AtGuard/NIS General Settings

Intrusion Detection

Intrusion Detection, first introduced in v.3.0, identifies port scans and can Autoblock the source IP address for 30 minutes once the scan is detected and blocked. Scans that hit the Trojan Horse Settings rules will also trigger this.
(Note: Even if you have removed the default Trojan rules and replaced them with your own final block rules as shown in Trojan Horse Settings, these will still trigger the Autoblock feature. This only applies to inbound final block rules. A custom final block rule for outbound will not trigger this feature.) Autoblock is enabled by default. When a port scan is blocked, a log entry records that the IP has been blocked, and the alert notification in the system tray icon is activated. If the Autoblock feature is disabled, Intrusion Detection still identifies and blocks the port scan, but will not Autoblock the source IP address.

If you want more detailed information about all scans and connection attempts to your system, consider disabling Autoblock: this allows all blocked communication to be logged and provides a more accurate accounting of events.

There is also an Exclusion option for IP addresses you may not want to be Autoblocked. Unsolicited traffic is still blocked by the firewall for systems entered here.

Remember to check the Autoblock list as part of any troubleshooting process.

In NIS2002 Pro v4.5, an IDS (Intrusion Detection System) was introduced that goes beyond port scan detection and uses a signature base for common Windows exploits/attacks. Indications are that this IDS will be a core component in all future releases of NIS; it is included in NIS2003 v6.0.

In the Pro version and NIS/NPF2003, there is also an Exclusion option that allows for excluding certain signatures if desired.

Symantec's Security Response site has a list and description of the Attack Signatures. The number of signatures differs between v4.5 and v6.0, with the latter having the larger database.

CrazyM

Technical Note: Autoblock
Please note that Autoblock blocks communication to and from a computer identified as an attacker, not just communication from that computer, as the manual states.
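
The Autoblock behaviour described on this page (30-minute block, exclusion list, blocking in both directions, and fewer log entries while a source is Autoblocked) can be sketched as a small model. This is an added example, not Symantec's code: the scan threshold, the time window, the class and function names, and the assumption that Autoblocked packets get no per-port log entry are all illustrative.

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 30 * 60  # Autoblock duration stated on the page
SCAN_PORTS = 4           # assumption: distinct ports that count as a scan
SCAN_WINDOW = 10         # assumption: seconds in which they must be hit

@dataclass
class Firewall:
    autoblock: bool = True
    exclusions: set = field(default_factory=set)
    blocked_until: dict = field(default_factory=dict)  # ip -> expiry time
    recent: dict = field(default_factory=dict)         # ip -> [(time, port)]
    log: list = field(default_factory=list)

    def is_autoblocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def inbound(self, ip, port, now):
        """Unsolicited inbound attempt: always blocked; returns the reason."""
        if self.is_autoblocked(ip, now):
            return "autoblocked"  # assumption: no per-port log entry here
        self.log.append((now, ip, port, "blocked by rule"))
        hits = [(t, p) for t, p in self.recent.get(ip, []) if now - t <= SCAN_WINDOW]
        hits.append((now, port))
        self.recent[ip] = hits
        if len({p for _, p in hits}) >= SCAN_PORTS:
            self.recent[ip] = []  # start counting afresh after a detection
            self.log.append((now, ip, None, "port scan detected"))
            if self.autoblock and ip not in self.exclusions:
                self.blocked_until[ip] = now + BLOCK_SECONDS
                self.log.append((now, ip, None, "Autoblock 30 min"))
        return "blocked"

    def outbound_allowed(self, ip, now):
        """Autoblock also stops traffic *to* the flagged address."""
        return not self.is_autoblocked(ip, now)

def replay(fw, events):
    for now, ip, port in events:
        fw.inbound(ip, port, now)
    return fw

def logged_ports(fw):
    return sorted(port for _, _, port, _ in fw.log if port is not None)

# Constructed sample: one source probing eight ports, one second apart.
SCAN = [(t, "203.0.113.9", 1000 + t) for t in range(8)]
```

Replaying `SCAN` with Autoblock enabled logs only the ports probed before detection, while disabling Autoblock or excluding the address logs all eight, which is the accounting trade-off described above.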

Technical Note: Intrusion Detection System
Norton Internet Security Professional includes a new Intrusion Detection System (IDS). By default, the IDS monitors a small number of signatures that are most likely to correspond with threats you might encounter.

If you run an enterprise-level IDS testing tool against this product, you may be concerned that it is not responding to all of the attacks. This is because the IDS only monitors attacks that can be used to exploit Windows computers. Even if the IDS does not notify you of an attack, the Norton Personal Firewall component of Norton Internet Security Professional protects you from those attacks.

This design choice was made for performance reasons.

Contributors: NIS help file, CrazyM

Last updated: 2003-04-25
