How to setup Norton Firewall rules for Spyblocker?

How to setup Norton Firewall rules for Spyblocker?
Links: home · search · speed test · login · more ·

Links: Reply New Topic
Forums » Security » Security » How to setup Norton Firewall rules for Spyblocker?

SpBob @ 21st Mar 06:49PM:
How to setup Norton Firewall rules for Spyblocker?

I'm having a problem with Norton Internet Security Pro 2004 and SpyBlocker. When I run a portscan from grc.com it shows all ports stealthed except for port 80 which is open, apparently because this is the port that spyblocker uses, which acts as a web server? If I enable winXP's built-in firewall in addition to as Norton firewall then rescan port 80 now shows as stealthed, so something must be set wrong in norton.

I've been asking on the spyblocker forum, but I've not come across abyone who can help, someone told me to ask here.

I'm not sure how to setup norton firewall with spyblocker, I have told it to "permit all" for spyblocker.exe and sb-updater.exe. This must allow all in/outbound traffic, which also may explain why I have a lot of alerts saying another system has tried to access spyblocker.exe on my machine.

I have allowed norton to scan the computer and provide automatic rules for all known progs. I've also permitted anything related to or named symantec or microsoft to have full access, as I assume symantec needs access for their software to run and MS needs access for it's own stuff, and they both surely have plenty of programs permitted/trusted. I'm not even sure if I should have lots and lots of programs trusted/permitted full in/ou access?

I know absolutely nothing about firewalls, that's why I chose one which was supposed to be a no-brainer. If anyone here uses NIS2004 and spyblocker, who could help with the configuration settings, it would be really appreciated.
reply

RangerTX7 @ 22nd Mar 12:10AM:
Re: How to setup Norton Firewall rules for Spybloc

Welcome to BBR, SpBob! I'd like to run a little security-related background stuff by you first before getting to the specific issue. Check out the following threads to learn a little about closed v. stealth. The first one is very recent; the second older and very long (thanks to Randy Bell for reminding everyone about it ;))
»Stealth still beats closed.
»Closed vs Stealthed Ports

My take on the matter is that stealth has become a buzzword. You can have an extremely secure computer and not be fully stealth. Steve Gibson, of grc.com fame, has some rather questionable viewpoints on various issues. I wouldn't take everything he states as gospel.

I tend to run enterprise (corporate) versions of security software, including McAfee Desktop Firewall. When not behind a router, several ports will turn up as closed. Nevertheless, it's an outstanding firewall with an incredible feature set. It can get a perfect score on the difficult Atelier tests right out of the box; few products can.

NIS really isn't a "no brainer." Matter of fact, it's also a feature rich firewall that can be extremely complex to set up. Its core is the old At Guard firewall (excellent product); unfortunately, it's been overburdened with the characteristic Norton bloat over the years. Greater simplicity comes with an application-based firewall, such as Zone Alarm. NIS is not application-based.

I ran Norton for years, but no longer do so, so unfortunately I can't take a quick look and tell you exactly how to stealth port 80. Someone else on here most likely will. But not to worry if they don't. The very point I'm trying to make is: don't worry about being fully stealth. A feature of NIS is its automatic rules creation. It does a decent job and it's good for the novice user, so use it. As for port 80, keep the XP firewall running alongside NIS if you like (which is OK unless you have a home network). Continue your research re: Spyblocker (e.g., Google something like: NIS spyblocker "port 80") Perhaps consider replacing spyblocker with an alternative (such as Spybot S&D -- free) until you can resolve the issue. As long as you can get port 80 closed, not necessarily stealth, you'll be fine.

reply

SpBob @ 22nd Mar 06:19PM:
Re: How to setup Norton Firewall rules for Spybloc

Thanks for replying RangerTx. I've read through many of the previous posts that you referred to, very long winded... I never knew there was such debate about this sort of thing.

IMO, ports closed or stealthed, either way is certainly better than *OPEN* as my port 80 is with NIS 2004 Pro and SpyBlocker. I'd be happy if I could get Norton to close port 80. Spyblocker acts as a web server filtering stuff coming in on port 80.

Most people just tell me to trash the Norton stuff and go with Sygate firewall and AVG AV combo which is much better. Virtually everyone I've asked doesn't use norton stuff at all and they tell me they have no problem at all. They say Symantec stuff is bloatware and very resource hungry, and causes more problems than it cures. Plus it's virtually impossible to uninstall and remove all trace of it from a system. They don't paint a very good picture. I feel like the guy who bet everything on red when black kept winning.

Btw, what exactly is an application-based firewall?

Re. Norton's automatic rules creation... I liked this feature. But I've heard people say it can't be relied upon. When setting up I just let the firewall scan the computer and do it's own thing with the programs it knows about, then for everything else I had to choose to permit or block internet access, so if any program detected was made by Symantec or Microsoft I permitted full access, all others I block. Except for SpyBlocker which will not work unless I permit full access, whereupon port 80 becomes OPEN!

I already use Spybot S&D and AdAware. But SpyBlocker is a real time advert, tracker, script and web bug blocker.

I'll continue to search for an answer in the hope that I'll eventually come across someone who uses both Norton Firewall and Spyblocker together, in the meantime I'll keep both firewalls running together, as I don't like port 80 showing as OPEN.

Rgds.
reply

BooBooBear @ 22nd Mar 09:06PM:
Re: How to setup Norton Firewall rules for Spybloc

I wouldnt blow off norton just yet. I use spyware blaster, the one spybot recommends and I run it with Norton just fine... all ports shows being 'stealthed"

I also use adware pro. I don't see how people can say Norton is bad when in fact they havent used the product. I am a "happy camper", I had Mcafee and didnt like it - antispam never worked right. My only wish is a better GUI in terms of viewing the log files!

I also run a router and have no problem running something similar to spyblocker and norton security pro together.
reply

anon @ 22nd Mar 09:10PM:
msg deleted

deleted by a moderator
reply

anon @ 22nd Mar 09:45PM:
msg deleted

deleted by a moderator
reply

RangerTX7 @ 22nd Mar 11:21PM:
Re: How to setup Norton Firewall rules for Spybloc

There's debates on many issues at BBR, which is why it's such a dynamic online community. And we're fortunate to have on-the-ball mods who keep potentially heated issues from turning ugly, in contrast to so many sites online these days... ;)

Your question about application-based v. rule-based firewalls: A rule-based firewall applies communications rules on a FIFO (first in, first out) basis. It accomplishes this either by creating the rules based upon its database of trusted applications, by the answers you give to questions it asks, or by having rules manually set by the user. Here's an example:

You want to run Shareaza, but limit your exposure to open ports. You begin by creating a rule to allow TCP communications on ports 1024-65535. Next, you add a rule to block communication on all TCP ports. This will have the end result of only allowing TCP communications on ports 1024-65535. That's due to the FIFO. A rules-based firewall looks at its list of rules and applies them in order. The first rule you made here takes precedence over the second. So, the firewall sees the rule to allow, and grants access, then sees the rule to block, and denies access to other ports. Were you to reverse these rules, it wouldn't work. In that case, with the rule to block everything coming first, all ports would be blocked. With allowing ports 1024-65535 coming second, all ports would still be blocked, because the "block all ports" rule came first.

In contrast, an application-based firewall just asks for permission to permit or deny access on a per-application basis. Generally, that means all or nothing. As you can see, a rules-based firewall allows you to "fine tune" access. NIS/NPF automatic rule creation does a great job with this without your intervention if you allow it to, creating rules only for applications it knows can be trusted. People may have told you that's not good because people like to be in control and worry that the decisions NIS makes might be wrong, might somehow be compromised, etc. So you are in control of how to implement the rules here, whichever way makes sense for you.

As for people's opinions on Norton in general, I think it's best that you make up your own mind. Yes, there are problems with some Norton software, especially of late, and yes, the products can be very difficult to totally eradicate...but then, they're no worse than McAfee in that regard (and I'm pretty happy with most of McAfee's core security components BTW -- nevertheless, always a PITA to fully uninstall 'em). As with most things regarding PCs, dedication and applied logic can accomplish a great deal :) You can learn more than you ever wanted to know about the general consensus on Norton. Do a search on Norton here at BBR and be prepared to read, read, read....;)

Your solution of combining the XP Firewall and NIS seems to be working...so if it ain't broke, don't fix it. In doing some research on your problem, I did turn up one opinion that stated Spyblocker had to hold port 80 open in order to work, but that in doing so it also effectively and automatically blocked other malicious traffic on the port. Hmmmm...sounds interesting, but doesn't account for your tale of receiving stealth status when adding in the XP firewall, and from what I can determine, you didn't indicate that doing so "broke" Spyblocker either. If it were me, and I wanted to see the end result you're looking for, I'd get with Spyblocker's tech support. They should be able to tell you for sure about this, and then you can come on back and share the knowledge with us :) And FWIW, I'd suggest you stick with NIS, unless it's giving you real trouble, because it really is a very good firewall, despite the bloat. Good luck man!
reply

SpBob @ 24th Mar 10:24PM:
Re: How to setup Norton Firewall rules for Spybloc

RangerTX, thanks for explaining about the rule based v application based firewalls, I understand now. This would explain why ppl are not having probs with zonealarm and suchlike because they just give full access to spyblocker application.

With regard to NIS/NPF auto rule creation, I read somewhere in this forum about stuff getting past it just by changing it's name to a known/ trusted app! Surely NIS/NPF is more aware than just to check on filenames?

I appreciate what you're saying about norton. There are a lot of people with varying opinions when it comes to symantec. I like their s/ware, when it's running properly, but I think "they've got too big for their boots", they've lost the personal touch and it's difficult and expensive to get tech support from them. It's a free country (or so they say) and everyone's entitled to their own views (unless the mod gets in their first :-))

Thanks for taking the time to research my problem. My findings confirm what you say about SpyBlocker [SB] holding port 80 open and thus acting as a server in order to work. Yes, it's strange that the addition of the XP firewall can make it show stealth even though "SB" is runnning perfectly well and holding port 80 open/acting as a server. But this reinforces my assumption that I currently have NIS/NPF setup wrong.

I've asked on the "SB" support forum, but as yet I have to receive a definitive answer from the author - Paul Kurland. I've been told not to worry, port 80 is very secure. SB monitors port 80 and acts as a mini firewall in it's own right. Therefore if SB is indeed secure and keeping port 80 closed to malicious intruders and it is a mini firewall, it should be able to show a closed status to port scanners but it doesn't! What I'd really like is for SB to show stealth itself, without having to resort to configuring NIS/NPF. I know I can show stealth with both firewalls running, but it still bugs me why I can't get NIS to stealth it. For the time being, "if it ain't broke dont't fix it", holds good.

To anyone else reading this reading this, until I get to the bottom of this problem, I'm still on the lookout for anyone running both NIS/NPF and SB combo.
reply

Zupe @ 24th Mar 11:17PM:
Re: How to setup Norton Firewall rules for Spybloc

From a quick look at the Spyblocker website, if I understand what they're saying, there should be no reason to allow any inbound access for Spyblocker. Change your rule to allow outbound only and block inbound and then see if it works and what a port scan shows. You may even be able to limit it to port 80 only, but I'm not sure about that.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?
reply

Randy Bell @ 24th Mar 11:54PM:
Re: How to setup Norton Firewall rules for Spyblocker?

You mentioned the difference between applcation and rules-based firewalls. ZA is the typical application-based firewall, and if you were running ZA you would probably get a prompt from Spyblocker asking permission for server rights. "Server rights" is the ZA terminology for "allow unsolicited inbound communication" -- that is, allow sources from the outside to establish inbound connections that were not first initiated from your computer. Normally a stateful firewall {or even a NAT router} will only allow inbound traffic that is return traffic -- i.e., traffic that your PC initiated; forex when your internet browser {a client app} requests a webpage from a remote internet server on the http port 80, then the reply to that request {the page being served up} is inbound traffic which is return traffic to what your browser requested, in which case it would be allowed by a stateful firewall or a NAT router. Any other attempts from the outside at establishing an inbound connection with your PC would fail {would be blocked by firewall or NAT router} because they were unsolicited inbound communication. By contrast, when you allow server rights to an app, you are allowing it to "listen" for inbound communication that is initiated by the remote computer and not by your PC. This is the difference: and with ZA, whenever you allow server rights, you create "holes" or open ports; whereas when you deny server rights, you close those "holes". In your case, NIS is apparently allowing unsolicited inbound communication for Spyblocker that it doesn't need, and if you create a rule to block this inbound traffic, you should return to a stealth result -- just like you would be stealth if in ZA you denied server rights to Spyblocker. Hope that helps. ;-)
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)
reply

SpBob @ 28th Mar 06:49PM:
Re: How to setup Norton Firewall rules for Spyblocker?

Hi Guys, sorry I've not gotten back to you sooner, but I've been trying all sorts of things to get this firewall to stealth port 80 whilst SpyBlocker is running, but I'm sorry to say it's a no go :-(

Apparently Norton stealths unused ports only, the problem is port 80 is in use by spyblocker and therefore acting as a server. Spyblocker author says this is how SB supposed to work... As a webserver, filtering all web pages I request and serving the clean/safe versions of them to me.

I've tried (too) many things and spent more time on this problem than is healthy :-) I've tried blocking inbound connnections to spyblocker, I've tried blocking general inbound connections to port 80 (both TCP and UDP), I've tried blocking outbound general and program on port 80, I've tried blocking all access to spyblocker. I've read numerous articles, etc, etc. At some points I thought I'd solved it, but alas no. So I must concede that this can't be done and run both WinXP's ICF and Norton's firewall together.

The solution would be for norton to allow stealthing of all ports used or unused, like Sygate does. Another, solution would be for Spyblocker software to make the spyblocker program stealth itself. Symantec support are as much use as a chocolate teapot! and based on previous, their simple answer would be to stop using spyblocker, and I'm still waiting for an answer from spyblocker software.

I've searched around the net on google and on groups, etc. A few ppl mention the open port 80 problem. It's a pity nobody has a definitive answer specific to norton firewall and spyblocker. I would have really liked to hear from someone who uses both products, who has had and solved this problem.

Thanks for your time guys..
reply

CrazyM @ 28th Mar 11:52PM:
Re: How to setup Norton Firewall rules for Spyblocker?

If XP's ICF stealths your port 80 and SpyBlocker still functions properly, then this would suggest to me it only needs to listen (act as a server) locally. In which case NIS should stealth this port.

Is the firewall setting configured to High?

You mention earlier creating a permit all rule, which is something you usually do not want to do, and trying several other rules combinations. You might want to check all your rules (including general, program and trojan) for anything related to your previous attempts and remove them. Then wait for NIS to prompt and select the manual rules creation option and create a rule permitting outbound access for remote service HTTP only. Make note of any other access it may prompt for as this may help determine what other rules may be required. If it is listening/filtering on localhost, this should be covered by the default loopback rules (unless you have removed them).

Regards,

CrazyM
--
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier
reply

SpBob @ 29th Mar 04:54PM:
Re: How to setup Norton Firewall rules for Spyblocker?

Custom Firewall Settings are :-

Personal Firewall: High
Java Applet Security: Medium, prompt each time
ActiveX control security: Medium, prompt each time

I currently have 118 program rules defined. Mainly for Microsoft (it seems like virtually every MS program is in there), but with a lot of Symantec stuff and some Sun Java stuff. These rules were all auto created by NIS after I did a program scan. NIS doesn't let me copy these rules to a text file and there's far too many to copy into a text file myself, so I'll not post them here.

I have been told to delete all of these auto created rules, but make sure that I don't remove any specific blocks.?? Surely if I just remove all of the program rules, it shouldn't make any difference or will it? Possibly NIS will stop working if I remove the Symantec rules? Is there a way to reset the firewall rules back to how it was when installed? There sure seems to be a lot of MS stuff that needs internet access, I just counted 62 prog rules for MS and 42 rules for Symantec.

Regarding the stealthing of port 80, I've discovered that NIS only stealths blocked ports, but I tried blocking port 80 and spyblocker malfunctions.

As I mentioned earlier, I chose NIS because I thought it would be a no-brainer. Symantec stuff is usually pretty simple to setup, but it seems that their firewall is the exception to the rule.

-Bob-
reply

jvmorris @ 29th Mar 05:00PM:
Re: How to setup Norton Firewall rules for Spyblocker?

Bob,

If this is in response to my directions in the Wilders "Other Firewalls" forum post, then I either phrased it badly or you misread it. (I'll go over and take another look.)

Only thing I was saying was clear your existing rule(s) for SpyBlocker. Lemme go back over there and see what's going on. . . .
--
Regards, Joseph V. Morris
reply

SpBob @ 29th Mar 05:03PM:
Re: How to setup Norton Firewall rules for Spyblocker?

I've not been on wilders yet, I was going to log on shortly (time permitting), so not sure what I've missed.

-Bob-
reply

jvmorris @ 29th Mar 05:20PM:
Re: How to setup Norton Firewall rules for Spyblocker?

The way I read CrazyM's advice (both here and at Wilders) is that if dropping all rules for SpyBlocker and then letting NIS recreate them does not work, the next likely place to look is in your General Rules (which apply to all applications and consequently are evaluated before application-specific rules).

What you would be looking for (starting at the beginning of the rules) is a rule that

PERMITS
INBOUND (or BOTH directions)
TCP (or TCP and UDP)
TO Local Port 80 (or some list of ports including 80 or some range of ports including 80 OR simply to ALL Local Ports).

Now, if you find such a rule, please recreate it here before you get too carried away and simply delete it, okay?
--
Regards, Joseph V. Morris
reply

SpBob @ 29th Mar 05:30PM:
Re: How to setup Norton Firewall rules for Spyblocker?

I don't have any rules for spyblocker at all! It just works. If I try to create any kind of program block rule for it, then it malfunctions.

I'll have a look at the general rules, but not knowing what I'm doing, I don't like messing about in there. I only tried creating one general rule to block inbound on port 80 but that didn't work so I deleted the rule. Everything else must have been created by Norton for some reason.

I'll look for any general rules matching the stuff you said and get back to you, either here or on wilders.

If only these rules were easier to access and work with instead of just using a tiny little viewing/editing window.

-Bob-
reply

jvmorris @ 29th Mar 06:13PM:
Re: How to setup Norton Firewall rules for Spyblocker?

said by SpBob:
I don't have any rules for spyblocker at all! It just works. If I try to create any kind of program block rule for it, then it malfunctions.

Okay, this is getting confusing. I go over to the SpyBlocker Forum and read that you do have a rule for SpyBlocker and that's it's a "Permit All" rule. Now, you're saying you don't have any rule at all. Which is it?

quote:
I'll have a look at the general rules, but not knowing what I'm doing, I don't like messing about in there.

I didn't say anything about 'messing about' in there. I just want you to write down the details of any rule satisfying these constraints that I noted above and post them here.

quote:
I only tried creating one general rule to block inbound on port 80 but that didn't work so I deleted the rule. Everything else must have been created by Norton for some reason.

Is this rule still active or have you removed it?

quote:
I'll look for any general rules matching the stuff you said and get back to you, either here or on wilders.

If only these rules were easier to access and work with instead of just using a tiny little viewing/editing window.

Don't get me started on that subject! :D
--
Regards, Joseph V. Morris
reply

SpBob @ 30th Mar 07:07PM:
Re: How to setup Norton Firewall rules for Spyblocker?

Joseph,

Re: SpyBlocker - I shall try to clarify the situation..

Spyblocker has two programs, SB itself and the SB updater program. After I first installed it on this new machine, I checked for updates, NIS popped up an alert asking if I wanted to permit or block, etc, SBupdater, so I chose permit always. I've used SB for some time on my old machine and I assumed it must be ok to trust it. This created a program entry for SBupdater.exe. I then manually setup the same "permit all" rule for spyblocker.exe, as I assumed this was the right thing to do and I didn't want to run into problems with it later on.

I later discovered that Spyblocker does not require any program rule in NIS at all to work. Don't ask me why though. I think it was explained somewhere on the Spyblocker forum. So I deleted the program rules, and sure enough it works. I've not tried using the auto updater since as I currently don't know what's best and what's not?

Re: General rule to block inbound on port 80

As I said before, I deleted this rule.

Joseph, If it's ok with you, I'd be grateful if we could continue this over on Wilders, in order to avoid retyping and duplication....

»www.wilderssecurity.com/index.ph···id=26122

Regards, Bob
reply