Norton Internet Security 2008 Level 2 Training Manual
Personal Firewall enhancements
The personal firewall in Norton Internet Security 2008 uses the COH or SONAR functionality to scan applications that connect to the Internet. If no ALE exists for an application, or the application is not recognized by Program Control, SONAR is invoked to perform a heuristic scan of the application and determine whether it is malicious. If SONAR determines that the application is malicious and, in "Ask me what to do" mode, the user consents when the alert is displayed, NavW32.exe is invoked to remove the application.
TP (Trust Processor) – the Personal Firewall uses the Trust Processor component to compute the overall action to take after scanning a file.
fwPlugin.dll – an fwAgent plug-in for Norton Internet Security. This plug-in gives fwAgent the interfaces required for configuration and alerting.
Home Networking
The Home Networking component depends on Common Client 7.0, SymHTML 2.0, and SymNetDrv 8.0.
The Home Networking component requires SND (Symantec Network Drivers) to support
• ARP Discovery
• Neighbor Discovery in IPv6
Symantec Network Drivers deliver discovery results to the Home Networking component as (IP address, MAC address) pairs.
Symantec Network Drivers do not support LLTD because of its complexity. The Home Networking component instead uses Microsoft Function Discovery to obtain information about LLTD, UPnP, and other discoverable devices detected by Windows Vista. Function Discovery is not supported on Windows XP.
Definition
Local host having a public IP
[Figure: local host at 140.114.29.188/255.255.255.0 connected to a router at 140.114.29.254/255.255.255.0 (the router could also be a DSL modem/router or a cable modem/router)]
Possible Actions
Restrict network
Comments
In this case users are not given the ability to trust the whole Internet; to do that they need to go through the existing NIS Options UI.
Definition
Local host having a private IP that is part of the ISP's NAT
Possible Actions
Trust/Restrict network
Comments
Users are given the ability to trust the whole NAT if it is in a private IP range, because it is separated from the public network (the Internet).
Definition
Local host having a private IP that is part of the user's own NAT
Possible Actions
Trust/Restrict network
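The decision behind the three Definition / Possible Actions entries above, written out as an added example (this is not code from the manual or from Symantec). It classifies the local host's own address and then sorts ARP-discovered (IP address, MAC address) pairs into on-link devices, which can be trusted or restricted by MAC or by IP, and off-subnet devices, which cannot be identified by MAC. Two things are assumptions of the example rather than statements of the manual: RFC 6598 shared address space (100.64.0.0/10) stands for "part of the ISP's NAT" and other private ranges for "own NAT", and every address and MAC below is constructed.

```python
# Added example; not code from the NIS 2008 manual or from Symantec.
# Assumptions: 100.64.0.0/10 (RFC 6598) is taken to mean "ISP NAT" and
# other private ranges "own NAT"; all addresses and MACs are constructed.
import ipaddress
import re

ISP_NAT_SPACE = ipaddress.ip_network("100.64.0.0/10")   # assumption, see above
TRUST_OR_RESTRICT = ("Trust network", "Restrict network")
RESTRICT_ONLY = ("Restrict network",)


def normalize_mac(mac):
    """Accept 00:1A:70:AA:BB:CC, 00-1a-70-aa-bb-cc or 001a70aabbcc; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_local_host(addr_with_mask):
    """Return (definition, possible_actions) for the local host's address.
    Accepts '192.168.1.150/24' as well as '140.114.29.188/255.255.255.0'."""
    ip = ipaddress.ip_interface(addr_with_mask).ip
    if ip in ISP_NAT_SPACE:
        return "private IP, part of ISP's NAT", TRUST_OR_RESTRICT
    if ip.is_private:
        return "private IP, part of own NAT", TRUST_OR_RESTRICT
    # A public address is not separated from the Internet, so "trust the
    # network" would mean trusting the whole Internet: only Restrict is offered.
    return "public IP", RESTRICT_ONLY


def classify_devices(local_addr_with_mask, discovered):
    """discovered: (ip, mac) pairs as ARP discovery delivers them.
    ARP only resolves addresses on the local link, so a pair whose IP lies
    outside the local subnet cannot have been learned by ARP; its MAC is
    typically a router's and must not be used to identify the device."""
    net = ipaddress.ip_interface(local_addr_with_mask).network
    mac_owner = {}
    devices = []
    for ip_text, mac in discovered:
        ip = ipaddress.ip_address(ip_text)
        mac_norm = normalize_mac(mac)
        on_link = ip in net
        entry = {
            "ip": str(ip),
            "mac": mac_norm,
            "on_link": on_link,
            "identify_by": ("MAC address", "IP address") if on_link else ("IP address",),
            "warnings": [],
        }
        if mac_norm in mac_owner:
            entry["warnings"].append(
                f"MAC already seen for {mac_owner[mac_norm]}: gateway, proxy ARP or spoofing")
        mac_owner.setdefault(mac_norm, str(ip))
        devices.append(entry)
    return devices


if __name__ == "__main__":
    for addr in ("140.114.29.188/255.255.255.0", "192.168.1.150/24", "100.64.3.7/22"):
        print(addr, "->", classify_local_host(addr))
    # Constructed discovery result: router, printer, and a host behind a second
    # router (as a non-ARP source such as Function Discovery might report it).
    for d in classify_devices("192.168.1.150/255.255.255.0", [
            ("192.168.1.1", "00-1A-70-AA-BB-CC"),
            ("192.168.1.3", "00:11:22:33:44:55"),
            ("192.168.0.102", "00:1a:70:aa:bb:cc")]):
        print(d)
```

The off-subnet entry in the sample carries the same MAC as the router, which is exactly what a host behind a second router looks like from this side; trusting it "by MAC address" would trust the router and everything behind it, so the example only offers the IP address for such devices.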
Local Connections
Linear Topology
Definition
All devices are in the same subnet
[Figure: all devices on 192.168.1.0/255.255.255.0. Linksys SRX400 wireless router (wireless in AP mode) at 192.168.1.1; local host at 192.168.1.100; HP iPAQ at 192.168.1.150; Steven's Laptop, Emily's iMAC and a network printer (192.168.1.3); the other addresses in the figure are 192.168.1.101, 192.168.1.102 and 192.168.1.151]
Possible Actions
• Local host trust/restrict a device on the LAN (by MAC address or IP address)
• Categorize devices
Comments
Automatic wireless security setup may not be feasible for the user because it might break the working connection of devices that cannot be controlled (e.g. the HP iPAQ's wireless connection).
Tree Topology
Definition
The local subnet is organized as a tree topology and the local host is connected to a router that has only upstream routing
[Figure: local host at 192.168.1.150/255.255.255.0 behind a Linksys SRX400 wireless router (wireless in router mode), which sits behind a D-Link DI-605 broadband router; Steven's Desktop at 192.168.0.102/255.255.255.0 on the D-Link side]
Possible Actions
• Local host trust/restrict a device on the LAN (by MAC address or IP address)
• Categorize devices
Comments
This is a typical scenario in which Steven's Desktop's file/printer share is not accessible from the local host. It can be solved by either of the following:
Tree Topology
Definition
The local subnet is organized as a tree topology and the local host is connected to a router that has both upstream and downstream routing
[Figure: Steven's Laptop at 192.168.1.150/255.255.255.0 behind a Linksys SRX400 wireless router (wireless in router mode), which sits behind a D-Link DI-605 broadband router; local host at 192.168.0.102/255.255.255.0 on the D-Link side; router addresses shown in the figure are 192.168.1.1, 192.168.0.101 and 192.168.0.1]
Possible Actions
• Local host trust/restrict a device on the LAN (by MAC address or IP address)
• Categorize devices
Comments
This is a typical scenario in which Steven's Laptop's file/printer share is not accessible from the local host. It can be solved by either of the following:
Home Networking – communication port
Rule 1:
• Block
• Inbound/Outbound
• TCP
• [Communication Port] number
• Local subnet scope
Rule 2:
• Allow
• Inbound/Outbound
• TCP
• [Communication Port] number
• Local subnet scope
• Authorized MAC addresses
The [Communication Port] number is the port assigned for Home Networking communication (31077 by default).
Rule 2 is placed above Rule 1 in the system rule list. The result is that traffic to the [Communication Port] from computers in the Authorized List (computers that have joined the virtual network to share Norton status) is allowed, and all other traffic to that port is blocked.
Note that these system rules affect all applications. Another application may bind to the [Communication Port] before Norton Internet Security does; the result is that the other application can only communicate with the MAC addresses in the Gatekeeper List. Products without the Symantec Network Drivers firewall are not configured with these two rules.
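A first-match evaluation of the two system rules, as an added example (not NIS code and not a description of how the NIS rule engine is implemented). It shows why Rule 2 must sit above Rule 1, what falls through to the rest of the rule list, and why the port-based rule hits whatever process owns the port. The rule model is a simplification; the packets, subnet and MAC addresses are constructed.

```python
# Added example; not NIS code. Simplified first-match evaluation of the two
# Home Networking system rules. Packets, subnet and MACs are constructed.
import ipaddress
from dataclasses import dataclass

COMM_PORT = 31077   # default [Communication Port]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "block"
    proto: str                     # "tcp"
    port: int                      # [Communication Port]
    scope: ipaddress.IPv4Network   # "Local subnet scope"
    macs: frozenset = frozenset()  # Rule 2: authorized MACs; empty (Rule 1): any MAC

    def matches(self, pkt):
        # Inbound/Outbound: the communication port may be the local or the remote port.
        if pkt["proto"] != self.proto or self.port not in (pkt["sport"], pkt["dport"]):
            return False
        if ipaddress.ip_address(pkt["remote_ip"]) not in self.scope:
            return False
        return not self.macs or pkt["remote_mac"].lower() in self.macs


def home_networking_rules(local_subnet, authorized_macs, port=COMM_PORT):
    """Build the system rules in list order: Rule 2 above Rule 1, first match wins."""
    scope = ipaddress.ip_network(local_subnet)
    rule2 = Rule("Rule 2", "allow", "tcp", port, scope,
                 frozenset(m.lower() for m in authorized_macs))
    rule1 = Rule("Rule 1", "block", "tcp", port, scope)
    return [rule2, rule1]


def evaluate(rules, pkt):
    """Return (action, rule name) of the first matching rule, or
    ("no match", None) when the packet falls through to later rules."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "no match", None


def packet(remote_ip, remote_mac, dport=COMM_PORT, sport=51000, proto="tcp"):
    """Constructed packet summary, as a firewall would see it."""
    return {"proto": proto, "remote_ip": remote_ip, "remote_mac": remote_mac,
            "sport": sport, "dport": dport}


# Constructed Authorized List: one computer that has joined the virtual network.
RULES = home_networking_rules("192.168.1.0/24", ["00:1a:70:aa:bb:cc"])

if __name__ == "__main__":
    print(evaluate(RULES, packet("192.168.1.101", "00:1A:70:AA:BB:CC")))   # allow, Rule 2
    print(evaluate(RULES, packet("192.168.1.151", "00:11:22:33:44:55")))   # block, Rule 1
    print(evaluate(RULES, packet("10.0.0.5", "00:11:22:33:44:55")))        # outside scope: no match
    print(evaluate(list(reversed(RULES)), packet("192.168.1.101", "00:1a:70:aa:bb:cc")))  # wrong order
```

Two points the run makes concrete: with the order reversed, Rule 1 matches first and the authorized computer is blocked too; and a packet from outside the local subnet matches neither rule, so whether it is blocked depends on the rest of the rule list. Because the match is on the port and not on the owning process, the "another application binds to the port first" case in the text gets the same MAC allow-list.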
Security Inspector
The Browser Settings scan of Security Inspector scans for the following areas of the
browsers:
Internet Explorer:
Scan setting | Recommended setting | Detectable setting
Download unsigned ActiveX controls | Disable | Enable
Run ActiveX controls and plug-ins | Disable | N/A
Initialize and script ActiveX controls not marked as safe | Disable | Enable
Allow scripting of Internet Explorer web browser control | Disable | Enable
Active scripting | Enable | N/A
Scripting of Java applets | Enable | N/A
Script ActiveX controls marked safe for scripting | Enable | N/A
Access data sources across domains | Disable | Enable
Allow programmatic clipboard access | Enable | N/A
Submit non-encrypted form data | Enable | N/A
Font download | Enable | N/A
Userdata persistence | Enable | N/A
Navigate sub-frames across different domains | Disable | N/A
Allow META REFRESH | Enable | N/A
Display mixed content | Prompt | Enable
Installation of desktop items | Prompt | Enable
Drag and drop or copy and paste files | Enable | N/A
File download | Enable | N/A
Launching applications and files in an IFRAME | Prompt | Enable
Launching programs and files in web view | Prompt | Enable
Launching applications and unsafe files | Prompt | Enable
Use Pop-up Blocker | Enable | N/A
Logon | Option 2 | Options 1 and 3
Do not prompt for client certificate selection when no certificates or only one certificate exists | Disable | Enable
Software channel permissions | Medium / High | Low
Script and binary behaviors | Enable | N/A
Run .NET Framework-reliant components signed with Authenticode | Enable | N/A
Run .NET Framework-reliant components not signed with Authenticode | Enable | N/A
Allow scriptlets | Disable / Prompt | Enable
Display video and animation on a webpage that does not use an external media player | Disable | Enable
Allow status bar updates via script | Disable | Enable
Allow websites to open windows without address or status bar | Disable | Enable
Allow websites to prompt for information using scripted windows | Disable | Enable
Run Internet Explorer in Protected Mode | Enable | Disable
The items listed under the Scan setting column are the Security options of Internet Explorer. These options can be accessed by clicking the Custom Level button on the Security tab (Tools > Internet Options).
The items listed under Recommended setting are the default values of the corresponding options.
The values listed under the Detectable setting column trigger an alert in the Security Inspector scan when they are applied to the corresponding option. When Security Inspector detects one of these settings, it offers the user an option to "fix" the finding. Upon fixing, the option is reverted to its default value (the value in the Recommended setting column).
N/A in the Detectable setting column indicates that Security Inspector takes no action irrespective of the value set for the corresponding option.
The following areas are scanned for Firefox and Netscape Communicator.
Browser Vulnerability Protection
How does Browser Vulnerability Protection work?
Script Hooking
• A script (JavaScript or VBScript) interacts with the Document Object Model (DOM) or the Browser Object Model (BOM), e.g. document.write.
When Internet Explorer encounters an error in a script, which is what happens when Browser Vulnerability Protection detects a malicious script, Internet Explorer immediately stops running that script and displays a yellow exclamation mark in the status bar, as shown in the screenshot. It then proceeds to execute the next script on the page, and the process repeats.
Arbitrary function hooking
Arbitrary Function Hooking is a feature used to detect all other kinds of browser attacks that cannot be detected with Script Hooking. It intercepts any arbitrary function in any arbitrary DLL loaded by Internet Explorer. At the point of interception the engine checks the contents of various CPU registers and, if they contain certain predefined values, flags an attack.
Unfortunately, since the engine detects the attack by looking for invalid values in certain CPU registers, once such a value is found there is no way to continue execution of the operation. The only option at that point is to terminate the browser.
Transaction Security
Transaction Security includes the following core components:
Web Protection
Web Authentication
Crimeware Protection
Confidential Information Management
Web Protection
This component is responsible for protecting the user from fraudulent Web sites and for positively identifying trustworthy or harmless sites.
[Figure: Internet -> Browser -> Detection Modules -> Scoring Algorithm]
• The sequence begins with the user performing navigation actions in their browser. This includes default navigation actions such as accessing the home page when the first browser instance is launched.
• The Web Protection component is notified by the browser of the user's navigation actions. It examines the notifications and reacts to the specific ones used in processing (BeforeNavigate and DocumentComplete).
• These events trigger Web Protection analysis, which includes the following:
Analysis | Description
Domain Analysis
• Trusted Brands place their pages on known domains.
• Pages hosted on certain domains (free web hosting domains) are more suspicious.
URL Analysis
• URLs have a defined structure: http://<username>:<password>@hostname/path
• Hackers often misspell the trusted brand name or misuse the fields to mislead victims:
  o Example: http://www.e-bay.net/index.html (misspelled brand name)
  o Example: http://cgi5.ebay.com@xyz.net (the brand name is placed in the username/password field before "@"; the real host is xyz.net)
History Analysis
• If the user browses from a mail client to a URL, it is more likely to be a phishing site.
• If the user browses from the home page to a URL, it is more likely to be a legitimate site.
Content Analysis
• All spoof pages have forms that try to steal information from users.
• Hackers try to impersonate Trusted Brands via page elements.
• Parse specific page content:
  o Text: Trusted Brand names; requests for personal information, etc.
  o Images: copies of Trusted Brand images such as logos.
  o Links: links back to a Trusted Brand.
  o Forms: if the page has a form that sends data to a trusted brand, the site is more likely to be legitimate; if it sends data to a service like "response-o-matic", it is more likely to be a spoof site.
  o JavaScript: spoof pages often obfuscate themselves by encoding their contents in JavaScript.
Layout Analysis
• Certain popular Trusted Brand form pages are often spoofed:
  o A tri-gram based text classification scheme is applied to the HTML.
  o If the page is similar to a major online banking login page, the site is more likely to be a spoof site.
• Spoof sites are often reused:
  o Black list entries carry a cached hash of pages; look for matches.
Site Analysis
• Ranking by search engines is an indicator.
• Pages with high rankings have longer lifetimes, are more popular, and have more links than spoof sites.
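The Domain Analysis and URL Analysis rows of the table, run offline over the two URLs the table itself uses, as an added example (not Symantec code). It catches the credentials-field trick, the misspelled brand in a host or path, and free-hosting domains. TRUSTED_BRANDS and FREE_HOSTING are illustrative stand-ins for the reference data, the eTLD+1 helper is naive, and the final Trusted / Phishing / Neutral rule is a simplification of the scoring algorithm, which the manual does not describe.

```python
# Added example; not Symantec code. Brand and free-hosting lists are
# illustrative; the verdict rule is a simplification of the scoring algorithm.
import re
from urllib.parse import urlsplit

TRUSTED_BRANDS = {"ebay": {"ebay.com"}, "paypal": {"paypal.com"}}
FREE_HOSTING = {"geocities.com", "tripod.com", "angelfire.com"}


def registrable_domain(host):
    # Naive eTLD+1 (last two labels); real use needs a public-suffix list.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url):
    """Return (result, reasons); result is 'Trusted', 'Phishing' or 'Neutral'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()     # hostname is what follows the last '@'
    domain = registrable_domain(host)
    reasons = []

    # Domain analysis: a trusted brand serves its pages from its known domains.
    brands_on_host = {b for b, domains in TRUSTED_BRANDS.items() if domain in domains}

    # URL analysis (1): http://<username>:<password>@hostname - the browser
    # connects to hostname; anything before '@' is just credentials.
    if parts.username is not None or parts.password is not None:
        userinfo = f"{parts.username or ''}:{parts.password or ''}"
        reasons.append(f"credentials field in URL ({userinfo!r}); real host is {host!r}")
        for brand in TRUSTED_BRANDS:
            if brand in userinfo.lower() and brand not in brands_on_host:
                reasons.append(f"brand '{brand}' appears in the credentials field, not in the host")

    # URL analysis (2): brand name, possibly broken up by separators such as
    # "e-bay", inside a host or path that is not the brand's own domain.
    flat_host = re.sub(r"[^a-z0-9]", "", host)
    path = parts.path.lower()
    for brand in TRUSTED_BRANDS:
        if brand in brands_on_host:
            continue
        if brand in flat_host:
            reasons.append(f"brand '{brand}' imitated in host {host!r}")
        elif brand in path:
            reasons.append(f"brand '{brand}' in path of unrelated host {host!r}")

    # Domain analysis: free web hosting is more suspicious.
    if domain in FREE_HOSTING:
        reasons.append(f"hosted on free hosting domain {domain!r}")

    if reasons:
        return "Phishing", reasons
    if brands_on_host:
        return "Trusted", []
    return "Neutral", []


if __name__ == "__main__":
    for u in ("http://www.e-bay.net/index.html",
              "http://cgi5.ebay.com@xyz.net",
              "https://signin.ebay.com/ws/eBayISAPI.dll",
              "http://members.tripod.com/~paypal/login.html",
              "http://example.org/"):
        print(u, "->", analyze_url(u))
```

The important detail in the credentials case is that urlsplit's hostname is taken from after the last "@", which is also what the browser connects to; a check that merely searched the URL string for "ebay.com" would be fooled by the same trick.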
Analysis Result | Comments
Neutral | The good and bad detection routines have not found sufficient characteristics to determine a value.
Phishing | Enough characteristics in the browsing data (request URL, page contents) have been detected that the page strongly resembles examples of known phishing pages.
Trusted | The page being browsed is provided by a Web server using a known-good domain.
Cross-Site Scripting | Characteristics of the request URL resemble examples of cross-site scripting attacks.
Note: The Local Configuration Blacklist is stored in the active Web Caller
Identification (WCID) configuration file (nppw.zip).
Web Authentication
This component has a single feature goal: to assure users that they are connected to legitimate websites. The Web Authentication component checks the integrity of the connection to the web server and identifies malicious conditions.
The general approach for Web Authentication involves three kinds of protection checks, listed below:
Protection Check Type | Description
Verification | If the user browses a trusted brand's web page that uses HTTPS, the Web Authentication component will:
  a. Verify the integrity of the HTTPS X.509 certificate (consistency check and trusted CA check).
  b. Verify that the HTTPS X.509 certificate properties match reference data collected externally for the trusted brand.
  c. Wait until page data is obtained and check for HTTPS URL attributes that reference domains not trusted by the current page's domain; warn if detected.
  d. Wait until page data is obtained and check for HTTPS/HTTP (TLS/SSL) mixed mode; warn if detected.
  If the user submits a form using an HTTP POST method to a URL that uses HTTPS, NCO performs the certificate checks (a) and (b) above; if either fails, the POST method is prevented from executing.
Protection Check Type | Description
Alternate HTTPS login presentation | If the user browses a trusted brand login page that does not use HTTPS AND an alternate HTTPS login page exists, THEN NCO prompts the user to navigate to the alternate HTTPS web page to log in.
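The two page-data checks, (c) HTTPS references to domains the page's domain does not trust and (d) HTTP/HTTPS mixed mode, as an added example (not Symantec code) run over the HTML of a trusted brand's HTTPS page. The per-brand trusted-domain set, the page URL and the HTML are constructed for the example; anchors are skipped as an assumption, since a plain link neither loads content nor submits data; the certificate checks (a) and (b) are not covered.

```python
# Added example; not Symantec code. Trusted-domain sets, page URL and HTML
# are constructed; skipping <a href> is an assumption of this example.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Domains a brand's pages may legitimately reference (stand-in for reference data).
TRUSTED_FOR = {"ebay.com": {"ebay.com", "ebaystatic.com"}}
URL_ATTRS = {"src", "href", "action", "data"}


def registrable_domain(host):
    # Naive eTLD+1 (last two labels); real use needs a public-suffix list.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _RefCollector(HTMLParser):
    """Collect every (tag, attribute, value) that carries a URL."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))


def check_page(page_url, html):
    """Return [(kind, message)] with kind 'mixed-mode' (check d) or
    'untrusted-domain' (check c) for the page data of page_url."""
    page = urlsplit(page_url)
    page_domain = registrable_domain((page.hostname or "").lower())
    allowed = TRUSTED_FOR.get(page_domain, {page_domain})
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.refs:
        if tag == "a" or raw.startswith(("#", "javascript:", "mailto:")):
            continue
        ref = urlsplit(urljoin(page_url, raw))   # resolve relative references
        host = (ref.hostname or "").lower()
        if page.scheme == "https" and ref.scheme == "http":
            # (d) an HTTPS page loading plain-HTTP content, or posting to plain HTTP
            what = "submits to" if tag == "form" else "loads"
            findings.append(("mixed-mode", f"<{tag} {attr}> {what} plain HTTP: {raw}"))
        elif ref.scheme == "https" and registrable_domain(host) not in allowed:
            # (c) HTTPS reference to a domain the page's domain does not trust
            findings.append(("untrusted-domain", f"<{tag} {attr}> references {host}: {raw}"))
    return findings


# Constructed page: a trusted brand's HTTPS sign-in page with three problems.
SAMPLE_PAGE_URL = "https://signin.ebay.com/ws/eBayISAPI.dll"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://ir.ebaystatic.com/css/signin.css">
<script src="http://cdn.example.net/track.js"></script>
</head><body>
<form action="http://www.ebay.com/signin" method="post"><input name="pass"></form>
<img src="https://img.attacker-cdn.example/logo.png">
<a href="https://www.paypal.com/">pay another way</a>
</body></html>"""

if __name__ == "__main__":
    for kind, msg in check_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(kind, "-", msg)
```

The form finding is the one that matters most for a login page: the page itself is HTTPS, but the credentials would be posted over plain HTTP to a host that even belongs to the brand, which is exactly the case the mixed-mode check exists for.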
Web Fraud status | Pages | Yes/No columns (one of the three is headed "Web Authentication processing can generate Web Fraud status?"; the other two headings were not recoverable) | Comments
Suspicious | Non trusted-brand pages; trusted brand pages that are HTTPS (*+); trusted brand pages that are unprotected logins with an HTTPS alternate (++) | Yes / Yes / No | *+ Mixed-mode HTTPS/HTTP security is interpreted as "not safe". ++ The NCO UI also guides the user to select the alternate HTTPS URL.
Bad | Trusted brand pages that are HTTPS; trusted brand pages that are unprotected logins without an HTTPS alternate | Yes / No / Yes | Web auth flags URLs as "bad" when there are certificate property issues and when unprotected web login pages do not match what we expect them to look like.
Analyzing | Any web page applicable for the above Web Fraud status values | Yes / Yes / Yes | Whenever web auth detects the entry condition that triggers the start of its analysis, the state is described as "Analyzing". When the analysis actions are complete, the final state is determined and "Analyzing" no longer applies. Web auth is not active when the user is browsing web pages not related to trusted brands.
The following table describes how the Web Fraud status affects the overall NCO
application for the end user:
CrimeWare Protection
The CrimeWare Protection component includes the following functional elements:
Interaction with other Components
• ccEraser: the definitions-based scan uses the ccEraser engine. This requires the Eraser engine (ccEraser.dll), the Eraser definitions (ESRDEFS.BIN), and a ccScan object that defines the scan settings. Eraser definitions are updated along with the AV definitions.
Norton Internet Security 2008 Alerting mechanism
Norton Internet Security 2008 displays events using the ccAlert and ccNotify interfaces provided by Common Client. To display events in a consistent manner, Norton Internet Security 2008 integrates a framework called iAlert, which is provided by Norton Protection Center.
Type of alerts
Firewall Alerts
The following firewall events trigger an alert to be displayed to the user:
• Events generated when rules are created for applications attempting to access network resources
o These events may or may not be malicious, based on Trust Processor analysis, which provides risk and threat ratings.
• Events generated when system rules have logging enabled
o Norton Internet Security displays these as notifications
• Events generated when IDS blocks an intrusion attempt
o Norton Internet Security displays these as notifications
o Malicious event
o Does not require user action
AntiVirus Alerts
Actions offered from AntiVirus alerts:
• Restore Risk
• Review Risk Details
• Remove From History
• Remove (i.e. if low risk and ignored)
• Run Quick Scan
• Exclude from future scans (for low risk items)
• Review (for manual removal items)
• Submit to Symantec
Type of Alerts
The following types of alerts are generated by Norton Internet Security 2008:
Informational events or alerts are displayed in a pop-up window that times out, i.e. a notification. iAlert displays pop-up dialogs using a new style of alert with rounded corners and a fade-in/fade-out effect.
Events that do not require immediate user action are displayed as notifications. Additional controls included in the notification allow the user to perform further actions on the event. Typically this is a hyperlink that launches Security History with the appropriate message displayed in an advanced detail view.
Alerts that require interaction from the user
Events that require immediate user action are presented in modal dialogs, i.e. an alert. Most alerts provide a recommended action. The user must select an action for the alert to be closed.
Important components of Alerting
Firewall Alerts:
• fwAlert.dll
• PgmCtrl.dll
• ISDataCl.dll
• fwMCPlug.dll
• NISOptUI.dll
• NISLuCbk.dll
• ISPrdCtl.dll
AntiVirus Alerts:
• AVPApp32.dll
• avScanUI.dll
• ISLAlert.dll
• DefAlert.dll
• VAUI.dll
• VAUIOpt.dll