Scott Hanselman

Symantec Client Firewall is Psycho

July 10, '05 Comments [8] Posted in ASP.NET | DasBlog | Bugs

Somehow I got myself into using the Symantec Client Firewall instead of the Windows XP SP2 Firewall.

Today, while doing some local (localhost) debugging, I noticed that when I requested a file called http://localhost/dasblog/themes/elegante/banner.jpg, I was getting back NOTHING. No banner.

Ok, that's weird. So I fired up ieHttpHeaders and saw this (emphasis mine):

GET /DasBlog/themes/elegante/banner.jpg HTTP/1.1
Accept: */*
Accept-Language: en-us,tr;q=0.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 25 Aug 2000 01:00:00 GMT; length=881
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Tablet PC 1.7; .NET CLR 2.0.50215)
Host: localhost
Connection: Keep-Alive

HTTP/1.0 200 OK
Server: Netscape-Enterprise/2.0a
Pragma: No-cache
Date: Fri, 25 Aug 2000 23:00:00 GMT
Last-modified: Fri, 25 Aug 2000 01:00:00 GMT
Accept-Ranges: bytes
Content-length: 881
Content-type: image/gif

Holy crap! Do I have a Trojan? Spyware? I don't have Netscape anything running on my system. Notice the weird date, the weird Content-length for what was supposed to be a 35k file. I was getting all ready to look at who's got what open on what port, I ran Spyware scans with Search&Destroy and Microsoft AntiSpyware...then I thought, maybe it was AdBlock within FireFox. No, that doesn't make sense, I'm in IE. Who else could be messing around...

Damn you Norton! I disabled the Symantec Client Firewall and poof, there was my banner.

GET /DasBlog/themes/elegante/banner.jpg HTTP/1.1
Accept: */*
Accept-Language: en-us,tr;q=0.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 25 Aug 2000 01:00:00 GMT; length=881
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Tablet PC 1.7; .NET CLR 2.0.50215)
Host: localhost
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
X-Powered-By: ASP.NET
Date: Sun, 10 Jul 2005 05:43:40 GMT
Content-Type: image/jpeg
Accept-Ranges: bytes
Last-Modified: Sun, 10 Jul 2005 01:31:50 GMT
ETag: "ae93325ef84c51:8ad"
Content-Length: 36634

Turns out that Symantec Client Firewall has their own brand of ad blocking built in. That's not a bad thing except:

  • They block any graphic requested with the name "banner" anywhere in it - hence the fake HTTP Response.
  • They perform this blocking/sniffing even on requests to your OWN MACHINE (localhost)

Sigh. 7 minutes wasted. Hopefully this tidbit will save you a little time one day.
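
The check done by eye above can be automated. The following is an added example, not code from the original post: it compares a response head against what the known origin server should send and names each header that does not fit. The two response heads are copied from the captures above; `PATH`, `NOW`, `EXT_TYPES` and the function names are assumptions made for the example, and `NOW` is a constructed "current time" close to the genuine capture.

```python
import os
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Response heads copied from the two captures in the post.
BLOCKED = """HTTP/1.0 200 OK
Server: Netscape-Enterprise/2.0a
Pragma: No-cache
Date: Fri, 25 Aug 2000 23:00:00 GMT
Last-modified: Fri, 25 Aug 2000 01:00:00 GMT
Accept-Ranges: bytes
Content-length: 881
Content-type: image/gif"""
GENUINE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
X-Powered-By: ASP.NET
Date: Sun, 10 Jul 2005 05:43:40 GMT
Content-Type: image/jpeg
Accept-Ranges: bytes
Last-Modified: Sun, 10 Jul 2005 01:31:50 GMT
ETag: "ae93325ef84c51:8ad"
Content-Length: 36634"""
PATH = "/DasBlog/themes/elegante/banner.jpg"
NOW = datetime(2005, 7, 10, 5, 44, tzinfo=timezone.utc)  # constructed clock value
EXT_TYPES = {".jpg": "image/jpeg", ".gif": "image/gif", ".png": "image/png"}

def parse_headers(raw):
    """Lower-cased header dict from a response head (status line skipped)."""
    return {k.strip().lower(): v.strip() for k, _, v in
            (line.partition(":") for line in raw.strip().splitlines()[1:])}

def interception_signs(raw, path, server_prefix, now, size=None):
    """Return the names of headers that do not fit the expected origin server."""
    h = parse_headers(raw)
    signs = []
    if not h.get("server", "").startswith(server_prefix):
        signs.append("server")  # banner of a product that is not installed
    want = EXT_TYPES.get(os.path.splitext(path)[1].lower())
    if want and h.get("content-type", "").split(";")[0].strip().lower() != want:
        signs.append("content-type")  # type disagrees with the file extension
    try:
        stale = abs(now - parsedate_to_datetime(h["date"])) > timedelta(days=1)
    except (KeyError, TypeError, ValueError):
        stale = True  # a missing or unparsable Date is itself suspicious
    if stale:
        signs.append("date")
    if size is not None and h.get("content-length") != str(size):
        signs.append("content-length")  # size differs from the file on disk
    return signs
```

Called with the expected server prefix `"Microsoft-IIS"` and the on-disk size 36634, the firewall's canned response trips all four checks and the IIS response trips none.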

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Sunday, July 10, 2005 7:29:58 AM UTC
Hi Scott,

I love how you hate to waste time. "Sigh. 7 minutes wasted.", "Saved 1 minute a day with that shortcut/tool".
Hermann Klinke
Sunday, July 10, 2005 1:39:29 PM UTC
Scott, have you ever used ZoneAlarm (http://www.zonelabs.com), and if so, do you feel that the Symantec firewall is better?
James
Sunday, July 10, 2005 4:09:20 PM UTC
7 minutes? Man, that would have taken me, well - forever...

Speaking of forever - The Rails part of my Ruby on Rails install is hanging on WinXP...and Mort is my smarter brother.

Any clues or ideas of tools that will help my investigation? I tried netstat -n and it says I have a connection established to rubyforge.org but nada...tried for days...
KC
Sunday, July 10, 2005 5:09:39 PM UTC
Scott,

I spent over a week trying to track down why some of our users couldn't see our Ads. We have a steady stream of users that go to our web sites just to look at our specials:

http://www.haggen.com/
http://www.top-foods.com/

Most of our users are not very sophisticated and have no idea why our ad buttons aren't showing up. Turned out to be that they had installed the same product on their systems.

-Andrew
Andrew Robinson
Sunday, July 10, 2005 7:28:56 PM UTC
Firefox, not FireFox
Can Use
Monday, July 11, 2005 10:21:25 AM UTC
I've found the Symantec Security Client to be a difficult product to get working correctly. It is very powerful but you need to have a fairly good knowledge of how it works before it becomes a useful tool. I use Kerio or Sygate myself.
Monday, July 11, 2005 3:54:07 PM UTC
Speaking of the Windows XP firewall. Does anyone else find it odd that you can't set rules to block outbound traffic? For instance, to a specific domain, IP, or port? True, there's other mechanisms elsewhere in windows in the crazy IP stack elsewhere, but really, why not on a component labeled "FIREWALL". Sigh. I was all set to be able to add/remove domains/IPs for PORN/GAMBLING/OTHER CATEGORY via a WMI script or Group Policy. System administration headache removed.
Monday, July 11, 2005 6:17:43 PM UTC
I use Kerio Personal Firewall. They've got an insanely feature-rich version available for free. It too does banner blocking, etc. (Maybe the free version doesn't....)

The big key: I don't know which version does it or not, as I disabled it. That kind of functionality is something you should be able to turn on/off.

Frankly, Kerio's firewall is definitely good enough to make it onto your list of killer apps...

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.