Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Charmed on September 03, 2005, 05:27:18 PM

Title: DCOM Exploit
Post by: Charmed on September 03, 2005, 05:27:18 PM
I've been using Avast 4.6 (on dial-up) for some time now, but on Friday I got connected to broadband (plusnet) and now I keep getting the scanner message 'DCOM Exploit - attack from 84.93.143.166:135/tcp'.

I never had this message before I connected to broadband.

Does anyone have any ideas what this is?
Title: Re: DCOM Exploit
Post by: Lisandro on September 03, 2005, 05:36:03 PM
Messages like:

Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp

are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

In other words, do you use a firewall or not?
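The alert line quoted in the post above has a fixed shape, so the question "is this one infected neighbour hammering me, or just background noise from the whole Internet?" can be answered by parsing the Network Shield log rather than reading alerts one by one. The following is an added example and not code from the original thread or from Avast: it extracts the signature, source address and targeted port/protocol from each alert line and summarises them per source. The log lines and the ISP range 81.178.112.0/22 are constructed for the example; only the two addresses 81.178.115.162 and 84.93.143.166 come from the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Pattern for the alert format quoted in the thread: signature name,
# remote address, and the port/protocol pair after the colon.
ALERT_RE = re.compile(
    r'Network Shield: blocked "(?P<sig>[^"]+)" - attack from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/(?P<proto>tcp|udp)',
    re.IGNORECASE,
)

# Constructed sample log. Timestamps, 81.178.115.37 and the last line are
# made up; 81.178.115.162 and 84.93.143.166 are the addresses quoted above.
SAMPLE_LOG = """\
03.09.2005 17:20:01 Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
03.09.2005 17:20:09 Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
03.09.2005 17:21:44 Network Shield: blocked "DCOM Exploit" - attack from 84.93.143.166:135/tcp
03.09.2005 17:22:10 Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.37:135/tcp
03.09.2005 17:25:00 Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
03.09.2005 17:26:33 Resident protection started (unrelated line, must be ignored)
"""


def parse_alerts(text):
    """Return (signature, source_ip, port, proto) for every alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append((m.group("sig"), m.group("ip"),
                           int(m.group("port")), m.group("proto").lower()))
    return alerts


def triage(alerts, isp_range, repeat_threshold=3):
    """Summarise alerts per source.

    isp_range is the caller's own provider's address block (an assumption the
    user supplies, e.g. from a whois lookup of their own address). A source
    inside it is most likely an infected neighbour on the same segment; a
    source outside it is ordinary Internet-wide scanning.
    """
    net = ip_network(isp_range)
    per_source = Counter(ip for _, ip, _, _ in alerts)
    return {
        "total": len(alerts),
        "per_source": dict(per_source),
        "repeat_offenders": {ip: n for ip, n in per_source.items() if n >= repeat_threshold},
        "inside_isp_range": sorted(ip for ip in per_source if ip_address(ip) in net),
        "outside_isp_range": sorted(ip for ip in per_source if ip_address(ip) not in net),
        "targets": dict(Counter(f"{port}/{proto}" for _, _, port, proto in alerts)),
    }


if __name__ == "__main__":
    summary = triage(parse_alerts(SAMPLE_LOG), "81.178.112.0/22")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed log this reports 81.178.115.162 as a repeat offender inside the user's own provider range and 84.93.143.166 as a single hit from outside it; the first case is the "infected computer on the cable segment" situation several posters describe, the second is noise that a patched system can ignore.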
Title: Re: DCOM Exploit
Post by: Charmed on September 03, 2005, 05:37:42 PM
The only firewall I have is the one in windows.
Title: Re: DCOM Exploit
Post by: Charmed on September 03, 2005, 05:50:45 PM
What firewall would you recommend?  :-\
Title: Re: DCOM Exploit
Post by: AsRock+SD on September 03, 2005, 06:00:56 PM
Outpost is a damn good one. It just takes some setting up, BUT they do have a lot of help in their forums :).
Title: Re: DCOM Exploit
Post by: Jarmo P on September 03, 2005, 06:57:18 PM
Strange that you get that warning if you are really running the XP SP2 firewall.
In earlier XP versions, SP1 or even earlier, the Windows ICF firewall was not enabled by default!!!
Title: Re: DCOM Exploit
Post by: Nicolas on September 03, 2005, 07:20:13 PM
The appearance of the DCOM-exploit warning just after connecting to the internet is not unusual, because a lot of legitimate traffic takes place then (like update processes), so that the firewall has opened several ports.
If your Windows is updated (security patches!), you have nothing to fear - if not, Avast takes care of it.
Title: Re: DCOM Exploit
Post by: Lisandro on September 03, 2005, 07:29:11 PM
What firewall would you recommend?  :-\
ZA (free), Outpost (free), Kerio (trial then free)  8)
Title: Re: DCOM Exploit
Post by: Jarmo P on September 03, 2005, 07:42:03 PM
With Kerio the situation is the same as with Sygate.
Well, maybe there is still development with Sygate.

Kerio is stopped:

http://www.wilderssecurity.com/showthread.php?t=95880

Title: Re: DCOM Exploit
Post by: Lisandro on September 03, 2005, 07:44:49 PM
Well maybe there is still development with Sygate.
Sygate was bought by Symantec. In fact, we're talking from now on about a Symantec product.
You can follow in your own forum what the users thought about this.
I can't recommend Sygate anymore  :'(
Title: Re: DCOM Exploit
Post by: Jarmo P on September 03, 2005, 07:54:57 PM
Quote
Sygate was bought by Symantec. In fact, we're talking from now on about a Symantec product.
You can follow in your own forum what the users thought about this.
I can't recommend Sygate anymore  Cry

You have stated your opinions so many times, Tech. Sure, the message is heard.

I never even recommended Sygate 5.6, but 5.5 is good, whatever version. That is, if you are not using local proxies, WebShield excluded. At least when staying away from IE.

http://smb.sygate.com/products/spf_standard.htm

So I am not recommending downloading the free version or buying Pro from the above, but rather the links in the Sygate forum, which is not mine, LOL.

It is weird that you started that bashing on me, Tech?
And giving your prejudiced opinions instead of facts.
Sure, I called you ignorant in one of your messages, when you had used SPF so long with proxy software and never bothered to learn the firewall enough to have noticed that loopback issue before.
Title: Re: DCOM Exploit
Post by: Jarmo P on September 03, 2005, 08:05:06 PM
Actually, I'll tell you why I don't use SPF 5.6. It is just because of that DCOM warning from Avast. I tried that version and once it was late starting.

This might apply to Nicolas, because he said in his reply that it is normal to see that warning when starting the system. To me it is not normal.

About earlier Sygate 5.5 versions, before 5.5.2710 and a few others, it was so that when the firewall service was not loaded, no internet connection was possible; they changed it in later versions so that it is not so in the free version. But with 5.5.2710 I have never seen this DCOM warning.
Title: Re: DCOM Exploit
Post by: Nicolas on September 03, 2005, 08:56:19 PM
Quote
This might apply to Nicolas, because he said in his reply that it is normal to see that warning when starting the system. To me it is not normal.

Well, I said "not unusual". Especially in cable networks there are many infected computers causing this. When the computer is starting up there is already traffic with the main server to establish the connection. The firewall has to allow at least some legitimate traffic to make the internet connection possible at all. Unfortunately, malware then uses the same ports. You can see that in the traffic and security logs.

I can't recommend a specific firewall, because I did not compare them in detail. The Sygate free product offers a lot of very useful features, usually not available in other free versions.


   
Title: Re: DCOM Exploit
Post by: Lisandro on September 03, 2005, 09:10:22 PM
It is weird that you started that bashing on me, Tech?
No, Jarmo. I'm not bashing anybody. See, this is a thread from Charmed. The user asked my suggestions about firewalls.
You jumped in here to defend the company you work for. I'm just an avast! user.

And giving your prejudiced opinions instead of facts.
For me, you work with opinions. I work with my facts, the ones that happened on my computer and my own experience.

Sure I called you ignorant in one of your messages when you had used SPF so long with proxy software, never bothered to learn the firewall enough to have noticed that loopback issue before.
Do you really think you can call me ignorant?
Title: Re: DCOM Exploit
Post by: Jarmo P on September 03, 2005, 10:07:55 PM
Quote
You jump here to defend the company you work for. I'm just an avast! user.

No, Tech, where did you get that idea?
I am just a Sygate free firewall user. Same as with Avast.
Though I wish sometimes they had given me a Pro version, if they thought my posts in that forum had helped anyone ;)

Even Mats in that forum, Super Moderator, is just a product user.
Sometimes I suspect RedJack of working for them, because he sometimes has posts that hint at knowing a little of what goes on behind the software.

You are as welcome to post there as I am, though they don't accept much criticism of the product. Even some threads were removed because of the Symantec takeover complaints. Just a friendly hint ;) That forum is not as free in opinions as this one. Still, there are good people who help if you have problems, which is rare with many other firewalls. For my long-gone Norman firewall, the support was non-existent.

Quote
Do you really think you can call me ignorant?
You were that time you found out about loopback proxy issue.

Nicolas,
I do recommend that if you are using SPF 5.6 and even once experience the DCOM warning from Avast Network Shield, you go back to SPF 5.5. Just hope there is a free version available, if you need one, to be found in posts with a keyword search.
Title: Re: DCOM Exploit
Post by: Nicolas on September 04, 2005, 02:39:30 AM
Jarmo, I had the same experience with these DCOM warnings with Sygate versions 5.5 and 5.6. People using Avast with other firewalls report this too. All cases concern Win2k.

Avast loads very early, before the firewall. I could change that, but in my opinion the AV has the highest priority. The firewall opens several ports for initial traffic (like 137 and 138 for TCP), which may not be safe without AV. But DCOM uses port 135.
It would be best if both AV and firewall were integrated in the OS, but we have to do with separate programs. How could the firewall block all ports before it is loaded (as you said)?
This priority of either AV or firewall is certainly a problem. If AV goes first, this would imply that the system has no functioning firewall until it is fully loaded. Could it be that your experience depends on XP, whose firewall blocks at least incoming traffic?
Title: Re: DCOM Exploit
Post by: Jarmo P on September 04, 2005, 07:10:12 AM
Quote
Jarmo, I had the same experience with these DCOM warnings with Sygate versions 5.5 and 5.6. People using Avast with other firewalls report this too. All cases concern Win2k.

This is news to me. Thanks. I also did not expect those warnings to come with the SP2 firewall.
But I use only Sygate 5.5, so I have no early protection from that SP2 firewall.
Needless to say, if it ever happens to me with 5.5.2710 I'll go back to an earlier SPF version, if I still have the installation file saved :(

I never suspected that problem to be there for 5.5.2710 ???
Only those users that use some program like Avast's network shield are even aware there might be problems with the firewall starting late. But I never heard the same problem was there with 2710 ??? You did not install 5.5 on top of 5.6, but did an uninstall first, I hope?

Quote
How could the firewall block all ports before it is loaded (as you said) ?

I am not technically competent to give you an answer 'how'. But if you go to Options (Security window of Sygate), there is the greyed-out and unchecked option 'Block all traffic while the service is not loaded' and the checked box 'Allow initial traffic'. In the free version.

But an earlier build, maybe 5.5.2516, did not allow internet at all if smc.exe was not running. Some even complained about that feature, LOL.
It was an undocumented good feature.

Edit
I just uninstalled 2710 and installed 2516. There was not that behaviour I remembered. Maybe 2710 had made some more permanent changes in my Windows registry, or it was another build.
So now back to 2710.
But surely they removed that feature to be able to sell the Pro version :P
Title: Re: DCOM Exploit
Post by: pk on September 04, 2005, 11:01:40 AM
Avast loads very early, before the firewall. I could change that, but in my opinion the AV has the highest priority.

It depends which product you install first - if the firewall driver allows a packet, the av driver will check it (the av driver will identify the attacks if the firewall doesn't have a clever network IDS).

Quote
It would be best if both AV and firewall were integrated in the OS, but we have to do with separate programs. How could the firewall block all ports before it is loaded (as you said)?

It doesn't matter if the firewall is integrated into the system or is a 3rd-party product; their drivers are loaded with the OS - the same way as when the fw is integrated in the OS.

Firewalls control all traffic - even if network drivers are not loaded, the OS is not able to receive/send any packets; so it's safe, all ports are "blocked" until all network drivers are loaded.
Title: Re: DCOM Exploit
Post by: kalip on September 04, 2005, 12:58:37 PM
I too am experiencing the same problem with DCOM Exploit.
It has only just started a few days ago.
I am wondering if this is a new feature of AVAST.
Title: Re: DCOM Exploit
Post by: Nicolas on September 04, 2005, 01:49:06 PM
My idea was that possibly the later Sygate version disables the built-in XP firewall; maybe for compatibility reasons?
The Sygate firewall is a typical product for the corporate network, computers running 24/7 and often Win2k Pro. Then startup problems are not a hot issue.

Quote
It doesnt matter if firewall was integrated to the system or it's a 3rd party product, their drivers are loaded with OS - same way when fw would be integrated in the OS.
But the startup sequence is a serial process, one after the other. It must be possible to configure this in such a way that a temporary vulnerability is avoided. Unfortunately, this is not the case.

Only in the last few days I also found DCOM-exploit during normal service: port 135 TCP was opened by an unknown process (remote ports 3882, 3404, 4970, all from the same infected computer inside the cable network). I have to find out why this happens.
Title: Re: DCOM Exploit
Post by: Nicolas on September 04, 2005, 03:17:46 PM
Quote
Only in the last few days I also found DCOM-exploit during normal service: port 135 TCP was opened by an unknown process (remote ports 3882, 3404, 4970, all from the same infected computer inside the cable network). I have to find out why this happens.

This DCOM warning is - as could be expected - due to a service: a svchost.exe instance.
PID 420, remote host the infected computer and remote port 4970. Status FIN_WAIT2.
There is a coincidence in time with an update of Acrobat Reader (including the update manager). Now port 135 is made inaccessible and the Acrobat Reader updater disabled, but the details of this intrusion have not yet been found.
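The check Nicolas describes, tying a Network Shield alert to the process that owns local port 135, can be done from `netstat -ano` and `tasklist /svc` output taken at the time of the alert. The following is an added example, not code from the original post or from any of the products discussed: it parses both listings, reports every socket bound to 135 with its owning image, service group and peer, and separately lists connections from this host to 135 on other machines (which would mean the local machine is the one scanning). The tool output below is constructed in the layout those commands produce on Windows 2000/XP; PID 420 and peer port 4970 are reused from the post, while the other PIDs, the addresses and the image name ashServ.exe for the avast service are assumptions.

```python
import re

# Constructed `netstat -ano` output (Windows 2000/XP layout). PID 420 and peer
# port 4970 are from the post; other rows are made up for the example.
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:135       81.178.115.162:4970    FIN_WAIT_2      420
  TCP    192.168.1.10:1034      81.178.115.162:135     ESTABLISHED     1204
  UDP    0.0.0.0:135            *:*                                    420
"""

# Constructed `tasklist /svc` output (Windows XP layout). The avast service
# image name ashServ.exe and the service label are assumptions.
TASKLIST_SAMPLE = """\

Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
svchost.exe                  420 RpcSs
svchost.exe                  880 Dhcp, Dnscache, EventSystem
ashServ.exe                 1204 avast! Antivirus
"""

# UDP rows carry no State column, hence the optional group; the state token
# must start with a letter so it cannot swallow the PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?"
    r"(?P<pid>\d+)\s*$"
)
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_netstat(text):
    """One dict per socket line; header, blank and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["lport"] = int(d["lport"])
        d["fport"] = None if d["fport"] == "*" else int(d["fport"])
        d["pid"] = int(d["pid"])
        d["state"] = d["state"] or ""          # UDP rows have no state
        rows.append(d)
    return rows


def parse_tasklist(text):
    """Map PID -> (image name, comma-separated service names)."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = (m.group("image"), m.group("services").strip())
    return procs


def _describe(row, procs):
    image, services = procs.get(row["pid"], ("<unknown>", ""))
    wildcard = row["faddr"] in ("0.0.0.0", "*")
    return {
        "proto": row["proto"], "state": row["state"], "pid": row["pid"],
        "image": image, "services": services,
        "peer": None if wildcard else f'{row["faddr"]}:{row["fport"]}',
    }


def owners_of_local_port(rows, procs, port=135):
    """Sockets bound to `port` on this host: who listens, and which peers hit it."""
    return [_describe(r, procs) for r in rows if r["lport"] == port]


def outbound_to_port(rows, procs, port=135):
    """Connections from this host to `port` on other machines. A process other
    than the RPC service showing up here suggests this host is the scanner."""
    return [_describe(r, procs) for r in rows if r["fport"] == port and r["lport"] != port]


def is_expected_rpc_endpoint(finding):
    """The legitimate owner of 135 is the RPC Endpoint Mapper: svchost.exe
    hosting the RpcSs service (the 'svchost -k rpcss' group)."""
    services = [s.strip() for s in finding["services"].split(",")]
    return finding["image"].lower() == "svchost.exe" and "RpcSs" in services


if __name__ == "__main__":
    rows, procs = parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)
    for f in owners_of_local_port(rows, procs):
        tag = "expected" if is_expected_rpc_endpoint(f) else "INVESTIGATE"
        print(f"{f['proto']} {f['state']:<11} pid={f['pid']} {f['image']} "
              f"[{f['services']}] peer={f['peer']} -> {tag}")
    for f in outbound_to_port(rows, procs):
        print(f"outbound to 135: pid={f['pid']} {f['image']} peer={f['peer']}")
```

In the constructed data every socket on local 135 belongs to svchost.exe under RpcSs, i.e. the normal RPC Endpoint Mapper being hit from outside, which matches what Nicolas found. A listener on 135 owned by anything else, or an outbound flood to 135 on other hosts from a non-RPC process, is the case that would point at an infection on the local machine rather than at a neighbour.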
Title: Re: DCOM Exploit
Post by: Lisandro on September 04, 2005, 03:51:52 PM
Quote
You jump here to defend the company you work for. I'm just an avast! user.
No, Tech, where did you get that idea?
http://forum.avast.com/index.php?topic=15720.msg132598#msg132598

But you've explained that you're just a user.
I'm really sorry for this misunderstanding. Shame they don't give you a Pro version license for your work there.
About freedom to post (opinions and criticism about the product), it's a pity. They won't make it better without listening to them.
Threads removed because of Symantec complaints? It's a shame again. I respect Symantec for almost everything except antivirus and firewall.
Systemworks is good. I've used NAV but it's a hog...

Quote
Do you really think you can call me ignorant?
You were that time you found out about loopback proxy issue.
Maybe an English problem... translating 'ignorant' into my language gives stupid, idiot or even mad, crazy, or something worse.

Just hope there is free version available
Will Symantec release a free version of SPF? Will NIS be the only firewall from them?
Title: Re: DCOM Exploit
Post by: neal62 on September 04, 2005, 09:45:37 PM
I am on a cable-supplied ISP. My cable modem has a standby switch. When this switch is activated no packets, incoming or outgoing, can pass through the modem into the pc and out again.
I usually leave the modem's standby switch in standby mode until AFTER I have booted up my pc, by which time the software firewall I use is already armed and ready to go. Then I take the modem out of standby and access the Internet. Seems to work fine for me.
Title: Re: DCOM Exploit
Post by: Nicolas on September 04, 2005, 11:59:36 PM
Quote
I am on a cable-supplied ISP. My cable modem has a standby switch. When this switch is activated no packets, incoming or outgoing, can pass through the modem into the pc and out again.

What modem are you using? Does it allow connection to the DHCP server only (to obtain an IP) or is it completely blocking all traffic on standby?
The problem here is that after startup has taken place a simple "ipconfig /renew" is not sufficient to configure the network connection. Otherwise, we could simply switch on the modem when needed. Hence my question! The modems used here are Terayon and Docsis.
Title: Re: DCOM Exploit
Post by: Nicolas on September 05, 2005, 12:23:50 AM
I found that Avast does give a DCOM-exploit warning in spite of the Sygate firewall blocking port 135.
The attacks are initiated by several outside computers, but there are also svchost processes running that are listening for them for only short periods of time. I'm still searching for the origin of this.
Title: Re: DCOM Exploit
Post by: pk on September 05, 2005, 12:40:50 AM
If Sygate blocked port 135, it means the avast driver is installed before the Sygate one (and scanning is done, then we pass the packet to the Sygate driver). The reason why some applications use DCOM for communication is not bad; that's what it was designed for. Blame the attackers (e.g. if they were on the same LAN with you).
Title: Re: DCOM Exploit
Post by: Nicolas on September 05, 2005, 01:49:23 AM
Quote
If Sygate blocked port 135, it means the avast driver is installed before the Sygate one (and scanning is done, then we pass the packet to the Sygate driver).
This is obviously the case.

Behind the DCOM-exploit is a Remote Procedure Call (Win32 share_process, autostart):
Win32\svchost -k rpcss. This is also used by legitimate Microsoft processes, but in this case: file not found. All scans (including the Avast boot-time scan) are negative. Therefore I assumed there is a temporary vulnerability during startup due to the firewall not yet functioning. But since Avast blocks the exploit and moreover the OS is patched, there is no security issue for this particular attack.

I'm not blaming Avast! This is not a false positive (and if so: always better than a false negative).
Title: Re: DCOM Exploit
Post by: neal62 on September 05, 2005, 01:53:01 AM
The brand name of my cable modem is "Arris". It completely blocks ALL traffic when in standby mode. I like the modem for this reason. My modem is also DOCSIS compatible. I did have the option of using a "Toshiba" modem my cable company offered, but it doesn't have the standby switch function. Please see HERE (http://www.arrisi.com/product_catalog/listers/index.asp?id=320) for information on the "Arris" modem. The small "white" button on top of it is the standby switch.
Title: Re: DCOM Exploit
Post by: pk on September 05, 2005, 01:53:56 AM
As I said: there's no temporary vulnerability during startup, because if the network drivers are not loaded, no incoming packet will get to the system. The firewall driver loads its rules during its startup.

The avast driver does not check whether there's a listening application using port 135 (if it was opened) - but the fw driver can do that, and if there's no such app, it'll block the packets by default.
Title: Re: DCOM Exploit
Post by: Nicolas on September 05, 2005, 02:07:18 AM
Thanks neal62 for the modem info.

Thanks pk for your message.

I'm closing down now.

Nicolas
Title: Re: DCOM Exploit
Post by: Boris on September 05, 2005, 03:54:39 AM
Go to www.grc.com and download a free program called DCOMbobulator. The program checks to see if DCOM is patched or vulnerable. It will verify and then exit. You can then disable the program if you wish.
Title: Re: DCOM Exploit
Post by: neal62 on September 05, 2005, 03:57:35 AM
Yes, this program of Steve's works very well. I have it on my pc and DCOM is disabled. The program works.  :)
Title: Re: DCOM Exploit
Post by: manoe on April 14, 2006, 08:18:01 PM
I am not running a Windows or any other firewall. My computer is hooked right into my DSL modem. Today I have gotten this warning from avast 3 times. Is this something that is on my system or is this someone trying to attack me?

(http://armedwarriorsonline.com/downloads/avast.jpg)
Title: Re: DCOM Exploit
Post by: jan paul on April 14, 2006, 08:35:08 PM
Why not install a free firewall? Zone Alarm works fine; I do not have experience with other firewalls.
You can download it here http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?dc=34std&ctry=EU&lang=en&lid=zassskulist2_trial

Just use the free one, furthest right on the screen; it will be a lot safer.

Jan Paul
Title: Re: DCOM Exploit
Post by: DavidR on April 14, 2006, 08:54:12 PM
Quote from: manoe
I am not running a windows or anyother firewall.
Then you could be asking for trouble. Does your DSL modem provide a firewall/router function? If not, you are vulnerable to a number of attacks.

You also need outbound protection, so even if your DSL modem does have a firewall, it is unlikely to provide any outbound protection. So you also need a 3rd-party firewall: Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others: Comodo, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison; some are freeware but many are paid-for versions http://www.firewallleaktester.com/tests.php.

As has been said in other posts, if your OS is fully up to date you are unlikely to be troubled by this exploit. However, that doesn't stop infected systems trying to infect others.