05/17/2008
DeepSight Analyzer Frequently Asked Questions

Overview of DeepSight Analyzer

There are two parts to the DeepSight Analyzer service. The first part is DeepSight Extractor, an application the user downloads and installs on their computer system. DeepSight Extractor works in conjunction with your firewall or intrusion detection system to send the events your security product observes. The second part, DeepSight Analyzer, is a web-based reporting and tracking tool that allows the user to view and analyze the events sent to their account by the DeepSight Extractor tool installed on their system. Both sending data with Extractor and browsing the website require a username and password.

Frequently Asked Questions

Q. Who can sign up for DeepSight Analyzer?

A. Anyone running a firewall or IDS system supported by DeepSight Extractor can submit logs to the DeepSight Analyzer database.

Q. How do I register to open my DeepSight Analyzer account and become a member?

A. Simply fill out all of the required fields in the DeepSight Analyzer Member Registration Form. We do not require you to submit any personal information, such as Name, Street Address or Company Name. However, we do require you to fill in all of the anonymous demographic fields. We will use this non-identifying information in our statistical analysis of global incidents, so please fill in accurate information.

Q. What are the benefits of using DeepSight Analyzer?

A. Users who create an account and submit their logs have the following benefits:

  • Download DeepSight Extractor 4.x - free. This tool can automatically parse, anonymize and upload firewall and IDS logs. Furthermore, you can download as many copies as you like and store all of your incidents reported in one web-based location for easy access.
  • Report incidents. We look up the appropriate contacts for the offending organization and their upstream provider, allow you to select which incidents you wish to report, and draft a report for you with all the pertinent information.
  • Access descriptions about what the attack was that your firewall or IDS spotted. This includes links into the Bugtraq database where appropriate, as well as articles and exploit code so you can see if the compromise was successful or not.
  • See how many other DeepSight users your attacker has attacked. This can help you determine whether or not you are being targeted for individual attack, in case that factors into your decision on whether to report or not.
  • Track your incidents through our system. You can keep track of which attacks a particular IP has used against you.
  • Correlate reports from different firewall and IDS brands. This is especially helpful when you utilize more than one type of firewall or IDS.

Q. How secure is my log and account information?

A. Symantec has designed the DeepSight system so that your account information is stored separately from the firewall and IDS logs you submit for analysis. We use secure technology: a secure login to protect account access, privacy protection controls, physically and electronically secure servers, and restrictions on employee access in order to safeguard your personal information. We will apply the latest security service patches to our system as soon as they are published. Please read our Privacy Policy to see how committed we are to your privacy.

Q. Can I update my account information?

A. You may update your account information any time you wish by choosing Settings from any DeepSight Analyzer screen.

Q. What firewall and IDS systems does DeepSight Analyzer support?

A. A complete list of supported systems can be found on the Requirements page. For answers to which versions are supported and which operating systems they run on, please read the DeepSight Extractor 4.0 Requirements documentation available from the Download Extractor link on the DeepSight Analyzer homepage.

Q. What defines an attack, an event, and an incident?

A. Symantec takes each attack description that comes out of each firewall and IDS system and correlates all of them to a central attack description, firewall diagnostic or security event description of our own creation. Then, for each of those, we make a judgment call on whether it is something that should be reported or not. The majority of reports we receive are classified as events or probes, things you should not report on. They are not attacks in and of themselves. Other attempts are such that, had the victim been vulnerable to what was being checked for, the system would simply have been penetrated. These attempts we classify as incidents.

Q. How do I know that I'm not seeing and reporting false positives?

A. The experts at Symantec are well aware of which attack signatures have a high false positive rate and mark them as such clearly in our attack descriptions. We strongly suggest that DeepSight Analyzer users do not report such attacks or incidents.

Q. Do I have to notify offenders of their attacks to my system?

A. You always have the choice of whether or not you wish to notify offenders regarding their attacks on your system. Certain types of attacks show false positives and are not appropriate to notify about. The DeepSight Analyzer Notification Wizard will help you make decisions about whether it is appropriate or worthwhile to send a notification on a particular attack.

Q. Why can't I see any events when I log into my account on Analyzer?

A. If you don't see any events in your Analyzer account then please make sure you meet the following requirements:

  • Your firewall or intrusion detection system must be supported by Extractor to see events in Analyzer. For Norton security products only Norton Personal Firewall 2003 and Norton Internet Security 2003 are supported. Please make sure you comply with the requirements as specified on this page: http://analyzer.symantec.com/Requirements.aspx. The Analyzer service is not designed to work with Norton Anti-Virus or other non-firewall or IDS software.
  • Extractor 4.x is only supported on Windows NT/2000/XP and is not designed to work on Windows 98 or Me. If you are running Extractor on an incompatible system then you will not see any events uploaded to your Analyzer account.
  • If you have a router on your network then the amount of traffic reaching your desktop is likely very limited (depending on your router configuration) and your desktop firewall won't pick up much malicious traffic. In this case Extractor might be configured properly but you're not seeing any events reported because the firewall is simply not seeing anything to report.

Q. I get a daily email but it never shows any events or says my "time of last upload" is never. Why?

A. Please see the previous answer and refer to http://analyzer.symantec.com/Requirements.aspx to ensure compliance with the requirements. If you do not have a firewall or intrusion detection system that is supported by Extractor then no events will be sent to your Analyzer account. Also note that anti-virus events are not reported to DeepSight. This service is strictly for use with supported firewall and intrusion detection systems.

Q. What is the DeepSight Analyzer service? And will it help me protect my system?

A. Although Analyzer does not actively protect your system, as a firewall would, it is a valuable tool for analyzing firewall or intrusion detection activity. DeepSight Extractor is typically configured on your system to upload your firewall or intrusion detection system data to the DeepSight Analyzer servers. You will then be able to log into the DeepSight Analyzer website to view your statistics as well as generate reports based on your uploaded data. The Analyzer website provides graphical views of events seen by your system and provides a wealth of information on the particular attacks or activity you are seeing on your system. Another excellent feature of Analyzer is the daily report sent to you via email that lists the most active events over the last 24-hour period. If you have a supported firewall or IDS (please refer to the website for the latest list of supported devices), we encourage you to upload data for some time and peruse the Analyzer website to see how it works. Also, if you don't think you'll be logging in every day to look at your data, we recommend you turn on daily reports. You can access the DeepSight Analyzer website at http://analyzer.symantec.com/. For more information on the benefits and usage of Analyzer please refer to the online help at: http://analyzer.symantec.com/Help/analyzer/analyzer.htm

Q. When I try to install Extractor I'm told I need to have administrator privileges to continue, what should I do?

A. Extractor includes a service component that requires administrator privileges to be installed properly. Only a user with such privileges can successfully install Extractor. To see a list of users and their privileges, go to the Windows Control Panel and double-click "Users and Passwords" on Windows 2000 or "User Accounts" on Windows XP. There you will see a list of users and the groups they belong to. In order to install Extractor you need to be logged in as a user in the "Administrators" group. Please refer to the Windows help files for more information.

Q. Is there a version of Extractor for Windows Me or 98?

A. Due to the nature of the service DeepSight Extractor is only available for Windows NT/2000/XP. There are no plans to implement a version for Windows 98 or Me.

Q. I have a question about another Symantec product or I'm not able to update my definitions or have some question about LiveUpdate, can I contact analyzer@symantec.com for help?

A. Please note that queries to analyzer@symantec.com are for issues concerning DeepSight Extractor and Analyzer only. If you have questions or concerns regarding any other Symantec products please visit the Symantec Support Website at the following address: http://www.symantec.com/techsupp/. On that website you can find information and seek help on a wide range of Symantec home and office products as well as subscription renewals and LiveUpdate issues.

Q. I have a question about my subscription or a renewal. Can you help me?

A. Please refer to the previous answer. For questions and information about Symantec subscription or renewals please refer to: http://www.symantec.com/techsupp/subscribe/

Q. My firewall (such as Norton Internet Security) shows lots of blocked attacks and other traffic but nothing is being reported in my Analyzer account. Why?

A. Extractor must support your firewall or security device so that events can be extracted and reported to your Analyzer account. If your firewall is not supported then although it might be reporting attacks, Extractor has no way of reporting those events to Analyzer. Please refer to other entries in this FAQ for more detailed information about supported firewalls and intrusion detection systems. Also note that in some cases not all attacks reported by a supported security product will be reported in Analyzer. This is the case with Norton Internet Security and Norton Personal Firewall which both have an intrusion detection engine that is separate from the firewall engine. Attacks (such as Trojan Attack Alerts) reported by the intrusion detection engine are not reported to Analyzer in this case.

Q. I'm being asked for a username and password, can you tell me where I'm supposed to get one?

A. In order to upload your security event data to your Analyzer account and be able to log into your account on the website you are required to have a username and password. You can register for an account on this page: http://analyzer.symantec.com/register.aspx

Q. My firewall is showing attacks on my system, what should I do?

A. If DeepSight Extractor and Analyzer support your firewall you can upload your attacks to your account then track and report attacks on your system. However if you are not able to use the Analyzer system because your firewall or operating system is not supported then please refer to your firewall vendor documentation or other security related references on best practices for reporting and mitigating attacks on your system.

Q. Does Analyzer protect my computer from attacks?

A. No. DeepSight Analyzer is a service designed to work in conjunction with your existing security program to allow tracking and analysis of attacks. DeepSight Extractor and Analyzer do not offer any more protection than is already being provided by your firewall or intrusion detection system. It is meant as an informational tool. For more information on the benefits and usage of Analyzer please refer to the online help at: http://analyzer.symantec.com/HELP/analyzer/analyzer.htm

Q. How can I unsubscribe from the DeepSight Analyzer Daily Summary reports?

A. Log into your Analyzer account then click on "Settings" and at the bottom of the "Account Settings" page you can disable or enable the Daily Summary.

Q. A Trojan or virus has infected my computer, what can I do?

A. The DeepSight Analyzer service is designed to work with your firewall or intrusion detection system to help track and report on events seen by your security device. If your system becomes infected then you should consult your anti-virus documentation or other resources such as Windows Security Bulletins (if that is your platform - http://www.microsoft.com/security/) or Symantec Security Response (http://securityresponse.symantec.com/). Please note that queries to analyzer@symantec.com are for technical support issues concerning DeepSight Extractor and Analyzer only. For more information on removing a virus or Trojan please visit the Symantec Security Response page concerning removal tools: http://securityresponse.symantec.com/avcenter/tools.list.html. On this page you will find online tutorials on how to use the removal tools.

Q. How much do DeepSight Extractor and DeepSight Analyzer cost?

A. Both services are free of charge. Please review the Terms of Use: http://analyzer.symantec.com/Terms.aspx

Q. How can I uninstall DeepSight Extractor and stop getting daily reports?

A. DeepSight Extractor can be easily uninstalled from the Windows "Add/Remove Programs" control panel applet. The uninstall program will remove all files associated with Extractor but it will not disable your DeepSight Analyzer account. If you have enabled daily summary email reports for your account then they will continue to be delivered until you disable the daily email in your account. Uninstalling the application will not automatically disable the daily summaries. To disable daily reports log into your Analyzer account then click on "Settings" and at the bottom of the "Account Settings" page you can disable or enable the Daily Summary.

Q. How much resource does DeepSight Extractor use and what is the impact on the system?

A. Extractor is designed for minimal impact on your system. The majority of Extractor's work is done when it parses and uploads your firewall or intrusion detection log files. The interval between uploads is set by the user and we recommend uploading every 5 to 15 minutes. This allows timely access to your data on the website as well as reducing the amount of data which needs to be parsed between uploads, so the impact is minimal. Extractor is installed in one directory with no other files being placed elsewhere. When you uninstall Extractor all files are removed and no further action is required to remove traces of Extractor from your system.

Q. Where can I get help to set up Norton Personal Firewall 2003 or Norton Internet Security 2003 to work with DeepSight Extractor?

A. The help file, which accompanies Extractor, has instructions on how to setup a profile for these firewall systems.

Q. Is Norton Personal Firewall 2004 or Norton Internet Security 2004 supported by Extractor?

A. Yes. NIS/NPF 2004 are supported as of Extractor version 4.3 and above.

Q. I have lost my username and password. How can I retrieve them or reset my password?

A. Currently there is no way for the user to retrieve their username or password automatically using the Analyzer website. The username and password are stored locally on the user's system in the Extractor configuration file. The file is called ConfigFile.ini. On Windows the file is located in the same directory as the Extractor executable (by default: C:\Program Files\Symantec\DeepSight Extractor\ConfigFile.ini). Open this file with any text editor (such as Notepad) and look for the two lines which contain the username and password:

    AnalyzerUsername="myusername"
    AnalyzerPassword="mypassword"

If you are unable to log in using the username and password found in the ConfigFile.ini file then please send an email to analyzer@symantec.com and include your username and the email address with which you signed up.

Q. I'm using a Norton Firewall and I see many Trojan and various worm attacks being reported so why are none of these events showing up in my Analyzer account?

A. Norton Personal Firewall and Norton Internet Security both have an intrusion detection component that alerts on specific malicious software activity. DeepSight Extractor does not support the intrusion detection component of Norton Personal Firewall or Norton Internet Security and so these events are not reported to your Analyzer account. Extractor only reports firewall activity from these products.

Q. I used to receive daily reports but they have suddenly stopped. What happened to them?

A. DeepSight Analyzer relies on a continuous stream of event data being sent by the user. If for any reason your account is not receiving data then daily reports will automatically stop after 30 days of not receiving data. To continue receiving reports please configure DeepSight Extractor to upload data to your account, making sure it is configured correctly and meets all requirements. Then log in to your account on the DeepSight Analyzer website and enable Daily Reports on the "Settings->Account Settings" page.

Q. May I use multiple copies of DeepSight Extractor with my different firewall and intrusion detection systems and send all of my logs to my account?

A. Yes, you may download as many copies of DeepSight Extractor as you wish. You may also send logs from multiple system profiles to your account.

Q. Do I have to clean my IP address and other identifying information out of my firewall and IDS logs before sending them to DeepSight Analyzer?

A. You always have the choice of how much information you wish to send. You may decide to strip address information when cleaning logs in DeepSight Extractor.

Q. Can I control the frequency with which my firewall and IDS logs are parsed, cleaned and uploaded using DeepSight Extractor?

A. Yes. You choose how often DeepSight Extractor parses, cleans and uploads your logs to your account, either manually or through a scheduled task.

Q. Is there a limit to the number of logs I can submit to DeepSight Analyzer?

A. There is no limit to the number of logs you can submit to your account.

Q. How long are my logs available to me for viewing, notifying and reporting?

A. Your logs are available for your use up to 60 days after submission.

Q. Where do my logs go after 60 days?

A. Symantec will permanently archive your logs after 60 days in our DeepSight Analyzer Database. These logs, which are only associated with your non-identifying demographic information, cannot be linked back to you and will be used with aggregate data supplied by other DeepSight users to run statistical analysis.