Tuesday 2 December 2003

Norton Internet Security: High Risk to Sanity

I'm using a shared computer at my parents' house at present (I live with them because it's very expensive to rent or buy around here, buying anything would cost about five times my salary) - it's the only one connected to the 'net (no in-house network).

My Dad (who has worked for ICL since graduating in 1970) has installed Norton Internet Security on this box. Tonight, it's decided to do its periodic trick of continually popping up 'High Risk - A Remote Computer is Trying to Access Your Computer' boxes.

Now, someone probably has a port scanner set up - possibly even a group of compromised computers, since all the requests are coming from different IP addresses. But NIS is telling me that they're trying to access TCP port 3794. There's nothing listening on this port (according to netstat), so setting aside any possible TCP stack problems that can be exploited with the first packet sent, this cannot do any harm (and NIS probably isn't low enough in the stack to catch an attack on the TCP stack anyway).

For information, port 3794 is assigned to a service called JAUS Robots, according to IANA's Port Assignments table (although JAUS think they have port 3792 reserved).

Normally I run as a non-administrative user, which doesn't give the option to select, but since my Dad, who's in the Administrators group, is also logged in (we use Fast User Switching), NIS is popping the messages. 'Always use this action' seems not to have any effect (maybe it's related to the remote end-point, not the local one?)

Norton Internet Security seems to me to be more trouble than it's worth. Stick to XP's built-in firewall.

No comments: