
NIS 2006 Blocking System Restore

Discussion in 'Security and Privacy' started by whompuscat, 2006/03/26.

  1. 2006/03/26
    whompuscat Lifetime Subscription

    whompuscat Inactive Thread Starter

    Joined:
    2002/03/30
    Messages:
    341
    Likes Received:
    0
    This is a follow up from my original post located at
    http://www.windowsbbs.com/showthread.php?t=52960

    I have done further investigating regarding the system restore checkpoint. The only system restore checkpoint that was made was when I first set up my new computer. Then I installed NIS 2006 and no restore points have been created since then. So I looked into NIS logs and saw that it has been blocking the windows\system32\restore\rstrui.exe, which I am assuming is the .exe that creates the restore points. This sounds awful stupid to me that if that is the correct assumption, that Norton's would "Access Denied" a critical windows operating system.

    NIS 2006 has some very good benefits over previous versions. But I think all of my problems not being able to click on a link outside of IE and the system restore problem is being just a little too aggressive. And finding information on Symantec website is like looking for a needle in a haystack.

    So how do I set NIS 2006 to allow referrers? I did a manual program scan and hopefully this will solve the problem of the system restore checkpoints, but it did not resolve the issue of accessing a link from outside of IE (such as add/remove programs, when I click on the link for more information it opens up a blank page, or a link in email also, although Outlook and OE are set to allow hyperlinks).

    Any suggestions are greatly appreciated. If I don't find answers soon NIS 2006 will be history on my computer, so any recommendations for a good firewall/virus program would also be greatly appreciated.
     
  2. 2006/03/26
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    I don't have NIS so I can't tell you for sure how to do this. But, until somebody comes along with an answer have a look at this page from Symantec. It's from Jan 2005 so hopefully things will be fairly close to what you have. It talks about referrers but it's not real clear to me how to change the settings. From what I read on that page and a couple pages that it links to, it would seem the settings available for referrers are in the advanced options under the privacy tab. Have a look there and see what you find. I know you should be able to add web sites you don't want them sent to and also sites you do want them sent to. Perhaps it allows you to turn the feature off completely there too.

    http://service1.symantec.com/SUPPORT/nip.nsf/docid/2000031311301136

    As for system restore, it may be that something is running (NIS or a part of it perhaps) that makes it appear to the system that it's always busy. You might try shutting down NIS completely and use XP's built in firewall for a couple days and see if it will create a restore point then. If it does, you could then try to figure out which part of NIS is causing it. If it still doesn't create a restore point I'd then start disabling other programs that run at startup to see if one of them is the cause.

    I'm not really sure what you're seeing as far as it logging that it has blocked system restore. Maybe post the line in the log that states this so we can see what it says exactly?

    Until you get the system restore thing figured out you can get a script here that you can run to create one manually. Save it to your desktop, double click on it and a restore point is made. Saves you the trouble of having to go through the start menu to do it.

    http://www.dougknox.com/xp/xp_fixes.html

    Look on the right side for "single click system restore point".
     

  4. 2006/03/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    I don't run NIS either, but from my reading, it incorporates behavior blocking - process control or application firewall. Zone Alarm and Kerio have this feature now as well. NIS at some point may have asked you if you wanted to allow/deny rstrui.exe and not knowing what it was, you blocked it or NIS took it upon itself to default block it.

    There should be a page in NIS for this, look first in the page where the program permission options are - ie, programs allowed to connect to the internet.

    Regards - Charles
     
  5. 2006/03/26
    whompuscat Lifetime Subscription

    whompuscat Inactive Thread Starter

    Joined:
    2002/03/30
    Messages:
    341
    Likes Received:
    0
    I read the post and it didn't help. There is an option to allow ActiveX controls and Java applets to run, which is the default action and is set to allow them.

    Here is one of the logs from NIS that made me believe that it was preventing the system from creating a system checkpoint.

    Event Details:
    Time 3/25/2006 4:53:49AM
    Actor: C\Windows\Explorer.exe (PID=304)
    Target: C:\Windows\system32\restore\rstrui.exe
    Action: Unauthorized access
    Reaction: Unauthorized access stopped

    As far as the referrers, there is no option that relates to that.

    Also in Advanced Firewall Settings General Rules are the following default settings (these are just the ones that are blocked by default all others are permitted)

    Default Inbound NetBIOS
    Block, Direction: Inbound, Computer: Any, Adapter: Any, Communications: Specific, Protocol: UDP

    Block access to secure sites
    Block, Direction: Outbound, Computer: Any, Adapter: Any, Communications: Specific, Protocol: TCP, Tracking: Create a log

    Default Block Inbound and Outbound ICMP
    Block, Direction In/Out, Computer: Any, Adapter: Any, Communications: Any, Protocol: ICMP

    Block Windows File Sharing
    Block, Direction: Outbound, Computer: Any, Adapter: Any, Communications: Specific, Protocol: TCP and UDP, Tracking: Create a log entry

    Default Block Microsoft Windows 2000SMB
    Block, Direction: Outbound, Computer: Any, Adapter: Any, Communications: Specific, Protocol: TCP and UDP, Tracking: Create a log entry

    Default Block EPMAP
    Block, Direction: Outbound, Computer: Any, Adapter: Any, Communications: Specific, Protocol: TCP and UDP, Tracking: Create a log entry

    Some of these I can understand why they are blocked and some I have no idea what they are, but I don't understand why it would block access to secure sites.
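
An added example, not part of the thread: a small parser for event blocks in the layout pasted above, which picks out stopped accesses aimed at the System Restore folder. The field names come from the quoted entry; the second sample event and the function names are constructed for illustration.

```python
import re

# Constructed sample: the first block is the entry quoted in the post
# (typed as posted, "C\Windows" included); the second is made up for contrast.
SAMPLE_LOG = r"""
Event Details:
Time 3/25/2006 4:53:49AM
Actor: C\Windows\Explorer.exe (PID=304)
Target: C:\Windows\system32\restore\rstrui.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped

Event Details:
Time 3/25/2006 5:10:02AM
Actor: C:\Program Files\Example\updater.exe (PID=1200)
Target: C:\Program Files\Example\helper.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped
"""

# "Time" has no colon in the pasted entry, so the colon is optional.
FIELD = re.compile(r"^\s*(Time|Actor|Target|Action|Reaction):?\s+(.*\S)\s*$")
PID = re.compile(r"\s*\(PID=(\d+)\)$")

def parse_events(text):
    """Return one dict per 'Event Details:' block, keyed by lower-cased field name."""
    events = []
    for block in re.split(r"(?m)^[ \t]*Event Details:[ \t]*$", text)[1:]:
        event = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                event[m.group(1).lower()] = m.group(2)
        m = PID.search(event.get("actor", ""))
        if m:  # split "path (PID=n)" into a path and a numeric pid
            event["pid"] = int(m.group(1))
            event["actor"] = PID.sub("", event["actor"])
        events.append(event)
    return events

def blocked_system_restore(events):
    """Stopped accesses whose target lies in the system32 restore folder."""
    return [e for e in events
            if "stopped" in e.get("reaction", "").lower()
            and "\\system32\\restore\\" in e.get("target", "").lower()]

if __name__ == "__main__":
    for e in blocked_system_restore(parse_events(SAMPLE_LOG)):
        print(e["time"], e["actor"], "->", e["target"], "|", e["reaction"])
```
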
     
  6. 2006/03/26
    whompuscat Lifetime Subscription

    whompuscat Inactive Thread Starter

    Joined:
    2002/03/30
    Messages:
    341
    Likes Received:
    0
    It never asked me that, before I allow or deny anything I make sure I know what it is. If I don't then I google for an answer.
    NIS 2006 has a new feature called Learning in which it supposedly teaches itself what to allow and what not to allow. I don't think it learns very well :rolleyes: With its "intelligent" learning it only added a few programs to the allowed list. When I turned it off and did a program scan it came up with almost 200 programs, a lot were OS programs including windows update, and even NIS live update was not in the allowed programs until I did a manual scan.
    I will try turning it off and using Windows firewall and see what happens. But even when I turn it off I cannot click on links outside of IE, still will get a blank page.
    I thought that Windows was supposed to create a system checkpoint every time you started the computer. That's not happening.
     
  7. 2006/03/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Every 24 hours (approx - don't set your clock to it) and provided there is some idle time.

    Look up SR in Help and Support on the start menu - an overview and specifics.

    Set one manually, see if that works. Also see if the Service is enabled - scroll down to System Restore.

    Regards - Charles
     
    Last edited: 2006/03/26
  8. 2006/03/26
    whompuscat Lifetime Subscription

    whompuscat Inactive Thread Starter

    Joined:
    2002/03/30
    Messages:
    341
    Likes Received:
    0
    Service IS enabled and there is plenty of idle time. Yes I can set a manual restore point, buttttttt, I gave that a try just for the heck of it and it wouldn't restore my computer. Nothing was wrong with anything, just testing SR and it came back with "your system could not be restored". Keep in mind that this all started after installation of NIS 2006.
    I have sent a support request to Symantec, but because it is OEM trial I doubt they will be of much help. Their loss, because if I don't get an answer they will have lost a long standing customer.
     
  9. 2006/03/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Try this, you have no restore points to go back to anyway:

    Shut SR off: My Computer > Properties > System Restore tab > Check "Turn off System Restore on all drives".

    Reboot.

    Go back and re-enable SR - will create an initial restore point.

    After re-establishing SR, a way to test the Restore function:

    Take any executable file (extension .exe), and burn it out and/or move it to the My Documents folder and delete it from its original location. SR does not monitor files in My Documents folder regardless of file type.

    Then restore to the initial restore point created by the system; the deleted executable should be back in its original location. Afterwards, you can delete the copy in My Documents.

    If you can't do a restore at that point, yes I would say it's NIS.

    Regards - Charles
     
