Frequently Asked Questions
Still have questions? Please submit them to: myNetWatchman.
Q: What is myNetWatchman?
A: myNetWatchman collects, analyzes and reports malicious
access attempts to ISPs, who can then take action against
the offending machines.
Q: How does it work?
A: A small client-side application runs in the background
on your system, reading your firewall logs and creating
near-real-time reports that are relayed to the myNetWatchman
servers for analysis.
Q: How does myNetWatchman know the difference between a threat and a false alarm, and how does it respond?
A: When the analysis routine determines that a legitimate
threat exists (based on reports from several agents), an automatic
"Escalation Report" is sent to the abuse department
of the offender's ISP. Any responses received from the ISP
are also tracked.
Q: Does this affect my privacy — will anyone know who I am?
A: myNetWatchman reports can be viewed by anyone who accesses
their web-based reporting system. Although the reporting agent's
"alias" is shown on the reports, there is no way
to determine an agent's real identity or location. Click here
to read myNetWatchman's complete privacy policy.
Q: What operating systems, routers and firewalls are supported by myNetWatchman?
A: This software supports many popular operating systems,
routers, and firewalls, including several versions of Windows
and Linux, routers from DLink, Netgear and Linksys (to name
a few), and firewalls such as ZoneAlarm, BlackIce Defender
and others. Click here to see a complete
list of compatible configurations.
Q: I do not have one of the supported routers. Can I still be an agent?
A: If you use a hardware router that is not among the list
of supported routers, you will need to configure your PC to
run in the DMZ
(exposing that machine directly to the internet), and install
one of the supported software firewalls. WARNING:
Running in the DMZ exposes a PC to risks not normally encountered
when running behind a hardware firewall, so the decision
to do this should be based on your knowledge of and access
to effective software firewalls. In addition, I recommend
this method be used with non-critical computers which are
not connected to a network of other computers and do not contain
sensitive material. As a software firewall, I prefer ZoneAlarm
Free, because of its price, its ease of configuration and
the fact that logs from ZoneAlarm are compatible with the
myNetWatchman service.
Q: I like it so far... what's the next step?
A: To use the myNetWatchman service, you must register
as an "agent" by creating a user-id/password, and
download and install a client-side application
specific to your operating system. The only other piece
of information you must provide is the name of your ISP. Once
installed, you must allow the myNetWatchman program to send
messages through your firewall.
Q: Is there anywhere to get help, just in case I can't handle it myself?
A: Although the installation instructions are quite clear,
you can still get help from myNetWatchman's support, or from
the mNW internet newsgroup dedicated to this product. (Those
unfamiliar with newsgroups can find more help here.)
Q: Can I force an upload? (credit Agent: CU)
A: Shouldn't be necessary, but yes.
Old versions of the agent used to upload data nightly via FTP,
so an "Upload Now" button was needed to let you upload data
on demand. Starting with v1.12 of the agent, your firewall log
is polled every 7 seconds and any new data is uploaded
automatically.
If for some reason your current log file wasn't uploaded
properly (but the agent thinks it was), you can rewind the
agent by modifying the following registry key:
HKEY_LOCAL_MACHINE/Software/myNetWatchman/LogHighWaterMark
Set the value of LogHighWaterMark to the byte offset in the
file you would like to rewind to. If you want to resend the
whole log file, set it to '0'.
Warning: Please use this with caution, as I won't be
a happy camper if you resend your log info from months ago!!
Q: Why does my Last Upload Time under the status screen show up as "none:"? (credit Agent: CU)
A: If your firewall indicates that an event was logged, but
myNetWatchman doesn't seem to be uploading, then re-check
the file name and path that you have set on the 'Configure'
screen. If you type in the wrong filename, the agent will NOT
report an error; it just won't upload anything.
When setting the file name, I suggest using Windows Explorer
to locate your log file, right-click on the file and select
Properties. Then highlight the path information on the
Properties screen and select Edit/Copy. Then bring up your
agent 'Configure' screen, paste in the path information, and
all you need to do is add the file name.
I REALLY need to have a browse-for-file option to select
the file... this is just a bit beyond my current programming
skills.
Q: The agent status screen only shows information on the last upload, where's my upload history?
A: I've tried to make the agent as "thin" as possible to
minimize the impact on system resources. The status screen
is NOT meant to serve as a user interface, but as a diagnostic
tool to troubleshoot upload problems. To access details on
the data you uploaded, you need only visit your personal
report pages on the mNW website.
Q: I uploaded an attack report that I know is a false positive, what do I do?
A: Most escalations require multiple agents to report
the same source IP address before any action is taken. Moreover,
the escalation thresholds for services that generate a lot
of false positives (e.g. streaming audio, file sharing, etc.)
have been set to very high values.
Therefore, if you upload a false positive, don't worry about
it; it will normally be filtered.
If you actually see something get escalated that shouldn't,
then please send an email to support.
Q: Why is there an incident opened for every event that I report?
A: An incident is created for every unique source IP address
that is reported. An incident remains in an 'OPEN' state until
sufficient evidence is collected to warrant escalation. So
don't be alarmed because an obviously false attack is listed
in an 'OPEN' incident...that does NOT mean that it will be
acted upon.
Q: Why are so many incidents in an OPEN / No Response state?
A: These are incidents that have been filtered (not
escalated by the system) because insufficient evidence was
collected to warrant escalation. Unless the incident has been
escalated, the Response Code should be ignored (I know this
creates some confusion and I'll eventually create an n/a
response code).
Note: If you see an incident that you believe SHOULD have
been escalated, please email support.
Eventually, we'll give agents the ability to manually mark
incidents for escalation, as long as you've submitted a contributing
event to the incident.
Q: When/how should I clear my firewall log?
A: The mNW agent keeps track of the last byte of your
log that has been uploaded.
This info is stored in the following registry key:
HKEY_LOCAL_MACHINE/Software/myNetWatchman/LogHighWaterMark
If you select 'Clear Attack List' (BlackICE) or 'Delete Log
File' (Zone Alarm) your firewall log will be deleted. When
the next attack occurs, a new file will be created and the
file creation timestamp will reflect the current datetime.
When the agent detects that a new file has been created, it
resets LogHighWaterMark to 0, causing the agent to start uploading
the log file from the beginning.
IMPORTANT: If you want to clear your log file, make sure
you delete the file entirely. Do NOT edit the file using a
text editor, delete the log lines, and then save the result.
This will of course delete your log entries, but the agent
will NOT detect this and will no longer upload data: the file
keeps its original creation timestamp, so LogHighWaterMark is
never reset, and the agent keeps waiting for bytes beyond an
offset the shortened file no longer reaches.
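The following is an added example, not the myNetWatchman agent's own code, that simulates the high-water-mark polling described in the "Can I force an upload?" and "When/how should I clear my firewall log?" answers. The firewall log is a constructed in-memory object (bytes plus a creation timestamp) and a dict stands in for the LogHighWaterMark registry key; the `detect_shrink` option is an assumed hardening that the FAQ does not describe.

```python
"""Added example (not the myNetWatchman agent's own code): a simulation of
the high-water-mark log polling described in the FAQ. The firewall log is a
constructed in-memory stand-in (bytes plus a creation timestamp) and the
registry key is stood in for by a dict; both are assumptions."""


class FirewallLog:
    """Constructed stand-in for a firewall log file."""

    def __init__(self, created):
        self.created = created  # file creation timestamp
        self.data = b""

    def append(self, line):
        self.data += line.encode() + b"\n"

    def delete(self, now):
        # 'Delete Log File': the next event creates a fresh file whose
        # creation timestamp is the current time.
        self.created = now
        self.data = b""

    def edit_in_place(self, keep_last):
        # Opening the log in a text editor, deleting lines and saving:
        # the file shrinks but keeps its original creation timestamp.
        lines = self.data.splitlines(keepends=True)
        self.data = b"".join(lines[-keep_last:]) if keep_last else b""


class Agent:
    """Polls a log and uploads only the bytes past LogHighWaterMark.

    self.state stands in for HKEY_LOCAL_MACHINE/Software/myNetWatchman/
    LogHighWaterMark plus the creation time that mark belongs to."""

    def __init__(self, detect_shrink=False):
        self.state = {"LogHighWaterMark": 0, "LogCreated": None}
        self.uploaded = []          # everything "sent" so far
        self.detect_shrink = detect_shrink

    def rewind(self, offset=0):
        """The manual fix from the FAQ: set the mark to a byte offset."""
        self.state["LogHighWaterMark"] = offset

    def poll(self, log):
        """One polling pass; returns the lines uploaded on this pass."""
        mark = self.state["LogHighWaterMark"]
        if self.state["LogCreated"] != log.created:
            # New creation timestamp: the file was deleted and recreated,
            # so restart from byte 0 (the behaviour the FAQ describes).
            self.state["LogCreated"] = log.created
            mark = 0
        elif self.detect_shrink and len(log.data) < mark:
            # Assumed hardening, not described in the FAQ: a file shorter
            # than the mark was truncated or edited in place, so rewind
            # instead of waiting forever for bytes past the old offset.
            mark = 0
        new = log.data[mark:]
        lines = new.decode().splitlines()
        self.uploaded.extend(lines)
        self.state["LogHighWaterMark"] = mark + len(new)
        return lines


def demo(detect_shrink=False):
    """Walk through the FAQ scenarios; returns what each poll uploaded."""
    t0 = 1_000_000.0                    # constructed creation timestamp
    log = FirewallLog(created=t0)
    agent = Agent(detect_shrink=detect_shrink)
    result = {}
    log.append("event 1")
    log.append("event 2")
    result["first"] = agent.poll(log)           # both lines
    log.append("event 3")
    result["second"] = agent.poll(log)          # only the new line
    log.delete(now=t0 + 60)                     # 'Delete Log File'
    log.append("event 4")
    log.append("event 5")
    result["after_delete"] = agent.poll(log)    # mark reset: events 4 and 5
    log.edit_in_place(keep_last=0)              # the FAQ's warning case
    log.append("event 6")
    result["after_edit"] = agent.poll(log)      # [] unless detect_shrink
    agent.rewind(0)                             # registry fix from the FAQ
    result["after_rewind"] = agent.poll(log)    # ['event 6']
    return result


if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"{name:13s} {lines}")
```

With the default settings the `after_edit` poll uploads nothing, which is exactly the silent failure the FAQ warns about, and `rewind(0)` is what editing LogHighWaterMark in the registry achieves. The size check in the hardened variant is only a heuristic: an in-place edit that leaves the file the same length or longer than the mark still goes unnoticed, which is why deleting the file (and so changing its creation timestamp) is the reliable way to clear it.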
Q: I've configured the agent but it's not uploading anything?
A: Try the following steps:
1) First check the agent status screen.
If you're getting absolutely no status messages or error
codes, check the log file name that you have configured
on the 'Configure' screen. If it isn't entered exactly, the
agent won't do anything (and won't report an error). Make
sure you don't have any leading or trailing spaces in the
file name.
If you are getting status messages, then follow the
instructions in the message.
Possible error messages are:
mNWStatus: INVALID_AgentEmail - check Agent Configuration Screen
mNWStatus: INVALID_Password - check Agent Configuration Screen
mNWStatus: LOGLINE_TOOSHORT Len: nn - Ignored short log line
This is expected occasionally when comment lines or other short (non-event) lines are uploaded.
mNWStatus: MISSING_FIELD - One or more log fields are missing...record skipped.
The log line was missing a field, so it couldn't be parsed. Please e-mail a sample to support for analysis.
mNWStatus: Format_MisMatch - check FormatID setting in Agent Configuration
You have FormatID set to indicate a particular log format, but you are sending data that appears to be in a different format.
mNWStatus: DATA_TOO_OLD - Log entries more than 72 hours old are filtered. You may want to clear your firewall log at this time.
We now only accept event data that is at most 72 hours old; older data is filtered. If you get this error and you believe you are sending recent events, make sure your system clock is set correctly.
mNWStatus: DATE_IN_FUTURE - The attack date/time you are reporting is more than 5 minutes into the future...make sure your system clock is synchronized.
We now check the attackdatetime that you report against the current system time on the mNW server. If you report an event that is more than 5 minutes into the future, your data will be filtered. If you get this error, your system clock is likely significantly inaccurate; please consider using a Network Time Protocol (NTP) client to automatically synchronize your time with an atomic clock.
mNWStatus: INVALID_FIELD - One or more log fields are invalid...record skipped.
This usually indicates that the attackdate field could not be translated into a valid date/time. Please email log samples to support for analysis.
mNWStatus: REPORT_FILTERED
This occurs normally when your agent uploads log records which we do not want to insert into the database. For example, Zone Alarm logs contain Inbound, Outbound, and Application-level events. For privacy reasons, we only record Inbound events in the database; all other events are filtered.
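The validator below is an added example, not myNetWatchman's server code, showing the checks that produce the LOGLINE_TOOSHORT, MISSING_FIELD, INVALID_FIELD, DATE_IN_FUTURE, DATA_TOO_OLD and REPORT_FILTERED statuses above, run over a constructed sample upload. The 72-hour, 5-minute and Inbound-only rules come from the FAQ; the record layout (`attackdatetime,direction,src_ip,dst_port`, time as `YYYY-MM-DD HH:MM:SS` UTC) and the minimum line length are assumptions, and the FormatID check is left out because the page does not describe the formats.

```python
"""Added example (not myNetWatchman's server code): a validator that
applies the filters behind the FAQ's status messages. The record layout
is an assumption: comma-separated 'attackdatetime,direction,src_ip,dst_port'
with attackdatetime as 'YYYY-MM-DD HH:MM:SS' in UTC."""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=72)        # DATA_TOO_OLD threshold (from the FAQ)
MAX_FUTURE = timedelta(minutes=5)    # DATE_IN_FUTURE threshold (from the FAQ)
MIN_LINE_LEN = 20                    # assumed: shorter lines are not events
FIELD_COUNT = 4                      # assumed record layout


def parse_attack_time(text):
    """Return an aware datetime, or None if the field cannot be parsed."""
    try:
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(
            tzinfo=timezone.utc)
    except ValueError:
        return None


def check_record(line, now):
    """Return the mNWStatus code a record would receive, or 'OK'.

    now is the server's clock; the FAQ says the reported time is compared
    against the mNW server's time, not the agent's."""
    line = line.strip()
    if len(line) < MIN_LINE_LEN:
        return f"LOGLINE_TOOSHORT Len: {len(line)}"
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < FIELD_COUNT or not all(parts[:FIELD_COUNT]):
        return "MISSING_FIELD"
    when_text, direction, src_ip, dst_port = parts[:FIELD_COUNT]
    when = parse_attack_time(when_text)
    if when is None or not dst_port.isdigit() or not 0 < int(dst_port) < 65536:
        return "INVALID_FIELD"
    # Clock checks: a badly set agent clock shows up as one of these two.
    if when > now + MAX_FUTURE:
        return "DATE_IN_FUTURE"
    if when < now - MAX_AGE:
        return "DATA_TOO_OLD"
    # Privacy filter: only inbound events are stored.
    if direction.lower() != "inbound":
        return "REPORT_FILTERED"
    return "OK"


def check_batch(lines, now):
    """Validate an upload; returns [(status, line), ...] in input order."""
    return [(check_record(line, now), line) for line in lines]


# Constructed sample upload; the server clock is fixed so results are stable.
SERVER_NOW = datetime(2003, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_UPLOAD = [
    "2003-05-01 11:58:00,Inbound,192.0.2.10,135",    # recent inbound: OK
    "# comment",                                      # short non-event line
    "2003-05-01 11:58:00,Inbound,192.0.2.10",         # dst_port missing
    "2003-05-01 12:30:00,Inbound,192.0.2.11,445",     # 30 min in the future
    "2003-04-27 12:00:00,Inbound,192.0.2.12,22",      # four days old
    "2003-05-01 11:00:00,Outbound,192.0.2.13,80",     # not inbound
    "01/05/2003 11:00,Inbound,192.0.2.14,80",         # unparseable date
]

if __name__ == "__main__":
    for status, line in check_batch(SAMPLE_UPLOAD, SERVER_NOW):
        print(f"mNWStatus: {status:24s} {line}")
```

The order of the checks matters for troubleshooting: a line is rejected as too short or malformed before its timestamp is examined, so an agent whose clock is wrong still sees MISSING_FIELD or INVALID_FIELD for broken lines and only sees DATE_IN_FUTURE or DATA_TOO_OLD for lines that parsed correctly.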
Q: Where can I get more information about network security issues?
A: A good place to start would be the myNetWatchman
Resource Center.
Q: What does the "Incident Score" refer to?
A: The size of an attack is expressed as a score that incorporates
many factors, including the number of agents reporting the attack,
the frequency with which the attack is reported, the number of
times each agent reports the attack, and the nature of the
vulnerability being exploited.