Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: MikeBCda on March 25, 2008, 12:17:41 AM

Title: Network shield and DCOM attacks
Post by: MikeBCda on March 25, 2008, 12:17:41 AM
The only alerts I've ever gotten from the Internet shield have related to DCOM attacks which it blocked.  Two of them in less than 24 hours, after over 3 years since the last one.

Obviously if they've been blocked, no problem.  But I'm wondering if my firewall (Comodo) let them slip through, otherwise avast should never have "seen" them at all, right?

No relation between the IPs of these last two ... all of them including those old ones ended in ":135", which I'd guess is the port.

Any suggestions as to firewall setup changes?  Or should I just trust avast to do its thing?
Title: Re: Network shield and DCOM attacks
Post by: DavidR on March 25, 2008, 01:57:29 AM
I too would wonder why they got past Comodo as that really should be the first line of defence with the Network Shield as a back-up (thankfully).

Yes the :135 at the end of the IP is the port. Port 135 is often used for exploits in the hope that the system on the other end isn't fully patched and up to date. If it is up to date then it isn't vulnerable to the DCOM exploit, but that doesn't stop them trying.

It sounds like your firewall isn't stealthing your system, you can check out the ShieldsUp test at grc.com. See http://www.grc.com/port_135.htm.
Title: Re: Network shield and DCOM attacks
Post by: Lisandro on March 25, 2008, 02:00:28 AM
Obviously if they've been blocked, no problem.  But I'm wondering if my firewall (Comodo) let them slip through, otherwise avast should never have "seen" them at all, right?
Yes, if your firewall is working well, it should have blocked it.
I suspect that you've disabled Defense+ in Comodo. Without it, Comodo is not a good firewall.
Title: Re: Network shield and DCOM attacks
Post by: ggf31416 on March 25, 2008, 05:08:29 AM
Perhaps you (or a glitch) allowed by accident inbound connections to svchost.exe ???
Go to firewall -> advanced -> network security policy and check that inbound connections to system and svchost.exe from outside your network are blocked (or that your global rules are blocking incoming connections).
Tech, disabling Defense+ will affect only the leak protection, not the inbound/outbound protection.
Title: Re: Network shield and DCOM attacks
Post by: psw on March 25, 2008, 08:54:49 AM
Obviously if they've been blocked, no problem.  But I'm wondering if my firewall (Comodo) let them slip through, otherwise avast should never have "seen" them at all, right?
Yes, if your firewall is working well, it should have block it.
I suspect that you've disabled Defense+ in Comodo. Without it, Comodo is not a good firewall.
For me it is a rather doubtful statement. E.g. the previous version of Comodo (2.4) without any Defense+ was a rather good FW. The real problem is that the default settings in Comodo 3.0 are written in such a way that effectively they can work only when Defense+ is enabled. E.g. svchost.exe can make any IN/OUT connections using ANY port etc. When a user disables Defense+ he should write and use his own FW rules.
My preference - disabling any HIPS and using plain FW rules. The simpler, the better.
Title: Re: Network shield and DCOM attacks
Post by: Lisandro on March 25, 2008, 12:49:54 PM
Tech, disabling Defense+ will affect only the leak protection, not the inbound/outbound protection.
Only that? Parental application control is a must have for a firewall and it's disabled without Defense+. One application uses another (allowed before in the firewall settings) to connect. For me, Comodo 3 without Defense+ is a very poor firewall.
Title: Re: Network shield and DCOM attacks
Post by: MikeBCda on March 25, 2008, 04:58:00 PM
Thanks, all.

Yes, I'd disabled the Defense+, more trouble than it was worth.  But if Tech's correct that there are (apparently undocumented) interactions between that and the firewall, I'll grit my teeth and set it back to Learn-with-Safe mode.  One of the biggest problems I'd found was that it's almost impossible (for me, with my connection) to submit Pending List items to Comodo for analysis, and of course I'm reluctant to simply accord them Trusted status on my own.

And in the firewall, I've changed permissions for System and Svchost from the default in-Allow to in-Ask.  Hopefully the contexts when it's necessary to decide will be clear enough.
Title: Re: Network shield and DCOM attacks
Post by: ggf31416 on March 25, 2008, 05:11:12 PM

Only that? Parental application control is a must have for a firewall and it's disabled without Defense+. One application uses another (allowed before into firewall settings) to connect. For me, Comodo 3 without Defense+ is a very poor firewall.

Parental application control is leak protection not outbound protection (according to Comodo's CEO leak protection is not included in outbound protection but others may disagree). Anyway it's well known that Comodo without Defense+ is not safe without another HIPS (but still better than Kerio 2.1.5 as Comodo has better outbound control for ICMP and better pseudo-SPI for UDP and ICMP).

Anyway the problem with open ports is independent from Defense+. The connections are allowed only if they are allowed by the application rules AND the global rules. The open ports problem is caused by global rules allowing inbound connections from everywhere (default mode, bad idea IMO) AND application rules allowing inbound connections (user mistake or bug. The default alert level (low) does not help) as well.
The fix is either to correct the application rules for svchost.exe and other programs OR to correct the global rules (using the stealth port wizard or creating the rules directly) OR both.
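To make the two-layer point concrete, here is a small added example (not code from the thread, and not Comodo's actual rule engine or configuration format) that models the evaluation ggf31416 describes: each layer is a first-match rule list, and a connection gets through only when the global rules AND the application rules both allow it. It then runs a constructed Internet probe of TCP/135 and a constructed LAN file-share connection through four combinations of permissive and tightened rule sets. The `Conn`/`Rule` classes, the rule lists, the LAN range and the sample addresses are all assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Hypothetical, simplified model of a two-layer firewall policy. It is an
# illustration of the "global rules AND application rules" evaluation only,
# not Comodo's real rule engine.


@dataclass(frozen=True)
class Conn:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    remote: str      # remote IP address
    port: int        # local port for inbound, remote port for outbound
    app: str         # local process, e.g. "svchost.exe"


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "block"
    direction: str = "any"
    proto: str = "any"
    remote_net: str = "0.0.0.0/0"           # remote addresses the rule covers
    ports: Optional[FrozenSet[int]] = None  # None means any port
    app: str = "any"

    def matches(self, c: Conn) -> bool:
        return (self.direction in ("any", c.direction)
                and self.proto in ("any", c.proto)
                and self.app in ("any", c.app)
                and (self.ports is None or c.port in self.ports)
                and ipaddress.ip_address(c.remote)
                    in ipaddress.ip_network(self.remote_net))


def evaluate(rules: List[Rule], c: Conn) -> bool:
    """First matching rule decides. No match counts as 'not allowed'
    (in a real product this is where an alert/'ask' prompt would appear)."""
    for r in rules:
        if r.matches(c):
            return r.action == "allow"
    return False


def permitted(global_rules: List[Rule], app_rules: List[Rule], c: Conn) -> bool:
    """A connection passes only if BOTH layers allow it."""
    return evaluate(global_rules, c) and evaluate(app_rules, c)


LAN = "192.168.1.0/24"   # assumed local network

# Permissive defaults: inbound from anywhere allowed at the global layer, and
# svchost.exe / System allowed to accept any inbound connection.
DEFAULT_GLOBAL = [Rule("allow")]
DEFAULT_APP = [Rule("allow", app="svchost.exe"), Rule("allow", app="System")]

# "Stealthed" global layer: inbound only from the LAN, everything else blocked.
STEALTH_GLOBAL = [
    Rule("allow", direction="in", remote_net=LAN),
    Rule("block", direction="in"),
    Rule("allow", direction="out"),
]

# Tightened application layer of the same shape, applying to every process.
TIGHT_APP = [
    Rule("allow", direction="in", remote_net=LAN),
    Rule("block", direction="in"),
    Rule("allow", direction="out"),
]

# Constructed traffic: an Internet host probing TCP/135 (the RPC endpoint
# mapper that DCOM uses) and a LAN host opening a file share on TCP/445.
PROBE_135 = Conn("in", "tcp", "203.0.113.7", 135, "svchost.exe")
LAN_SHARE = Conn("in", "tcp", "192.168.1.20", 445, "System")

if __name__ == "__main__":
    cases = [("defaults", DEFAULT_GLOBAL, DEFAULT_APP),
             ("stealth globals", STEALTH_GLOBAL, DEFAULT_APP),
             ("tight app rules", DEFAULT_GLOBAL, TIGHT_APP),
             ("both fixed", STEALTH_GLOBAL, TIGHT_APP)]
    for label, g, a in cases:
        print(f"{label:16} probe 135: {permitted(g, a, PROBE_135)!s:5} "
              f"LAN 445: {permitted(g, a, LAN_SHARE)}")
```

The probe is admitted only in the all-defaults case; fixing either layer closes port 135 to the Internet while the LAN share keeps working, which is exactly why correcting the application rules OR the global rules (or both) each resolves the open-port finding.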
Title: Re: Network shield and DCOM attacks
Post by: AverageJoe72 on September 15, 2008, 09:37:40 AM
It sounds like your firewall isn't stealthing your system, you can check out the ShieldsUp test at grc.com. See http://www.grc.com/port_135.htm.

I have been getting a flurry of DCOM Exploit messages from avast over the past several weeks (port 135).  Searched the topic and found this thread.  Followed the link to Shields Up, tested port 135, and it reports its status as "stealth".  I am using Comodo v 2.4.  Have XP and just recently updated to SP3.

Any ideas on why I keep getting the pop-up from avast on the DCOM Exploit?  Checked my log activity on Comodo and I do not see anything to correspond to the avast message.  I'm stumped.

Thanks for any assistance.

Title: Re: Network shield and DCOM attacks
Post by: DavidR on September 15, 2008, 12:41:45 PM
Well I don't know why Comodo isn't getting in there first (it isn't a firewall I have ever used), but it may be a little different to this topic as you are using the earlier version 2.4 without the Defense+ module.

It may simply be down to windows booting as there doesn't seem to be any set order in which it loads applications, so avast could be being loaded first.

You could try, uninstall avast, reboot, install, reboot.
It would probably be best to first download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall.

Then again you could also try using the latest version of the Comodo firewall or reinstalling the one you have.

Obviously either of the above options could generate a lot of Comodo pop-ups (less if you reinstalled avast) as Comodo would have to build its permissions information again.
Title: Re: Network shield and DCOM attacks
Post by: AverageJoe72 on September 15, 2008, 05:55:51 PM
You could try, uninstall avast, reboot, install, reboot.
It would probably be best to first Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall.

Thank you for your response.  I think I will proceed with an uninstall/reinstall of avast.  I started using avast for the first time back in May.  As I recall there was a license key involved.  Not sure I can locate that number.  Do I need that license key when I reinstall avast (i.e. does it track by IP address?)?  Thanks again for the assistance.
Title: Re: Network shield and DCOM attacks
Post by: Lisandro on September 15, 2008, 06:00:05 PM
Do I need that license key when I reinstall avast (i.e. does it track by IP address?)?
No, you can register again and use a new one.
For Home version there isn't a track back by IP.
Title: Re: Network shield and DCOM attacks
Post by: AverageJoe72 on September 20, 2008, 06:50:13 AM
You could try, uninstall avast, reboot, install, reboot. It would probably be best to first Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall.

Can I do an uninstall/reinstall while being offline or do I need to have an internet connection when doing this?  I continue to get a flurry of these DCom Exploit attacks and while I hope that Comodo will catch them if I uninstall Avast, I always like to play it safe.  So in other words ... download and save Avast to my HD, go offline, uninstall avast, reboot, install, go online and then reboot.  Will that work?

Thank you for your assistance.
Title: Re: Network shield and DCOM attacks
Post by: CharleyO on September 20, 2008, 06:59:20 AM
***

At the end, I think you should reboot and then go online.


***
Title: Re: Network shield and DCOM attacks
Post by: YoKenny on September 20, 2008, 07:12:23 AM
Get a router with a built in firewall such as Linksys BEFSX41 or D-Link DSL-2540B that will provide external protection.
Title: Re: Network shield and DCOM attacks
Post by: Lisandro on September 20, 2008, 02:31:02 PM
Can I do an uninstall/reinstall while being offline or do I need to have an internet connection when doing this?
You can do it offline.

So in other words ... download and save Avast to my HD, go offline, uninstall avast, reboot, install, go online and then reboot.  Will that work?
Yes.
Title: Re: Network shield and DCOM attacks
Post by: DavidR on September 20, 2008, 04:04:57 PM
Can I do an uninstall/reinstall while being offline or do I need to have an internet connection when doing this?  I continue to get a flurry of these DCom Exploit attacks and while I hope that Comodo will catch them if I uninstall Avast, I always like to play it safe.  So in other words ... download and save Avast to my HD, go offline, uninstall avast, reboot, install, go online and then reboot.  Will that work?

Not only can you uninstall/reinstall avast off-line, but that is the recommended action. You don't have to go on-line between the reinstall and reboot.

This is why I suggested getting the new version before uninstalling the old version, so you 'don't' have to go on-line unprotected to get the new version.
Title: Re: Network shield and DCOM attacks
Post by: AverageJoe72 on September 21, 2008, 07:57:02 AM
Thanks for the replies!

I did the uninstall/reinstall for Avast but that unfortunately did not resolve the issue.  I'm still getting the same DCOM Exploit warnings from Avast (port 135) as I did before.  The Comodo firewall continues to perform as intended and is stopping inbound violations including some at port 135.  For some reason Avast is getting to just a select few before the firewall.  I did a retest for firewall leaking and it checks out fine.  It's bewildering why Comodo stops the vast majority of inbound violations except for a few where Avast seems to beat it to the punch.

Is there any way to know if those select few DCOM warnings from Avast have leaked past Comodo?

I've been trying to think of what has changed on my system that corresponded to timing of these Avast warnings for DCOM exploits that I've never had in the past.  Only thing I can think of is that I did an upgrade to SP3.  Could that have messed up the ordering of AV and Firewall?

The silver lining is that nothing is penetrating as far as I know but it's bewildering that Avast would stop some port 135 intrusions before the firewall.

As to the recommendation for installing a router, wouldn't that be overkill?  I have one computer with a direct link to DSL and don't need wireless.  Wouldn't the firewall in a wired router be superfluous to the Comodo firewall?  I'm not up to speed on what a router firewall would do that Comodo's firewall wouldn't?  Any suggestions in that regard?  I've also heard that routers can slow down connection speeds.

I suppose the next step is to upgrade to Comodo's version 3 to see if that will fix this issue but I really dread doing that.

Again, thanks for the assistance.  It's much appreciated.
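The question of whether an avast alert means the packet got past the firewall can be answered from the two logs, by correlating each Network Shield alert with what the firewall recorded for the same remote address and local port around the same second. The following is an added example, not code from the thread or from either vendor, and the log formats are constructed simplifications (neither avast nor Comodo writes these exact lines; addresses are from documentation ranges). It sorts each alert into one of three cases: the firewall explicitly allowed the connection (a rule problem, the situation ggf31416 described), the firewall also blocked it (both products saw it, e.g. a retried probe), or the firewall has no record at all (it never saw the packet, consistent with DavidR's load-order suspicion, or logging is off for that rule).

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs in an invented, simplified format. They are NOT the
# real avast or Comodo log layouts; the regexes below parse only this format.
AVAST_ALERTS = """\
2008-09-21 03:12:44 Network Shield: blocked "DCOM Exploit" from 203.0.113.45:4321 to port 135
2008-09-21 03:40:02 Network Shield: blocked "DCOM Exploit" from 198.51.100.9:1337 to port 135
2008-09-21 04:05:31 Network Shield: blocked "DCOM Exploit" from 203.0.113.88:2201 to port 135
"""

FIREWALL_LOG = """\
2008-09-21 03:15:10 Blocked inbound TCP 203.0.113.200:4000 -> 192.0.2.10:445 (System)
2008-09-21 03:40:02 Allowed inbound TCP 198.51.100.9:1337 -> 192.0.2.10:135 (svchost.exe)
2008-09-21 04:05:30 Blocked inbound TCP 203.0.113.88:2201 -> 192.0.2.10:135 (svchost.exe)
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
AVAST_RE = re.compile(r'^(\S+ \S+) Network Shield: blocked "([^"]+)" from '
                      r'(\d+\.\d+\.\d+\.\d+):\d+ to port (\d+)$')
FW_RE = re.compile(r'^(\S+ \S+) (Blocked|Allowed) inbound \w+ '
                   r'(\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)')


def parse_avast(text):
    """Return one dict per Network Shield alert: time, signature name, remote IP, local port."""
    alerts = []
    for line in text.splitlines():
        m = AVAST_RE.match(line)
        if m:
            alerts.append({"time": datetime.strptime(m.group(1), TS_FORMAT),
                           "name": m.group(2), "remote": m.group(3),
                           "port": int(m.group(4))})
    return alerts


def parse_firewall(text):
    """Return one dict per inbound firewall decision: time, action, remote IP, local port."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m.group(1), TS_FORMAT),
                           "action": m.group(2).lower(), "remote": m.group(3),
                           "port": int(m.group(4))})
    return events


def correlate(avast_text, fw_text, window_seconds=5):
    """For each avast alert, find a firewall event with the same remote IP and
    local port within +/- window_seconds and report what the firewall did.
    Returns a list of (remote_ip, local_port, verdict) tuples, where verdict is
    'firewall_allowed', 'firewall_blocked' or 'not_in_firewall_log'."""
    window = timedelta(seconds=window_seconds)
    fw_events = parse_firewall(fw_text)
    results = []
    for a in parse_avast(avast_text):
        verdict = "not_in_firewall_log"
        for f in fw_events:
            same_flow = f["remote"] == a["remote"] and f["port"] == a["port"]
            if same_flow and abs(f["time"] - a["time"]) <= window:
                verdict = "firewall_" + f["action"]
                break
        results.append((a["remote"], a["port"], verdict))
    return results


if __name__ == "__main__":
    for remote, port, verdict in correlate(AVAST_ALERTS, FIREWALL_LOG):
        print(f"{remote:>15}:{port}  {verdict}")
```

Any alert that comes out as `firewall_allowed` points at an inbound rule that needs correcting; a run of `not_in_firewall_log` alerts after a reboot is the pattern that suggests the firewall driver was not yet in place when the probes arrived. The five-second window allows for the two products stamping the same packet slightly differently; widen it if the two logs use different clocks or resolution.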
Title: Re: Network shield and DCOM attacks
Post by: YoKenny on September 21, 2008, 11:06:55 AM
Quote
As to the recommendation for installing a router, wouldn't that be overkill?  I have one computer with a direct link to DSL and don't need wireless.
Who is the manufacturer of the DSL modem and what is its model number?

My ISP supplied SpeedStream 6520 DSL modem has a built in firewall so I don't see any DCOM warnings from Avast.

Software based firewalls are a waste of system resources if you have a hardware based firewall according to MBAM developer 10 minute video:
http://www.besttechie.net/2008/08/20/malwarebytes-developer-interview
Title: Re: Network shield and DCOM attacks
Post by: Lisandro on September 21, 2008, 08:50:01 PM
Is there any way to know if those select few DCOM warnings from Avast have leaked past Comodo?
Good question. It's an egg/chicken problem between the antivirus and the firewall...

Only thing I can think of is that I did an upgrade to SP3.  Could that have messed up the ordering of AV and Firewall?
Can't you install both from scratch (uninstall/boot/install again/boot)?

Wouldn't the firewall in a wired router be superfluous to the Comodo firewall?
Yes, the software firewall should do the work.

I suppose the next step is to upgrade to Comodo's version 3 to see if that will fix this issue but I really dread doing that.
It's a good idea...