Intrusion Guard Antispam Antivirus Parental Control Personal Firewall Privacy Tools User Guide version 9.00

Norman Security Suite 9.00 - User guide [English]



Norman Security Suite User Guide

Copyright © 1990-2011 Norman ASA

Limited Warranty

Norman guarantees that the enclosed CD-ROM or DVD and documentation do not have production flaws. If you report a flaw within 30 days of purchase, Norman will replace the defective CD-ROM or DVD and/or documentation at no charge. Proof of purchase must be enclosed with any claim.

This warranty is limited to replacement of the product. Norman is not liable for any other form of loss or damage arising from use of the software or documentation or from errors or deficiencies therein, including but not limited to loss of earnings.

With regard to defects or flaws in the CD-ROM, DVD, or documentation, or this licensing agreement, this warranty supersedes any other warranties, expressed or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose.

In particular, and without the limitations imposed by the licensing agreement with regard to any special use or purpose, Norman will in no event be liable for loss of profits or other commercial damage including but not limited to incidental or consequential damages.

This warranty expires 30 days after purchase.

The information in this document as well as the functionality of the software is subject to change without notice. The software may be used in accordance with the terms of the license agreement. The purchaser may make one copy of the software for backup purposes. No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without the explicit written permission of Norman.

The Norman logo is a registered trademark of Norman ASA.

Names of products mentioned in this documentation are either trademarks or registered trademarks of their respective owners. They are mentioned for identification purposes only.

Norman documentation and software are

Copyright © 1990-2011 Norman ASA.

All rights reserved.

Revised September 2011.


Table of contents

Introduction 4
    System requirements 4
    Training and technical support 5
    What is Norman Security Suite? 6

Installation 10
    Retrieving the software 10
    License key 11
    Installing 12
    Wizards 14

Getting started 15
    Application tray icon 15
    Tray warning icons 16
    Open the application 17
    Product warning icons 17
    Application settings 17

Home 18

Antivirus & Antispyware 19
    Quick scan 20
    Scan computer 21
    Quarantine 24
    Quarantine 24
    Settings 25
    Task Editor 26
    Create a task 26
    Exclude list 28
    Exclude list 28
    Potentially unwanted programs 29
    Settings 30
    Automatic scanner 31
    Manual scanner 33
    Internet protection 34
    Block attachments 36
    Other scanning methods 37

Personal Firewall 39
    Expert Tools 41
    Rule Editor 42
    Real-time Log Utility 45
    Advanced ports viewer 46
    Export Personal Firewall rules 47
    Import Personal Firewall rules 47
    Settings 48
    Configure Personal Firewall 48
    Advanced Settings 49

Antispam 50
    Block/Allow 52
    Settings 53

Parental Control 54
    User Configuration 56
    Create user 58
    Log Viewer 59
    Settings 59

Privacy Tools 60
    Delete a user’s program history 60
    Secure Delete 61

Intrusion Guard 62
    Settings 62
    Drivers & Memory 62
    Processes 64
    Network 66

Install and Update 67
    Settings 69
    Select update method 69
    Proxy settings 70

Support Center 71
    Messaging Log Viewer 72

Uninstalling 73

Appendix A 74
    What is a Sandbox? 74

Appendix B 75
    Advanced System Reporter 75
    Operating System Internals 76
    Internet Explorer 77
    Processes 78

Appendix C 79
    Advanced Firewall 79
    Advanced Rule Editor Settings 79


Introduction

System requirements

This program release supports installation of Norman Security Suite v9.00 on computers running Windows XP, Windows Vista, and Windows 7 with the following specifications:

Windows   XP        Vista     7
Bits      32  64    32  64    32  64

Antivirus

Intrusion Guard -

Personal Firewall -

Parental Control -

Antispam 1) -

Privacy Tools -

Service Pack or higher 2 1

CPU (Pentium-based) Recommended 1,8 GHz 1,8 GHz 1,8 GHz

RAM Recommended 2 GB 2 GB 2 GB

Internet Explorer or higher 7 (8) 7 (8) 7 (8)

Available disk space Recommended 500 MB 500 MB 500 MB

Screen resolution Recommended 1024x768 1024x768 1024x768

1) Antispam is only applicable with Microsoft Office Outlook (2003 or later), Windows Outlook Express, and Windows Mail (both 32- and 64-bits).

About this version

The current release is available in several languages. Contact your dealer for information about your language. Check our web site for details, or contact your local dealer for more information about language versions.

About this manual

This manual presents an overview of products, features and key functions, and any other bundled version incorporating these modules. Please refer to the online help for a detailed explanation of all available options and to our web pages for information on the different program packages.

NOTE: Special or important notes are marked with an exclamation mark icon in the left margin.

About managed clients

Configuration of a product locally on your computer may be restricted by management console policies. This may be the case if your computer is part of a network and most likely governed by an administrator.


Training and technical support

For training or technical support, please contact your local dealer or Norman. We provide technical support and consultancy services for the program suite and security issues in general.

Technical support also comprises quality assurance of your antivirus installation, including assistance in tailoring the program suite to match your exact needs.

Note that the number of services available will vary between the different countries. Our contact information is presented on the last page of this document.

www.norman.com


What is Norman Security Suite?

This program suite is a software security package made up of these security programs:

Antivirus & Antispyware: Stops viruses from reaching your computer

Personal Firewall: Prevents hackers from using your computer as transit for undesired traffic

Antispam: Blocks unwanted and bulk emails

Parental Control: Hinders the young ones from visiting web sites with undesired content

Privacy Tools *: Helps you to securely delete various log files containing personal data, cookies and browser history

Intrusion Guard *: Prevents malicious programs from intruding and infecting your computer

* This program is included in the Security Suite PRO version only.

The program suite is ready for use once you’ve installed it. The default configuration settings provide the protection you need, and you don’t have to run through the configuration options to make the program operational. However, it’s useful to understand how things work and to familiarize yourself with the basic functions. This manual aims to point out certain useful features and to provide some hints on how to get the most out of the program.

NOTE: You must run a wizard before you can start using the Personal Firewall. Please refer to the section ‘Installation Wizard’ on page 14 for more information.

Antivirus & Antispyware

This antivirus program monitors your computer for malicious software and potentially unwanted programs, featuring two main scanners - the Automatic scanner and the Manual scanner - as well as different scanning methods.

Sandbox

The unique Sandbox provides proactive protection that identifies even unknown viruses. For more information on Sandbox, refer to ‘Appendix A’ on page 74.

Malware/viruses

Malicious software is also referred to as malware or by the generic term viruses. Malware includes viruses, worms, trojans and other varieties of unwanted code.

Spyware

Examples of spyware are keyloggers, hijackers, rootkits and other malicious software jeopardizing your privacy, identity or simply reducing computer performance. Spyware is not destructive like traditional viruses, but the consequences of revealing personal information inadvertently could be just as damaging.

Potentially unwanted programs

Programs that you install for legitimate purposes may potentially expose your computer. Built-in features can send and receive data or execute command scripts, and perform actions similar to those common for purely malicious software. It is important that you have complete control over software residing on your computer, since the line between non-malicious and malicious software may be blurred. Scanning your computer for potentially unwanted programs goes beyond the normal scan for malware as it detects gray zone software - potentially unwanted programs.


Personal Firewall

Whenever you’re connected to the Internet, reading email or surfing the web, you make connections to other computers all over the world - and they connect to yours. This is where the trouble starts. By breaking into your computer, hackers may access your private documents, use your computer for their own acts of evil, or even render your computer useless by deleting important system files.

This application is first and foremost hacker protection and controls incoming and outgoing traffic on your computer based on a security policy (a set of rules). These rules are established (automatically or self-defined) when you install the product.

The application’s rule wizard can automatically create rules for applications’ behavior with regard to accessing the Internet. You can create and change rules and view details for traffic and port activity, and easily toggle between wizard mode and advanced mode.

In addition, the advanced Personal Firewall offers:

● Launcher protection, which detects attempts by an application to launch itself through another application.

● Stealth launch protection, which uncovers malicious applications attempting to access the Internet via other applications. The Personal Firewall keeps track of all parent applications.

● Process hijacking protection, which prevents malicious applications from hijacking a trusted process for .dll or thread injection.

● Full stealth mode, which ensures that all ports on the computer are completely invisible from the outside.

● Advanced svchost handling, where each svchost service has separate rules rather than one general rule to cover the grouping of services that each Svchost.exe session can contain.

◦ Svchost is a generic host process name for services in Windows XP/2003/Vista/7 that various network and Internet processes employ to function correctly. This service can run many instances simultaneously, each one necessary for the operation of the individual computer. The service has a legitimate need to access the Internet frequently, and like any other application connecting to the net, it is the personal firewall’s business to monitor and warn about this kind of activity. While many firewalls have only one generic rule for svchost handling, often non-editable, this personal firewall distinguishes between the different instances and can identify if the process is known or unknown. In addition, there are configuration options for a number of svchost services in the application’s help files.

● Anti-pharming, implemented through protection of the hosts file and therefore eliminating the most common pharming attack method.

◦ The word Pharming is constructed from the terms phishing and farming (see Antispam below for an explanation of phishing). It is called pharming when a hacker tries to redirect traffic from the web site you’re about to visit to another, bogus web site. Pharming can be carried out either by changing the hosts file on the target computer or by exploiting vulnerabilities in DNS server software. DNS (Domain Name Server) servers are responsible for resolving Internet names into their real addresses. In recent years both pharming and phishing have been used for theft of online identity information. Pharming has become of major concern to businesses hosting ecommerce and online banking web sites. Sophisticated measures known as anti-pharming are required to protect against this serious threat.
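The hosts-file redirection described above can be audited with a short script. This is an added example, not part of the Norman documentation or product; the watched domain names, the sample hosts content and all function names are constructed for illustration.

```python
"""Audit a hosts file for pharming-style redirections (added example)."""
import hashlib
import ipaddress

# Names whose resolution should never be overridden locally.
# Constructed placeholders; replace with the sites you care about.
WATCHED = {"bank.example", "shop.example"}

# Constructed sample: a default-looking hosts file with two injected lines.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example     # null-routed by the user
203.0.113.66    www.bank.example bank.example
198.51.100.7    login.shop.example      # injected
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, [hostnames]) for each valid entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address; skip
        yield lineno, addr, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(hostname, watched):
    """True for a watched domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED):
    """Return one finding per watched hostname that the hosts file overrides."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            if not is_watched(name, watched):
                continue
            # Loopback and 0.0.0.0 entries block a site; anything else sends
            # the user to a different server, which is the pharming case.
            if addr.is_loopback or addr.is_unspecified:
                kind = "blocked"
            else:
                kind = "redirected"
            findings.append(
                {"line": lineno, "host": name, "ip": str(addr), "kind": kind}
            )
    return findings


def hosts_digest(text):
    """SHA-256 over the effective entries, so comment-only edits do not alter it."""
    canon = sorted(
        f"{addr} {name}"
        for _, addr, names in parse_hosts(text)
        for name in names
    )
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()


def changed_since(baseline_digest, text):
    """Compare the current hosts content against a digest recorded earlier."""
    return hosts_digest(text) != baseline_digest


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; record `hosts_digest` once on a known-good system and compare it on later runs.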


Antispam

The antispam application protects against unsolicited commercial and bulk emails (spam) that may contain threats to the system. Antispam blocks spam, phishing attempts, and other email-borne threats before they reach the computer. You can create block and allow lists to manage who you receive emails from, and what content you allow to pass through to your email client.

Just as antivirus applications employ virus definition files to detect malware, antispam solutions use definition files to filter out unsolicited emails. Virus definition files contain virus signatures that decide whether a file is infected or not, while antispam definitions use a set of criteria to figure out the likelihood of an email being spam. The spam definition files base their analysis of an email on language, pictures, colors, links included in the mail, as well as the sender’s email and IP address. Still, it is not always possible to conclude with absolute certainty if an email is spam or not.

Spam

Unwanted email, usually advertising for some product. Spam is generally harmless, but it can be annoying as well as time-consuming.

Phishing

The act of sending an email to someone, pretending to be a legitimate public or private enterprise in an attempt to capture private information that can be used for identity theft. The email directs you to a web site where you are requested to update personal information like credit card and bank account numbers - information that the real organization already possesses. The web site is of course fake, but appears to be the real deal and is set up for the sole purpose of stealing information. The term ‘phishing’ is derived from ‘fishing’, where the pun is based on the notion of throwing out bait with the hopes that some will swallow it.

Parental Control

The Internet is not necessarily a good place to be, and there are some web sites we certainly don’t want the youngest of the family to visit. Unless children and teenagers are under constant surveillance, they are likely to visit web sites with undesired content - deliberately or not.

With Parental Control you can block access to certain categories of web sites, or even block all sites not explicitly approved. In addition you can restrict the time a user is allowed to surf on the net and specify what time of the day surfing is permitted.

In short, you can customize a profile for the individual user based on age or other criteria you wish to take into account.


Privacy Tools

With Privacy Tools you can delete specific files in a secure manner. The contents of the files are permanently erased and cannot be recovered. You can also configure the application to automatically delete various log files containing personal data, cookies and browser history. Deleting history logs does not affect the application’s settings and bookmarks.

Many applications, including the operating system itself, log user activity like which files are opened, web sites visited, and documents viewed. This is a user-friendly mechanism that makes it easier for users to perform repetitive tasks; visiting the same online newspaper or continuing to work on a text document.

Although this may be user-friendly, it is also a privacy concern. Other users of this computer, or other people inspecting your computer later on, may review these logs and discover things that you want to keep private. Even if you delete a file, it is not completely wiped out. Advanced tools can restore the file and hence compromise sensitive documents. Logs keep track of Internet browsing and files that are opened on your computer.

This functionality is of great concern to your privacy. It constitutes a potential risk of social engineering and identity or password theft. The acquired personal information can in turn be used with malicious intent.

NOTE: This program is included in the PRO version only.

Intrusion Guard

This is a host-based intrusion prevention system (HIPS) that can stop malicious applications from taking over control of your machine. The application offers a powerful reporting tool and protects processes, drivers, browsers and the hosts file. It is a platform for proactive threat protection intended for experienced users.

● Advanced System Reporter tool

◦ This powerful tool gives you control of installed applications, system filters, and suspicious modules that are discovered on your computer.

● Powerful real-time features

◦ This functionality can be configured to log, warn and block intrusions.

● Processes protection

◦ Stops malicious applications from hijacking (taking control over) other applications and installing more malicious content on to your computer system.

● Driver protection

◦ Stops drivers from installing and protects against other malicious techniques that try to gain low-level access to your computer system.

● Browser hijacking prevention

◦ Monitors your Internet Explorer settings and manages cookies. Can also log, warn, and block attempts to install network filters, like LSP (Layered Service Provider) and BHO (Browser Helper Object).

● Hosts file protection

◦ Protects your hosts file from unauthorized modifications.

NOTE: This program is included in the PRO version only.


Installation

Retrieving the software

A medium (CD or DVD) with the installer was delivered when you purchased this program, or a web page address for Internet download is included in your purchase papers.

CD/DVD

If you received a medium (CD or DVD), please use it to start the installation.

1. Insert the CD/DVD into your computer’s CD/DVD player.

◦ The CD/DVD runs automatically and a menu appears. On Windows Vista and 7 you may need to confirm that Norman.exe is allowed to run.

◦ If a dialog menu does not appear within a minute or so, the Autorun feature may be turned off. To start the menu manually, do either of the following:

• Browse the CD/DVD content and double-click the root file Norman.exe.

• Click Start > Run and enter D:\Norman.exe. Replace the D with the actual partition letter of your CD/DVD player. Click OK.

2. Choose language for viewing the CD/DVD menu.

3. From the menu’s Install page choose the correct installer according to your 64 or 32-bits computer. Proceed to point 4 of the Internet download section.

Internet download

The installer can be downloaded from the Internet. The Internet location and download procedure is described within the purchase order information. If not, follow the general instructions below to download the installer and to start the installation.

1. Open your Internet browser and enter the general web address for our software downloads: http://www.norman.com/downloads/

2. Select your product, version and language. Choose the correct installer according to your 64 or 32-bits computer.

3. Click Save (or click Run)

◦ If you click Save you are allowed to save the file on the computer and to start the installation from there. An Internet connection is not required when you install from the computer. However, we do recommend Internet connection during installation for key validation and updating.

• Browse for a folder location to save the installer and then click Save to confirm. Make a note of the location where you save the installer.

• Like the download window, the browser is no longer needed and may be closed too.

• Locate the installer and double-click the file.

• The installer may be deleted after a successful installation, or you may save it to an external media for backup.

◦ Click Run to start the installation directly from the web. The installer downloads and then immediately starts installing the product. If the installation fails, you must visit the download page again.

4. The InstallShield Wizard is launched.

5. Read about ‘License key’ and proceed to ‘Installing’ on page 12.


License key

When you purchase our software you receive a product license key. The key is needed for the installation to be updated. An antivirus software that is not updated on a regular basis does not fulfill its purpose.

I have a key

You should enter the key during installation, when you’re prompted by the InstallShield Wizard. The application will then automatically search for updates as soon as the installation is finished.

I don’t have a key

You can leave the license key field empty if you only want to evaluate the product. We recommend that you enter a trial key to make the most of the product during the trial period.

NOTE: If you don’t have a key, you can leave the license key field blank and still install the entire suite. However, the License Renewal Reminder will regularly prompt you for a key and the product(s) will not be updated. If required, the License Wizard will assist you in obtaining a key at a later point.

Enter a key after installation is finished

You can activate the License Wizard from the application and paste the key in the appropriate field. Please refer to the section ‘View or change product key’ on page 68.


Installing

Run the installer program (InstallShield Wizard). Refer to ‘Retrieving the software’ on page 10 on how to obtain it. Follow the on-screen instructions. Click Back if you need to review or change the installation settings.

The default location for installation is C:\Program Files

1. The InstallShield Wizard welcome screen appears. Click Next.

2. Read the license agreement and accept it to continue installing. Click Next.

3. Enter a valid product license key. Click Next.

◦ The key holds information on the products you have purchased.

◦ If you don’t have a key, please refer to ‘License key’ on page 11.

TIP: COPY AND PASTE THE LICENSE KEY. If you have a copy of your license key in an email or some other electronic format, the easiest way is to copy the key into the license key field. Highlight the key and press Ctrl+C, place the cursor in the license key field and press Ctrl+V to paste in the key. Make sure that there are no blank spaces included.

4. Setup Type

Select a) Complete or b) Custom.

a) Selecting Complete will install all program features to the default location. Click Next. Proceed to the point ‘7. Ready to install’ below.

b) Select Custom to decide which products to install and/or to select another location than the default location. Click Next.

5. Custom setup

A list of products that you can install is displayed.

• Antivirus & Antispyware

- Screensaver Scanner

• Personal Firewall

• Privacy Tools

• Intrusion Guard

• Parental Control*

• Antispam*

* You need to manually select this product if you want to install it. Click the drop-down menu to the left and select to install this feature on local hard drive. Installing this product requires that it is included in your license key, or is part of a trial installation. You can install this product later on if you like.


◦ Click Space if you want to see the disk space required for the selected installations.

• Click OK to return to the Custom Setup display.

◦ Click Next to continue.

6. Destination folder

a) Click Next if you want to install the selected applications to the default location.

b) Click Change... to define another location.

• Select location from the drop-down list, add a new folder, or enter the path in the folder name input field.

• Click OK to confirm and return to the destination folder display.

• Click Next.

7. Ready to install

◦ Click Install to begin the installation.

8. Installing

◦ A dialog appears, informing you that the application is now ready to launch and configure installed components. Click OK to continue.

9. The completed dialog appears. Click Finish to complete the InstallShield Wizard. The installation will continue to run in the background for 5-10 minutes.

10. Click Restart now when you are prompted to restart the computer. After the restart a customer registration form and - if the Personal Firewall is installed - the Personal Firewall Installation Wizard are launched.

◦ Customer Information

• Please enter the required information and then click Submit.

◦ Installation Wizard

• Please refer to the next section.


Wizards

The wizards handle installation and basic product configurations.

● InstallShield Wizard

◦ This wizard enables you to install the program. The wizard is also known as the installer or setup file.

● Installation Wizard

◦ This is relevant when the Personal Firewall is installed. Once the program suite with Personal Firewall is installed, a wizard for setting up the Personal Firewall is launched. Please refer to the next section.

● License Wizard

◦ This wizard keeps track of your valid product licenses. Please refer to the section ‘View or change product key’ on page 68.

Installation Wizard

You have now completed the installation (cf. ‘Installing’ on page 12), and Personal Firewall is one of the installed features. The Installation Wizard is launched automatically.

This wizard establishes basic rules automatically, such as granting Internet access for the relevant applications. The purpose is to identify programs with a legitimate need to access the Internet and to create rules for these applications. It is highly recommended that you run the installation wizard. You can always change automatically generated rules later, using the Rule Editor.

If you choose not to run the Installation Wizard, you may find that the computer cannot connect to the Internet, and that important applications are not updated. Please refer to the section ‘Expert Tools’ on page 41.

● Introduction

Read the information on this page about the Installation Wizard and the purpose of it. Click Next to continue. If you click Finish the wizard will complete with default settings. The default security level is Normal mode.

● Step 1: Security level

Select level for handling Internet connections trying to access your computer (incoming), or ap-plications trying to connect to the Internet (outgoing). The information on this page is meant to be self-explanatory and therefore we present only a short summary of the options below.

◦ Silent mode. All traffic is allowed, unless there is a rule specifically blocking it. You will be protected against incoming attacks.

◦ Normal mode. You will be prompted to allow or deny unknown traffic, unless a permanent rule prevents the connection. You are protected against incoming attacks as well as unwanted applications sending out data from your computer.

◦ Advanced mode. This is similar to Normal Mode, but Deep Process Inspection (DPI) will be enabled by default. This option is not recommended for low performance computers. You can disable DPI per rule in the advanced rule editor.

● Steps 2, 3, 4 and 5

Follow the on-screen instructions for adding other web browsers or email clients, configuring network resources, and allowing other known applications.

● Completed

Finally, click Finish to complete the wizard.

Getting started

Application tray icon

During setup, an icon is placed in the system tray in the lower right-hand corner of the screen. This icon confirms that Security Suite is installed on this computer.

Right-clicking the tray icon displays the Security Suite system tray menu.

The items in the list with an icon in front of them are copies of the items that appear on the Start > Programs > Norman Security Suite menu. This is a shortcut to the program suite’s main modules, as well as some typical tasks.

NOTE: The menu options differ depending on the installed products. For example, the option to Enable or Disable Personal Firewall is only visible when the Personal Firewall is installed.

● Internet Update

◦ Activate the Internet Update feature and update the installed products.

● Norman Security Suite

◦ Open the Norman Security Suite application.

● Disable Personal Firewall (Enable Personal Firewall)

◦ Toggles between enabling and disabling the Personal Firewall.

● Scan computer

◦ Start a manual scan of the entire computer.

● Stop automatic scanner (Start automatic scanner)

◦ Toggles between starting and stopping the automatic scanner.

NOTE: Stopping the Automatic scanner like this will only pause it. If you restart your computer or update the software, the Automatic scanner will start automatically. (This is different from enabling or disabling the Automatic scanner from the Antivirus & Antispyware main page or from Settings. In that case you must enable the Automatic scanner manually to activate it again.)

● Update status...

◦ View update status for the installed products. This function is also the source of messages about outdated virus definition files, expiration of the license period and other information.

Tray warning icons

The tray icon also provides information regarding the state of your installation. Place the cursor on the tray icon for an explanation of any errors or messages.

Circle

This error icon denotes that some of the components currently running are outdated or otherwise need your attention. If the icon appears with a blinking symbol, place the pointing device on the icon to find out which component needs updating or whether there are other error situations.

NOTE: During startup, this symbol is visible until all modules have started. The older and slower the machine, the longer it takes for all modules to load. However, the normal icon should appear after a maximum of two minutes.

Triangle

This warning icon, with a firm or blinking symbol, signifies that the automatic scanner has been manually disabled, the application is waiting for a restart, an installation error has occurred, or the definition files are outdated.

Firm

- The automatic scanner has been manually disabled in the application’s settings. Please refer to ‘Enable Automatic scanner’ on page 31.

- The application is waiting for a restart. The Restart later option may have been selected on a previous prompt.

- A possible installation error has occurred. Try restarting your computer to solve the possible error.

Blinking

- The virus definition files are outdated. This means they are at least ten days old.

- The automatic scanner has been stopped (paused) from the system tray menu. Right-click the system tray icon. Select Start automatic scanner.

- The Personal Firewall has been disabled. Right-click the system tray icon. Select Enable Personal Firewall.

Cogwheel

When the tray icon appears with a cogwheel, the Program Manager is working with the program, most likely an update. We do not recommend that you turn off your machine when the Program Manager is working, i.e. while this symbol is visible.

NOTE: An update shouldn’t take more than 5-10 minutes. If the cogwheel icon is present for a longer period of time, something might be wrong with the installation. In that case, try to restart your computer. If the cogwheel icon still does not go away, try the repair option described in the section ‘Automatic repair’ on page 72.

Windows Security Center Symbol

We are one of the antivirus vendors that the operating system detects. If the virus definition files are outdated, if the automatic scanner is not running, or if the firewall is disabled, you will also receive a warning from Windows that something is wrong. The Security Center symbol appears and you can click on it to view and edit the Windows settings.

Open the application

You can open the application via the system tray menu, or via the Windows menu. Right-click the application’s system tray icon and select Norman Security Suite from the pop-up menu. From the Windows menu, click Start and select All programs > Norman Security Suite > Norman Security Suite.

Product warning icons

Sometimes, a yellow triangle appears on the application’s menu entry. Reasons for this may be that a product is disabled or outdated, the license is expired, newly installed software needs final configuration to finish its installation procedure, etc. Select the menu entry with the warning to find out more.

NOTE: When you open the Security Suite for the first time a warning is issued for the Parental Control application. Please refer to the section ‘Parental Control’ on page 54.

Application settings

This application is installed with default settings that we recommend for everyday use. You can select Customize settings from the application’s main product pages to configure the products through a number of different options. When changing from one setting to the other, note that the icon changes and that the settings lead texts switch places.

● Current settings: Recommended

◦ Default settings are effective, as recommended for everyday use.

◦ Click on Customize settings if you want to change the default settings.

● Current settings: Custom

◦ The default settings are, or can be, customized.

◦ Click on Use recommended settings to reset settings to default.

NOTE: Changing the default settings is not advisable unless you know how the changes affect the system. Make sure that the custom settings do not lead to an inferior security level. If you are uncertain, remember that the default settings provide sufficient protection.

Home

Open the Security Suite application to view status for the installed products. Please refer to ‘Getting started’ on page 15 on how to open the application.

Scan your computer, keep track of which products are installed, their status, and view some detailed information about them. Update all products, and switch on or off the automatic updates, with one click.

Click Scan Computer to start a manual scan of the entire computer. This scan employs the same settings as specified for the Manual scanner. See ‘Manual scanner’ on page 33.

Licensed products are those covered by your product license key. Please refer to ‘License key’ on page 11. The status icon indicates whether the installation is up to date and complete, if it needs updating, or whether a product is not installed. The information to the right displays statistics data from the working applications or other status information.

NOTE: When you open the Security Suite for the first time a warning is issued for the Parental Control application. Please refer to the section ‘Parental Control’ on page 54.

Update all products

Update all installed products in one simple click. For further settings and overview, please refer to ‘Install and Update’ on page 67.

Automatic update is On (Off)

The products will be updated on a regular basis when automatic updates are on. Edit settings from ‘Select update method’ on page 69.

NOTE: We strongly recommend that automatic updates are always On.

Antivirus & Antispyware

Open the Security Suite application and select Antivirus & Antispyware from the left-hand side menu. Please refer to ‘Getting started’ on page 15 on how to open the application and to ‘Antivirus & Antispyware’ on page 6 for a description of the application purpose and function.

This antivirus and antispyware application monitors your computer for malicious software, also referred to as malware, as well as potentially unwanted software. Viruses can be automatically removed from hard disks, removable media, email attachments, etc. The Antivirus & Antispyware application checks files when they are accessed, and possible viruses are removed automatically.

This product is shipped with pre-selected settings that we consider sufficient to protect you against virus attacks. The modules can be configured so that you can set up the application to suit your exact needs.

This chapter is about how you configure the two main virus scanners - the automatic scanner and the manual scanner - as well as how you manage quarantined files, schedule scans, activate the screen-saver scanner, and enable the antispyware feature.

Customize settings

Click this option to edit the default values. Please refer to ‘Settings’ on page 30. For general information on selecting recommended versus custom settings, please refer to ‘Application settings’ on page 17.

Scanning statistics

The application’s main page displays a graphical representation of scanned and infected files over the past 24 hours. The statistical numbers reflect the combined activity of the manual and the automatic scanner.

Outbreak mode

This feature should only be temporarily activated in case of virus outbreaks and when connecting to unknown or insecure wireless networks. Enabling this option may affect performance and stability.

Disable automatic file scanning

Please refer to ‘Automatic scanner’ on page 31.

Scan computer

Please refer to ‘Scan computer’ on page 21.

Quarantine

Please refer to ‘Quarantine’ on page 24.

Quick scan

With one simple click you can scan the most important areas of your computer. The Manual scanner will start a scan based on a pre-defined area. From the scanner dialog box you can stop or pause the scan or edit the scan preferences. Please refer to ‘Scan computer’ on page 21 for scanner details and options.

Exclude List

Please refer to ‘Exclude list’ on page 28.

Task Editor

Please refer to ‘Task Editor’ on page 26.

Enable Screensaver scanner

Please refer to ‘Other scanning methods’ on page 37.

Scan computer

Please refer to the next section.

Scan computer

Select this option to start a scan of your computer. This scan employs the same settings as specified for the Manual scanner. Please refer to ‘Manual scanner’ on page 33 on how you configure the manual scanner. From the scanner dialog box you can select the area to scan, view the scan log, delete or repair infected files and add potentially unwanted program files to the exclude list.

You can also access the Scan computer option by right-clicking the system tray icon.

If you want to configure or schedule a scan, use the ‘Task Editor’ on page 26.

When you have started a scan by selecting Scan computer, or if you run a scheduled task, the scanner dialog box appears.

Scan area

The top-level field displays the path of the area that the scan is set to search.

Browse

Select which areas of your computer to scan.

Start/Pause/Stop

Start scanning, pause a running scan, or stop the scan process altogether.

Repair

Open the Repair Tool for further handling of infected or potentially unwanted program files. Repair is enabled only if infected files are found. The Detection log displays possible findings. Please refer to the next section for details on this option.

Settings

This option is available from the Advanced view only. From here you can configure settings for the scan task and set log preferences.

◦ Scan: Do not repair, Memory before files, Boot sectors before files, Network locations, Subfolders, Use Sandbox, Use Exclude List and Exclude.

◦ Log: Clear log before scan, Scroll log.

Pointing the mouse cursor, in the program, at a Scan or Log option will display supplementary information about that option.

Advanced / Basic

Toggles between Advanced or Basic view. The basic view gives the minimum information you need. The advanced view keeps you posted in detail about the scan, allows you to configure settings and view the log in an external text editor.

View log

Open the scan log in an external text editor. Study the log or save it to a different location. If Clear log before scan is enabled from Settings, the log will be cleared when starting a scan. Remember to save the previous log before starting a scan, if you want to keep it and this option is selected.

Repair, delete or exclude files from scanning

Select Repair from the scanner’s main view to open this tool. From here you can handle infected or potentially unwanted program files. Select files to repair or delete, or add potentially unwanted program files to the exclude list.

NOTE: The Repair option will activate only if the scanner detects infected files or potentially unwanted programs.

Infected files can be repaired or deleted altogether. See also next section about Quarantine.

Potentially unwanted program files can be added to the exclude list, if you trust the detected program and want the file to be skipped in future scans.

Detection log

Displays a list of infected files or potentially unwanted program files that were detected.

Select all infected

Select all files, except potentially unwanted program files.

Deselect all

Deselect all items in the detection log.

Repair

Select an item from the detection log and click this option to repair an infected file. You cannot repair potentially unwanted program files.

Delete

Select an item from the detection log and click this option to delete an infected file.

Add to exclude list

Select a potentially unwanted program file item from the detection log and click this option to add it to the exclude list. The file is added to the Antivirus & Antispyware > Exclude List > Potentially unwanted programs exclude list. Files on this list are excluded from detection while scanning.

You can read more about ‘Potentially unwanted programs’ on page 6 and ‘Exclude list’ on page 28.

Start a scan with Command Prompt

You can also start the Manual scanner from the Command Line interface. Go to Start > Run, enter nvcod and click OK or press Enter. A dialog with a scan menu appears. Select Quick scan or Full scan to start a default configured scan with the Manual scanner. If you select Custom scan, you can configure the scan from the Manual scanner dialog that appears. Please refer to ‘Scan computer’ on page 21 for details.

Quarantine

Quarantined files

Infected files that have been quarantined appear as a list in the Quarantined files dialog, provided that you have configured the program to do so. The antivirus application will try to repair infected files before they are deleted or quarantined (depending on your configuration). Quarantined files are either infected, or blocked by the Internet Protection feature.

NOTE: A copy of a deleted or blocked file is quarantined by default.

A copy of an infected and quarantined file is deleted, unless it resides in another folder, in which case it is moved to quarantine.

● When the automatic scanner detects that C:\eicar.com is infected, it is moved to quarantine.

● However, if the automatic scanner detects C:\Copy of eicar.com and this file is identical to eicar.com, it is not quarantined, but deleted.

● If Copy of eicar.com resides on C:\another folder\ it is, however, moved to quarantine because of the new location.

This method prevents the quarantine from filling up in a situation where a virus has written several copies of the same file to the same area of the disk drive.

A file may be quarantined because the antivirus application suspects it is infected.

On rare occasions, after a definition file update, the antivirus application may establish that a previously quarantined file is clean after all. Since the types and techniques for both making and detecting viruses change rapidly, the antivirus application will scan the quarantine after an update and after a restart of the machine.

If a quarantined file is ‘acquitted’ after such a check, it will be restored provided that there is a valid file path and that no other file with the same name exists. No user intervention is required, and you will not be informed about a possible restore of a quarantined file.

Settings

Keep files in quarantine

Select Customize settings to access the configuration options. Specify the minimum and maximum time files should be held in quarantine, and how much disk space they are allowed to occupy.

● Minimum

Specify a period ranging from one day to one week. Files newer than the specified minimum time will never be deleted.

● Maximum

Specify a period ranging from one to four weeks. Files older than maximum time are deleted without warning.

● Maximum size of quarantine (% of partition)

Specify how much disk space of the current partition quarantined files are allowed to occupy.

NOTE: The maximum size can be exceeded in the case where quarantined files have yet to reach their specified minimum time.

● Click Save to confirm your changes.
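The three retention settings above interact, and the NOTE describes the case where they conflict. The following Python model is an added example, not Norman's code; oldest-first eviction and treating a file exactly at the minimum age as eligible are assumptions the guide does not state, and the sample files are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class QuarantinedFile:
    name: str
    size: int              # bytes
    quarantined: datetime  # when the file entered quarantine


def plan_purge(files, now, min_age, max_age, partition_bytes, max_percent):
    """Return (files_to_delete, bytes_left_in_quarantine, still_over_limit)."""
    # Ranges offered by the settings described in the guide.
    if not timedelta(days=1) <= min_age <= timedelta(weeks=1):
        raise ValueError("minimum must be between one day and one week")
    if not timedelta(weeks=1) <= max_age <= timedelta(weeks=4):
        raise ValueError("maximum must be between one and four weeks")
    if not 0 < max_percent <= 100:
        raise ValueError("size limit is a percentage of the partition")

    limit = partition_bytes * max_percent // 100

    # Rule 1: files older than the maximum time are deleted.
    delete = [f for f in files if now - f.quarantined > max_age]
    kept = [f for f in files if now - f.quarantined <= max_age]
    used = sum(f.size for f in kept)

    # Rule 2: while over the size limit, evict files past the minimum age.
    # Oldest-first order is an assumption; the guide does not state it.
    for f in sorted(kept, key=lambda item: item.quarantined):
        if used <= limit:
            break
        if now - f.quarantined < min_age:
            continue  # Rule 3: files newer than the minimum are never deleted
        delete.append(f)
        used -= f.size

    # still_over_limit is True in the situation the NOTE describes.
    return delete, used, used > limit


# Constructed sample data: a 1000-byte "partition" keeps the numbers readable.
NOW = datetime(2011, 6, 30, 12, 0)
SAMPLE = [
    QuarantinedFile("old.bin", 40, NOW - timedelta(days=20)),
    QuarantinedFile("mid.bin", 60, NOW - timedelta(days=5)),
    QuarantinedFile("new1.bin", 70, NOW - timedelta(days=1)),
    QuarantinedFile("new2.bin", 50, NOW - timedelta(days=2)),
]


def demo(max_percent=10):
    """Minimum 3 days, maximum 2 weeks, size limit as a % of 1000 bytes."""
    return plan_purge(SAMPLE, NOW, timedelta(days=3), timedelta(weeks=2),
                      partition_bytes=1000, max_percent=max_percent)


if __name__ == "__main__":
    doomed, used, over = demo()
    print("delete:", [f.name for f in doomed])
    print("bytes left:", used, "over limit:", over)
```

With a 10% limit the two recent files stay even though they exceed it, which is why recent detections remain available for review or restore when the quarantine is full.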

Task Editor

Sometimes it’s convenient to define tasks that should be performed several times and/or at regular intervals. Scanning for viruses is a good example of a task that needs to be carried out regularly, and the Task editor is the tool provided for that purpose.

You can create a task for scans that you wish to perform repeatedly, or special scans that you intend to run in certain situations. For example, if you download files from the Internet to designated areas, you can create a task that scans these areas only and run the task manually after downloads. In addition, you can schedule the task to run at a preselected time.

All scheduled tasks are displayed as a list in the Task Editor dialog.

You can view, edit, run, delete, activate and deactivate your tasks from the Task Editor dialog. Deselect the Active check box to deactivate a task. Click the Run task column icon of a list entry to run that task, or click the task name to edit or view the task settings. To remove an entry, click the trash can icon. This will remove the entry without prompt.

Create a task

From the Task Editor dialog, click Create a task. Enter a task name and make your selections. Click Save to confirm and save your task.

Enable

By default, the task is set to enabled. You can remove the check mark to disable it.

Start at/Schedule

Select frequency, date and time to run the scan. The suggested date and time are the current ones (according to your system information). You can select another date and time.

Scan entire computer

Select this option if you simply want to scan the entire computer.

Custom scan

Select this option if you want to select files and folders to scan.

NOTE: The option Select files and folders to scan and the scanning options are only available when you select Custom scan.

Select files and folders to scan

Click the folder search symbol to browse for files or folders. All local drives are listed with a Windows Explorer-like functionality. Click on a drive letter to browse for directories or files. If you select specific drives or folders, all subfolders under the selected drive or folder are automatically selected.

You can also enter a path and file or folder name directly in the input text field. The asterisk (*) is accepted as wildcard.

Example:

◦ To scan the entire C: drive, enter C:\

◦ To scan all pdf files in the D: drive, enter D:\*.pdf

◦ To scan a specific folder in the E: drive, enter E:\foldername

Click OK to add the file or folder to the scanning list.

Scanning options

These options are all pre-selected. Remove the check mark if you want to leave out any of them. Apart from these possible selections, the Manual scanner options are used.

● Scan boot sectors

◦ When you select this option, the antivirus application will check the boot sector of the area(s) that are being scanned.

● Scan archives

◦ Select this option to include archived files in the scan. The following formats are currently supported: ACE, ACE SFX, APPLE_SINGLE, ARJ, BZIP2, CAB, CAB SFX, CHM/ITSF, GZ, Inno Setup (Installer), LZH, MAIL/MIME, MSI, NULLSOFT (Installer), RAR2, RAR3, TAR, WISE SFX, ZIP, ZIP SFX and 7ZIP.

● Scan memory

◦ When you scan the memory area, the antivirus application looks for resident viruses. You should always make sure that no viruses exist in memory.

Click Create to confirm and save your task.

Exclude list

Files on the exclude list are not scanned. Reasons for not scanning certain files may be that they trigger false alarms, or that they are too time-consuming to scan. Nevertheless, we recommend that you scan files on the exclude list regularly by running scheduled or manual scans.

NOTE: Exclude lists should be handled with great care, as they represent a potential security risk. Excluding files or areas from scanning is a decision at the expense of security.

Exclude files from scanning

Use the exclude list

Select this option to activate the Exclude list. The exclude list is used for excluding files that may conflict with the scanners, affecting your computer’s performance.

● Specify files, folders, or entire drives that you don’t want to scan for malware. Click the folder search symbol, if you want to browse for files and folders, or enter a file name, directory, or drive letter in the input field. Wildcards (*/?) are accepted. Place the wildcard at the beginning of the search term. Do not place the wildcard in the middle of the search term.

Examples

C:\Dir Excludes all files in the folder and subfolders

*.xyz Excludes all files with the extension .xyz

example.exe Excludes the specified file regardless of where it is found

C:\System\xyz.doc Excludes this particular file

NOTE: Do NOT use apostrophes or quotation marks (‘ or “) when you specify items for exclusion.

NOTE: This program does not check if the files, folders or drives added to the exclude list really exist. Be careful to enter the correct names and paths.

● Specify which of the scanners, if any, should use the exclude list.

● Click Add to list to include the entry in the exclude list.
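Because the program does not validate entries and each entry removes files from scanning, it helps to review a list before relying on it. The following Python review aid is an added example, not Norman's code and not the product's matching engine: it models the entry rules and the four examples above. Case-insensitive comparison and treating an entry with a drive letter or backslash as a path prefix are assumptions, and the file list is constructed.

```python
import ntpath
from fnmatch import fnmatchcase

QUOTES = "\"'\u201c\u201d\u2018\u2019"   # straight and curly quotation marks
WILDCARDS = "*?"


def has_location(entry):
    """True when the entry names a place (drive letter or backslash)."""
    return bool(ntpath.splitdrive(entry)[0]) or "\\" in entry


def lint_entry(entry):
    """Return review findings for one exclude-list entry (empty list = none)."""
    findings = []
    if any(ch in QUOTES for ch in entry):
        findings.append("quotation marks are not allowed")
    # The guide accepts wildcards only at the beginning of the term.
    if any(ch in WILDCARDS for ch in entry.lstrip(WILDCARDS)):
        findings.append("wildcard must be at the beginning")
    drive, rest = ntpath.splitdrive(entry)
    if drive and rest in ("", "\\"):
        findings.append("excludes an entire drive")
    if not has_location(entry):
        findings.append("location-independent: matches in any folder")
    return findings


def matches(entry, path):
    """Would this entry exclude this file, going by the guide's examples?"""
    entry, path = entry.lower(), path.lower()    # assumption: case-insensitive
    name = ntpath.basename(path)
    if entry and entry[0] in WILDCARDS:
        return fnmatchcase(name, entry)          # *.xyz style: compare file name
    if has_location(entry):
        root = entry.rstrip("\\")                # folder entry covers its subtree,
        return path == root or path.startswith(root + "\\")  # full path one file
    return name == entry                         # bare name: found in any folder


def coverage(entries, paths):
    """Map each entry to the files it would remove from scanning."""
    return {entry: [p for p in paths if matches(entry, p)] for entry in entries}


# Constructed file inventory and an exclude list built from the guide's examples.
SAMPLE_FILES = [
    r"C:\Dir\a.txt",
    r"C:\Dir\sub\b.xyz",
    r"C:\Directory\c.txt",
    r"C:\Users\me\example.exe",
    r"D:\tools\example.exe",
    r"C:\System\xyz.doc",
    r"C:\System\other.doc",
]
EXCLUDE_LIST = [r"C:\Dir", "*.xyz", "example.exe", r"C:\System\xyz.doc", "C:\\"]

if __name__ == "__main__":
    for entry, hits in coverage(EXCLUDE_LIST, SAMPLE_FILES).items():
        print(f"{entry!r}: {len(hits)} file(s) unscanned; findings: "
              f"{lint_entry(entry) or 'none'}")
        for hit in hits:
            print("   ", hit)
```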

Network drives

You can exclude network drives if you don’t want to scan shares that you have access to on remote computers. Specify which of the scanners, if any, the exclusion applies to. When you select this option the complete drive is excluded. You cannot exclude specific folders on a network drive.

Delete selected

To remove an entry, click the trash can icon. Note that this will remove the entry without prompt.

NOTE: We recommend that you revise the exclude lists regularly.

Potentially unwanted programs

If the scanner detects potentially unwanted program files you will be asked if you want to add them to the potentially unwanted software exclude list. Files on the exclude list are not scanned. Reasons for adding files to this exclude list may be that you have identified them as originating from non-malicious software.

NOTE: The manual scanner does not know whether a program file is malicious or not. You must decide what files you want to exclude from scanning.

Add this file to Exclude List

Files that you add to the exclude list will not be detected as potentially unwanted program files.

You can manually remove files from the exclude list, but you cannot add files manually.

To remove entries from the exclude list, select the entry and click Remove selected.

If no resource information is available for the listed entry, i.e. the file name, the columns for product name and version will contain the values Unknown or Not applicable.

Settings

From this section you can configure the automatic scanner, the manual scanner, the Internet Protection, and the Block attachments feature.

◦ ‘Automatic scanner’ on page 31

◦ ‘Manual scanner’ on page 33

◦ ‘Internet protection’ on page 34

◦ ‘Block attachments’ on page 36

◦ ‘Other scanning methods’ on page 37

Both the automatic and the manual scanner employ the Sandbox by default. Read more about the Sandbox in ‘What is a Sandbox?’ on page 74.

The Manual scanner settings are also relevant for the Scan computer option, the right-click scanner, the Screensaver scanner and the Command line scanner.

Automatic scanner

The Automatic scanner works in the background, monitoring the activity on the machine and checking files and applications when they are accessed.

Enable Automatic scanner

The Automatic scanner is Enabled by default. It is an essential virus control component and should therefore be enabled at all times. If you clear the check box you Disable the Automatic scanner. No program warning is issued if the Automatic scanner is disabled this way. However, Windows’ Security Center will warn you. Read more about ‘Tray warning icons’ on page 16.

NOTE: We recommend that the Automatic scanner is Enabled at all times.

NOTE: Clearing the Enable Automatic scanner check box means the scanner remains disabled until it is manually enabled again.

● Stop Automatic scanner

From the system tray menu you can click Stop Automatic scanner to pause the scanner. This option toggles between Stop automatic scanner and Start automatic scanner. Click again to start the Automatic scanner.

If you stop the scanner like this it will be started automatically the next time the computer is restarted or when a program update is installed.

A blinking, yellow triangle appears on the system tray icon. See ‘Tray warning icons’ on page 16. In addition, Windows Security Center will warn that “Your computer might be at risk”.

NOTE: Stopping the scanner from the system tray menu is different from disabling the scanner from Settings. When you disable the scanner from Settings you must manually enable it again, or else it will stay deactivated, that is, turned off completely. When you stop the scanner from the tray menu you can click again to start it, or else it will start automatically the next time you restart your computer or update the program.

Automatically remove detected viruses

The scanner detects and repairs all types of viruses. Whenever possible, an infected file is repaired before the file is handed over to the application. Access to the infected file is denied if repair fails. A file is removed altogether if it contains nothing but malware.

Scan for potentially unwanted programs

This scan goes beyond the normal scan for malware as it detects gray zone software - potentially unwanted programs. Select this option to improve your control over installed software.

User modes

The user modes section is divided into the two modules ‘Local user’ and ‘Remote users’. Under normal circumstances, a workstation runs in Local user mode, while a server runs in the Remote users mode. The default settings provide sufficient protection for most situations, and we do not recommend that you change them unless you are fully aware of the consequences.

Local user

● Read/Execute

◦ Instructs the Automatic scanner to scan files before they are used.

◦ Example: When a user double-clicks a .doc file, the Automatic scanner checks the file as well as the application which is being launched (in this instance, MS Word).

● Scan on both read and write

◦ Instructs the Automatic scanner to scan files that are opened for write, for example when a user downloads a file from the Internet.

◦ If you selected scan on Read/Execute, it is possible to download and save an infected file to disk. However, the Automatic scanner will detect the virus when you try to open the file.

Remote users

This mode applies to any XP/Vista/Windows 7 machine that is logged off, and the machine can theoretically act like a server. The selections you make here are whether you want to scan files before they are used and/or when new files are created, or when existing files are changed. In other words, you select a strategy for the automatic scanning that takes effect when you save downloaded files from the Internet, FTP servers, when another computer writes files to a network share on your computer, etc.

● Write

◦ Instructs the Automatic scanner to scan files that are saved to disk, for example when a user is saving a file on a server. In this case, the Automatic scanner on the server will scan the file.

● Scan on both read and write

◦ This is hopefully an option you won’t need. A scenario where this is an useful option is if a server has become infected, as a result of a missing scanner update, for example. Scan on both read and write in such a situation will prevent the infection from spreading further throughout the network.

Use Sandbox

The Sandbox functionality is used to detect new, unknown viruses. Select this option if you want the scanner to look out for new virus variants. The Sandbox is particularly tuned to find new email-, network- and peer-to-peer worms and file viruses, and will also react to unknown security threats.

● Disabled

◦ The Sandbox feature is turned off.

● Normal

◦ Recommended scanning level. With this option enabled, the Sandbox checks all write operations both for local users and for remote/services.

● Extended

◦ In a critical situation you can select this mode, for example if you have a virus outbreak on your system and no signature-based detection is available for a limited period of time. The Sandbox will then check on read as well as on execute. When this option is selected, scanning time will increase, but it is not likely to seriously affect system performance.

Manual scanner

Use the Manual scanner to scan selected areas of your computer. Scanning an entire hard drive is a time-consuming exercise. For periodic scans of entire drives, selected folders or files, we encourage setting up scheduled scans. Use the Task Editor and enable the Screensaver scanner so that manual scans are performed automatically during periods of low activity or idleness. Finally, you can right-click a file system object to launch the Manual scanner. All these scanning methods employ the Manual scanner’s settings.

Use Sandbox

The Sandbox functionality is used to detect new, unknown viruses. Select this option if you want the scanner to look out for new virus variants. The Sandbox is particularly tuned to find new email-, network- and peer-to-peer worms and file viruses, and will also react to unknown security threats. When this option is selected, scanning time will increase, but it is not likely to affect the system performance considerably.

Automatically remove detected viruses

The application will try to remove the virus from the infected file. Select this option to repair infected files automatically. Most viruses can be removed on the fly, except for boot sector viruses. A prompt for user intervention will always precede removal of a boot sector virus. Note that a file is deleted altogether if it contains nothing but malware.

Scan archives

Select this option to include archived files in the scan. The following formats are currently supported: ACE, ACE SFX, APPLE_SINGLE, ARJ, BZIP2, CAB, CAB SFX, CHM/ITSF, GZ, Inno Setup (Installer), LZH, MAIL/MIME, MSI, NULLSOFT (Installer), RAR2, RAR3, TAR, WISE SFX, ZIP, ZIP SFX and 7ZIP.

Scan for potentially unwanted software

This scan goes beyond the normal scan for malware as it detects gray zone software - potentially unwanted programs. Select this option to improve your control over installed software.

Logging

Create log file

Creates a log file in the Logs folder each time you run a manual scan. If you deselect this option, no log file is generated for manual scans. This option is enabled by default. The Logs folder is located by default in this program’s root folder.

Detailed logging

Generates a detailed report, specifying each file that was scanned, scanning time per file, status, etc.

Internet protection

This filter protects against viruses that spread through Internet mail and news readers. The majority of viruses reported today use mechanisms that enable them to spread through email. This filter module is designed to intercept incoming and outgoing mail and news, and to strip or block all infected attachments with undesired content. It is capable both of scanning emails for known viruses and of blocking file attachments depending on content and file extensions.

Use Sandbox

The Sandbox functionality is used to detect new, unknown viruses. Select this option if you want the scanner to look out for new virus variants. The Sandbox is particularly tuned to find new email-, network- and peer-to-peer worms and file viruses, and will also react to unknown security threats. When this option is selected, scanning time will increase, but it is not likely to affect the system performance considerably. You can read more about the Sandbox in ‘Appendix A’ on page 74.

Traffic to scan

Select which elements of the Internet traffic you want to scan. The default is to scan all.

● Incoming email

◦ Scans all e-mail that you receive from others. Again, even your best friend or closest business associate may be ignorant of a virus infection.

● Outgoing email

◦ Scans all e-mail that is sent from your system. If your machine is infected by malware which you are unaware of, you could unintentionally send infected mails to friends and business associates, for example.

● Newsgroups

◦ Scans the traffic generated between your computer and the other participants in the group/forum you are active in.

● Instant messaging (received files)

◦ Scans file transfer traffic during instant messaging sessions with MSN Messenger and Windows Messenger. When this option is selected, incoming files are scanned for malware. If a file is infected, a pop-up message will warn about the incident. Only file transfers are scanned, so infected links still pose a threat.

Note that the transferred files are scanned when they are written to the directory ...\Temporary Internet Files. If malware is detected, it is probably a TMP file that is quarantined. To restore a quarantined TMP file, select the desired file, choose the Save as option from the right-click menu and save the file with its original name and extension. See ‘Quarantine’ on page 24.

Attachment list

The block attachment feature is particularly useful when email worms are roaming and the worm can be identified by file name. Attachment blocking is also a useful feature to stop file types that you do not want to receive in your mailbox. When an attachment is blocked, it is moved to the quarantine area rather than deleted. You can block attachments by name or extension by entering the exact information. See also ‘Block attachments’ on page 36.

● Block all attachments

◦ All attachments are blocked.

● Block files with double extension

◦ Many worms and email viruses apply a technique where an additional extension is added, for example Filename.jpg.vbs. Most email clients will hide the last extension so that the attachment appears to only have the extension JPG. However, this feature is not only used by viruses; legitimate files with names like Myfile.hlp.zip and Todolist_20.dec.doc are both treated as double extensions.

● Block attachments with CLSID file type

◦ Some recent worms and email viruses apply a CLSID technique to fool email scanners and blocking software. They take advantage of a feature in Windows which makes it possible to replace an .exe extension with a {...} extension and thus evade blocking of EXE files. Since there is no reason for legitimate attachments to use this type of extension, this behavior is blocked by default.

● Block encrypted attachments

◦ Depending on the tools used, compressed and encrypted files are generally harder to scan for viruses than plain file attachments. Therefore the antivirus application offers the option of blocking such attachments altogether.

Ports

Among the numerous protocols for communication between computers, there are some that are vital for Internet use. For standardization reasons, protocols have pre-assigned port numbers.

Port numbers

Some of the protocols for communication between computers are vital for Internet use. For standardization reasons, protocols have pre-assigned port numbers. In the Traffic to scan section you selected which Internet traffic you wanted to scan. This identifies the protocols needed for sending and receiving email, for example, and the corresponding port number on the computer, according to the industry standard.

You may have assigned different port numbers to one or more of the supported protocols listed here. If that is the case, you must enter the actual port number for the affected protocol(s).

The protocols below are those presently supported. The list will be updated when necessary. The port numbers and functions are already specified in the dialog:

● Incoming e-mail (POP3)

(Port 110) POP is short for Post Office Protocol.

● Outgoing e-mail (SMTP)

(Port 25) SMTP is short for Simple Mail Transfer Protocol.

● Newsgroups (NNTP)

(Port 119) NNTP is short for Network News Transfer Protocol

Block attachments

Use this function to explicitly select attachments you want to block - or certify. You can enter the exact name of an attachment, or use a wildcard (*) to block certain extensions.

● Block all attachments, except those listed below

◦ All names that you save to the list are ACCEPTED.

● Block all attachments listed below

◦ All names that you save to the list are BLOCKED.

NOTE: It is very important to distinguish carefully between these two options, as they represent two extremes: BLOCK all on the list, or ACCEPT all on the list.

Input field

Entries that you add appear in the list box, where you can later edit or remove them.

For example, enter *.exe to block or allow all attachments with an EXE extension. Place the wildcard at the beginning of the search term. Do not place the wildcard in the middle of the search term. Click Add to save the entry to the attachment list.

Select the Attachment list drop-down menu to select one or more entries; All or None, or Invert selection.

Remove entries

Select one or more entries and click Delete selected.

Please refer to the application’s help file for further information on this subject.
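The name-based rules from ‘Attachment list’ and ‘Block attachments’ can be modelled compactly. The following Python is an added example, not code from Norman or this guide; the extension patterns, the order of the checks, case-insensitive matching and every name in it are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumption: a "CLSID file type" is a final extension written as .{...}
CLSID_EXT = re.compile(r"\.\{[^{}]+\}$")
# Assumption: an extension is one to four letters or digits.
EXT = re.compile(r"[A-Za-z0-9]{1,4}")


def has_double_extension(name):
    """True for names such as Filename.jpg.vbs, and also Myfile.hlp.zip."""
    parts = name.split(".")
    if len(parts) < 3 or not "".join(parts[:-2]):
        return False
    return all(EXT.fullmatch(p) for p in parts[-2:])


def has_clsid_extension(name):
    """True when the last extension is a {...} block instead of letters."""
    return CLSID_EXT.search(name.strip()) is not None


def normalise_entry(entry):
    """Validate a list entry: an exact name, or a wildcard at the start only."""
    entry = entry.strip().lower()
    if not entry:
        raise ValueError("empty entry")
    if "*" in entry[1:]:
        raise ValueError("wildcard must be at the beginning: " + entry)
    return entry


def entry_matches(entry, name):
    """Match a normalised entry against an attachment name, ignoring case."""
    name = name.lower()
    if entry.startswith("*"):
        return name.endswith(entry[1:])
    return name == entry


@dataclass
class AttachmentPolicy:
    block_all: bool = False
    block_double_extension: bool = False
    block_clsid: bool = True           # the guide: blocked by default
    list_mode: str = "block_listed"    # or "allow_listed"
    entries: list = field(default_factory=list)

    def __post_init__(self):
        if self.list_mode not in ("block_listed", "allow_listed"):
            raise ValueError("unknown list mode: " + self.list_mode)
        self.entries = [normalise_entry(e) for e in self.entries]

    def decide(self, name):
        """Return (action, reason); blocked files are quarantined, not deleted."""
        if self.block_all:
            return ("quarantine", "all attachments blocked")
        if self.block_clsid and has_clsid_extension(name):
            return ("quarantine", "CLSID extension")
        if self.block_double_extension and has_double_extension(name):
            return ("quarantine", "double extension")
        hit = next((e for e in self.entries if entry_matches(e, name)), None)
        if self.list_mode == "allow_listed":
            if hit:
                return ("deliver", "allow-listed: " + hit)
            return ("quarantine", "not on allow list")
        if hit:
            return ("quarantine", "block-listed: " + hit)
        return ("deliver", "not listed")


if __name__ == "__main__":
    # Constructed sample names; the CLSID value is a placeholder.
    samples = [
        "Filename.jpg.vbs",
        "Todolist_20.dec.doc",
        "photo.{00000000-0000-0000-0000-000000000000}",
        "setup.exe",
        "holiday.jpg",
    ]
    for mode in ("block_listed", "allow_listed"):
        policy = AttachmentPolicy(block_double_extension=True,
                                  list_mode=mode, entries=["*.exe"])
        print(mode)
        for sample in samples:
            print("  %-48s %s" % (sample, policy.decide(sample)))
```

Running it with the same `*.exe` entry under both list modes shows why the two options must be kept apart: in one mode setup.exe is quarantined, in the other it is the only sample that is delivered.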

Other scanning methods

Screensaver scanner

This is a screensaver with a scanner that performs a virus scan of the system when your computer is idle. Idle time is a period where there is no activity on the system, i.e. neither keyboard strokes nor mouse movements. If the Screensaver scanner is enabled, a screensaver will launch during idle periods, displaying the scan progress continuously.

NOTE: The Screensaver scanner is installed by default with this program and will be activated when your computer is idle. If you deselected the Screensaver scanner at installation, you must enable it from the operating system’s screensaver dialog.

Enable Screensaver scanner

● Go to Antivirus & Antispyware and select Enable Screensaver scanner.

◦ Your operating system’s screensaver settings dialog appears.

● Select Screensaver scanner from the Screen saver drop-down list.

● Click OK to confirm.

Next time the system is idle the screensaver will activate and the manual scanner will start a virus scan. A mouse move or keyboard stroke terminates the screensaver and thus the scanning process. If the scan did not finish, it will continue scanning from where it was stopped the next time it is activated.

NOTE: A screensaver scan employs the same settings as specified for the Manual scanner.

Right-click scan

This is the manual scanner starting a scan of a selected file or folder via the Windows right-click pop-up menu.

● Right-click a file or folder, for example in Windows Explorer or on the desktop.

● Select Scan for viruses from the pop-up menu.

● The Manual scanner dialog appears (see ‘Scan computer’ on page 21).

Command Line Scanner

The Command Line Scanner is an alternative to the GUI-based scanner and offers the possibility of running batch jobs and other scanning tasks from the command line. The command line scanner is a good alternative for those familiar with this environment.

The command line scanner has the same basic functionality as the menu-driven scanners and is not dependent on any other modules. It can also be run from batch files.

Starting the Command line scanner

1. Start a command prompt session.

◦ Go to Start > Run.

◦ Enter CMD and click OK or press Enter.

2. Go to the directory where the Antivirus & Antispyware application resides.

◦ The default location is [program root folder]\nvc\bin\

3. Enter the desired parameters and press Enter. A space must precede each parameter that you use. The syntax is:

• nvcc [drive]:[path] [/parameters] [Enter]

For a list of available parameters, enter:

• nvcc /?

Personal Firewall

Finish the installation wizard (see ‘Installation Wizard’ on page 14). Open the Security Suite application and select Personal Firewall from the left-hand side menu. Please refer to ‘Getting started’ on page 12 on how to open the application and to ‘Personal Firewall’ on page 7 for a description of the application purpose and function. Refer to ‘Installation Wizard’ on page 14 on how to initialize the Personal Firewall.

This chapter is about configuring the personal firewall application, creating rules controlling incoming and outgoing applications, viewing traffic, and more. The application offers to switch between two user modes. In Wizard mode the user will be guided by an installation wizard, and in Advanced mode the user will be allowed to perform detailed configuration of the advanced settings.

Customize settings

Click this option to edit the default values. Please refer to Personal Firewall ‘Settings’ on page 48. For general information on selecting recommended versus custom settings, please refer to ‘Application settings’ on page 17.

Statistics

The statistics display information about blocked incoming and outgoing connections and port scans.

● Blocked # incoming connections. Someone has tried to connect to your machine but was blocked, possibly because you don’t have the required software installed. Such connections are hardly of a malicious nature, but most likely legitimate server requests.

● Blocked # outgoing applications. The number of outgoing applications that have been blocked by one or more rules. If many outgoing applications are blocked, you should check if the relevant rules are correct.

● Blocked # port scans. Shows how many systematic attempts there have been to scan for open ports. Sometimes viruses scan for open ports in an attempt to propagate, but it could just as well be a legitimate action performed by administrative software.

Disable Personal Firewall (Enable)

Clicking the link toggles between enabling and disabling the Personal Firewall. You can enable or disable the Personal Firewall from the application’s main page or from the system tray menu.

● Go to the Personal Firewall’s main page and select Disable Personal Firewall.

NOTE: Windows’ Security Center issues a warning when the firewall is disabled.

or

● Right-click the system tray icon and select Disable Personal Firewall.

NOTE: This option is not available on Windows Vista, where you must disable and enable the Personal Firewall from the console.

Lock

Clicking the link toggles between locking and unlocking all access to the network, the Internet included. You may want to use this function if you leave the computer on while you are away.

Clear session rules

Select this option to delete temporary firewall rules created since the last restart of your computer. Temporary firewall rules are created during a session, i.e. between two computer restarts, when you select applies to this session from the firewall pop-up dialog. This dialog pops up when an action requires you to decide whether to allow or deny it. An action is, for example, when a program tries to connect to the Internet. You will be prompted to confirm removal of the rules.

Clear block rules

If you are unable to connect to the Internet/network, the reason may be that a rule blocks the connection. Click on this option to remove all blocking rules. You will be prompted the next time you try to access the Internet.

Expert Tools

Please refer to ‘Expert Tools’ on page 41.

Expert Tools

With these tools you can manage the advanced aspects of this application. The expert tools are meant for an expert user, except for the Rule Editor in wizard mode, which is perfect for the inexperienced user. You can switch between wizard mode and advanced mode in the Rule Editor dialog.

You can edit or establish rules using the rule editor. Firewall rules are necessary to allow Internet access to programs that you trust, and to block unreliable connections. The firewall also employs advanced stealth techniques that make the computer invisible and undetectable from the Internet. You can monitor computer activities using the real-time log utility and the advanced ports viewer.

◦ ‘Rule Editor’ on page 42.

◦ ‘Real-time Log Utility’ on page 45.

◦ ‘Advanced ports viewer’ on page 46.

◦ ‘Export Personal Firewall rules’ on page 47.

◦ ‘Import Personal Firewall rules’ on page 47.

Rule Editor

Rules are necessary to allow Internet access to programs. The Personal Firewall established rules for installed programs when you ran the Installation Wizard. However, you may have programs installed that weren’t recognized or were acquired after you installed the firewall. When such a program tries to connect to the Internet, the Personal Firewall produces a pop-up that informs you about the action and lets you decide whether to allow or deny it.

The Personal Firewall does not allow you to create incoming rules. Incoming rules are handled by the Personal Firewall’s Server Mode awareness, which dynamically and automatically creates incoming rules based on Server Privileges. This is an intelligent mechanism in the firewall that evaluates attempts from the outside to listen on a set of ports. Legitimate requests are granted access only for the relevant ports, and they are automatically closed when they are no longer needed.

The Rule Editor differs between the user experience modes Wizard mode and Advanced mode.

TIP SWITCH USER MODE: At the lower-right corner of the Rule Editor dialog there is an option to select user mode. This option toggles between Switch to wizard mode and Switch to advanced mode.

Wizard mode

Go to Personal Firewall > Expert Tools > Rule Editor.

TIP SWITCH USER MODE: At the lower-right corner of the Rule Editor dialog there is an option to select user mode. This option toggles between Switch to wizard mode and Switch to advanced mode.

Create rule

From the Rule Wizard select I want to create a new rule and click Next.

● Select application to assign a rule.

A list of eligible applications is presented. Click an application to select it. Select Show My Computer to browse your computer for programs missing from the list. Click Next to continue.

● Action for this application?

Select to Allow or Deny this application to access the Internet. Click Next to continue. If you selected Deny, go to Summary.

● Is this a server application?

Determine if this is a server application or not. Server applications hold ports open and visible, making the computer behave like a server and allowing other computers to connect. Select No if you are uncertain. Click Next to continue.

TIP The firewall will prompt later if the application is requesting server privileges. A rule can always be changed at a later time.

● Summary

A summary dialog appears. Click Finish to generate the rule. The rule takes effect immediately after it has been generated.

Edit rule

From the Rule Wizard select I want to modify or delete an existing rule and click Next. On the following pages, click to select the rule you want to modify or delete, and then what you want to change. Click Finish to confirm your changes.

Advanced mode

Go to Personal Firewall > Expert Tools > Rule Editor.

TIP SWITCH USER MODE: At the lower-right corner of the Rule Editor dialog there is an option to select user mode. This option toggles between Switch to wizard mode and Switch to advanced mode.

Traffic Rule

This tabbed dialog lists existing rules and their status. From here you can edit or delete existing rules or create new rules. For a detailed description of all fields, please refer to ‘Advanced Rule Editor Settings’ on page 79.

Trusted Applications

This list has nothing to do with traffic, but a trusted application is not considered “parent” when another application tries to go online. Certain Windows applications are automatically trusted and appear in gray on the list. You cannot delete or edit these. If misc.exe is a trusted application, it is allowed to start iexplore.exe without triggering a pop-up warning that misc.exe is trying to go online through iexplore.exe. Since misc.exe is trusted it is permitted to take certain liberties when it starts IE (Internet Explorer). For example, it is permitted to start a remote thread within IE without any warnings from the Personal Firewall because it is an expected and approved behavior.

The Trusted Applications list is shared with the one used by Intrusion Guard (see ‘Trusted processes’ on page 64) and therefore identical.

Real-time Log Utility

The Personal Firewall employs advanced stealthing techniques that make your computer invisible and undetectable from the Internet. You can keep an eye on computer activities using the Real-time Log Utility and the Advanced Ports Viewer (see the next section). The Real-time Log Utility provides log information for outgoing traffic and server privilege requests.

Go to Personal Firewall > Expert Tools > Real-time Log Utility. Right-click an entry to view details and possibly change the configuration for this application.

Outgoing traffic

The log specifies at what Time an Application contacted the Internet, the program name and from which Port, stating the Remote machine’s IP address, Port and Action. Action is either Allowed or Denied. Reason is either that a permanent rule or a session rule exists for this action/application, that it is defined in Advanced Configuration, or user prompt time-out.

Server privilege requests

The log specifies at what Time an Application contacted your computer from the Internet, at which Port, stating the Remote machine’s IP address, Port and Action taken by the Personal Firewall. Action is either Allowed or Denied. Reason is either that a permanent rule or a session rule exists for this action/application, that it is defined in Advanced Configuration, or that there is no listening application. The most common reason for not allowing server privilege requests is that your machine does not have the required software to interpret the enquiry. In other words, no matching server privileges request.

To receive data from another machine on the network, an application opens one or more listening ports. Note that server privilege requests are not established connections, but requests for connections. However, sometimes the application also opens a listening port in order to receive an answer from a machine it sends data to. The Personal Firewall automatically permits such answers. A mechanism in the Personal Firewall determines if an application has opened a port deliberately, or if the application receives an unsolicited request as if it were a server. The Personal Firewall then prompts the user to confirm that the application should be granted privileges as a server.

Advanced ports viewer

The Advanced Ports Viewer presents an overview of all activity on the current machine’s ports. You should use this utility to manually check that no malware infects your machine.

Go to Personal Firewall > Expert Tools > Advanced Ports Viewer.

Explanation of the port status is displayed in the tool’s panel. Ports open to the Internet appear in red and should receive your full attention, as the firewall cannot protect an open port. Server software like FTP and web servers have a legitimate use for open ports. But if an unknown application is active on an open port, there is reason for concern.

Terminate Application

To stop an application, highlight an entry and click Terminate Application. The application is terminated immediately, even though it may appear in the list for about one minute after.

Open Configuration

Highlight an entry and select the Open Configuration option. To change an application’s configuration from allow to deny, clear the check box and click OK. Alternatively, select the check box to allow a denied application access to the Internet.

NOTE: The Terminate Application and Edit Associated Rule options apply only to entries ‘handled by rule’. The Open Advanced Configuration option is only available for ‘advanced configuration’ handled rules.

Export Personal Firewall rules

Back up your Personal Firewall rules. Select Export Personal Firewall rules and specify the location. Save the file to an external medium for safekeeping.

Import Personal Firewall rules

Recover your Personal Firewall rules. Select Import Personal Firewall rules and specify the location from where you want to recover the backup file.

Settings

From this dialog you can view and edit the application’s configuration.

Select Customize settings at the topmost part of the dialog to change the defaults, or select Recommended settings to switch back to the default configuration.

NOTE: We recommend that only advanced users change the default settings.

Configure Personal Firewall

During setup several rules were created automatically, including rules for the most common browsers, mail clients, MSN and other programs that need to connect to the net.

Go to Personal Firewall > Settings > Configure Personal Firewall. To view or edit existing rules, please refer to the ‘Rule Editor’ on page 42.

Firewall Operation

Select how the firewall should handle traffic on your computer.

● Silent Mode

Allow all traffic, unless there is a rule specifically blocking it.

● Normal Mode

Prompt for all unknown traffic.

● Advanced Mode

Prompt for all unknown traffic and enable Deep Process Inspection (DPI).

NOTE: If you select Silent Mode or Normal Mode the options System, DLLs and Services will not be available when editing rules.

Server Privileges

Some applications without rules may try to accept connections from the internet. In this dialog you can decide how the personal firewall should handle these applications. The default setting is Prompt. When prompted you can evaluate if an application should accept an invitation from the net. The alternative is Deny, in which case all programs without a permanent or session-based rule will deny invitations from the net.

NOTE: In the Edit Rule dialog there is an option that allows you to grant or deny server privileges for an application. The concept of server privileges is also explained in the topic Rule Editor.

Outgoing Applications

Some applications without rules may try to connect to the internet or the local area network. In this dialog you can decide how the personal firewall should handle these applications. The default setting is Prompt. When prompted you can evaluate an application that tries to go online and define a rule, for example. The alternative is Deny, in which case all programs without a permanent or session-based rule are denied access to the net.

Advanced Settings

The technical nature of these configuration options requires a certain expertise if you intend to change default settings. As a rule of thumb, do not change any setting unless you know what it means and are aware of the consequences. The default settings are sufficient for the average user.

Parts of the Firewall Operation are described below. For further explanations, please refer to the application and the descriptive text for each option.

Switching user mode

There are two ways of switching between Wizard mode and Advanced mode.

1. From Personal Firewall > Expert Tools > Rule Editor click Switch to wizard mode, or if wizard mode is enabled, Switch to advanced mode

or,

2. Go to Personal Firewall > Settings > Advanced setting, and then scroll down to the section Firewall Operation. Select or deselect Use advanced rule editor.

The difference between the user modes is the degree of assistance available when creating new rules or changing existing rules. Please refer to ‘Rule Editor’ on page 42 for further information on how to create rules in the two different modes.

Antispam

Open the Security Suite application and select Antispam from the left-hand side menu. Please refer to ‘Getting started’ on page 15 on how to open the application and to ‘Antispam’ on page 8 for a description of the application purpose and function.

This application protects you against unsolicited commercial and bulk emails (spam) that may contain threats to your system. This chapter is about how you customize the spam filter, create block and allow lists, manage filtered emails, view filtered emails, update intervals, and spam management options.

Spam statistics

The graphical view displays the amount of captured spam and phishing attempts that the application has blocked per day over the past two weeks.

Customize settings

Click this option to edit the default values. Please refer to Antispam ‘Settings’ on page 53. For general information on selecting recommended versus custom settings, please refer to ‘Application settings’ on page 17.

Block/Allow

Please refer to ‘Block/Allow’ on page 52.

Settings

Please refer to ‘Settings’ on page 53.

View filtered email messages

See the next section.

View filtered email messages

From your email application, for example Microsoft Office Outlook, Windows Outlook Express or Windows Mail, you can view the email messages filtered as spam. The NAS Spam folder is created when you install the Norman Security Suite, or when you install one of the mentioned email clients and Norman Security Suite is already installed on your computer.

Open your favorite email client and locate the NAS Spam folder and the Antispam application menu.

● Report Spam

◦ Reports emails as spam. Select an email message from the Inbox and click Report Spam from the toolbar. The message is moved to the NAS Spam folder.

● Not Spam

◦ Marks emails as not being spam. Select one or more emails from the NAS Spam folder and click Not Spam.

● Block/Allow

◦ Block or allow emails. Selecting this option opens the Antispam application. Enter one or more email addresses to Block or Allow.

● Remove Spam

◦ Clears the complete content of the NAS Spam folder. To delete one message at a time right-click an entry and select Delete from the pop-up menu.

● Scan Folder

◦ Scans incoming emails for spam. Select one or more folders and click Scan Folder to start a manual scan. This option toggles between Scan Folder and Stop Scan. Click Stop Scan to stop scanning for spam messages.

Please refer to ‘Spam management’ on page 53 to specify if you want to delete spam automatically.


Block/Allow

You can manage individual email addresses using the Block/Allow list to inform the application about addresses that always should be allowed or denied. The antispam filtering method will never overrule your manual specification of an address (Block or Allow). You can manually enter email addresses that you wish to block or allow. Enter an email address and specify if it should be blocked or allowed by selecting the relevant radio button.

Block or allow email addresses

Email addresses appear in a list in the lower part of the dialog. When you enter a new address, the Block option is the default, to prevent an unintentional approval of an address that should be blocked. Alternatively, select Allow to accept email from this sender. You can at any time edit details in the list of email addresses.

● Enter one or more email addresses, separated by commas, or enter an entire domain. Examples:

◦ [email protected]

◦ [email protected], [email protected]

◦ phoneysales.com

● Select Allow or Block (default option).

● Click Add to save new addresses or domains to the list.

NOTE: To avoid spoofed emails, do not add your own domain.

You can always change from Allow to Block or the other way round at a later point. Click Save to confirm any changes.

Remove selected

Select one or more addresses and click Remove selected.


Settings

Just as antivirus applications employ virus definition files to detect malware, antispam solutions use definition files to filter out unsolicited emails. While virus definition files accommodate virus signatures that decide whether a file is infected or not, antispam definitions use a set of criteria to figure out the likelihood of an email being spam. The spam definitions base the analysis of an email on language, pictures, colors, links included in the mail, as well as the sender’s email and IP address. Still, it is not always possible to conclude with absolute certainty if an email is spam or not.

Configure filter strictness

If you use the slider and set the strictness level to low (0), the antispam application will examine emails with maximum suspicion and consequently tag fewer emails as spam. Similarly, if the slider is positioned at high (100), a laxer interpretation of the spam criteria results in a lower spam score.

When there is little or no doubt that a mail is spam, for example when the sender is on a blacklist or in an online database, it will be stopped regardless of the slider bar’s position. We consider the default setting medium (50) as appropriate for filtering out unwanted emails.

The antispam filtering method will never overrule your manual approval of an email address.

Update spam definitions

Select the frequency for the spam definition update: every five minutes, once a day, or once a week. The recommended setting is Every five minutes.

Spam management

This option allows you to select when to delete emails that the spam filter has stopped, depending on age or amount. The default settings are Delete all spam after [10] days, and Delete spam if total exceeds [500] filtered email messages.

Remember to click Save to confirm any changes.


Parental Control

Open the Security Suite application and select Parental Control from the left-hand side menu. Please refer to ‘Getting started’ on page 15 on how to open the application and to ‘Parental Control’ on page 8 for a description of the application purpose and function.

Initial access

Before you use this application for the first time, the information message ‘Administrator not created!’ appears on the Home page, and a yellow warning triangle appears on the application’s menu entry.

1. Create administrator

You must create an administrator user before you can access this application. Enter a password and confirm it.

NOTE: The administrator password cannot be reset. Make sure you choose a password that you can easily remember. The password is case sensitive.

2. Select default profile

The default fallback profile should be the lowest rated user profile that you want to establish. That is, if you are going to create a Child profile, then the default fallback profile should also be Child. Only the administrator should be able to edit users and configure their settings, such as scheduling Internet access time and creating block and allow lists. The administrator would normally be a parent.

3. Click Save to continue.

These settings can be changed later from Parental Control > Settings.

4. Administrator login

When an administrator user is created the login page appears. Log in with the administrator’s username and password to access the application.

System tray icon

A system tray icon indicates that the Parental Control is installed. Moving the mouse cursor over the icon displays a status text, for example ‘Parental Control: ‘Administrator’ is logged in’.


This application blocks access to certain categories of web sites, and it restricts and schedules Internet access for users. This chapter is about creating, configuring and managing users, as well as viewing the log and scheduling Internet access. Log in with the administrator’s username and password to access the application.

Settings

Click this option to edit the default values. Please refer to Parental Control ‘Settings’ on page 59.

Statistics

From the main page you can follow up on the statistics for blocked and scanned elements.

User Configuration

Please refer to ‘User Configuration’ on page 56.

Log Viewer

Please refer to ‘Log Viewer’ on page 59.


User Configuration

Create users and assign user profiles. Existing users are listed in this dialog with user name and the profile they have been assigned.

There are three user profiles, Adult, Teenager, and Child. The latter is completely restrictive and only allows access to web sites manually entered by the administrator in the allow list.

● Adult: No restrictions.

● Teenager: Categories filter restriction.

● Child: Completely restricted.

Categories

Categories are based on a wide range of terms and expressions that enable the application to identify a web page as predominately sex oriented, for example. The terms are not accessible for viewing or editing. Parental control applies a technique that requires the presence of a set of conditions for a web page to be classified as belonging to one of the categories. For the Teenager profile there are four available categories that will block access to web pages with contents of the types Sex, Gambling, Weapons and Drugs. All categories are by default on, but the administrator can deselect the one(s) that should be allowed.

Block/Allow list

For the Child profile users an allow list must exist, since only the web addresses on this list are possible to view. For the Teenager profile users it is optional to create both a block list and an allow list. See sections ‘Default Child profile’ on page 57 and ‘Default Teenager profile’ on page 57.

NOTE: Both the allow list and the block list affect all users within the group.


Web address format

URL (Uniform Resource Locator) is the technical term for a web address. Wildcards (*/?) are not supported in the web addresses. Wildcards are replacements for unknown characters. Valid formats are:

● http://www.newspaper.com

● www.newspaper.com

● newspaper.com

A given web address allows you to visit sub domain levels, but never to visit the parent level. For example, granting access to www.newspaper.com/kidsstuff does not permit access to the parent level www.newspaper.com. However, if newspaper.com is added, all sub domain levels of this web address are allowed, like news.newspaper.com, cartoon.newspaper.com, etc.

NOTE: If a user follows a link from an allowed page, it is permitted regardless of where the link is leading. However, it is not possible to open yet another page unless the referrer is explicitly allowed.
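The matching rules in this section can be written down as a small check. This is an added example, not Norman's implementation: the function names are hypothetical, the host and path comparison is an assumed reading of the rules above, and the non-newspaper.com addresses are constructed.

```python
from urllib.parse import urlsplit


def _host_and_path(address):
    """Return (lower-case host, list of path segments) for a web address."""
    address = address.strip()
    if "://" not in address:
        address = "http://" + address  # entries may omit the scheme
    parts = urlsplit(address)
    # .hostname drops any "user@" prefix and port, so the real host is compared
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError("no host name in %r" % address)
    return host, [seg for seg in parts.path.split("/") if seg]


def parse_entry(entry):
    """Parse one allow-list entry; wildcards are rejected, as in the guide."""
    if "*" in entry or "?" in entry:
        raise ValueError("wildcards are not supported: %r" % entry)
    return _host_and_path(entry)


def is_valid_entry(entry):
    """True if the entry is in one of the accepted formats."""
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


def _covered(address, entries):
    """True if an entry's host is the address's host or a parent domain of it,
    and the entry's path is a prefix of the address's path (whole segments)."""
    try:
        host, path = _host_and_path(address)
    except ValueError:
        return False  # fail closed on anything that cannot be parsed
    for e_host, e_path in entries:
        # the leading dot keeps "evilnewspaper.com" from matching "newspaper.com"
        same_or_sub = host == e_host or host.endswith("." + e_host)
        if same_or_sub and path[:len(e_path)] == e_path:
            return True
    return False


def is_request_allowed(url, allowlist, referrer=None):
    """Allow a page if it is covered by the list, or if it was reached by a
    link from a covered page (the one-hop rule in the NOTE above)."""
    entries = [parse_entry(e) for e in allowlist]
    if _covered(url, entries):
        return True
    return referrer is not None and _covered(referrer, entries)
```

The one-hop referrer rule means a single off-list page is reachable from any allowed page that links to it, so it is worth reviewing what the allowed pages link to.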

Default profile settings

The Adult profile has no restrictions. The profiles Child and Teenager are subject to restrictions, and thus can be configured. Actually, if a user assigned to the Child profile is to access the Internet at all, a web page must be specified. The profile settings apply to all members of the user profile. To configure a separate member, please refer to ‘Create user’ on page 58.

Default Child profile

Remember that the changes you make to this default profile affect all members of the profile, not only the individual user. Because all web pages for the Child profile are blocked unless they are explicitly permitted, there is no blocklist or category for this profile user.

● Add

Enter one or more web addresses, separated with a comma, in the Add address to list field. Click Add to save.

● Remove

Select one or more addresses and click Remove selected.

Default Teenager profile

Remember that the changes you make to this default profile affect all members of the profile, not only the individual user. For this profile web pages are restricted by Categories and the Block/Allow list.

● Categories

All categories are by default selected, i.e. web pages with a certain content are blocked for the Teenager profile according to these settings. The categories are Sex, Gambling, Weapons and Drugs. The administrator can remove the check mark to allow web pages in that category. Alternatively, add one or more web pages to the Allow list. Click Save to confirm any changes.

● Block/Allow list

Web pages for the Teenager profile are blocked according to settings in Categories. You can add one or more web pages to grant access to otherwise blocked pages.

◦ Add

Enter one or more web addresses, separated with a comma, in the Add address to list field. Select Block or Allow. Click Add to save.

◦ Remove

Select one or more addresses and click Remove selected.


Create user

Select Create user from Parental Control > User configuration.

1. Type in a name for the new user and enter a password that you must confirm.

2. Select default profile to base the new user on.

◦ When you assign a profile to a user you decide what kind of web pages the user can view:

• Adult

No restrictions. The user can access any web site.

• Teenager

In principle no restrictions. However, the default Categories settings will block web pages with undesired topics or content.

• Child

Only allowed to view the web pages that the administrator enters manually to the Allowlist.

3. Click Save to confirm.

◦ Before you click Save to create the new user, you should check that the profile selected is correct for this user.

The new user is added to the list of users. Click on a username to configure that user.

Change password

Change the name and password for the selected user.

Categories

This selection only applies to the Teenager profile user. To allow one or more categories for a Teenager profile user, clear the relevant categories check boxes. For further information, please refer to the section ‘Categories’ on page 56 and ‘Default Teenager profile’ on page 57.

Block/Allow list

This selection only applies to the Teenager profile user. From here you can allow or block web addresses for the user. For further information, please refer to the sections ‘Block/Allow list’ on page 56 and ‘Default Teenager profile’ on page 57.

Allowlist

This selection applies to the Child profile user. From here you can allow web addresses for the user. Please also refer to the section ‘Default Child profile’ on page 57.

Scheduler

The administrator can decide what time of the day for each day in the week that a user can surf on the Internet. The default setting is that all periods are allowed (green).

1. To block Internet access for a specific time, place the cursor in the desired period and click on it.

2. Click and drag the cursor upwards/downwards or sideways right/left in one whole movement to extend the period you wish to deny. Likewise, click and drag to change from Deny (gray) to Allow (green).

3. Click Save to confirm changes.


Log Viewer

The tool automatically logs blocked web pages for Teenager and Child profile users. The logs do not show which pages a user has visited.

The log can show blocked pages up to one week old. There is one log per day of the week, and you can only select a weekday, not a date. The application will suggest the current weekday as default.

The columns in the log show date, time, user, reason for blocking and the blocked URL.

If the User column is blank, the system has been in fallback mode with no logged on user.

Settings

You can prevent an unattended machine with a logged-on adult user from being accessed by a child user (for example, if you forget to log off or need to leave the computer all of a sudden). The default fallback profile is activated after the specified idle time.

Idle time before changing to default profile

Idle time is a period where there is no activity on the system, i.e. no keyboard strokes and no mouse movements.

● From the drop-down menu, select when the application should fall back to the default profile when the computer is idle.

● Click Save to confirm.

Set the default fallback profile

You can select Teenager or Child as the profile the application should fall back to after the specified idle period.

● Child

All web pages are blocked for the Child profile, except those you enter manually to the Allowlist. This means that until you have added a web page for the Child user, no Internet access is available.

● Teenager

Web pages with a certain content are blocked for the Teenager profile according to settings in Categories (i.e. Sex, Gambling, Weapons, and Drugs).

● Click Save to confirm.

Change administrator password

The administrator password cannot be reset, but you can change it provided you know the old one. If you change the administrator password, you may want to write it down and keep it in a safe place.

NOTE: Please be aware that the password is case sensitive.


Privacy Tools

This program is included in the Security Suite PRO version only.

Open the Security Suite application and select Privacy Tools from the left-hand side menu. Please refer to ‘Getting started’ on page 15 on how to open the application and to ‘Privacy Tools’ on page 9 for a description of the application’s purpose and how it works.

With this application you can perform a secure deletion of specific files. The contents of the files are permanently erased and cannot be recovered. You can also configure the application to automatically delete various log files containing personal data, cookies, and browser history. Deleting history logs does not affect the application’s settings and bookmarks.

Delete a user’s program history

The username list displays all registered users of this computer and lists programs that you can delete history logs from.

● Select one or more usernames and programs to delete history for.

● Click the Delete history now button to confirm.

Delete history manually or automatically

You can delete the history logs manually, or you can configure the application to delete them automatically at specified intervals.

● Manually

History logs will only be deleted when you click Delete history now.

● Every 10 minutes or Every hour

History logs will automatically be deleted at the selected frequency.

● Click Save to confirm.

NOTE: If you select to delete history Manually, the logs will only be cleared if you click Delete history now. They will NOT be deleted automatically.


Secure Delete

With this application you can perform a secure deletion of specific files. The contents of the files are permanently erased and cannot be recovered.

You can start the secure delete process for a file simply by right-clicking it. You will be prompted to confirm the deletion. The deletion progress is displayed, and a summary appears when the deletion process is complete. This is how you securely delete files:

◦ Select one or more files that you want to delete.

◦ Right-click the file(s).

◦ Select Norman Secure Delete from the pop-up menu.

◦ Click OK to confirm.

◦ Click OK to close the summary dialog.

The contents of the files are now permanently erased from your computer.

NOTE: Deleting a file using the secure delete method is much more time-consuming than common file deletion. This is because each part of the file is overwritten multiple times to prevent any traces of the original content from being recovered.

If you stop the delete process once it has started, the file will still be destroyed, but not as securely as intended.

Some files may not be deleted. This is either because the user has no write permission to the files, or because the file is protected by the operating system and cannot be deleted.


Intrusion Guard

This program is included in the Security Suite PRO version only.

Open the Security Suite application and select Intrusion Guard from the left-hand side menu. Please refer to ‘Getting started’ on page 15 on how to open the application and ‘Intrusion Guard’ on page 9 for a description of the application purpose and function.

This application is a host-based intrusion prevention system (HIPS) intended for experienced users. Inexperienced users should keep the recommended configuration settings unchanged, which primarily allow and log events. High risk events that are rarely used by legitimate applications are blocked by default.

Customize settings

Click this option to edit the default values. Please refer to ‘Settings’ on page 62. For general information on selecting recommended versus custom settings, please refer to ‘Application settings’ on page 17. We recommend that only advanced users customize these settings (i.e. change the default settings).

Advanced System Reporter

This is a tool intended for experienced users. It can detect unknown spyware and rootkits by searching your computer for abnormalities. Please refer to ‘Appendix B’ on page 75.

Settings

From this dialog you can view and edit the application’s configuration. Select Customize settings at the topmost part of the dialog to change the defaults, or select Recommended settings to switch back to the default configuration.

NOTE: We recommend that only advanced users change the default settings.

Drivers & Memory

Drivers are computer programs that operate on a low level; the ‘kernel level’. Drivers are typically written to access and control hardware, such as your display monitor, keyboard, printer and network card. In order to access hardware connected to your computer, the drivers need full system access. For this reason the same techniques are used when writing malicious applications. You can modify the driver installation configuration to control which applications should be allowed to install drivers on your computer.


There are two malicious techniques to achieve the same privileges as drivers get. Both of these techniques circumvent the security mechanisms of the operating system. It is highly recommended to keep the settings for both as Deny.

● Prompt

You will be asked each time an attempt is made.

● Allow

Attempts will only be logged.

● Deny

No application, legitimate or malicious, will be able to install kernel level drivers.


Processes

When an application, legitimate or malicious, is installed on your computer, it will most often want to start automatically each time your computer is started. A program that wants to start automatically can instruct the operating system to auto-start itself with the same privileges as the current user, or it can install a background service that will run with elevated privileges. The intrusion prevention application can stop attempts of this nature.

● Prompt

You will be asked each time an attempt is made.

● Deny

No application, legitimate or malicious, will be able to install itself to automatically start when the computer is started.

A program can also inject code into other processes running on your machine, and it can hijack processes by other means. This is common behavior for malicious applications, but some legitimate programs also use such techniques, for example to extend the user’s desktop, or to offer other advanced features to the operating system or third party applications. You can configure the application to deny or prompt each time an attempt like this is made.

Trusted processes

You can edit a list of trusted applications to include legitimate applications with a similar behavior. To do so, click Trusted processes under the Process Protection part in this dialog.


User-defined trusted applications will appear with a check box. You can select one or more user-defined trusted applications and click Delete selected to delete them.

Note that predefined trusted applications appear in gray and cannot be removed. This list is shared and therefore identical to the Trusted Applications list in the Personal Firewall’s Rule Editor. See ‘Rule Editor’ on page 42.

For further information on hidden processes, please refer to ‘Operating System Internals’ on page 76.


Network

By adding filters to network modules in your operating system, malicious applications can steal personal data, such as social security numbers, credit card details, and passwords. Adware can modify network data sent through those filters. It can change results in search engines and show unwanted advertisement on your desktop and embedded in web pages you visit.

A BHO (Browser Helper Object) is an extension to Microsoft’s Internet Explorer. This and other Internet Explorer plug-ins, like toolbars, have full control over network traffic to and from Internet Explorer, and they can interact with the user interface.

An LSP (Layered Service Provider) is a generic filter in the network stack in Windows. It has full control over all network traffic on your computer.

When you access a web site through its name (web address) it is translated into an IP address. Then the data is sent to and from the remote server. Your computer will first look for the name in your hosts file. This means that hosts file entries override any IP address that the name resolves to. Malicious applications may change your hosts file and thus redirect the network traffic to a malicious web site (so-called pharming).

● Prompt

You will be asked each time an event occurs.

● Deny

Stops all attempts to modify your system and hosts file and to install a BHO or an LSP.
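Because hosts file entries take precedence over normal name resolution, a pharming change shows up as a name pinned to a non-loopback address. The following read-only audit is an added example, not part of the Norman product; the sample file contents, names and addresses are constructed, and on Windows the file normally lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample contents, not taken from a real machine.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example     # sinkholed on purpose
203.0.113.10    www.bank.example login.bank.example
192.168.1.20    nas.home.example  # local file server
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in a hosts file.

    Comments and blank lines are ignored; a line may map one address to
    several names; lines whose first field is not an IP address are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, the resolver would ignore it too
        for name in fields[1:]:
            yield line_no, address, name.lower()


def redirected_names(text, approved=()):
    """Return (line_no, address, name) for names pinned to a real address.

    Loopback and 0.0.0.0 entries only block or localise a name, so they are
    not reported. Names in `approved` (entries you added yourself) are
    skipped; everything else deserves a look.
    """
    approved = {name.lower() for name in approved}
    findings = []
    for line_no, address, name in parse_hosts(text):
        if address.is_loopback or address.is_unspecified:
            continue
        if name in approved:
            continue
        findings.append((line_no, str(address), name))
    return findings


if __name__ == "__main__":
    for line_no, address, name in redirected_names(
            SAMPLE_HOSTS, approved=["nas.home.example"]):
        print("line %d: %s is forced to %s" % (line_no, name, address))
```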


Install and Update

Open the Security Suite application and select Install and Update from the left-hand side menu. Please refer to ‘Getting started’ on page 15 on how to open the application.

The Install and Update menu displays, among other options, a list of all available products in the Security Suite. From this menu you can add or remove products, initiate updates, activate the License Wizard and change language of the program installation.

NOTE: Changes to this page may require a system restart before taking effect.

Customize settings

Click this option to edit the default values. Please refer to ‘Settings’ on page 69. For general information on selecting recommended versus custom settings, please refer to ‘Application settings’ on page 17.

Licensed products

The list of licensed products displays what products are installed, their status and when the license expires. From this page you can add or remove products or components in the list. If you clear a check box, the corresponding product will be uninstalled altogether. If and when new products or components are added they are downloaded automatically. All selected products are automatically updated through the Internet Update function.

NOTE: If you clear a product check box, the deselected product will be uninstalled and hence never updated.


Update all products

Frequent updates are provided for the virus definitions and the program files. Update is done via the Internet or the internal network. Once Internet Update has downloaded a package, the actual update will be installed automatically. After an update, the program may prompt you to restart your computer.

● Click Update all products once to update the entirety of this program.

Enable/Disable automatic update

Automatic updates are by default on. This means the product installations are updated whenever there are components or definition files to update them with. To change the automatic update settings, please refer to section Settings > Select update method.

NOTE: Antivirus software must be frequently updated to efficiently discover and remove malware.

Product language

You can change the language you selected during installation. Select the preferred language from the Product language drop-down menu and click Save. The change will take effect after the next update.

View or change product key

If you select this option, a license wizard dialogue appears. Enter your valid authentication key (product key) and click Next to view your license information. From the next dialog you can view information about installed products and license expiry dates. A valid key is necessary to update the installation.


Settings

Select update method

This option allows you to choose between manual and automatic updating. We recommend the automatic update method, as it is of the utmost importance to keep the software updated at all times.

Update manually

Select this option if you prefer to start Internet Update manually from the Install and Update main page (Update all products). You can also select Internet Update from the system tray menu.

NOTE: The option Update manually requires a forced start of the Internet Update function. Selecting this option means the system is NOT updated automatically. It is highly recommended to update the software frequently. Updating manually is not a recommended method for everyday use, as executing the update may easily be forgotten.

Automatically at set intervals

Select this option to make the program take care of downloading and updating automatically. Select a time interval in the list next to Automatically at every to set the desired interval. This option requires a permanent connection to the Internet.

NOTE: The option Automatically at set intervals means the system is updated automatically. This is the recommended update method. If Internet Update has not been run for 24 hours, the program automatically checks for updates at start-up.

Wait for dial-up connection

If you use a modem to connect to the Internet, select this option for daily checks for updates at the product servers. You just access the Internet like you normally do, and the program will figure out if updated files are available. If you connect to the Internet several times a day, the update mechanism checks for updates the first time you connect only. If you connect to the Internet once a week, for example, the program will check once as soon as you’re connected.


Proxy settings

A proxy server is an intermediary computer residing between the user’s computer and the Internet. It can be used to log Internet usage and block access to web sites. The firewall at the proxy server may also be used to block access to certain web sites or web pages.

If a firewall or proxy server protects your computer, you must enter the required proxy information.

● Go to Install and Update > Settings > Proxy settings

● Select Use proxy server and enter a proxy address and port.

● Select Log on to proxy server and enter username, password and domain (for Windows NT Challenge/Responses), if applicable.

◦ Windows Challenge/Response Authentication is the format used for connecting to either Windows 2000 Server or Exchange.

◦ The user account has the following format: [NT/2000domainname]\[accountname]


Support Center

Open the Security Suite application and select Support Center from the left-hand side menu. Please refer to ‘Getting started’ on page 15 on how to open the application.

The Support Center offers information on where to obtain assistance beyond what the product documentation and online help can supply. It also contains an automatic repair function that may be of help if you experience problems with the installed software.

Help and troubleshooting

Clicking the Help and troubleshooting link brings you to our website, which offers a range of useful resources that in most cases will help you out. On this web site you’ll find:

● Support

● Security center

● Support Forum

If searching these resources does not solve the problem, please contact your local dealer or us.

Contact information
This page provides phone numbers and addresses so you can get in touch with our local office/representative. This information is also available on the last page of this document.

Automatic repair
If you experience any problems with your installed version of the program, you could always try to run an automatic repair before you contact support personnel.

When you click Automatic repair, a process is started in the background which checks your installation and if necessary updates files or components. You’ll see the cog symbol in the tray menu while automatic repair is running. See ‘Tray icons’ on page 17 for an explanation of icons that affect the program.

If you don’t have access to a graphical user interface, you can run Delnvc5.exe from [program root folder]\npm\bin and choose the Repair option.

Messaging Log Viewer
This is a feature that monitors this application and displays various message information, like alarms, warnings and errors, including type, originator, time and date, application, and details.

Uninstalling
To uninstall the program, two methods are available. One is to use the Windows Add or Remove programs feature. The other is to use the program’s uninstall application.

1. From Windows operating system:
  ◦ Select Start > Control Panel > Add or Remove programs.
    • On Vista you select Programs and Features.
  ◦ Scroll to find and select this program.
  ◦ Select the Remove option.
    • When the program is removed, restart the computer.

2. Using the uninstall application:
  ◦ Select Start > Run and enter the location of Delnvc5.exe
    • The default location is [program root folder]\npm\bin\Delnvc5.exe.
  ◦ Select the Remove option.
    • When prompted, restart the computer.

Appendix A

What is a Sandbox?
Sandbox is the term that best describes the technique that is used to check if a file is infected by an unknown virus. The name is not randomly picked, because the method allows untrusted, possibly viral code to play around on the computer – not in the real computer, but in a simulated and restricted area within the computer. The Sandbox is equipped with everything a virus expects to find in a real computer. This is a playground where it is safe to let a virus replicate, but where every step is carefully monitored and logged. The virus exposes itself in the Sandbox, and because its actions have been recorded, the cure for this new perpetrator can be generated automatically.

Today, a new email worm can infect tens of thousands of workstations in a matter of seconds. The Sandbox functionality can prove to be a valuable tool for trapping new destructive code.

Appendix B

Advanced System Reporter
This is a tool intended for experienced users. It can detect unknown spyware and rootkits by searching your computer for abnormalities. Suspicious entries such as hidden processes, unknown auto-start processes, unknown system filters, etc., may unveil malicious applications.

Operating System Internals
View and edit details for hidden processes and drivers, registry entries, installed filters, and injected DLLs.

Select Internet Explorer View and edit details for settings, plug-ins, and cookies.

Processes
View and edit process details for auto-start, services and other processes.

Even though the experienced user will find these options self-explanatory, clicking the What is ...? link at the bottom area of the Advanced System Reporter dialog will provide more information on various subjects.

Operating System Internals

Hidden Processes
A hidden process is not visible in usermode, although it is currently running on the computer. A process that is hidden from usermode is hidden by a rootkit. Most often it is a driver that hides a malicious usermode process, making it invisible to standard antivirus software.

If you discover hidden processes on your computer, it is most likely that one or more suspicious entries are located under the category Installed Filters. These entries are the rootkit itself.

Registry Entries
The registry is interpreted differently in usermode and kernel mode. This means that some techniques hide registry entries from usermode antivirus applications. Any registry entry that matches such a technique is considered suspicious.

Installed Filters
A filter is a driver, or a DLL that can plug into an application, that can modify data before it reaches an application.

● LSP (Layered Service Provider)
An LSP is a network filter that is loaded into all applications when they load WinSock, which is the common method for applications to access the network. Such network filters can modify and block incoming and outgoing network traffic on your computer. This technology is often used by personal firewalls and parental control products.
Malicious network filters can modify search results, spy on your network traffic, display unwanted ads, and redirect you to malicious sites.

● SSDT (System Service Dispatch Table)
This special driver modifies the SSDT to filter operations performed by all applications, like opening or reading a file, or starting a new application. This technique is commonly used by security vendors to prevent malicious applications from making harmful changes to your computer.
However, a malicious SSDT driver can gain powerful rootkit capabilities. If you have an unknown SSDT driver on your machine and you see one or more hidden processes, this indicates a high probability of a rootkit presence.

Injected DLLs
A DLL (Dynamic Link Library) is a program module that is stored in a separate file in order to share it between different applications or to provide extensions to existing applications. A DLL is loaded by the associated application when it is needed.

It is possible to force an application to load a DLL from a third party. This is done even if the vendor of the application did not intend for this to happen and does not explicitly load the DLL. This technique is widely used for malware, because the code module inside the DLL can get complete control over the application. It can also perform operations on behalf of the application, tricking the operating system and security software into believing that the application performed the operation.

There are a few legitimate uses for injecting DLLs into other applications, for example debugging an application when it has crashed. Generally speaking, however, an application that injects DLLs into other applications is either poorly designed or malicious.

You should take special care if you find injected DLLs on your system. Any DLL that is not from a vendor that is completely trusted should be removed. Even software that you have downloaded and installed from the Internet can in fact be a trojan.

Hidden Drivers
A hidden driver is not visible in usermode, although it is currently running on the computer. A driver that is hidden from usermode has rootkit functionality. The driver hides its files on the hard disk, its registry entries, or its memory space.

Internet Explorer

Settings
View and edit the settings for Microsoft Internet Explorer.

Plug-ins
A browser plug-in offers additional features like toolbars and search enhancements, but it can also offer unwanted ads and even spy on your surfing habits and passwords.

● Browser Helper Object
A Browser Helper Object (BHO) is an Internet Explorer plug-in that modifies incoming and outgoing traffic from your browser. This type of plug-in is very commonly used by spyware applications, because it easily captures all data to and from your browser.

● Toolbar
A Toolbar is an Internet Explorer plug-in that creates new entries in the browser toolbar pane. Adware applications use this type of plug-in to display ads.

● URL Search Hooks
A Search Hook redirects typed-in web addresses and assists in resolving incorrect or incomplete addresses. For example, ourweb.com will be translated by default to http://www.ourweb.com. Adware applications use this type of plug-in to redirect you to other websites.

● Other
Other plug-ins can add menu options or user panels to the browser. Adware applications use this type of plug-in to display ads.

NOTE: Technically, all plug-ins are able to modify traffic and spy on user data, even though the specific plug-in is not intended for that purpose.

Cookies
A cookie is a small file that is placed in the temporary internet files folder when you visit web pages.

● Misconceptions
A common misconception about cookies is that they are malicious, generate pop-ups and unwanted ads, and can harm your computer. Indeed some anti-spyware vendors list them as spyware and even generate alarms on some cookies. This is especially the case for so-called ‘tracking cookies’. Cookies are NOT DANGEROUS and cannot harm your computer. Thus, the cookies displayed in this dialog are of no threat. However, if you like you can remove them.

● Use of cookies
Web servers use cookies to distinguish between users and to keep the state. If you delete a cookie you lose your user preferences, shopping carts, and the system remembering your login credentials - even across multiple visits. You will, for example, be required to log in again.

● Tracking cookies
Some websites use third-party cookies to track your site movements. Some feel that this is invading their privacy. The web servers you visit can also perform cross-site communication directly between servers, and therefore do not need to rely on tracking cookies.
Our tool does not distinguish between tracking cookies and normal cookies, since the only difference is that the tracking cookie is maintained by a third party. Neither is more or less dangerous from a malware point of view.

Processes

Auto Start
When an application, legitimate or malicious, is installed on your computer, it will most often want to start automatically each time your computer is started. A program that wants to start automatically can instruct the operating system to auto-start itself with the same privileges as the current user, or it can install a background service that will run with elevated privileges. The intrusion prevention application can stop attempts of this nature.

NOTE: The auto-start feature does not cover the auto-run feature for CDs or USB sticks.

Services
A service is a background process that is started each time the computer is started. This is normal behavior.

Appendix C

Advanced Firewall

Advanced Rule Editor Settings
Some of the fields in this dialog are rather advanced. You should therefore be careful changing settings that may have unpredictable effects.

At the lower-right corner of the Rule Editor dialog there is an option to select user mode. This option toggles between Switch to wizard mode and Switch to advanced mode.

Highlight a rule and click Edit to change it. You can also right-click a rule to view the shortcut pop-up menu and select Edit from there.

Description
This is an editable field where you can enter your own description of the rule. The description appears in the Rule Editor’s main view and in the logs.

Applies to
From the drop-down menu you can choose between the following options:

● Application

● Trusted Vendor

● System *

● DLLs (by RunDll32) *

● Services (svchost.exe) *

* System, DLLs and Services are only available in Advanced Mode. Select mode from Settings > Configure Personal Firewall > Firewall Operation.

You can either type in the name or click Browse to look for the relevant file. If you select Trusted Vendor and browse to select a file that is digitally signed and with a valid certificate, the name of signer (for example Microsoft Corporation) will automatically appear in the file name field.

Microsoft Corporation and trusted partners (like VeriSign) approve applications and issue digital signatures and valid certificates. If a signature or certificate is misused or used with malicious intent, it will immediately be withdrawn. Therefore, applications that are approved are most likely applications that you can trust.

In addition to typing the full path the following variables are supported:

%NORMANROOT% is resolved to the root folder of this program or any other path you have installed the program to using NrmQueryNormanPath(NPATH_ROOT).

%NORMANBIN% is resolved to [program root folder]\nvc\bin or any other path you have installed the program to using NrmQueryNormanPath(NPATH_BIN).

%NORMANNVCBIN% is resolved to [program root folder]\nvc\bin.

%NORMANNPFBIN% is resolved to [program root folder]\npf\bin.

All environment variables can also be used, depending on what is defined on your machine. For instance, %WINDIR% is typically resolved to C:\windows or C:\winnt, and %PROGRAMFILES% is typically resolved to C:\Program Files or a name that corresponds with the installed language version of Windows.

NOTE: No sanity checks are made for this field. If you write a path with forward instead of back slashes, or have a spelling error in your path, the rule will not work.
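Because the field is not checked, a rule path can be linted before it is typed in. The following is an added example, not part of the product or of the original guide; the function name, the variable table and the C:\ExampleRoot placeholder are assumptions made for illustration.

```python
import ntpath
import re

VARIABLE = re.compile(r"%([^%\\/]+)%")


def check_rule_path(path, variables):
    """Expand %VAR% references and list the reasons a rule path would fail.

    `variables` maps upper-case names to folders. Returns (expanded, problems);
    an empty problem list means the path is well formed, not that the file exists.
    """
    problems = []
    if "/" in path:
        problems.append("forward slash used instead of backslash")

    def expand(match):
        name = match.group(1).upper()   # Windows variable names ignore case
        if name not in variables:
            problems.append("undefined variable %" + name + "%")
            return match.group(0)       # leave the reference visible
        return variables[name]

    expanded = VARIABLE.sub(expand, path)
    if not ntpath.isabs(expanded):
        problems.append("not a full path after expansion")
    return expanded, problems


# Constructed values; on a real machine take them from the environment and
# from the product's actual install folder.
VARIABLES = {
    "WINDIR": r"C:\windows",
    "PROGRAMFILES": r"C:\Program Files",
    "NORMANROOT": r"C:\ExampleRoot",    # placeholder for [program root folder]
}

if __name__ == "__main__":
    for sample in (r"%ProgramFiles%\Example\app.exe",
                   "%WINDIR%/system32/svchost.exe",
                   r"%NORMANBINN%\nvc.exe"):
        print(sample, "->", check_rule_path(sample, VARIABLES))
```

A misspelled variable name is reported twice over: once as undefined, and once because the unexpanded text is no longer a full path.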

Action
This field mainly consists of a drop-down list with the options Allow, Deny and Listen only. If a pop-up has created a rule for listen, the action field will be set to Listen only since the rule only applies to server privileges. You can also choose if traffic honoured by this rule should be logged or not, and disable the rule by deselecting the Rule is active check box.

Allow to access the Internet and/or network through other applications?
To grant such permission for an application select this option and click Show List to configure. Enter the name of the other application in the input field, or click Browse to search for the relevant program file. Click Add to include an application in the list.

This option is only available if Trusted Vendor is selected on the Applies to: drop-down menu.

Disable Deep Process Inspection
Deep Process Inspection is an advanced mechanism to locate the code inside an executable that is initiating a network access attempt. The code is mapped to modules (DLLs or EXE files). If you enable DPI for svchost.exe then rules will be honored per individual service running in the context of Microsoft’s generic host process - giving the user more control over the system.

Details

Protocol
There are three protocol options: TCP, UDP and Custom. It is possible to create a rule for both UDP and TCP, but a rule where Custom is selected will have the other check boxes disabled. If Custom is selected, the listen mode (Grant server privileges?) is not available.

Local port/External port
From the drop-down menu you can choose between the following options:

● Selected port(s)
Enter a port number or a port range in the input field to the right. The field can contain either a single port number, or two port numbers separated by a hyphen (-). No other input is allowed, to eliminate the risk of entering too many ports.

● Group
If this option is selected, the pop-up dialog Edit Groups is displayed where you can select a group or define a new group of ports.

● Any
Allows all ports.

External address
From the drop-down menu you can choose between the following options:

● Selected address
Enter the IP address you want to use in the field to the right. Only valid IP addresses in the format xxx.xxx.xxx.xxx (where ‘x’ denotes a digit) are accepted. Asterisk (*) is accepted to substitute any field in the address, so 192.168.0.* is a valid address.

● Selected domain
Enter the domain address you want to use in the field to the right, like www.google.com. Click on Show IPs to view a dialog box with the IP addresses associated with the given domain name. You will receive a warning if you try to save a rule with a domain address that does not resolve. However, you can choose to use the domain name anyway if, for example, you are temporarily without an internet connection at the time.

● Selected subnet
Enter an IP address and a subnet mask in the two fields to the right. A typical input for allowing all IPs in a class C network is 192.186.0.1 with subnet mask 255.255.255.0, but more advanced input is also possible.

● Local Area Network
The rule will apply to all traffic to your Local Area Network (LAN). The IP address will be set to a group consisting of all subnet masks for all IP addresses you have associated with your machine. All this is performed “under the hood” and you simply select LAN as the destination IP address.

● IP Group...
If this option is selected, the pop-up dialog Edit Groups is displayed where you can select a group or define a new group of IP addresses.

● Any
Allows all IPs.

External port
See Local port above.
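The port, address and subnet inputs described under Details can be modelled in a few lines to see which connection attempts a given rule would cover. This is an added example, not code from the product or the original guide; the function names and the dictionary layout of a rule are assumptions, and how the Personal Firewall itself evaluates these fields is not documented here.

```python
import ipaddress
import re

PORT_FIELD = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?", re.ASCII)
OCTET = re.compile(r"\d{1,3}", re.ASCII)


def parse_ports(field):
    """'80' or '6000-6010' -> (low, high); any other input is rejected."""
    m = PORT_FIELD.fullmatch(field.strip())
    if not m:
        raise ValueError("not a port or hyphenated range: %r" % field)
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if not low <= high <= 65535:
        raise ValueError("reversed or out-of-range ports: %r" % field)
    return low, high


def parse_address(field):
    """'192.168.0.*' -> (192, 168, 0, None); None marks a '*' field."""
    parts = field.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated fields: %r" % field)
    pattern = []
    for part in parts:
        if part == "*":
            pattern.append(None)
        elif OCTET.fullmatch(part) and int(part) <= 255:
            pattern.append(int(part))
        else:
            raise ValueError("bad field %r in %r" % (part, field))
    return tuple(pattern)


def accepts(parser, field):
    try:
        parser(field)
    except ValueError:
        return False
    return True


def address_matches(pattern, ip):
    octets = ipaddress.IPv4Address(ip).packed  # the four raw address bytes
    return all(p is None or p == o for p, o in zip(pattern, octets))


def subnet_matches(address, mask, ip):
    # strict=False masks off host bits: 192.186.0.1/255.255.255.0 -> 192.186.0.0/24
    net = ipaddress.IPv4Network("%s/%s" % (address, mask), strict=False)
    return ipaddress.IPv4Address(ip) in net


def rule_matches(rule, protocol, ip, port):
    """True when one connection attempt falls inside the rule's Details."""
    if protocol not in rule["protocols"]:
        return False
    if rule["ports"] != "Any":
        low, high = parse_ports(rule["ports"])
        if not low <= port <= high:
            return False
    kind, value = rule["address"]
    if kind == "Selected address":
        return address_matches(parse_address(value), ip)
    if kind == "Selected subnet":
        return subnet_matches(value[0], value[1], ip)
    return kind == "Any"


# Constructed sample rule and connection attempts (not taken from the guide).
RULE = {"protocols": {"TCP"}, "ports": "8000-8010",
        "address": ("Selected address", "192.168.0.*")}
ATTEMPTS = [("TCP", "192.168.0.77", 8005),   # inside the rule
            ("TCP", "192.168.1.77", 8005),   # third field differs
            ("UDP", "192.168.0.77", 8005),   # protocol not selected
            ("TCP", "192.168.0.77", 8011)]   # one past the port range
RESULTS = [rule_matches(RULE, *attempt) for attempt in ATTEMPTS]
print(RESULTS)
```

Only the first constructed attempt matches; a comma-separated port list such as 80,443 is rejected outright, which mirrors the single-port-or-range restriction on the port field.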

Server Privileges

Grant server privileges?
This option toggles between Grant server privileges? and Also allow incoming over this protocol?. From the drop-down menu you can choose between the following options: Allow, Deny and Not set.

● Allow
Activates the Advanced Privileges button. (See the next section.)

Also allow incoming over this protocol?
When Protocol is customized, you can select to allow incoming traffic over the specified protocol.

Advanced Server Privileges
When Allow is selected from the Grant server privileges? drop-down menu, the Advanced Server Privileges button is activated. To receive data from another machine on the network, an application opens one or more ports for Listen. However, sometimes the application also opens a port for Listen in order to receive an answer from a machine it sends data to. The Personal Firewall automatically permits such answers. A mechanism in the Personal Firewall determines if an application has opened a port deliberately, or if the application receives an unsolicited request as if it were a server. The Personal Firewall then prompts the user to confirm that the application should be granted privileges as a server.

Protocol
There are two protocol options: TCP and UDP. The application is only allowed to open the selected protocol for listen, otherwise the attempt will result in a prompt.

Local port
The application is only allowed to open the specified port(s) for listen mode. Attempts to open additional ports will result in a prompt.

External address
When an application opens a port for listen, as it is allowed to by this rule, it will only receive data from the address(es) specified here. The application is unaware of this limitation and believes it can receive data from everywhere. However, the Personal Firewall will block all attempts from other machines to access this machine. The stateful inspection is not affected by this and the application will still receive responses to data it sends out. The Personal Firewall only blocks data the application receives when listening.

External port
When an application opens a port for listen, as it is allowed to by this rule, it will only receive data from the port(s) specified here. The application is unaware of this limitation and believes it can receive data from everywhere. However, the Personal Firewall will block all attempts from other machines to access this machine. The stateful inspection is not affected by this and the application will still receive responses to data it sends out. The Personal Firewall only blocks data the application receives when listening.

See the section ‘Details’ on page 81 for information on the various drop-down menu options.

Norman Offices

Denmark
Norman Data Defense Systems A/S
Blangstedgårdsvej 1, DK-5220 Odense SØ
Tel: +45 7025 3508
Fax: +45 6590 5102
Email: [email protected]
Web: www.norman.com/dk

Norman Data Defense Systems A/S
Tuborg Boulevard 12, 3. sal
DK-2900 Hellerup
Tel: +45 7025 3508
Fax: +45 6590 5102
Email: [email protected]
Web: www.norman.com/dk

Germany
Norman Data Defense Systems GmbH
Zentrale, Gladbecker Str. 3, D-40472 Düsseldorf
Tel: +49 0211 586 99-0
Fax: +49 0211 586 99-150
Email: [email protected]
Web: www.norman.com/de

Norman Data Defense Systems GmbH
Niederlassung München, Ludwigstr. 47
D-85399 Hallbergmoos
Tel: +49 0811 541 84-0
Fax: +49 0811 541 84-15
Email: [email protected]
Web: www.norman.com/de

Spain
Norman Data Defense Systems
Camino Cerro de los Gamos 1, Edif.1, 28224 Pozuelo de Alarcón MADRID
Tel: +34 917 90 11 31
Fax: +34 917 90 11 12
Email: [email protected]
Web: www.norman.com/es

France
Norman France
8 Rue de Berri, F-75008 Paris
Tel: +33 1 42 99 95 09
Fax: +33 1 42 99 95 01
Email: [email protected]
Web: www.norman.com/fr

Italy
Norman Data Defense Systems
Milano San Felice, Strada 2, Torre 1
20096 Pioltello (MI)
Tel: +39 02 7030 5479
Fax: +39 02 7030 5480
Email: [email protected]
Web: www.norman.com/it

Netherlands
Norman SHARK B.V.
Postbus 159, 2130 AD Hoofddorp
Tel: +31 23 78 90 222
Fax: +31 23 56 13 165
Email: [email protected]
Web: www.norman.com/nl

Norway
Norman ASA
Headquarter and sales Norway
Visit: Strandveien 37, Lysaker
Mail: PO Box 43, N-1324 Lysaker
Tel: +47 67 10 97 00
Fax: +47 67 58 99 40
Email: [email protected]
Web: www.norman.com/no

Sweden
Norman Data Defense Systems AB
Norrköping Science Park
S-602 86 Norrköping
Tel: +46 11 230 330
Fax: +46 11 230 349
Email: [email protected]
Web: www.norman.com/se

Switzerland
Norman Data Defense Systems AG
Münchensteinerstrasse 43
CH-4052 Basel
Tel: +41 61 317 25 25
Fax: +41 61 317 25 26
Email: [email protected]
Web: www.norman.com/ch

United Kingdom
Norman Data Defense Systems (UK) Ltd
CBXII, West Wing
382-390 Midsummer Boulevard
Central Milton Keynes, MK9 2RG
Tel2: +44 1908 847413
Fax: +44 870 1202901
Email: [email protected]
Web: www.norman.com/en-uk

United States
Norman Data Defense Systems Inc.
9302 Lee Highway, Suite 950A, Fairfax, Virginia 22031
Tel: +1 703 267-6109
Fax: +1 703 934-6368
Email: [email protected]
Web: www.norman.com/en-us

Norman ASA is a world leading company within the field of data security, internet protection and analysis tools. Through its SandBox technology Norman offers a unique and proactive protection unlike any other competitor. While focusing on its proactive antivirus technology, the company has formed alliances which enable Norman to offer a complete range of data security services.

Norman was established in 1984 and is headquartered in Norway with continental Europe, UK and US as its main markets.

Copyright © 1990-2011 Norman ASA

www.norman.com