
READ THIS BEFORE POSTING - answers to frequently asked questions


Karl Levinson [x y] mvp
December 5th 03, 07:49 PM
FAQ - READ BEFORE POSTING

Before you post a question to a Microsoft.public.*.security newsgroup, you
should see the following collection of answers to common questions:

http://securityadmin.info/faq.htm

In many cases, you will be able to find the answer to your question
*immediately,* with no waiting, by searching this web page. Searching this
page before posting can also help you reduce the amount of spam in your
email inbox, since posting questions to this newsgroup can sometimes
broadcast your email address.

[Searching www.google.com and www.google.com/advanced_group_search is also
usually helpful in getting you a correct answer quickly.]


Long-time readers of this newsgroup are certainly welcome to post links to
this FAQ when answering questions, so that you might spend less of your time
answering common questions.

Other URLs that might be helpful include:

http://securityadmin.info/faq.htm#password [resetting a forgotten Windows 2000/XP/NT password]
http://securityadmin.info/faq.htm#virus [antivirus and antitrojan programs; how to deal with viruses and trojans]
http://securityadmin.info/faq.htm#attachments [disabling the Outlook feature that blocks unsafe attachments]
http://securityadmin.info/faq.htm#pop-ups [how to block pop-ups including Messenger pop-ups & adware]
http://securityadmin.info/faq.htm#contentadvisor [how to remove the IE Content Advisor password]
http://securityadmin.info/faq.htm#hacked [how to investigate and discover possible hacking / intrusions]
http://securityadmin.info/faq.htm#re-secure [how to re-secure a computer/server that has been hacked]
http://securityadmin.info/faq.htm#harden [how to harden / secure a Windows computer or IIS server]
http://securityadmin.info/faq.htm#startup [inspecting and disabling unwanted programs that launch with Windows]
http://securityadmin.info/faq.htm#firewall [firewall, IDS, IPsec and packet filtering technologies]
http://securityadmin.info/faq.htm#encryption [file and disk encryption software]
http://securityadmin.info/faq.htm#efs [questions regarding EFS encryption, including EFS file recovery]
http://securityadmin.info/faq.htm#spam [spam prevention software and techniques]
http://securityadmin.info/faq.htm#auditing [enabling Windows auditing]
http://securityadmin.info/faq.htm#trace [how to investigate a suspicious IP address]
http://securityadmin.info/faq.htm#reporthacker [how to report a hacking event]
http://securityadmin.info/faq.htm#portscanner [port scanners and vulnerability scanners]
http://securityadmin.info/faq.htm#contentfilter [ways to filter / block / monitor internet browsing of objectionable content]
http://securityadmin.info/faq.htm#ftpfolder [how to delete a hacker's FTP folder that cannot be deleted normally]
http://securityadmin.info/faq.htm#banner [how to change the banner used by various services including IIS web server]
http://securityadmin.info/faq.htm#urlscan [questions and problems with IIS URLScan]
http://securityadmin.info/faq.htm#runas [using RUNAS to launch programs as Administrator with no password, and allow users to change IP address or run defrag]
http://securityadmin.info/faq.htm#moreinfo [resources for further information and tools]
http://securityadmin.info [resources for further information and tools]


Note that this is NOT a full list of all the questions answered in the FAQ.

HTH. Feedback, suggestions and criticism regarding the FAQ are welcome and
may be emailed to me.

kind regards,
Karl Levinson, CISSP, MCSE, MVP
email:

Kerry
December 5th 03, 07:49 PM
"Karl Levinson [x y] mvp" > wrote in message
...
> FAQ - READ BEFORE POSTING
>
> Before you post a question to a Microsoft.public.*.security newsgroup, you
> should see the following collection of answers to common questions:
>
> http://securityadmin.info/faq.htm
>
When I click that link my Norton Personal Firewall icon starts flashing with
a security alert about a nimda_propagation and blocks the page, strange
behaviour from something called securityadmin.

Jason
December 5th 03, 07:49 PM
* Kerry >:
>
> "Karl Levinson [x y] mvp" > wrote in message
> ...
>> FAQ - READ BEFORE POSTING
>>
>> Before you post a question to a Microsoft.public.*.security newsgroup, you
>> should see the following collection of answers to common questions:
>>
>>
> When I click that link my Norton Personal Firewall icon starts flashing with
> a security alert about a nimda_propagation and blocks the page, strange
> behaviour from something called securityadmin.
>
>

Could also be a false positive? I didn't go there so I can't say one way
or another but it wouldn't be the first time that happened.

Jason

jussi jaakonaho
December 5th 03, 07:49 PM
> When I click that link my Norton Personal Firewall icon starts flashing with
> a security alert about a nimda_propagation and blocks the page, strange
> behaviour from something called securityadmin.

Can you check the fingerprint that causes the problem?

_jussi

Bill Sanderson
December 5th 03, 07:49 PM
I can't tell from here what you are seeing. This should be a safe link--I
don't think Karl's site has been hijacked, and he is entirely trustworthy.

It'd be useful if you can dig a bit deeper and see what the issue might
be--I'm sure others using that Norton product must have used this link
before.

"Kerry" > wrote in message
...
>
> "Karl Levinson [x y] mvp" > wrote in message
> ...
> > FAQ - READ BEFORE POSTING
> >
> > Before you post a question to a Microsoft.public.*.security newsgroup, you
> > should see the following collection of answers to common questions:
> >
> > http://securityadmin.info/faq.htm
> >
> When I click that link my Norton Personal Firewall icon starts flashing with
> a security alert about a nimda_propagation and blocks the page, strange
> behaviour from something called securityadmin.
>
>

Karl Levinson [x y] mvp
December 5th 03, 07:49 PM
"Kerry" > wrote in message
...

> > http://securityadmin.info/faq.htm
> >
> When I click that link my Norton Personal Firewall icon starts flashing with
> a security alert about a nimda_propagation and blocks the page, strange
> behaviour from something called securityadmin.

This is a known false alarm that only Norton appears to generate. It's
because a sample log file that shows you what Nimda looks like is contained
in the file. I might be able to change the FAQ file so this doesn't happen,
but haven't yet had time.

Jeff Cochran
December 5th 03, 07:49 PM
On Thu, 1 May 2003 09:34:28 +0100, "Kerry" > wrote:

>
>"Karl Levinson [x y] mvp" > wrote in message
...
>> FAQ - READ BEFORE POSTING
>>
>> Before you post a question to a Microsoft.public.*.security newsgroup, you
>> should see the following collection of answers to common questions:
>>
>> http://securityadmin.info/faq.htm
>>
>When I click that link my Norton Personal Firewall icon starts flashing with
>a security alert about a nimda_propagation and blocks the page, strange
>behaviour from something called securityadmin.

Actually, strange behavior from a product that's supposed to be a
firewall... :)

It's a classic Norton false positive. Really.

Jeff

Alun Jones
December 5th 03, 07:50 PM
In article >,
(Jeff Cochran) wrote:
>On Thu, 1 May 2003 09:34:28 +0100, "Kerry" > wrote:
>>"Karl Levinson [x y] mvp" > wrote in message
...
>>> http://securityadmin.info/faq.htm
>>>
>>When I click that link my Norton Personal Firewall icon starts flashing with
>>a security alert about a nimda_propagation and blocks the page, strange
>>behaviour from something called securityadmin.
>
>Actually, strange behavior from a product that's supposed to be a
>firewall... :)
>
>It's a classic Norton false positive. Really.

To put it in really simple language, if the page has text on it that says
something along the lines of "all infected machines will have a page with
'Drogna Rangdo' on it", then a scanner that looks for that as a sign of
infection will declare the page to be infected.

It's an occasional problem with anything that uses inactive signatures,
rather than active monitoring of activity, to determine what's virus / worm,
and what's not. A half-dozen years ago, I had a similar problem with a
"Trojan scanner" claiming that my software was a Trojan, because it
contained the same sequence of bytes as a worm - this wasn't as professional
an outfit as Norton, mind you, so when I complained to them and asked them
to let their customers know, they didn't bother replying, just released a
new version.

So, now, I take it upon myself to remind people every now and again that
security tools will generally return false positives, and let through false
negatives. Relying on a tool alone is no good security. It is aided by the
agile thought of a human mind to perceive an unusual pattern that hasn't
been anticipated by the programmer of the tool.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | .
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
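
Added illustration, not part of any post in this thread: the false positive described above, next to the false negative the same context-free matching produces. The signature reuses the placeholder 'Drogna Rangdo' from the post; the three HTTP messages, the host name and the assumption that the signature is meant to catch requests are all constructed for this example.

```python
from urllib.parse import unquote_to_bytes

# Placeholder signature taken from the post above; not a real worm indicator.
SIGNATURE = b"Drogna Rangdo"

# Constructed sample: a web page (HTTP response) that documents the pattern.
FAQ_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<pre>Sample log line: GET /Drogna Rangdo 404</pre>"
)
# Constructed sample: a request carrying the pattern, percent-encoded.
ENCODED_REQUEST = (
    b"GET /page?q=Drogna%20Rangdo HTTP/1.0\r\nHost: server.example\r\n\r\n"
)
# Constructed sample: an ordinary request.
BENIGN_REQUEST = b"GET /faq.htm HTTP/1.0\r\nHost: server.example\r\n\r\n"


def naive_match(stream: bytes) -> bool:
    """Context-free scan: flag any stream that contains the raw bytes."""
    return SIGNATURE in stream


def contextual_match(stream: bytes) -> bool:
    """Flag only a request whose decoded target contains the signature."""
    start_line = stream.split(b"\r\n", 1)[0]
    if start_line.startswith(b"HTTP/"):
        return False  # a response: body text is content, not a request
    parts = start_line.split(b" ")
    if len(parts) != 3:
        return False  # not a well-formed request line
    # Normalize the request target before matching.
    target = unquote_to_bytes(parts[1].replace(b"+", b" "))
    return SIGNATURE in target


def compare(stream: bytes) -> tuple:
    """Return (naive verdict, contextual verdict) for one stream."""
    return naive_match(stream), contextual_match(stream)


if __name__ == "__main__":
    samples = [("faq page", FAQ_RESPONSE),
               ("encoded request", ENCODED_REQUEST),
               ("benign request", BENIGN_REQUEST)]
    for name, stream in samples:
        print(name, compare(stream))
```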

Robert Moir
December 5th 03, 07:50 PM
Kerry wrote:
> "Karl Levinson [x y] mvp" > wrote in message
> ...
>> FAQ - READ BEFORE POSTING
>>
>> Before you post a question to a Microsoft.public.*.security
>> newsgroup, you should see the following collection of answers to
>> common questions:
>>
>> http://securityadmin.info/faq.htm
>>
> When I click that link my Norton Personal Firewall icon starts
> flashing with a security alert about a nimda_propagation and blocks
> the page, strange behaviour from something called securityadmin.

Strange but sadly expected behaviour from Norton software I'm afraid. Norton
are the home of false alarms.
