to determine the exact action that took place. If an error occurs
during the installation, the error message will contain the same 4-digit code.

Return Values

Every action that is performed during the setup is noted in the log file, and the
completion of each action is logged as a “Return Value”.

Return Value 0: The action was skipped.

Return Value 1: The action was performed successfully.

Return Value 2: The user aborted the action or instructed the installer to cancel the
installation.

Return Value 3: A failed install action. This is the key value to look for while
troubleshooting.

InstallFinalize

InstallFinalize is a standard MSI action that is regularly called. It is of particular
importance in that MSI packages build long lists of specific instructions, as a result
of the settings and configuration of both the computer and the installing package.
This script is run when the InstallFinalize action is called.

Action start 12:56:17: InstallFinalize.

Any errors that occur during the processing of this script will be returned at the end
of the action. This is important to note, as these scripts are often long and detailed,
and any error will cause a failure. It is important to note that the failure is not in the
InstallFinalize action itself, but in a more specific action that was called earlier and
returned an error.

Analyzing an MSI log file

While reading an MSI log file for errors, it is good practice to search for errors from
the bottom of the document. Go to the bottom of the document and search upward
for the “Return Value 3” string. If there is a Return Value 3 entry in the log, analyze
the lines just above the “Return Value 3” entry for the actual cause of the failure.
The resolution for the installation issue depends on the cause of the failure.

Let’s now take a look at a failed install log file:

In the above Norton AntiVirus log, the installation has encountered an error while
trying to install a file (in this case msvcp71.dll). We also understand from this log
that the installation was being done from the hard drive and not a CD-ROM, as the
file’s (msvcp71.dll) path is shown as Desktop. An error has occurred in this
installation because the file is absent from the source. The error “System error 3.
Verify that the file exists and that you can access it.” clearly confirms this.

The solution in this case would be to make sure that the product source is complete
and has all the required files and folders.

Let’s have a look at another failed install log:

In the example, we see that the action that failed was UpdateEncCCVer_Rol. We
also see that this action failed due to “Error 1722: There is a problem with this
Windows Installer package.” In this instance, we would expect to see an Error 1722
during the installation process. As noted earlier, in the section on the structure of the
install log, this error appears within the MSI message line. This is the most common
form when a specific install error is returned. However, there are certain custom
actions within the SymSetup sequence where the error is the return value itself.

After you have determined which action failed, the next step is to identify which
package failed. Once you have identified the specific action that failed, search for
“source type from package”, making sure that you search upward in the document.
This ensures that you identify the package that was being run for the particular
failed action. As we can see from the example below, the package that failed in this
case was ccCommon.msi.

Arriving at a resolution

The most important pieces of information that you can obtain from the installation
log files are the steps towards a resolution. In some instances, discovering what is
needed for resolution can be difficult. In others, it can be quite simple. The types of
failures we will look at are error-coded failures, action failures, and package failures.

Error codes

Whenever we obtain an error-coded failure, we can consult the Microsoft Developer
Network. A list of base installer codes can be found at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/error_codes.asp
and a list of installer errors can be obtained at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/error_codes.asp.
Although these are comprehensive lists of installer codes and errors, the documents
published on the Microsoft Knowledge Base and Microsoft Developer Network will
not always point to the proper resolution.

It is necessary to always look at the 10-20 lines above an installer error to locate
“Notes.” In the examples in the previous section, we saw an error 1722, which is an
installer error, that had a Note of 1402, another installer error, relating to a specific
registry key. When we consult the MSDN website, we see that 1402 is related to key
permissions. So, in this instance, resolution would come from adding permissions on
the referenced key for the administrative/power user that is attempting the
installation. This can occur even when the logged-in user is already a member of the
Administrators group, or is logged in as the Administrator account itself.
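The log-reading conventions from this appendix (the header line and calling process, the bottom-up search for “Return Value 3”, the Notes in the lines above it, and the upward search for “source type from package”) as a small script. This is an added example, not part of the course guide or any Symantec tool; the sample log is constructed to mimic the MSI line formats, and the top-level sequence names and the assumption that C: is the boot drive are the example's own.

```python
"""Added example (not from the Symantec course guide or any Symantec tool):
a small analyzer for Windows Installer verbose logs that applies the reading
conventions described above.  SAMPLE_LOG is constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample log: a failed InstallFinalize inside ccCommon.msi.
SAMPLE_LOG = """\
=== Verbose logging started: 02/10/2005 12:52:58  Build type: SHIP UNICODE 2.00.2600.1183  Calling process: C:\\DOCUME~1\\jeanne\\LOCALS~1\\Temp\\NAV\\NAVSetup.exe ===
MSI (s) (A0:B4) [12:56:10:111]: ******* Product: C:\\DOCUME~1\\jeanne\\LOCALS~1\\Temp\\NAV\\ccCommon.msi
MSI (s) (A0:B4) [12:56:10:125]: Determining source type from package: C:\\DOCUME~1\\jeanne\\LOCALS~1\\Temp\\NAV\\ccCommon.msi
Action start 12:56:11: CostInitialize.
Action ended 12:56:11: CostInitialize. Return value 1.
Action start 12:56:17: InstallFinalize.
MSI (s) (A0:B4) [12:56:18:400]: Note: 1: 1402 2: UNKNOWN\\Components\\ABC 3: 5
MSI (s) (A0:B4) [12:56:18:401]: Note: 1: 1722 2: UpdateEncCCVer_Rol
Error 1722. There is a problem with this Windows Installer package.
Action ended 12:56:18: InstallFinalize. Return value 3.
Action ended 12:56:18: INSTALL. Return value 3.
"""

HEADER_RE = re.compile(r"=== Verbose logging started: (?P<when>.+?)\s+Build type:"
                       r".*?Calling process: (?P<proc>.+?) ===")
RETURN_RE = re.compile(r"Action ended [\d:]+: (?P<action>[^.\s]+)\. Return value (?P<rv>\d)\.",
                       re.IGNORECASE)
NOTE_RE = re.compile(r"Note: 1: (?P<code>\d{4})(?: 2: (?P<detail>\S+))?")
ERROR_RE = re.compile(r"\bError (?P<code>\d{4})\b")
PACKAGE_RE = re.compile(r"source type from package: (?P<pkg>\S+)")
# Top-level sequences that merely repeat the failure of an inner action (assumption).
TOP_LEVEL = {"INSTALL", "ADMIN", "ADVERTISE"}


@dataclass
class Finding:
    logging_started: str = ""
    calling_process: str = ""
    install_source: str = "unknown"
    failed_action: Optional[str] = None
    error_codes: List[str] = field(default_factory=list)
    notes: List[Tuple[str, str]] = field(default_factory=list)  # (code, detail)
    package: Optional[str] = None


def classify_source(calling_process: str) -> str:
    """Heuristics from the text: a temp directory suggests an ESD (download)
    install, a drive other than the boot drive suggests a CD install.
    Assumption: C: is the boot drive."""
    p = calling_process.lower()
    if "\\temp\\" in p:
        return "ESD"
    if not p.startswith("c:\\"):
        return "CD"
    return "unknown"


def analyze(log_text: str, lookback: int = 20) -> Finding:
    lines = log_text.splitlines()
    finding = Finding()
    # 1. Header: date/time and calling process identify the product and layout.
    if lines:
        m = HEADER_RE.search(lines[0])
        if m:
            finding.logging_started = m.group("when")
            finding.calling_process = m.group("proc")
            finding.install_source = classify_source(m.group("proc"))
    # 2. From the bottom, find the first "Return value 3" that is not just the
    #    enclosing top-level sequence repeating the failure.
    fail_idx = None
    for idx in range(len(lines) - 1, -1, -1):
        m = RETURN_RE.search(lines[idx])
        if m and m.group("rv") == "3" and m.group("action").upper() not in TOP_LEVEL:
            finding.failed_action = m.group("action")
            fail_idx = idx
            break
    if fail_idx is None:
        return finding
    # 3. The 10-20 lines just above hold the error message and the "Note:" codes.
    for line in lines[max(0, fail_idx - lookback):fail_idx]:
        finding.error_codes.extend(ERROR_RE.findall(line))
        for m in NOTE_RE.finditer(line):
            finding.notes.append((m.group("code"), m.group("detail") or ""))
    # InstallFinalize only reports the failure of the install script; a 1722 note
    # names the custom action that actually returned the error.
    if finding.failed_action == "InstallFinalize":
        for code, detail in finding.notes:
            if code == "1722" and detail:
                finding.failed_action = detail
    # 4. Search upward for the package whose source type was last determined:
    #    that is the package the failed action belonged to.
    for idx in range(fail_idx, -1, -1):
        m = PACKAGE_RE.search(lines[idx])
        if m:
            finding.package = m.group("pkg").rsplit("\\", 1)[-1]
            break
    return finding
```

Running `analyze(open(path).read())` on a real verbose log from the %temp% folder yields the failed action, the error and Note codes to look up on MSDN, and the package to check.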

Windows Event Logs
This unit provides an overview of the Windows Event Logs. After completing this
unit, you will be able to do the following:

• Read, understand and analyze the Windows event logs
• Clear the event logs
• Export the event logs to a text format

Using the Windows Event Logs, a user can check all the events that occur on the
computer, whether or not a user was logged on at the time. Information about the
computer’s hardware and software, or about an application crash, can also be
gathered from the Windows event logs.

Accessing the Windows Event logs:

There are several ways of accessing the Windows Event logs:

1. Click Start
2. Click Control Panel
3. Click Performance and Maintenance
4. Click Administrative Tools
5. Double-click Event Viewer.

A Windows XP computer logs events in three types of logs.

• Application log
• Security log
• System log

Application log

This log contains events logged by installed applications. If a particular program
crashes during its launch or during an operation, this log can be analyzed to see
which component or file of the program caused the crash.

System log

The system log contains all entries related to the operating system components.
Information on drivers that fail to load or any system service that fails to start will be
logged here.

Security log

The Security log records successful and unsuccessful login attempts. It also logs
attempts made to access a restricted file or folder.

Event Entries

Windows Event Logs contain the following types of event entries:

Error

An error occurs due to a loss of functionality. If a specific file or program fails to load
(either manually or automatically), the event can be termed an error, as there is an
interruption to the normal behavior. These “Error” events will be recorded in the
Application log as Error.

Warning

Any event that may cause a problem in the future is an ideal Warning type of log
entry, for example Low Disk Space.

Information

An event that completed successfully, for example a service that started
successfully.

Success Audit

A successful Windows login.

Failure Audit

An unsuccessful login attempt.

Information to look for

If you are looking for application-specific information because a specific program is
not functioning properly, the “Application log” is the place to look. Since this log
contains application-specific information, it can be used to check whether all Norton
services have started. Double-clicking on a service that is listed in the Application
log will provide more information on the status of the service.

Double-click on the ccSvcHst entry to view more information.

At times, after determining that a required Norton service is stopped, you may not
be able to start it. In this case, look at the status of its dependent services. If a
dependent service is stopped, the service in question cannot be started.

Orca
(By Erik Carlstrom, with contributions from Nate Cantrell and Andrew Doggett)

Orca is a utility created by Microsoft to give software developers the ability to view
the information in an MSI installation package. In order to obtain Orca, it is
necessary to obtain either the Orca.msi file from Microsoft, or to install the
Microsoft Software Development Kit and then install Orca from it. Information on
how to obtain and install Orca can be found in the following Microsoft Knowledge
Base article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;255905

The primary developer use for Orca is to edit MSI files. However, it can be an
invaluable support tool for viewing these files as well. In order to use Orca to view
the content of an .msi file, locate the file in question and right-click on the file. Orca
installs a context menu handler that allows you to choose “Edit with Orca.” This will
open the Orca editor and display all of the information contained in the .msi file in
question.

There is a large amount of information that can be found by using Orca. Not all of
this information is useful for troubleshooting purposes. Therefore, we will only
concentrate on the items necessary to aid our troubleshooting.

SymNestedInstaller Table

The first section to look at is the SymNestedInstaller table within the product’s .msi
file, which gives us the following information: product codes, installation path, the
type of installation (executable, or MSI script), and the order of installation. In this
example, we are looking at the NSW.msi file. This is the “parent” MSI file for the
Norton SystemWorks product. It lists all of the other installation packages that will
be launched and run during the installation process. For our purposes in this
document, as outlined below, we are concerned with the installation path, install
type, and the order.

From the figure we can tell that we are only going to receive logging from the
following installation packages: MSRedist, NSWLT, NSW, NAV, NU, NCS, Ghost, and
PassMan. The LUSetup, LRSetup, and Sevinst installation packages are executables,
and therefore will not insert logging information into the installation log file.

CustomAction Table

The installation log file will contain every action that is outlined by the .msi file.
These are located within the CustomAction table in Orca. In the example below we
can see several of these actions, such as RollBackStuff, Upgrade, EnableOBC, etc.
In analyzing an installation log file, we would expect to see instances of every single
action listed in this table.

All of the custom actions that are listed above will be found at some point during the
actual installation sequence.

InstallExecuteSequence Table

If we go to the InstallExecuteSequence table, we can look at the order in which each
action will occur when this .msi package is run. If a particular action fails, or is
skipped, we can look in the CustomAction table to determine whether that action is
a Symantec action or a Microsoft action. Within the table below, we see the Sequence
column. This gives us the ability to determine the exact order of the actions that
occur for this .msi package.

Property Table

The Property table can be used to obtain the ProductCode and UpgradeCode for any
MSI package, as shown below.

The ProductCode and UpgradeCode are important to note, in case a removal was not
completely done. The ProductCode is sometimes the sole means of identification for
Uninstall keys. These are located in the registry at HKEY_LOCAL_MACHINE\
Software\Microsoft\Windows\CurrentVersion\Uninstall. The UpgradeCodes are
located in the registry at
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\ (for Windows
98, Me and 2000) and
HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\ (for Windows
XP).

Without looking in Orca, there are other methods for obtaining ProductCode and
UpgradeCode information. For example, on Windows XP, if you go to
HKEY_CLASSES_ROOT\Installer\Products\<GUID>\SourceList you can look on the
right at the PackageName. This means the GUID in the path is the ProductCode. If
you are doing a removal and want to find the UpgradeCode, you can delete the keys
already found (HKEY_CLASSES_ROOT\Installer\Products\<ProductCode>), then go
back to HKEY_CLASSES_ROOT\Installer\, search for the ProductCode and delete
any key found. Once you come to a registry value on the right that contains the
ProductCode, you will have found the UpgradeCode. This can be useful in cases
where a previous product is preventing the install from completing successfully.

MSI Log Analyzer

The MSI Log Analyzer (wilogutl.exe) is a utility used to analyze verbose Windows
Installer log files. It is of great assistance in troubleshooting installation
issues.

The Windows Installer Verbose Log Analyzer lets the user select a log file for
analysis. Once a log file is open it shows a preview of the file; clicking the Analyze
button then produces a detailed view of the log, including the errors found and the
properties in effect, together with options for debugging the installation.

For further information on the MSI Log Analyzer, please refer to the MSDN
documentation of the Tool:

http://msdn.microsoft.com/library/en-us/msi/setup/wilogutl_exe.asp

A screenshot of the utility is provided below:



DebugHlp
This tool replaces the Symlogon and Symlogoff registry keys. This tool enables
verbose logging for MSI and activities that take place within the program
environment.

Using the tool

Debughlp.exe needs to be run before installing the Norton program so that the
debugger can track and log the MSI activity. Unlike MSI log files, logging through
DebugHlp.exe is done per module. Once debugging is enabled, the logs are saved in the
C:\Symlogs folder. To use the DebugHlp tool:

1. Click Start
2. Click Run
3. Drag and drop the DebugHlp.exe
4. Enter the switch to start debugging and hit the enter key.
5. Logging starts.

Debughlp.exe can be used with the following four switches.

/Debugon

This switch enables logging and starts creating logs in the Symlogs folder.

/DebugOff

This switch turns off debugging

/DebugOnOff

Enables and then immediately disables debugging. This switch is used to log a
single short burst of activity rather than a whole session.

/Runconfigwiz

Forces the Configuration wizard to start.



Once the installation is done, browse through the Symlogs folder to view logs of
individual installation modules.

Each log file holds the install information for that specific module. In case of an error,
the verbose logging will give information about that specific error and the cause of
the error.

If the debugger is left enabled while the Norton program is running, it logs debug
information for all activity. Any feature-specific error message can then be traced
by looking in the log that corresponds to that feature.

Debughlp.exe logs the updates that LiveUpdate downloads and installs as well. The
information on Update logging is held in Spa.log



AccessEnum
AccessEnum is a utility that can be used to view which users have access to a tree
of directories or registry keys. It gives you a full view of your file system and
Registry security settings.

It uses standard Windows security APIs to populate its list view with read, write and
deny access information. This information can be very useful in troubleshooting
installation or usage issues while using Norton applications.

AccessEnum can be obtained from:

http://www.sysinternals.com/Utilities/AccessEnum.html

With this, you can verify that the User has sufficient permissions to read and write
the ROOT directories and registry keys to ensure that all files can be read and
written to by both the User and the Norton Program started by the user.

Process Explorer

Process Explorer is a tool which shows the complete information about a process
including which handles and DLLs that a particular process has opened.

It also has a search capability that will quickly show you which processes have
particular handles opened or DLLs loaded

The display consists of two sub-windows. The top window shows a list of the
currently active processes, including the names of their owning user accounts. The
information displayed in the bottom window depends on the mode that Process
Explorer is in, which can be either of the two:

Handle Mode

If the bottom Window is in the handle mode you can see the handles that the
process selected in the top window has opened.

DLL Mode

If Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that
the process has loaded.

Process Explorer can be downloaded from the link provided below:

http://www.sysinternals.com/Utilities/ProcessExplorer.html

Most "Access denied" error messages can be diagnosed and troubleshot using Process
Explorer (to find which process holds a handle to the file or key) and AccessEnum (to
check who is permitted to read or write it). For more details on Access denied
errors, please read the document from Microsoft:

http://support.microsoft.com/kb/q245068/



Tracert
This diagnostic tool determines the path taken to a destination by sending ICMP Echo
Request messages. Tracert determines the path by sending the first Echo Request
message with a TTL of 1 and incrementing the TTL by 1 on each subsequent
transmission until the target responds or the maximum number of hops is reached.
Each intermediate router that decrements the TTL to zero returns an ICMP Time
Exceeded message, which is how its address is learned.

The maximum number of hops is 30 by default and can be specified using the -h
parameter.

The following command switches are available with this utility:

-d : Prevents tracert from attempting to resolve the IP addresses of intermediate
routers to their names.

-h MaximumHops : Specifies the maximum number of hops in the path to search
for the target (destination).

-j HostList : Specifies that Echo Request messages use the Loose Source Route
option in the IP header with the set of intermediate destinations specified in HostList.
With loose source routing, successive intermediate destinations can be separated by
one or multiple routers. The maximum number of addresses or names in the host list
is 9. The HostList is a series of IP addresses (in dotted decimal notation) separated
by spaces.

-w Timeout : Specifies the amount of time in milliseconds to wait for the ICMP Time
Exceeded or Echo Reply message corresponding to a given Echo Request message to
be received. If not received within the time-out, an asterisk (*) is displayed. The
default time-out is 4000 (4 seconds).

TargetName : Specifies the destination, identified either by IP address or host
name.

-? : Displays help at the command prompt.

Further Information about the utility can be obtained at the “Tracert” page of the
Windows XP documentation. A link for the same is provided below:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-
us/tracert.mspx?mfr=true

This tool can be used to determine the path traversed while trying to reach a
website. A hop displayed as * is not necessarily an outage: routers and firewalls
that drop ICMP show up the same way, so only a run of asterisks that continues to the
end of the trace indicates that the destination is unreachable.



InstallRite
InstallRite is a program used to detect the modifications that are made to the system
by installing a program. When you perform a scan with InstallRite, it builds a full
database of your system, including files, folders, file date stamps, a CRC of each
file, and the Registry.

InstallRite Scan

After running the first scan, you install the program on the machine. You then
perform another scan of the hard drive, and any difference from the initial scan is
considered to be part of the software installation. When it is finished, you get a
complete image of the trace left by an installation package. The "Export details to
HTML" and "Export details to TEXT" options can be used to get a copy of the log from
the customer's computer. Because a CRC is recorded as well as the date stamp, a file
whose contents changed is reported even if its size and time stamp were preserved.

The files that are added during the installation of the program

You can view the added, modified and deleted registry keys
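The before/after comparison that InstallRite performs, as an added example written for this page (it is not InstallRite's code). It snapshots a directory tree with size, modification time and CRC32 per file, diffs two snapshots into added, modified and deleted entries, and runs against a scratch directory with constructed files that stand in for an installation. Only the file system side is covered; the registry half of an InstallRite scan would need the Windows-only winreg module and is left out.

```python
import os
import pathlib
import tempfile
import zlib


def snapshot(root):
    """Record every directory and file under root, keyed by POSIX-style relative
    path. Files carry (size, mtime_ns, crc32) so a later comparison notices content
    changes even when an installer preserves size and time stamp."""
    root = pathlib.Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            rel = (pathlib.Path(dirpath) / name).relative_to(root).as_posix()
            entries[rel] = ("dir", None, None, None)
        for name in filenames:
            path = pathlib.Path(dirpath) / name
            st = path.stat()
            crc = 0
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(64 * 1024), b""):
                    crc = zlib.crc32(chunk, crc)
            entries[path.relative_to(root).as_posix()] = (
                "file", st.st_size, st.st_mtime_ns, crc & 0xFFFFFFFF)
    return entries


def diff_snapshots(before, after):
    """Attribute every difference between two scans to the installation, the way
    InstallRite does: new paths, vanished paths, and paths whose record changed."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def format_report(diff):
    """Plain-text report in the spirit of 'Export details to TEXT'."""
    lines = []
    for kind in ("added", "modified", "deleted"):
        lines.append("%s (%d)" % (kind.capitalize(), len(diff[kind])))
        lines.extend("  " + p for p in diff[kind])
    return "\n".join(lines)


def demo():
    """Simulate an install in a scratch directory (constructed data, not a real
    product) and return the diff so the result can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        base = pathlib.Path(tmp)
        app = base / "Program Files" / "Example"
        sys32 = base / "Windows" / "System32"
        app.mkdir(parents=True)
        sys32.mkdir(parents=True)
        (app / "readme.txt").write_bytes(b"version 1\n")
        (sys32 / "old.dll").write_bytes(b"old")
        before = snapshot(base)

        # The "installation": add a directory and a file, rewrite one file with
        # different content of the same size, and delete another.
        (app / "bin").mkdir()
        (app / "bin" / "app.exe").write_bytes(b"MZ\x90\x00")
        (app / "readme.txt").write_bytes(b"version 2\n")
        (sys32 / "old.dll").unlink()
        after = snapshot(base)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(format_report(demo()))
```

On a customer machine the first snapshot is taken before the Norton install and the second immediately after; anything that appears in the report but was not expected from the package (for example files under a user profile or autorun keys) is the first thing to look at.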



InstallRite will even let you build an InstallKit, which is a self-extract file that will
copy all files and registry entries as they have been identified as part of a software
package. You can also use this to perform uninstalls.

In addition it provides "application cloning" as opposed to "disk cloning." This is
interesting because it is not a sequential script or a batch file. In fact, it is much
simpler than that: it gives you the final result of the installation process, not the
process itself. This means that you can install a piece of software, configure it to suit
your needs, and then make an InstallKit containing all your custom settings. It
allows PATH redirection, so if some machines have different path names, it will still
work. You can specify what action to take when encountering existing files,
and force or prevent rebooting after install.

The latest version of InstallRite (Version 2.5) can be downloaded from:

http://www.epsilonsquared.com/anonymous/InstallRite25.exe

HijackThis
This section provides a brief overview of the HijackThis tool. After you complete
this section, you will be able to do the following:

• Describe the usage of the HijackThis tool
• Analyze the results / logs generated by the tool
• Troubleshoot a relevant issue using the tool

HijackThis scans all the load points and displays the contents or values that are
stored in them. It also shows the Processes that run in the background when the tool
is run. While HijackThis displays the values and data present in the load points, it is
up to the user to decide which program or file is malicious and which is valid. Once a
file or a program has been identified as illegitimate or malicious, it can be easily
deleted through the tool. The HijackThis tool itself cannot differentiate between a
legitimate and an illegitimate program. There are various ways of differentiating a
legitimate program from an illegitimate one, which will be covered in a later section.
Let’s now have a look at the tool itself.

Obtaining the tool

HijackThis can be downloaded from the following link:

http://www.hijackthis.de
Note: Extract the downloaded zip file and save HijackThis.exe in a folder.

Double-clicking on the tool should open a screen with several options. To analyze all
load points and running tasks, click on the “Do a System Scan and Save log file”
button. Clicking on this button should open a screen similar to the one shown below:



Each entry shown in this window begins with a prefix that identifies the load point
it came from. Following is a description of each prefix:

* R0, R1, R2, R3 - Internet Explorer Start/Search pages
* F0, F1 - Programs that start automatically from INI files (system.ini, win.ini)
* N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages
* O1 - Hosts file redirections
* O2 - Browser Helper Objects
* O3 - Internet Explorer toolbars
* O4 - Autoloading programs from Registry
* O5 - IE Options icon not visible in Control Panel
* O6 - IE Options access restricted by Administrator
* O7 - Regedit access restricted by Administrator
* O8 - Extra items in IE right-click menu
* O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
* O10 - Winsock hijacker
* O11 - Extra group in IE 'Advanced Options' window
* O12 - IE plugins
* O13 - IE DefaultPrefix hijack
* O14 - 'Reset Web Settings' hijack
* O15 - Unwanted site in Trusted Zone
* O16 - ActiveX Objects (Downloaded Program Files)
* O17 - Lop.com domain hijackers
* O18 - Extra protocols and protocol hijackers
* O19 - User style sheet hijack
* O20 - AppInit_DLLs Registry value autorun
* O21 - ShellServiceObjectDelayLoad Registry key autorun
* O22 - SharedTaskScheduler Registry key autorun
* O23 - Windows NT Services

HijackThis also creates a log file for the user’s convenience so that it can be sent
across to an expert (or a technician for an analysis).

Identifying an illegitimate program

Once the log file has been obtained, it can either be analyzed manually or can be
pasted on the HijackThis website (www.hijackthis.de) for automatic analysis.



Manual Analysis

Manual analysis deals with differentiating a legitimate program from an illegitimate
one. When a suspicious entry is found in the HijackThis results / log, the suspicion
can be confirmed by looking up the file or program name on the Symantec Security
Response website. To delete a malicious entry, place a check mark next to the
entry (or entries) and click the "Fix Checked" button.

Note: Before deleting a file through HijackThis, make sure that the file / program is
malicious.

By analyzing the log / results, browser hijackers and hosts file redirections can also
be countered. To remove a hosts file entry, place a check mark next to the O1
value(s) and click the "Fix Checked" button. Do not remove hosts file entries that
may have been added intentionally by a systems administrator (an entry that points
to 127.0.0.1 is usually a deliberate block, while one that sends a well-known name to
an unfamiliar address is the typical sign of a hijack).
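A small parser for the HijackThis log format, as an added example for this page (not part of HijackThis or of the course). It reads the prefixed entries described above, groups them by load point using the page's own prefix table, and pulls out two things a technician checks first: O1 hosts entries that redirect a name somewhere other than loopback, and O4 Run-key autoruns. The log text is constructed for the example; the file names, GUID and domains in it are not real products or sites.

```python
import ipaddress
import re

# Prefix-to-load-point table, taken from the list in this section.
HJT_CATEGORIES = {
    **dict.fromkeys(("R0", "R1", "R2", "R3"), "Internet Explorer Start/Search pages"),
    **dict.fromkeys(("F0", "F1"), "Programs that start automatically from INI files"),
    **dict.fromkeys(("N1", "N2", "N3", "N4"), "Netscape/Mozilla Start/Search pages"),
    "O1": "Hosts file redirections", "O2": "Browser Helper Objects",
    "O3": "Internet Explorer toolbars", "O4": "Autoloading programs from Registry",
    "O5": "IE Options icon not visible in Control Panel",
    "O6": "IE Options access restricted by Administrator",
    "O7": "Regedit access restricted by Administrator",
    "O8": "Extra items in IE right-click menu", "O9": "Extra IE buttons / Tools items",
    "O10": "Winsock hijacker", "O11": "Extra group in IE Advanced Options",
    "O12": "IE plugins", "O13": "IE DefaultPrefix hijack",
    "O14": "'Reset Web Settings' hijack", "O15": "Unwanted site in Trusted Zone",
    "O16": "ActiveX Objects (Downloaded Program Files)", "O17": "Lop.com domain hijackers",
    "O18": "Extra protocols and protocol hijackers", "O19": "User style sheet hijack",
    "O20": "AppInit_DLLs Registry value autorun",
    "O21": "ShellServiceObjectDelayLoad Registry key autorun",
    "O22": "SharedTaskScheduler Registry key autorun", "O23": "Windows NT Services",
}

_ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
_HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
_RUN_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\Run\w*):\s+\[([^\]]*)\]\s*(.*)$")

# Constructed log excerpt in HijackThis 1.99 layout; names and addresses are made up.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:00:00, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Example\tray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.com/
O1 - Hosts: 127.0.0.1 ads.example.org
O1 - Hosts: 192.0.2.55 updates.example.net
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example Tray] "C:\Program Files\Example\tray.exe"
O4 - HKCU\..\Run: [Example Updater] C:\Program Files\Example\update.exe /quiet
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
"""


def parse_hijackthis_log(text):
    """Return one dict per prefixed entry; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            code, body = m.groups()
            entries.append({"code": code, "category": HJT_CATEGORIES.get(code, "unknown"), "body": body})
    return entries


def summarize(entries):
    """Count of entries per prefix, e.g. {'O4': 2, ...}."""
    counts = {}
    for e in entries:
        counts[e["code"]] = counts.get(e["code"], 0) + 1
    return counts


def hosts_redirections(entries):
    """O1 entries that send a host name somewhere other than loopback. A 127.x.x.x
    entry is usually a deliberate block; anything else deserves a closer look."""
    found = []
    for e in entries:
        m = _HOSTS_RE.match(e["body"]) if e["code"] == "O1" else None
        if not m:
            continue
        ip, name = m.groups()
        try:
            if not ipaddress.ip_address(ip).is_loopback:
                found.append((name, ip))
        except ValueError:
            found.append((name, ip))  # unparsable address: surface it for review
    return found


def registry_autoruns(entries):
    """(key, value name, command) for each O4 Run/RunOnce entry."""
    return [m.groups() for e in entries if e["code"] == "O4"
            for m in [_RUN_RE.match(e["body"])] if m]


if __name__ == "__main__":
    parsed = parse_hijackthis_log(SAMPLE_LOG)
    print(summarize(parsed))
    print("hosts redirections:", hosts_redirections(parsed))
    print("autoruns:", registry_autoruns(parsed))
```

The parser only structures the log; deciding whether an entry is legitimate is still the technician's job, as the section stresses. Feeding a customer's saved log file to parse_hijackthis_log instead of SAMPLE_LOG gives the same grouped view the web analyzer produces, without uploading the log.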

Miscellaneous Tools

There are several Miscellaneous Tools available in HijackThis that can be used for
advanced troubleshooting. The following section provides an overview of the
advanced HijackThis options:

Process Manager

Process Manager is a Task Manager like tool that shows all running tasks along with
their paths and Process IDs. Information about DLL file dependencies can also be
viewed by clicking the “Show DLLs” check box.

Hosts file manager

This option opens a small hosts file editor to remove / modify the hosts file entries.

Delete a file on reboot

A file specified through this option will be deleted upon the next system restart. This
option can be ideally used if a user is unable to delete a file that’s in use or is
running in the background.

Delete an NT service

This is a “handle with care” option that deletes a specified NT-service.

Uninstall Manager

Remove entries from the Add/Remove Programs list using this feature. This option
can be used to remove an entry that is left behind in the Add/Remove Programs list
even though the program itself has already been uninstalled.

The main use of the HijackThis tool is to identify malicious programs and eliminate
them. Use of this tool must be controlled and limited to an appropriate environment.
Do not delete a file or a program through HijackThis unless you are sure it is
illegitimate. Always consult a Supervisor or a lead before doing so.
