WinXP Sp2- Firewall allows IE as an exception?

JEDI

Lifer
Sep 25, 2001
29,391
2,738
126
Yesterday, I accidentally clicked yes to allow an Active-X script to run.

i immediately ran adaware and norton antivirus. both came back clean.

today i took a look at SP2's built-in firewall.

Under exceptions, there was a line for Internet Explorer and it was checked.

When i clicked 'set to default', the Internet Explorer line was gone.

WTF?!

Is my computer compromised? Should I re-format???
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
What precise version of Norton Antivirus do you have (2003, 2004, 2005)? What is the date of the definition set that it is using?

You can get today's Intelligent Updater here to get the Jan. 4th defs if they're out-of-date. If you're using an old version of Norton such as 2003, then go here and run the security and virus checks for a second opinion.
 

mechBgon

BTW, also go to Internet Options > Security and reset the security to default levels for each of the zones there. Look in your Registry for stuff along the lines of what's described here, too.
 

JEDI

Originally posted by: mechBgon
What precise version of Norton Antivirus do you have (2003, 2004, 2005)? What is the date of the definition set that it is using?

You can get today's Intelligent Updater here to get the Jan. 4th defs if they're out-of-date. If you're using an old version of Norton such as 2003, then go here and run the security and virus checks for a second opinion.

norton 2002. last data file was 12/30/04. my subscription has NOT expired, but when i clicked on liveupdate, it didn't find 1/4/05 defs. i had to manually install it from your link.

now i'm doing another scan.

sigh....... leaning closer to reimage
 

mechBgon

The older Norton engines don't have detection of Trojans, dialers, adware and spyware, among other things. Grab a 15-day trialware of Norton 2005 from here, get it all updated (might need several sessions of LiveUpdate to get all components fully up-to-date), enable scanning within compressed files, max out the heuristics, run a full scan, and see what it finds.
 

JEDI

Originally posted by: mechBgon
BTW, also go to Internet Options > Security and reset the security to default levels for each of the zones there. Look in your Registry for stuff along the lines of what's described here, too.

i reset the security levels b4 i took a look at the registry

nav didn't find anything
 

h2

Member
Dec 25, 2004
42
0
0
Unless Norton has magically improved, you'd be well advised to run a few other AV products on your machine. Try Antivir for starters, that's a good one to install, update, run the scan, then uninstall, usually catches a bunch of trojans norton and mcafee totally miss. Then run pandasoft and trendmicro online scans, see what you come up with.

then turn off Windows XP firewall, permanently, and install a real one, with outbound packet filtering, zonealarm is fine, nortons I don't like. See what you come up with then. The norton failing to update is a bad sign.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
The IE exception alone isn't really a cause for concern. I've seen web apps that use the IE process to receive inbound traffic from the web and therefore would prompt you to open port(s) for it.

Now, do you have any idea just what Active-X control you installed? I'd be much more concerned about what you just installed.

You might want to take a look at your IE addons to see if there is anything out of the ordinary installed (tools>manage add-ons...)
 

mechBgon

... and also get some antivirus software that's not running on a 3-year-old engine, of course ;) Or there is mechBgon's favorite suggestion that no one ever likes to even think about... :Q yeah, that one!
 

JEDI

Originally posted by: mechBgon
... and also get some antivirus software that's not running on a 3-year-old engine, of course ;) Or there is mechBgon's favorite suggestion that no one ever likes to even think about... :Q yeah, that one!

when nav updates, it doesn't update the engine???

i built a machine for my sister in 2000. it's running win98/nav 5.0. it's still in use and no viruses. (plenty of spyware, but adaware takes care of that.)
 

mikecel79

Platinum Member
Jan 15, 2002
2,858
1
81
I think you're really overreacting here. Especially if Ad Aware didn't pick anything up. Chances are it wasn't a bad ActiveX control. Do like spyordie said and check what ActiveX controls you have loaded. See if anything looks suspicious there. Having IE in your exceptions list for the firewall isn't a sign your machine has been compromised.
 

mechBgon

Originally posted by: JEDI
Originally posted by: mechBgon
... and also get some antivirus software that's not running on a 3-year-old engine, of course ;) Or there is mechBgon's favorite suggestion that no one ever likes to even think about... :Q yeah, that one!

when nav updates, it doesn't update the engine???

How many times do I have to drill that into your head here ;) The Norton 2004 and 2005 engines can detect what Norton calls "Expanded Threats," including Trojans and dialers, adware, spyware and some other stuff. Get that free 15-day trial of Norton 2005, get it fully updated, and run an exhaustive scan after enabling compressed-file scanning and maxing out the heuristics.

 

h2

<< The Norton 2004 and 2005 engines can detect what Norton calls "Expanded Threats," including Trojans and dialers, adware, spyware and some other stuff. >>>

ha ha. Very funny. I just spent about 8 hours fixing a nav 2004 'protected' machine, don't make me laugh. Unless you work for Symantec or something. But some people just like believing things they like to believe.

By the way, when a software company puts out a consistently bad product year after year, I don't tend to reward them with loyalty, like a sports fan with their local losing team, I switch software, and reward the company that did a better job.
 

mechBgon

Originally posted by: h2
<< The Norton 2004 and 2005 engines can detect what Norton calls "Expanded Threats," including Trojans and dialers, adware, spyware and some other stuff. >>>

ha ha. Very funny. I just spent about 8 hours fixing a nav 2004 'protected' machine, don't make me laugh. Unless you work for Symantec or something. But some people just like believing things they like to believe.

By the way, when a software company puts out a consistently bad product year after year, I don't tend to reward them with loyalty, like a sports fan with their local losing team, I switch software, and reward the company that did a better job.

You are welcome to buy whatever you like, but what you quoted me on is factually correct as it stands. Norton's latest two engine revisions will detect more categories of threats (using the same definition sets) than their 2003 and earlier versions, and they are what Symantec calls "Expanded Threats." If you want to hear that from an actual Symantec lead programmer instead of me, I can probably arrange that very promptly. :evil:

Since this thread is about a possible threat that got installed from a web page, possibly falling into the Expanded Threats categories (Trojan, adware, spyware, dialers, keystroke loggers...), it is important for JEDI to understand that a clean NAV2002 scan is not necessarily relevant. And that's my main point, not that Norton is the worst, the best, or anything else, simply that he/she is using a very, very outdated program. You're welcome to make alternative suggestions, including your favorite antivirus software. Go for it. :)
 

h2

<< How many times do I have to drill that into your head here The Norton 2004 and 2005 engines can detect what Norton calls "Expanded Threats," including Trojans and dialers, adware, spyware and some other stuff. >>

No matter how you now decide to more reasonably state it, this is what I am and was commenting on. This makes it sound like Norton has suddenly gone from being a completely unreliable product to now suddenly a great product. This is not the case, as I noted. Although I can't really say I like any AV product out there, I think if pushed I'd recommend nod32, that's one of a very few that crackers will admit is half way decent.

And it needs also to be noted: 'can detect' but often 'can detect some, misses many, can't delete some of the ones it can detect', whereas other av products 'can detect, can delete'. Suggesting nav has suddenly somehow become better can lead readers of threads like this down very virus/trojan ridden pathways that they probably don't want to go down.
 

mechBgon

Next time you encounter a system that's been seriously bogged down by massive spyware, clean it up with Spybot and Ad-Aware, then take an additional pass at it with Norton 2005 trialware, fully maxed on all detection options. You might be in for a little surprise. :evil:
 

h2

Ok, I'll try that, I'm always happy to check out new tools, even when they are written by companies whose software was usually what allowed the problems in the first place.
 

cmv

Diamond Member
Oct 10, 1999
3,490
0
76
Get Microsoft's beta AntiSpyware. They bought Giant and rereleased it as their own (it was a regular non-beta at Giant so it's not a risky program to run). See the other thread here.
 

h2

I'm pulling all my clients off Norton, we're trying nod32 at the moment, that's gotten some of the best reviews from those I consider best qualified to judge, the people trying to crack your system. Kaspersky was something I was looking at too, but I've been told by people I respect in this area that it doesn't quite do the job. Again, when a software company puts out a bad product year after year, remind me again why I'm supposed to give them another chance? Maybe norton has really turned over a new leaf, fired all its staff, especially the management, and decided to get serious about what they do again. Stranger things have happened, Apple dumped their stupid mac os and replaced it with Unix and suddenly had a real OS to offer.
 

mechBgon

If you're in the experimentative mood, you might see if you can get a trial of McAfee VirusScan Enterprise 8.0i. I've been monitoring our fleet using ePO for about two years x 80 computers, and McAfee's lineup has proven satisfactory. Number of successful infections on computers running McAfee, over 160+ machine-years: zero. There was one infection on a system whose McAfee had malfunctioned and could not run... so I'm not perfect, sue me :p We have used VirusScan Enterprise 7.0 and deployed the new 8.0i almost as soon as it became available.

VSE 8.0i adds anti-intrusion and buffer-overflow capabilities. I like the buffer-overflow capability... remember that Bofra incident at The Register, for example? VSE 8.0i would stop Bofra, and any other exploit using the IFRAME vulnerability, regardless of its antivirus signatures, simply on the basis that it is a buffer-overflow situation. http://vil.nai.com/vil/content/v_129631.htm

If you'd like to check out the VSE 8.0i options range, it's rather extensive and I made a little configuration guide for anyone who wants configuration suggestions or simply to check out what VSE 8.0i looks like: http://www.omnicast.net/~tmcfadden/vse8/index.html

And here you were thinking I was a Norton fanboy ;) Hehe...