Norton PF 2002 configuring over and over...

Lately whenever I go on the internet, I notice a huge slowdown on my PC.
So we checked the running processes and some other status things, and it
turns out that our Norton Personal Firewall 2002 is getting a "Firewall
configuration updated" message 2-4 times per second! It used to only do
that once a day. Our Win98 machine is doing it too (the main PC is XP Pro
and we're sharing a DSL connection).

LiveUpdate still works, we don't have any viruses (the Symantec automatic
support said that we had MyDoom, but the removal tool didn't find it), and
things like ICQ and PuTTy still seem to work fine. If we don't have an IE
window open, everything is slow.

Has anyone heard of this before? Is it just Norton's way of forcing an
upgrade? Our subscription is still valid.

--
chuk

Chuk Goodin

On Mon, 17 May 2004 17:29:24 +0000 (UTC), (Chuk Goodin)
brought the following to our attention:

>Lately whenever I go on the internet, I notice a huge slowdown on my PC.
>So we checked the running processes and some other status things, and it
>turns out that our Norton Personal Firewall 2002 is getting a "Firewall
>configuration updated" message 2-4 times per second! It used to only do
>that once a day. Our Win98 machine is doing it too (the main PC is XP Pro
>and we're sharing a DSL connection).
As of WED 05-12 LiveUpdates.. NPF and it's associated routines have
been VERY troublesome. One of the things that happened.. was the Win2k
Wkstn slowed noticeably. Checking in Task Manager.. a Norton routine
(perhaps redirector) was hogging one of the CPU's (50% on a dual-Xeon)

Soon another update came out.. like the same day or the NEXT day for
redirector. Ther are STILL issues when browsing like.. IE gets stuck
in a localhost (127. ) loop and cannot be recovered short of a reboot.

Often the NFW will repeatedly ask for permissions which no reply will
satisfy. Then Win2k will bluescreen. Very annoying!!

>
>LiveUpdate still works, we don't have any viruses (the Symantec automatic
>support said that we had MyDoom, but the removal tool didn't find it), and
>things like ICQ and PuTTy still seem to work fine. If we don't have an IE
>window open, everything is slow.
>
>Has anyone heard of this before? Is it just Norton's way of forcing an
>upgrade? Our subscription is still valid.

I wondered that as well.. so I uninstalled NPF and reinstalled from
the CD.. then did about three simultaneous LiveUpdates. It has
malfunctioned JUST ONCE since then.. and not in the last 1-2 days.

One More ALICE.. and I'm yankin' it and going with ZA or SyGate!!


-Mike

mike@mechanic.com

Chuck,

It's all over the place. You can find it being discussed at Computer Cops,
at Wilders Security Forums and at the DSLR/BBR Security Forum. Seems like
the LiveUpdate of 12 May (or maybe one thereafter) blew the socks off
NIS/NPF 2002 (but people using NIS/NPF 2003 or 2004 appear to be okay).

If you're bored, you can always try reading through the thread at
http://www.dslreports.com/forum/rema...8995~mode=flat (start about six
posts in). <g>

Firewall rules appear to be okay as do the basic configuration settings.
Looks like one of the downloaded components is causing NIS/NPF 2002 to
'burp'. There's a bit of suspicion that they inadvertently stuffed a
NIS/NPF 2003/2004 update into the update for NIS/NPF 2002. No word (yet) on
a fix for the fix.

Could be something they did to get a response out the door in short time in
response to the eEYE vulnerabilities which also impact NIS/NPF 2002.
(There's exploit code out for this now, so it sort of leaves people between
a rock and a hard place.)

I presume what you're seeing looks similar to the following?

Firewall Event Log
17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
17/05/2004 03:14:30 Owner Firewall configuration updated: 64 rules
17/05/2004 03:14:28 Not Logged In Firewall configuration updated: 64 rules
17/05/2004 03:14:26 Not Logged In NDIS filtering is enabled

(That's for an XP box with NIS User Accounts enabled.)

Joseph V. Morris

On Mon, 17 May 2004 15:16, "Joseph V. Morris" <> wrote:
>If you're bored, you can always try reading through the thread at
>http://www.dslreports.com/forum/rema...8995~mode=flat (start about six
>posts in). <g>

Thanks, I'll look at that.

>I presume what you're seeing looks similar to the following?
[snip example]

Yep, that's it exactly. It's hogging cycles and RAM like crazy, too.

Thanks a lot for the quick responses -- Google and Symantec's "support"
(such as it is for 1.5 year old programs) were getting me nowhere.



--
chuk

Chuk Goodin

On Mon, 17 May 2004 15:16:37 -0400, "Joseph V. Morris"
<> brought the following to our attention:

>Chuck,
>
>It's all over the place. You can find it being discussed at Computer Cops,
>at Wilders Security Forums and at the DSLR/BBR Security Forum. Seems like
>the LiveUpdate of 12 May (or maybe one thereafter) blew the socks off
>NIS/NPF 2002 (but people using NIS/NPF 2003 or 2004 appear to be okay).
>
>If you're bored, you can always try reading through the thread at
>http://www.dslreports.com/forum/rema...8995~mode=flat

YES.. that's exactly what it's doing.. hogging CPU.. repeatedly asks
for the same PERMISSION over-and-over.. not satisfied with ANY reply
to a `permission'.. getting stuck in a localhost type loop.. requires
a reboot to remedy.. and also bluescreens frequently!! Pretty
serious situation. I uninstalled using the INSTALL CD menu.. then
reinstalled and did about three LU's. Has since been behaving..
somewhat that is!!

-Mike

>(start about six posts in). <g>
>
>Firewall rules appear to be okay as do the basic configuration settings.
>Looks like one of the downloaded components is causing NIS/NPF 2002 to
>'burp'. There's a bit of suspicion that they inadvertently stuffed a
>NIS/NPF 2003/2004 update into the update for NIS/NPF 2002. No word (yet) on
>a fix for the fix.
>
>Could be something they did to get a response out the door in short time in
>response to the eEYE vulnerabilities which also impact NIS/NPF 2002.
>(There's exploit code out for this now, so it sort of leaves people between
>a rock and a hard place.)
>
>I presume what you're seeing looks similar to the following?
>
>Firewall Event Log
>17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
>17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
>17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
>17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
>17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
>17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
>17/05/2004 03:14:31 Owner Firewall configuration updated: 64 rules
>17/05/2004 03:14:30 Owner Firewall configuration updated: 64 rules
>17/05/2004 03:14:28 Not Logged In Firewall configuration updated: 64 rules
>17/05/2004 03:14:26 Not Logged In NDIS filtering is enabled
>
>(That's for an XP box with NIS User Accounts enabled.)
>

mike@mechanic.com