
Norton Internet Security 2008

Level 2 Course Guide


Support Readiness Guide

September 10, 2007

Table Of Contents

Personal Firewall enhancements
Home Networking
    User Direct Connect to Internet
    User Direct Connect to ISP’s NAT
    User Connects to own NAT
    Linear Topology
    Tree Topology
    Home Networking – communication port
Security Inspector
Browser Vulnerability Protection
Transaction Security
    Web Authentication
        End User Effect of Web Authentication
Crimeware Protection
    Interaction with other Components
Norton Internet Security 2008 Alerting mechanism
    Important components of Alerting

Personal Firewall enhancements
The personal firewall in Norton Internet Security 2008 uses the COH or SONAR
functionality to scan applications that connect to the Internet. If no ALE exists for
an application, or if Program Control does not recognize the application, SONAR is
invoked to perform a heuristic scan of the application and decide whether it is
malicious. If SONAR determines that the application is malicious, and the user
consents when the alert is displayed (in "Ask me what to do" mode), NavW32.exe is
invoked to remove the application.

The following flowchart illustrates this functionality:

TP (Trust Processor) – Personal Firewall uses the Trust Processor component to
calculate the overall decision to take after scanning a file.

fwAgent – The user-mode firewall component.

fwPlugin.dll – An fwAgent plug-in for Norton Internet Security. This plug-in gives
fwAgent the interfaces it requires for configuration and alerting.

fwAlert.dll – The user interface component. It is a ccApp plug-in that subscribes to
firewall events, displays alerts and notifications, and relays user actions back to
fwPlugin.dll.

Home Networking
The Home Networking component depends on Common Client 7.0, SymHTML 2.0, and
SymNetDrv 8.0.
The Home Networking component requires SND (Symantec Network Drivers) to support
• ARP Discovery
• Neighbor Discovery in IPv6
Symantec Network Drivers deliver discovery results to the Home Networking components
as (IP address, MAC address) pairs.
Symantec Network Drivers do not support LLTD because of its complexity. The Home
Networking component instead uses Microsoft Function Discovery to obtain information
about LLTD, UPnP, and other discoverable devices that Windows Vista detects.
Function Discovery is not supported on Windows XP.

Use Cases – Network Topology


The following use cases show the various types of home network that users may have.
Each diagram is followed by a note on the options the Network Security Map will
provide for that type of network:

User Direct Connect to Internet

Definition
Local host has a public IP address.

Diagram: the local host (140.114.29.188/255.255.255.0) is connected directly to a
router at 140.114.29.254/255.255.255.0 (the router could also be a DSL modem/router
or a cable modem/router).

Possible Actions
Restrict network

Comments
In this case users will not be given the ability to trust the whole Internet from the
Network Security Map. They need to do this through the existing NIS Options UI.

User Direct Connect to ISP’s NAT

Definition
Local host has a private IP address that is part of the ISP’s NAT.

Possible Actions
Trust/Restrict network

Comments
Users will be given the ability to trust the whole NAT if it is in a private IP
range, because the NAT is separated from the public network (the Internet).

User Connects to own NAT

Definition
Local host has a private IP address that is part of the user’s own NAT.

Possible Actions
Trust/Restrict network

Local Connections
Linear Topology

Definition
All devices are in the same subnet.

Diagram: a Linksys SRX400 wireless router at 192.168.1.1/255.255.255.0 (wireless in
AP mode) serves the 192.168.1.0/24 subnet. Devices shown: the local host
(192.168.1.100), an HP iPAQ (192.168.1.150), Steven’s Laptop, Emily’s iMac, and a
network printer (192.168.1.3). The remaining addresses in the diagram are
192.168.1.101, 192.168.1.102, and 192.168.1.151, all with mask 255.255.255.0.

Possible Actions
• Local host trusts/restricts a device on the LAN (by MAC address or IP address)
• Categorize devices

Comments
Automatic wireless security setup may not be feasible for the user, because it
might break the working connection of devices the product cannot control (e.g. the
HP iPAQ’s wireless connection).

Tree Topology

Definition
The local subnet is organized as a tree topology and the local host is connected to a
router that has only upstream routing.

Diagram: the local host (192.168.1.150/255.255.255.0) is on the LAN side of a Linksys
SRX400 wireless router (wireless in router mode; LAN address 192.168.1.1, WAN address
192.168.0.101). The wireless router’s WAN side connects to a D-Link DI-605 broadband
router at 192.168.0.1/255.255.255.0, and Steven’s Desktop (192.168.0.102/255.255.255.0)
sits on that 192.168.0.0/24 segment.

Possible Actions
• Local host trusts/restricts a device on the LAN (by MAC address or IP address)
• Categorize devices

Comments
A typical symptom of this scenario is that Steven’s Desktop’s file/printer share is
not accessible from the local host. It can be solved by any of the following:

• Put the wireless router in Access Point mode
• Make Steven’s Desktop trust the local host, and make the local host trust Steven’s
Desktop
• Make Steven’s Desktop trust the wireless network

Tree Topology

Definition
The local subnet is organized as a tree topology and the local host is connected to a
router that has both upstream and downstream routing.

Diagram: the same layout with the roles swapped. Steven’s Laptop
(192.168.1.150/255.255.255.0) is on the LAN side of the Linksys SRX400 wireless router
(wireless in router mode; LAN address 192.168.1.1, WAN address 192.168.0.101). The
D-Link DI-605 broadband router is at 192.168.0.1/255.255.255.0, and the local host
(192.168.0.102/255.255.255.0) is on the 192.168.0.0/24 segment.

Possible Actions
• Local host trusts/restricts a device on the LAN (by MAC address or IP address)
• Categorize devices

Comments
A typical symptom of this scenario is that Steven’s Laptop’s file/printer share is
not accessible from the local host. It can be solved by any of the following:

• Put the wireless router in Access Point mode
• Make Steven’s Laptop trust the local host, and make the local host trust Steven’s
Laptop
• Make the local host trust the wireless network.
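
The following is an added illustration of the decisions the use cases above describe; it is not Symantec’s Home Networking code. It takes the (IP address, MAC address) pairs that the text says the network drivers deliver from ARP discovery, plus the local host’s own address and mask, and derives which network-level actions the map can offer (Restrict only for a public address, Trust/Restrict for a private one) and which discovered devices are on the local host’s own subnet. The function names, the sample addresses and the MAC address are constructed for this example.

```python
"""Network Security Map decisions for the home-network use cases above.

Added example, not Symantec code. Input: the local host's address/mask and
the (IP address, MAC address) pairs ARP discovery returns. Function names
and the sample devices below are constructed for illustration.
"""
import ipaddress

# RFC 1918 ranges. An address in one of these means the host sits behind a
# NAT (the ISP's or the user's own), so "Trust network" may be offered.
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def network_actions(host_ip: str) -> list:
    """Actions offered for the network the local host is on.

    Public address (direct connection to the Internet): only "Restrict",
    because trusting the whole Internet must go through the NIS Options UI.
    Private address (ISP NAT or own NAT): "Trust" or "Restrict".
    """
    if is_rfc1918(host_ip):
        return ["Trust network", "Restrict network"]
    return ["Restrict network"]


def device_trust_options(host_ip: str, netmask: str, devices: list) -> dict:
    """Classify each discovered device relative to the local host's subnet.

    On-link devices (linear topology) were seen by ARP, so they can be
    trusted or restricted by MAC address or IP address. A device whose
    address is outside the local subnet is reached through a router (tree
    topology): ARP never sees its MAC, only the router's, so the only usable
    key is its IP address. Those are the hosts whose file/printer shares the
    tree-topology comments above describe as unreachable.
    """
    local = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    options = {}
    for ip, mac in devices:
        on_link = ipaddress.ip_address(ip) in local
        options[ip] = {
            "on_link": on_link,
            "trust_keys": ["MAC", "IP"] if on_link and mac else ["IP"],
        }
    return options


# Constructed sample: the first tree-topology use case. Local host
# 192.168.1.150/24 behind the Linksys SRX400 (LAN side 192.168.1.1);
# Steven's Desktop 192.168.0.102 sits on the D-Link DI-605's segment and
# is therefore known by IP only. The MAC address is made up.
SAMPLE_HOST = ("192.168.1.150", "255.255.255.0")
SAMPLE_DEVICES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # wireless router, seen by ARP
    ("192.168.0.102", None),                # Steven's Desktop, behind the router
]

if __name__ == "__main__":
    print(network_actions("140.114.29.188"))   # direct Internet connection
    print(network_actions(SAMPLE_HOST[0]))     # private address behind NAT
    for ip, opts in device_trust_options(*SAMPLE_HOST, SAMPLE_DEVICES).items():
        print(ip, opts)
```

The public/private split is only the RFC 1918 test; the example cannot tell an ISP NAT from the user’s own NAT, which is why both use cases offer the same Trust/Restrict pair.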

Home Networking – communication port

The Home Networking feature uses a communication port (31077 by default) to communicate
with other Norton products on the local network. Because this port always remains open,
it could be an attack vector. To make sure that only valid connections are made to this
port, two firewall rules are created to validate connections over it. The rules are:

Rule 1:
• Block
• Inbound/Outbound
• TCP
• [Communication Port] number
• Local subnet scope

Rule 2:
• Allow
• Inbound/Outbound
• TCP
• [Communication Port] number
• Local subnet scope
• Authorized MAC addresses

[Communication Port] number is the port number assigned for Home Networking
communication (31077, by default).

Rule 2 is placed above Rule 1 in the system rule list, and the first matching rule wins.
The result is that traffic to the [Communication Port] from computers in the Authorized
List (computers that have joined the virtual network to share Norton status) is allowed,
and all other traffic on that port from the local subnet is blocked.

Note that these system rules affect all applications, not just Home Networking. It is
possible for another application to bind to the [Communication Port] before Norton
Internet Security does; the end result is that the other application can only
communicate with the MAC addresses in the Gatekeeper List. Products that do not include
the Symantec Network Drivers firewall are not configured with these two rules.
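
The following added example models the two rules above and their ordering; it is not the Symantec Network Drivers firewall. The rule attributes (block vs. allow, TCP, port 31077, local-subnet scope, authorized MAC list, Rule 2 above Rule 1) are from the text; the packet model, the first-match evaluator, the default action for unmatched traffic and the sample addresses and MACs are constructed here.

```python
"""First-match evaluation of the two Home Networking system rules.

Added example, not Symantec firewall code. Packet model, evaluator,
default action and the sample MACs/addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

COMM_PORT = 31077


@dataclass
class Packet:
    proto: str          # "tcp" / "udp"
    direction: str      # "in" or "out"
    remote_ip: str
    remote_mac: str     # MAC of the peer on the local segment
    local_port: int
    remote_port: int


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "block"
    proto: str
    port: int
    scope: ipaddress.IPv4Network    # "local subnet scope"
    macs: frozenset = frozenset()   # empty = any MAC (Rule 1); set = Rule 2

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        # Inbound/Outbound: the communication port may be on either end.
        if self.port not in (pkt.local_port, pkt.remote_port):
            return False
        if ipaddress.ip_address(pkt.remote_ip) not in self.scope:
            return False
        return not self.macs or pkt.remote_mac.lower() in self.macs


def evaluate(rules: list, pkt: Packet, default: str = "allow") -> tuple:
    """Walk the rule list top to bottom; the first matching rule decides.
    Traffic neither rule matches falls through to the rest of the firewall
    (Program Control and the other system rules), modelled here by `default`."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "no system rule matched"


LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Constructed "Gatekeeper List": MACs of computers that joined the virtual network.
AUTHORIZED_MACS = frozenset({"00:11:22:33:44:55", "00:11:22:33:44:66"})

RULE_2_ALLOW = Rule("Rule 2", "allow", "tcp", COMM_PORT, LOCAL_SUBNET, AUTHORIZED_MACS)
RULE_1_BLOCK = Rule("Rule 1", "block", "tcp", COMM_PORT, LOCAL_SUBNET)
SYSTEM_RULES = [RULE_2_ALLOW, RULE_1_BLOCK]       # Rule 2 placed above Rule 1


def sample_decisions(rules=SYSTEM_RULES) -> dict:
    """Decisions for a few constructed inbound packets, keyed by a label."""
    peer_ok = Packet("tcp", "in", "192.168.1.20", "00:11:22:33:44:55", COMM_PORT, 51000)
    stranger = Packet("tcp", "in", "192.168.1.21", "00:aa:bb:cc:dd:ee", COMM_PORT, 51001)
    other_port = Packet("tcp", "in", "192.168.1.21", "00:aa:bb:cc:dd:ee", 445, 51002)
    outside = Packet("tcp", "in", "10.0.0.5", "00:aa:bb:cc:dd:ee", COMM_PORT, 51003)
    return {
        "authorized peer": evaluate(rules, peer_ok)[0],
        "unauthorized peer": evaluate(rules, stranger)[0],
        "other port": evaluate(rules, other_port)[0],
        "off-subnet peer": evaluate(rules, outside),
    }


if __name__ == "__main__":
    for label, decision in sample_decisions().items():
        print(f"{label}: {decision}")
    print("reversed order:", sample_decisions([RULE_1_BLOCK, RULE_2_ALLOW]))
```

Two points the evaluator makes visible: with the order reversed, Rule 1 swallows every packet and even authorized peers are blocked; and because both rules are scoped to the local subnet, a packet to port 31077 from outside the subnet matches neither and is decided by the rest of the rule list. Note also that a MAC address is an unauthenticated identifier on a LAN, so the Gatekeeper List only keeps out peers that do not bother to spoof one.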

Security Inspector

The Browser Settings scan of Security Inspector scans the following areas of the
browsers:

Internet Explorer:

Scan (IE security option)                                                  | Recommended setting | Detectable setting
Download unsigned ActiveX controls                                         | Disable             | Enable
Run ActiveX controls and plug-ins                                          | Disable             | N/A
Initialize and script ActiveX controls not marked as safe                  | Disable             | Enable
Allow scripting of Internet Explorer web browser control                   | Disable             | Enable
Active scripting                                                           | Enable              | N/A
Scripting of Java applets                                                  | Enable              | N/A
Script ActiveX controls marked safe for scripting                          | Enable              | N/A
Access data sources across domains                                         | Disable             | Enable
Allow programmatic clipboard access                                        | Enable              | N/A
Submit non-encrypted form data                                             | Enable              | N/A
Font download                                                              | Enable              | N/A
Userdata persistence                                                       | Enable              | N/A
Navigate sub-frames across different domains                               | Disable             | N/A
Allow META REFRESH                                                         | Enable              | N/A
Display mixed content                                                      | Prompt              | Enable
Installation of desktop items                                              | Prompt              | Enable
Drag and drop or copy and paste files                                      | Enable              | N/A
File download                                                              | Enable              | N/A
Launching applications and files in an IFRAME                              | Prompt              | Enable
Launching programs and files in web view                                   | Prompt              | Enable
Launching applications and unsafe files                                    | Prompt              | Enable
Use Pop-up Blocker                                                         | Enable              | N/A
Logon                                                                      | Option 2            | Options 1 and 3
Do not prompt for client certificate selection when no certificates or     | Disable             | Enable
  only one certificate exists                                              |                     |
Software channel permissions                                               | Medium / High       | Low
Script and binary behaviors                                                | Enable              | N/A
Run .NET Framework-reliant components signed with Authenticode             | Enable              | N/A
Run .NET Framework-reliant components not signed with Authenticode         | Enable              | N/A
Open files based on content, not file extension                            | Enable              | N/A
Web sites in less privileged Web content zones can navigate into this zone | Enable              | N/A
Allow script-initiated windows without size or position constraints        | Disable             | Enable
Automatic prompting for file downloads                                     | Disable             | Enable
Automatic prompting for ActiveX controls                                   | Disable             | Enable
Allow active content over restricted protocols to access my computer       | (not given)         | N/A
Allow previously unused ActiveX controls to run                            | Disable             | Enable
Allow scriptlets                                                           | Disable / Prompt    | Enable
Display video and animation on a webpage that does not use an external     | Disable             | Enable
  media player                                                             |                     |
Allow status bar updates via script                                        | Disable             | Enable
Allow websites to open windows without address or status bar               | Disable             | Enable
Allow websites to prompt for information using scripted windows            | Disable             | Enable
Run Internet Explorer in Protected Mode                                    | Enable              | Disable

The items listed under the Scan column are the Security options of Internet Explorer.
They can be accessed through the Custom Level button on the Security tab
(Tools > Internet Options). The Protected Mode option exists only in Internet Explorer 7
on Windows Vista.

The items listed under Recommended setting are the default values of the
corresponding options.

The values listed under the Detectable setting column trigger an alert in the Security
Inspector scan when applied to the corresponding option. When Security Inspector detects
such a setting, it offers the user an option to "fix" it. Fixing reverts the option to
its default value (the value in the Recommended setting column).

N/A in the Detectable setting column means that Security Inspector takes no action,
whatever value is set for the corresponding option.
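
The following added example performs a Security Inspector-style check of the Internet zone against the table above; it is not Symantec’s scanner. The settings, their recommended values and the values that trigger a finding come from the table. What is assumed here rather than taken from this page: the registry value names (1004, 1201, and so on) under the Internet zone key and the 0/1/3 encoding of Enable/Prompt/Disable, which are the IE zone registry layout reproduced from memory and should be verified against the IE build in question; the input format, the text of a `reg export` of that key; and the sample export, which is constructed. Only the subset of settings whose value names the editor is confident of is included.

```python
"""Security Inspector-style check of Internet Explorer Internet-zone settings.

Added example, not Symantec code. Registry value names and the 0/1/3
encoding are assumed (documented IE zone layout, from memory); the sample
export is constructed.
"""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3
VALUE_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Zone 3 = Internet zone, the zone the table above describes.
ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")

# value name -> (setting, recommended value, values that trigger a finding)
# None for the detectable set means N/A: never flagged, whatever the value.
CHECKS = {
    "1004": ("Download unsigned ActiveX controls", DISABLE, {ENABLE}),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE, {ENABLE}),
    "1206": ("Allow scripting of Internet Explorer web browser control", DISABLE, {ENABLE}),
    "1208": ("Allow previously unused ActiveX controls to run", DISABLE, {ENABLE}),
    "1400": ("Active scripting", ENABLE, None),
    "1406": ("Access data sources across domains", DISABLE, {ENABLE}),
    "1609": ("Display mixed content", PROMPT, {ENABLE}),
    "1804": ("Launching applications and files in an IFRAME", PROMPT, {ENABLE}),
    "1809": ("Use Pop-up Blocker", ENABLE, None),
    "2102": ("Allow script-initiated windows without size or position constraints", DISABLE, {ENABLE}),
    "2200": ("Automatic prompting for file downloads", DISABLE, {ENABLE}),
    "2201": ("Automatic prompting for ActiveX controls", DISABLE, {ENABLE}),
    "2500": ("Run Internet Explorer in Protected Mode", ENABLE, {DISABLE}),
}

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key path: {value name: int}} (dword values only).
    A real `reg export` file is UTF-16LE with a BOM; decode it before calling."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def scan_internet_zone(reg_text: str) -> list:
    """Return one finding per setting whose current value is in its detectable set."""
    zone = parse_reg_export(reg_text).get(ZONE_KEY, {})
    findings = []
    for value_id, (setting, recommended, detectable) in CHECKS.items():
        if detectable is None:
            continue
        # A value absent from the key means IE is using the zone default,
        # which the table above equates with the recommended value.
        current = zone.get(value_id, recommended)
        if current in detectable:
            findings.append({"id": value_id, "setting": setting,
                             "current": VALUE_NAMES.get(current, str(current)),
                             "fix_to": VALUE_NAMES[recommended]})
    return findings


def build_fix_reg(findings: list) -> str:
    """Emit a .reg file that reverts each flagged value to its recommended
    setting, which is what the scan's "fix" action does."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for f in findings:
        lines.append('"%s"=dword:%08x' % (f["id"], CHECKS[f["id"]][1]))
    return "\n".join(lines) + "\n"


# Constructed export of a weakened Internet zone.
SAMPLE_EXPORT = "Windows Registry Editor Version 5.00\n\n[" + ZONE_KEY + """]
"1004"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1406"=dword:00000000
"2200"=dword:00000003
"2500"=dword:00000003
"""

if __name__ == "__main__":
    found = scan_internet_zone(SAMPLE_EXPORT)
    for f in found:
        print(f'{f["id"]} {f["setting"]}: {f["current"]} -> fix to {f["fix_to"]}')
    print(build_fix_reg(found))
```

Running the scan on its own fix output produces no findings, which is the round trip a "fix" action should satisfy. Values the user never changed are absent from the key and are treated as the zone default, exactly as IE does.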

Netscape and Firefox:

The following areas are scanned in the case of Firefox and Netscape Communicator.

• Options > Web features
  o Block Popup Windows enable / disable
    - Allowed Sites list
  o Allow websites to install software
    - Allowed Sites list
  o Enable JavaScript > Advanced options
    - Hide the status bar
    - Change the status bar text
• Modifications to the three main configuration files:
  o userChrome.css (used to change the appearance of the browser)
  o userContent.css (used to change the appearance of web pages)
  o user.js (used to change various browser preferences)

Browser Vulnerability Protection
How Browser Vulnerability Protection works

Browser Vulnerability Protection contains two separate scanning engines for different
types of attack. The following types of attack are scanned for:

Script Hooking

The Script Hooking feature is used to detect browser vulnerabilities where:

• Script (JavaScript or VBScript) interacts with ActiveX objects. Examples of this are:
  o Instantiating an object
  o Calling a method of an object
  o Calling a method with an invalid parameter

• Script (JavaScript or VBScript) interacts with the Document Object Model (DOM) or the
Browser Object Model (BOM), e.g. document.write

Browser Vulnerability Protection detects exploits of this type by intercepting calls made
to the object. It examines the parameters being passed in the call, among other things,
and decides whether the call should be relayed on to the real function. If the call is
found to contain malicious values, it returns an error code to the caller and the original
function is never called. Such attacks are blocked cleanly, without terminating the
browser.

When Internet Explorer encounters an error in a script, which is what happens when
Browser Vulnerability Protection rejects a malicious call, Internet Explorer immediately
stops running that script and displays a yellow exclamation icon in the status bar, as
shown in the following screenshot. It then proceeds to execute the next script on the
page, and the process repeats.
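
The following added example shows the Script Hooking mechanism in miniature; it is not Symantec’s engine and the checks are not the product’s. A hook sits in front of a scriptable object’s method, inspects the parameters, relays benign calls and otherwise returns an error code to the caller without the real method ever running, and the caller’s later scripts still execute. The control, its method, the three parameter checks and the thresholds are constructed for illustration; the only real values are the COM result codes S_OK and E_INVALIDARG.

```python
"""Script Hooking in miniature: intercept a scriptable object's method,
inspect the parameters, and fail the call instead of forwarding it.

Added example, not Symantec's engine. The control, its method, the checks
and the thresholds are constructed; S_OK and E_INVALIDARG are real HRESULTs.
"""
import re

S_OK = 0x00000000
E_INVALIDARG = 0x80070057   # what a script sees when the hook rejects a call


class LegacyViewerControl:
    """Stand-in for an ActiveX control whose method copies its argument into
    a fixed-size buffer, the classic shape of a scriptable-object overflow."""
    BUFFER_SIZE = 260

    def __init__(self):
        self.calls = []     # arguments that actually reached the real method

    def LoadFile(self, path):
        self.calls.append(path)
        return S_OK


_SLED = re.compile(r"(.)\1{63,}", re.DOTALL)     # 64+ repeats of one character


def suspicious_argument(value, max_len):
    """Return a reason string if the argument looks like exploit input, else None."""
    if not isinstance(value, str):
        return "non-string argument"
    if len(value) > max_len:
        return f"length {len(value)} exceeds {max_len}"
    if _SLED.search(value):
        return "repeated-byte sled"
    nonprintable = sum(1 for ch in value if ord(ch) < 0x20 or ord(ch) > 0x7e)
    if value and nonprintable / len(value) > 0.25:
        return "mostly non-printable bytes"
    return None


class ScriptHook:
    """Replace `method_name` on `obj` with a checking wrapper."""

    def __init__(self, obj, method_name, max_len):
        self.blocked = []                  # (method, argument index, reason)
        real = getattr(obj, method_name)

        def hooked(*args):
            for i, arg in enumerate(args):
                reason = suspicious_argument(arg, max_len)
                if reason:
                    self.blocked.append((method_name, i, reason))
                    return E_INVALIDARG    # error to the caller; `real` never runs
            return real(*args)             # relay benign calls unchanged

        setattr(obj, method_name, hooked)


def build_hooked_control():
    """A control with LoadFile hooked, plus the hook for inspecting blocks."""
    ctrl = LegacyViewerControl()
    hook = ScriptHook(ctrl, "LoadFile", LegacyViewerControl.BUFFER_SIZE)
    return ctrl, hook


def run_scripts(ctrl, arguments):
    """Model IE's behaviour: each script runs independently, a failing call
    stops only that script, and the next script on the page still runs."""
    return [ctrl.LoadFile(arg) for arg in arguments]


if __name__ == "__main__":
    ctrl, hook = build_hooked_control()
    print(run_scripts(ctrl, ["C:\\Users\\steven\\report.pdf", "A" * 4096,
                             "\x90" * 200, "C:\\temp\\notes.txt"]))
    print("reached the control:", ctrl.calls)
    print("blocked:", hook.blocked)
```

The value of the approach is visible in `ctrl.calls`: the oversized path and the NOP-sled-shaped string never reach the control, while the two ordinary paths are served, and the browser process is never touched.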

Arbitrary function hooking

Arbitrary Function Hooking is a feature used to detect all other kinds of browser
attack that cannot be detected with Script Hooking. It can intercept any function in
any DLL loaded by Internet Explorer. At the point of interception, the engine checks the
contents of various CPU registers, and if they are found to contain certain predefined
values, an attack is flagged. Because the engine detects the attack by looking for
invalid values in CPU registers, by the time such values are found there is no way to
continue execution of the operation. The only option at that point is to terminate the
browser.

Transaction Security
Transaction Security includes the following core components:
• Web Protection
• Web Authentication
• Crimeware Protection
• Confidential Information Management

Web Protection
This component is responsible for protecting a user from fraudulent Web sites and for
providing positive identification of trustworthy or harmless sites.

Diagram: Internet Browser -> Detection Modules (...) -> Scoring Algorithm

The Web Protection component works in the following manner:

• The sequence begins with the user performing navigation actions in the browser. This
includes default navigation actions such as accessing a home page when the first browser
instance is launched.
• The Web Protection component is notified by the browser of the user’s navigation
actions. It examines the notifications and reacts to the specific ones used in
processing (BeforeNavigate and DocumentComplete).
• These events trigger the Web Protection analyses, which include:

Domain Analysis
• Trusted Brands place their pages on known domains.
• Pages hosted on certain domains (free web hosting domains) are more suspicious.

URL Analysis
• URLs have a defined structure: http://<username>:<password>@hostname/path
• Attackers often misspell the trusted brand name or misuse the fields to mislead
victims:
  o Example: http://www.e-bay.net/index.html (misspelled brand)
  o Example: http://cgi5.ebay.com@xyz.net (the brand name is placed in the
    username/password part of the URL; the host actually contacted is xyz.net)

History Analysis
• If the user browses from a mail client to a URL, it is more likely to be a phishing
site.
• If the user browses from the home page to a URL, it is more likely to be a legitimate
site.

Content Analysis
• All spoof pages have forms that try to steal information from users.
• Attackers try to impersonate Trusted Brands via page elements.
• Specific page content is parsed:
  o Text: Trusted Brand names; requests for personal information, etc.
  o Images: copies of Trusted Brand images such as logos, etc.
  o Links: including links back to a Trusted Brand.
  o Forms: if the page has a form that sends data to
    - a trusted brand, the site is more likely to be legitimate
    - a service like "response-o-matic", the site is more likely to be a spoof site
• JavaScript: spoof pages often try to obfuscate by encoding contents in JavaScript.

Layout Analysis
• Certain popular Trusted Brand form pages are often spoofed:
  o A tri-gram based text classification scheme is applied to the HTML.
  o If the page is similar to a major online banking login page, the site is more
    likely to be a spoof site.
• Spoof sites are often reused.
• Blacklist entries hold cached hashes of pages; these are checked for matches.

Site Analysis
• Ranking by search engines is an indicator.
• Pages with high rankings have longer lifetimes, are more popular, and have more links
than spoof sites.

• A final phase computes a score based on the results of the various detection modules.
The scoring configuration can assign different values depending on whether a detection
routine detected its condition or not. After the scoring algorithm is executed, the
result is interpreted as Trusted, Neutral, Phishing, or Cross-Site Scripting detected:

Analysis Result | Comments
Neutral         | Good and bad detection routines have not found sufficient
                | characteristics to determine a value.
Phishing        | Enough characteristics in the browsing data (request URL, page
                | contents) have been detected that the page strongly resembles
                | examples of known phishing pages.
Trusted         | The page being browsed is provided by a Web server using a
                | known-good domain.
Cross-Site      | Characteristics of the request URL resemble examples of cross-site
Scripting       | scripting attacks.

Note: The Local Configuration Blacklist is stored in the active Web Caller
Identification (WCID) configuration file (nppw.zip).
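
The following added example implements a handful of the detection modules from the analysis table and the scoring step that follows them; it is not the product’s detection code or its scoring configuration. It covers the two URL Analysis heuristics (a brand name hidden in the userinfo part of the URL, look-alike spellings of a brand on a domain the brand does not own), one Domain Analysis heuristic (free web hosting domains), the known-good-domain check behind the Trusted result, and a URL check for cross-site scripting characteristics, and it scores them the way the text describes, with one value when a module fires and another when it does not. The brand list, hosting list, weights and threshold are constructed (a deployment would load them from configuration; the page names the WCID file for the blacklist), and the registered-domain helper is a simplification that takes the last two labels rather than using a public-suffix list.

```python
"""Detection modules and scoring in the style of the Web Protection flow above.

Added example, not the product's detection code or scoring configuration.
Brand list, hosting list, weights and threshold are constructed.
"""
import difflib
from urllib.parse import urlsplit, unquote

TRUSTED_BRANDS = {"ebay": {"ebay.com"}, "paypal": {"paypal.com"}}   # constructed
FREE_HOSTING = {"geocities.com", "tripod.com", "freewebs.com"}       # constructed


def registered_domain(host: str) -> str:
    """Simplified: last two labels, no public-suffix list."""
    return ".".join((host or "").lower().split(".")[-2:])


def module_userinfo_abuse(url: str) -> bool:
    """http://cgi5.ebay.com@xyz.net: everything before '@' is userinfo and the
    host really contacted is xyz.net. Fire when a brand name sits in that part."""
    p = urlsplit(url)
    userinfo = ((p.username or "") + (p.password or "")).lower()
    return any(brand in userinfo for brand in TRUSTED_BRANDS)


def module_brand_lookalike(url: str) -> bool:
    """A host label that is, or nearly is, a brand name, on a domain the brand
    does not own (www.e-bay.net)."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    for brand, domains in TRUSTED_BRANDS.items():
        if reg in domains:
            continue                      # the brand's own site
        for label in host.split("."):
            norm = label.replace("-", "")
            if norm == brand or difflib.SequenceMatcher(None, norm, brand).ratio() >= 0.8:
                return True
    return False


def module_free_hosting(url: str) -> bool:
    return registered_domain(urlsplit(url).hostname) in FREE_HOSTING


def module_known_good_domain(url: str) -> bool:
    reg = registered_domain(urlsplit(url).hostname)
    return any(reg in domains for domains in TRUSTED_BRANDS.values())


def module_xss_in_url(url: str) -> bool:
    """Request-URL characteristics of a reflected cross-site scripting attempt."""
    p = urlsplit(url)
    decoded = unquote(p.query + p.fragment).lower()
    return any(m in decoded for m in ("<script", "javascript:", "onerror=", "onload="))


MODULES = {
    "userinfo_abuse": module_userinfo_abuse,
    "brand_lookalike": module_brand_lookalike,
    "free_hosting": module_free_hosting,
    "known_good_domain": module_known_good_domain,
}
# module -> (points when its condition is detected, points when it is not)
SCORING = {
    "userinfo_abuse": (60, 0),
    "brand_lookalike": (50, 0),
    "free_hosting": (20, 0),
    "known_good_domain": (-100, 0),
}
PHISHING_THRESHOLD = 50


def classify(url: str) -> tuple:
    """Return (result, per-module hits); result is one of
    Trusted / Neutral / Phishing / Cross-Site Scripting."""
    if module_xss_in_url(url):
        return "Cross-Site Scripting", {"xss_in_url": True}
    hits = {name: fn(url) for name, fn in MODULES.items()}
    score = sum(SCORING[n][0] if hit else SCORING[n][1] for n, hit in hits.items())
    if hits["known_good_domain"] and score < 0:
        return "Trusted", hits
    if score >= PHISHING_THRESHOLD:
        return "Phishing", hits
    return "Neutral", hits


if __name__ == "__main__":
    for u in ("http://www.ebay.com/", "http://www.e-bay.net/index.html",
              "http://cgi5.ebay.com@xyz.net", "http://example.org/",
              "http://news.example.org/search?q=%3Cscript%3Ealert(1)%3C/script%3E"):
        print(u, "->", classify(u)[0])
```

The two URL examples from the table land in Phishing for different reasons (userinfo abuse versus a look-alike label), the brand’s own domain lands in Trusted because the known-good module carries a large negative weight, and a page with no signals stays Neutral. The thresholds are deliberately crude; the point is the structure, modules that each answer one question and a scoring step that interprets them together.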

Web Authentication
This component has a single feature goal: to assure users that they are connected to
legitimate websites. The Web Authentication component checks the integrity of the
connection to the web server and identifies malicious conditions. The general approach
involves three kinds of protection check, listed below. The short names correspond to
the three check columns of the Web Fraud status table in the next section.

Protection check type: TLS/SSL Verification (HTTPS page check)
If the user browses a trusted brand’s web page that uses HTTPS, the Web Authentication
component will:
  a. Verify the integrity of the HTTPS X.509 certificate (consistency check and
     trusted CA check).
  b. Verify that the HTTPS X.509 certificate properties match reference data collected
     externally for the trusted brand.
  c. Wait until the page data is obtained, then check for HTTPS URL attributes that
     reference domains not trusted by the current page’s domain; warn if detected.
  d. Wait until the page data is obtained, then check for HTTPS/HTTP (TLS/SSL)
     mixed-mode content; warn if detected.

Protection check type: Unprotected Login Verification (form POST check)
If the user submits a form using an HTTP POST method to a URL using HTTPS, NCO checks
the HTTPS X.509 certificate as follows:
  a. Verify the integrity of the certificate (consistency check and trusted CA check).
  b. Verify that the certificate properties match reference data collected externally
     for the trusted brand.
If either test fails, the POST is prevented from executing.

Protection check type: Alternate HTTPS Login Presentation
If the user browses a trusted brand login page that does not use HTTPS AND an alternate
HTTPS login page exists, NCO prompts the user to navigate to the alternate HTTPS web
page to log in.
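
The following added example runs the page-data checks of the TLS/SSL verification list (items c and d) and the form-target check over the HTML of a trusted-brand HTTPS page once it has been fully obtained; it is not the Web Authentication component. The reference data (which domains a brand’s pages may reference) and the sample page are constructed; the page says such reference data is collected externally per brand. The certificate checks (items a and b) are not modelled.

```python
"""Page-data checks in the style of Web Authentication items c and d above,
plus the form-target check, over a fully downloaded trusted-brand HTTPS page.

Added example, not the Web Authentication component. Reference data and
the sample page are constructed; certificate checks are not modelled.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed reference data: a trusted brand and the domains its HTTPS pages
# may reference. Subdomains of a listed domain are accepted.
TRUSTED_DOMAINS = {
    "bank.example": {"bank.example", "cdn.bank-assets.example"},
}

# Attributes that make the browser fetch a resource into the page.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
                  "embed": "src", "object": "data"}


def host_trusted(host: str, allowed: set) -> bool:
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


class PageRefs(HTMLParser):
    """Collect absolute resource URLs and form targets from the page data."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base, self.resources, self.forms = base_url, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form without an action posts back to the page itself.
            self.forms.append(urljoin(self.base, a.get("action") or self.base))
        elif tag in RESOURCE_ATTRS and a.get(RESOURCE_ATTRS[tag]):
            self.resources.append(urljoin(self.base, a[RESOURCE_ATTRS[tag]]))


def brand_for(host: str):
    for brand, allowed in TRUSTED_DOMAINS.items():
        if host_trusted(host, allowed):
            return brand, allowed
    return None, set()


def check_page(page_url: str, html: str) -> list:
    """Return (kind, url) warnings for a trusted-brand HTTPS page.
    mixed-mode:        HTTP resource on an HTTPS page (item d).
    untrusted-domain:  HTTPS resource from a domain the brand does not trust (item c).
    unprotected-post:  form target is not HTTPS, so the POST would be stopped.
    post-to-untrusted: HTTPS form target outside the brand's domains."""
    page = urlsplit(page_url)
    brand, allowed = brand_for(page.hostname)
    if brand is None or page.scheme != "https":
        return []                       # not a trusted-brand HTTPS page: nothing to check
    refs = PageRefs(page_url)
    refs.feed(html)
    warnings = []
    for url in refs.resources:
        u = urlsplit(url)
        if u.scheme == "http":
            warnings.append(("mixed-mode", url))
        elif u.scheme == "https" and not host_trusted(u.hostname, allowed):
            warnings.append(("untrusted-domain", url))
    for url in refs.forms:
        u = urlsplit(url)
        if u.scheme != "https":
            warnings.append(("unprotected-post", url))
        elif not host_trusted(u.hostname, allowed):
            warnings.append(("post-to-untrusted", url))
    return warnings


# Constructed sample page for https://www.bank.example/login
SAMPLE_URL = "https://www.bank.example/login"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.bank-assets.example/site.css">
<script src="/js/app.js"></script>
<script src="https://analytics.tracker.example/t.js"></script>
</head><body>
<img src="http://www.bank.example/images/logo.gif">
<form action="/auth" method="post"><input name="user"><input name="pass"></form>
<form action="http://search.bank.example/q" method="post"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, url in check_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind}: {url}")
```

Two things to keep in mind when using a check like this: it has to run after the document is complete (the text’s "wait until page data is obtained", i.e. on DocumentComplete rather than BeforeNavigate), and a static parse does not see resources that script inserts later, so it complements rather than replaces a check at the network layer.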

End User Effect of Web Authentication


When Web Authentication is active, it affects the end user’s browsing experience. The
following table describes how Web Authentication contributes to the overall NCO Web
Fraud status. For each status it lists the applicable web page types and whether each of
the three Web Authentication checks (TLS/SSL Verification, Alternate HTTPS Login,
Unprotected Login Verification) can generate that status.

Web Fraud Status*: Known Good
  Applicable web page types:
    - Trusted brand pages that are HTTPS.
    - Trusted brand pages that are unprotected logins without an HTTPS alternate.
  Generated by: TLS/SSL Verif. Yes | Alt. HTTPS Login No | Unprot. Login Verif. Yes
  Comments: Web Protection alone does not generate a "Known Good" result; only Web
  Authentication can.

Web Fraud Status*: Good
  Applicable web page types:
    - Trusted brand pages that are non-HTTPS.
    - Trusted brand pages that are not login pages.
    - Non trusted-brand pages.
  Generated by: TLS/SSL Verif. No | Alt. HTTPS Login No | Unprot. Login Verif. No
  Comments: This Web Fraud status is produced by Web Protection only.

Web Fraud Status*: Suspicious
  Applicable web page types:
    - Trusted brand pages that are HTTPS.
    - Trusted brand pages that are unprotected logins with an HTTPS alternate.
  Generated by: TLS/SSL Verif. Yes (+) | Alt. HTTPS Login Yes (++) | Unprot. Login Verif. No
  Comments: (+) Mixed-mode HTTPS/HTTP security is interpreted as "not safe".
  (++) The NCO UI also guides the user to select the alternate HTTPS URL.

Web Fraud Status*: Bad
  Applicable web page types:
    - Trusted brand pages that are HTTPS.
    - Trusted brand pages that are unprotected logins without an HTTPS alternate.
  Generated by: TLS/SSL Verif. Yes | Alt. HTTPS Login No | Unprot. Login Verif. Yes
  Comments: Web Authentication flags URLs as "Bad" on certificate property issues, and
  for unprotected web login pages that do not match what we expect them to look like.

Web Fraud Status*: Analyzing
  Applicable web page types: any web page applicable to the Web Fraud status values
  above.
  Generated by: TLS/SSL Verif. Yes | Alt. HTTPS Login Yes | Unprot. Login Verif. Yes
  Comments: Whenever Web Authentication detects the entry condition that triggers the
  start of its analysis, the state is reported as "Analyzing". When the analysis actions
  are complete, the final state is determined and "Analyzing" no longer applies.

Web Fraud Status*: Idle
  Applicable web page types: any page that is not using a Trusted brand domain.
  Generated by: TLS/SSL Verif. - | Alt. HTTPS Login - | Unprot. Login Verif. -
  Comments: Web Authentication is not active when the user is browsing web pages not
  related to trusted brands. If the browser is used to view non-HTML content, including
  when it is used to navigate the local file system, Web Authentication sets its state
  to "Idle", since it is not actively analyzing browser document data.

* Web Fraud status is a combined interpretation of the "Web Authentication" and "Web
Protection" analyses. This table describes the Web Authentication contribution to the
Web Fraud status.

The following table describes how the Web Fraud status affects the overall NCO
application for the end user (CIM = Confidential Information Management):

Web Fraud Status | Browser navigation                  | UI Notification                        | CIM operation
Known Good       | Permit navigation                   | "green" indicator; "trusted" alert     | Permit full CIM usage
                 |                                     | with brand name/logo presentation      |
Good             | Permit navigation                   | "green" indicator                      | Permit full CIM usage
Neutral          | Permit navigation                   | "green" indicator with text saying the | Permit full CIM usage
                 |                                     | site has been scanned and nothing bad  |
                 |                                     | found                                  |
Suspicious       | Obscure navigation result; prompt   | "yellow" indicator                     | Warn on CIM usage of
                 | user for confirmation to display    |                                        | sensitive data
Bad              | Block original navigation; prompt   | Modal error dialog; "red" indicator    | Disallow CIM
                 | to go to "safe page"                |                                        |

CrimeWare Protection
The CrimeWare Protection component includes the following functional elements:

• Browser Interface: The Browser Interface is responsible for monitoring the current
transaction status and performing scans. It resides in a Browser Helper Object that is
shared with other Norton Internet Security components.

• Definitions-based Scanner: This scanner scans for and remediates problems using the
ccEraser engine. Typically, definitions-based scans are invoked by the Browser Interface
at the start of a transaction.

• Behavioral (heuristics-based) Protection: When a web page starts to download, NCO does
not have enough information about its transactional nature until the complete HTML
document has downloaded; the browser, however, lets the user interact with the page as
soon as elements are rendered. This leaves a window in which an attack is possible. To
cover it, the Behavior Blocking engine is turned on until the transaction check can be
made. If the page is transactional, blocking continues; if not, behavior blocking is
stopped. This version of Behavioral (heuristics-based) Protection will address:
  o API based key loggers and screen capture
  o Hook based key loggers and screen capture (SetWindowsHookEx, CBT hooks, etc.)
This functional element will not address the following in the first release:
  o Kernel based key loggers
  o Proxy/Firewall based detection
  o Key logger installation detection/prevention
  o Malicious Layered Service Providers (LSPs)
  o URL Based Hooks
  o Other types such as clipboard logging and audio/video recorder based crimeware
  o Identifying unknown BHOs

• On Demand Scan: Through the Transaction Security toolbar, a user may initiate a
crimeware scan. Any definitions-based problems will be remediated. Potential threats found
by heuristics will be reported (but not blocked).

• LiveUpdate Mechanism: Crimeware Protection registers itself for the following types of
update:
  o Whitelist: The whitelist is a list of rules to prevent known good programs from
    being blocked by Crimeware behavioral protection.
  o AV Definitions: Crimeware Protection uses the NAV definitions. NCO ties into Hawking
    definition management. The UI displays the definitions as "Crimeware Protection"
    definitions rather than "AntiVirus" definitions, to avoid user confusion.
  o Product updates: Updates to the Crimeware Protection program files.

Interaction with other Components

The Crimeware Protection component interacts with the following components:

• Web Protection: Crimeware Protection shares a BHO with Web Protection and other NCO
components. This framework also gives Crimeware Protection access to the NCO shared area
of the browser’s toolbar.

• ccEraser: The definitions-based scan uses the ccEraser engine. This requires the Eraser
engine (ccEraser.dll), Eraser definitions (ESRDEFS.BIN), and a ccScan object to define
the scan settings. Eraser definitions are updated along with the AV definitions.

• Behavior Blocking: This includes the following sub-components:

  o NCO Protection: SymProtect protects the NCO program binaries and registry keys,
    including those of the Crimeware Protection feature, from unauthorized modification.
    Only Symantec-signed processes, and those specifically granted authorization through
    the associated SymProtect manifest file, are authorized to modify the Crimeware
    Protection program components.

  o Behavioral Protection: One or more components developed by the Austin Symantec team
    provide behavioral detection and remediation functionality and disable unidentified
    crimeware.

Norton Internet Security 2008 Alerting mechanism
Norton Internet Security 2008 displays events using ccAlert and ccNotify interfaces
provided by Common Client. In order to display events in a consistent manner,
Norton Internet Security 2008 integrates a framework called iAlert, which is provided
by Norton Protection Center.

Type of alerts

Firewall Alerts

Following are the firewall events that trigger an alert to be displayed to the user:

• Events are generated when rules are created for applications attempting to
access network resources
o Events may or may not be malicious based on Trust Processor
analysis, which provides risk and threat ratings.
• Events are generated if system rules have logging enabled
o Norton Internet Security displays as notifications
• Events are generated when IDS blocks an intrusion attempt
o Norton Internet Security displays as notifications
o Malicious event
o Does not require user action

AntiVirus Alerts

• Restore Risk
• Review Risk Details
• Remove From History
• Remove (i.e. if low risk and ignored)
• Run Quick Scan
• Exclude from future scans (for low risk items)
• Review (for manual removal items)
• Submit to Symantec

Type of Alerts

Following are the types of alert generated by Norton Internet Security 2008:

Alerts presented for information purposes

Informational events or alerts are displayed in a pop-up window that times out, i.e. a
notification. iAlert displays these pop-up dialogs using a new style of alert with
rounded corners and a fade-in/fade-out effect.

Following is an example of this type of alert:

Alerts with information and an option to interact

Events that do not require immediate user action are displayed as notifications.
Additional controls are included in the notification that allow the user to perform
further actions on the event. Typically, this is a hyperlink that launches Security
History with the appropriate message displayed in an advanced detail view.

Following is an example of this type of alert:

Alerts that require interaction from the user

Events that require immediate user action are presented in modal dialogs, i.e. an alert.
Most alerts provide a recommended action. The user must select an action for the alert
to be closed.

Following is an example of this type of alert:

Important components of Alerting

Following are the important components of Alerting:

Firewall Alerts:

• fwAlert.dll
• PgmCtrl.dll
• ISDataCl.dll
• fwMCPlug.dll
• NISOptUI.dll
• NISLuCbk.dll
• ISPrdCtl.dll

AntiVirus Alerts:

• AVPApp32.dll
• avScanUI.dll

Licensing / LiveUpdate Alerts:

• ISLAlert.dll
• DefAlert.dll

Security Inspector Alerts:

• VAUI.dll
• VAUIOpt.dll
