A Digital Age Deserves A Digital Leader

Symantec strikes again

Symantec strikes again

Postby Absolute-Zero » Fri Mar 10, 2006 10:31 am

Yesterday morning I got a worried call from one of our clients that none of their machines could send email.

"They were working perfectly fine yesterday", they said, "but this morning we keep getting an error message from Norton Antivirus saying that the connection has been interrupted."

Checking things out on the server revealed that it was running just fine and that the, so-called, interrupted session were still open, at least as far as our server was concerned. Getting the client to do a netstat check for connections on port 25 revealed that the connection their end was closed.

A bit of digging around later and, lo and behold, another client phones up having the same problem.

"Do you know if your version has been updated recently?" I ask.

"I think it updated first thing this morning, why?" They reply.

Hmmm.... Fishy!

A few more investigations revealed that if messages were sent in plaintext the were fine, HTML or Richtext failed, with the client terminating the connection before Norton had finished processing the message, hence the "Connection Interrupted" error.

It appears that an old chestnut of the mail-client software handing the mail over to Norton to scan and believing that mail had been succesfully delivered, thus, terminating the outgoing connection to the server before Norton had completed processing had reared it's head again.

A telephone call to Symantec confirmed that there had been an update to the AntiSpyware Edition of Norton Internet Security that was causing this problem and they would be issuing a patch "within the next 24 hours".

Suprisingly, I could find no reference to this problem on the Symantec Website. In the meantime, I've had to set-up a custom tunnel on our Firewall so clients using said version of Norton can alter their SMTP port and bypass the NAV Outgoing Email Scanning proxy and start sending mail again.

Makes me wonder how many thousands of other people out there are suffering from this self-same problem.
Last edited by Absolute-Zero on Fri Mar 10, 2006 10:39 am, edited 1 time in total.
PROfessional Member
User avatar
Posts: 2495
Joined: Sat Jun 26, 2004 2:46 pm
Location: Forever blowing bubbles...
Real Name: Dan

Postby Mac33 » Fri Mar 10, 2006 10:38 am

That's typical Dan and quite unbelievable, and to round it off by saying a patch will be available within 24 hours, just rubs salt in the wound. I take it businesses will just have to twiddle their thumbs for this period of time until this update is available. :no
PROfessional Member
User avatar
Posts: 4910
Joined: Tue Mar 12, 2002 4:55 pm
Location: Scotland

Postby meromero » Tue Mar 28, 2006 9:53 am

can u explain more
PRO New Member
Posts: 4
Joined: Wed Mar 22, 2006 11:41 am
Location: Egypt

Postby Absolute-Zero » Tue Mar 28, 2006 10:10 am

meromero wrote:can u explain more


When Norton AV Scans your outgoing mail, it simply intercepts all communications on your machine using TCP Port 25, the default Port for SMTP, the protocol that email uses.

When your email client (Outlook Express, for example) attempts to connect to your outgoing mailserver, Norton intercepts the message and scans it before sending it out itself. It passes a 'delivery successful' message to your mail client and opens the connection to the outgoing mailserver itself.

What was happening here was that Norton's SMTP Proxy itself was closing the outgoing connection before it had finished scanning the mail. This caused the Anti-Virus package to report that the connection to the SMTP server had been interrupted and prompted the user to re-send the message by going into Sent Items, selecting the message that had failed and clicking on re-send this message in the actions menu.

They way to get round this was either to send the message as plaintext, rather than HTML or RichText, or use a different TCP port to connect to the outgoing mailserver.

Norton's email scanning proxy isn't clever enough to realise that you're sending mail over a different port, it simply 'listens' for connections over TCP Port 25. If you alter the port number for outgoing messages from within you account settings, you can by-pass the outgoing mail scanner completely.

However, the owner of the mailserver you are using to send you mail needs to make a port other than 25 available for you to connect to, otherwise your messages will simply fail as your email client application won't be able to connect to the server.
PROfessional Member
User avatar
Posts: 2495
Joined: Sat Jun 26, 2004 2:46 pm
Location: Forever blowing bubbles...
Real Name: Dan

Postby Computerwiz2489 » Wed Mar 29, 2006 1:32 am

How much are they paying programmers again? That is just stupid listening just for one port. As if a more knowledgale user couldn't just switch ports.
PRO Level 15
Posts: 1043
Joined: Sat Oct 18, 2003 7:40 am
Location: Pro Networks forum board

Postby kd1966 » Wed Mar 29, 2006 2:28 am

I just met with a customer today that had a similar problem; she is a pretty savvy computer user, but the more technical aspects kind of internet security.................. anyhow, she could receive email but could not send; she was using NIS 2005 (And still is until June of this year) I told her of this "issue" with Norton and that she could turn off the email scanning if it became a problem again (It was a problem last weekend, but now appears to be working)
I take great issue with Symantec on their completely ridiculous "technical support" for software issues such as "Live Update" errors................ Seen a few of them recently and the Symantec site says to "Run the update again" or "Reinstall component"............ in many more words than I just described. Ok, first off................. if a component in Live Update gets an error, it ain't gonna work the next time either..............DUH!!! and second, many of the components that fail Live Update DON'T HAVE AN ASSOCIATED UNINSTALL/REINSTALL OPTION!! My personal experience is that the ENTIRE SUITE has to be uninstalled (Sometimes w/Symnrt) and reinstalled. If it comes to this, I ALWAYS recommend my customers to NOT reinstall.

Funny story - I have done 3 symantec uninstalls recently, and I kid you not, each time I did the uninstall and reboot, there were icons in the system tray or devices that "suddenly" started working again that weren't working when NIS or other Symantec products were installed. The people just thought that the items were broken. Today it was a HP USB scanner that the lady was ready to throw away................lol
User avatar
Posts: 6831
Joined: Tue Aug 09, 2005 2:00 am
Location: USA - GSO - NC

Postby JabbaPapa » Wed Mar 29, 2006 7:28 am

When I have a bad Symantec installation, sometimes the fastest way to fix the rig is to uninstall, delete the relevant folders, open regedit, search for "Norton" and "Syman" and delete 99% of the search results ...

The other way is to just reinstall Windows...

I keep a 10-foot pole between me and the NIS and the NAV, but I _do_ like the NU suite in the Systemworks ... I just have to remember that to install it correctly, you MUST install it as the first thing immediately on first boot to Windows, or it's likely to mess up the installation ... and certainly to install it BEFORE my AV of choice... :roleeyes
User avatar
Posts: 9538
Joined: Sun Feb 22, 2004 5:17 pm
Location: Monte-Carlo
Real Name: Julian Lord

Postby RRCinci » Thu Mar 30, 2006 3:20 am

AS much as I LOVE slamming Symantec(they've lost my vote on any number of levels!!) they're not the only ones that have had trouble lately!! Mcafee blew it just a couple of weeks ago...big time!! Check out the story in eWeek !

Of course Pro covered it well...rippinchikkin
posted it Here the next day....the eWeek article is just another post that I saw.

What a hoot! This is why I've stuck with AVG for so long...it just works!

Life is not measured by the number of breaths we take, but by the moments that take our breath away.

Women and cats will do as they please, and men and dogs should relax and get used to the idea.
-Robert A. Heinlein

longhornrulescensor444 Here

<a href='http://www.pro-networks.org/forum/viewtopic.php?t=62589' target='_blank'><img src='http://img134.imageshack.us/img134/4245/pronetkatrinahelp7gs.gif'></a>
PROfessional Member
User avatar
Posts: 1577
Joined: Fri Jul 12, 2002 5:38 pm
Location: Cincinnati, OH

Return to Security & Virus

Who is online

Users browsing this forum: No registered users and 0 guests