Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Mark2234 on August 28, 2010, 08:04:55 PM

Title: DCOM exploit
Post by: Mark2234 on August 28, 2010, 08:04:55 PM
Hi,

I have been using Avast for more than a year now and have never had this happen before. Every 30 minutes or so, regardless of what I am doing on my laptop, a message will come up saying that a DCOM exploit was stopped.

A bit of background info may be of use:
- The laptop was recently infected with Vundo
- With the help of a kind member at MBAM forums we think we managed to sort it out with Combofix
- Following the virus removal, Malwarebytes deep scan comes back clean, and..
- Windows Defender scan comes back clean, and..
- Spybot Search and Destroy comes back clean (apart from a couple of relatively harmless cookies sometimes), and..
- Avast deep scan and boot scan come back clean (apart from what I have been told is a false positive in C:\hp\bin\endprocess.exe)
- Combofix scan comes back clean

I have since made the following alterations/additions:
- Installed Online Armour firewall (and disabled windows firewall)
- Installed Spyware Guard
- Removed all old versions of Java and updated to latest
- Added MVPS hosts file list
- Updated all software mentioned above

Any ideas what may be causing it? What can I do to stop it from happening?

Thanks,

Mark
Title: Re: DCOM exploit
Post by: spg SCOTT on August 28, 2010, 08:17:00 PM
Hi Mark, welcome to the forum :)

From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

I will steal a more knowledgeable user's answer here:

You're welcome.

DCOM attacks are speculative, not targeted, and try to exploit a vulnerability in an out-of-date OS; if your OS is up to date then you aren't vulnerable to the exploit. That doesn't stop them (usually someone from the same ISP with an infected computer) trying to see if it can infect others.
 
Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield, ideally the firewall should block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.


-Scott-
Title: Re: DCOM exploit
Post by: Asyn on August 28, 2010, 08:23:50 PM
From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

Still the firewall should have blocked it before avast...!!
asyn
Title: Re: DCOM exploit
Post by: Pondus on August 28, 2010, 08:30:03 PM
DCOMbobulator
http://www.grc.com/freeware/dcom.htm
Title: Re: DCOM exploit
Post by: spg SCOTT on August 28, 2010, 08:31:58 PM
From what I have read here, avast! is doing its job, and preventing the attack from succeeding.

Still the firewall should have blocked it before avast...!!
asyn

Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.
Title: Re: DCOM exploit
Post by: Pondus on August 28, 2010, 08:36:23 PM
Quote
Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield, ideally the firewall should block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.
Quote
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.
So if you turn on your router firewall, you won't see this?
Title: Re: DCOM exploit
Post by: Asyn on August 28, 2010, 08:37:50 PM
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

A good firewall shouldn't be 'beaten' by an AV. (or its setup is faulty)
Or does the OP use AIS..? As he doesn't refer to which program pops up with this message...
Is it avast after all..??
asyn
Title: Re: DCOM exploit
Post by: DavidR on August 28, 2010, 08:48:41 PM
DCOMbobulator
http://www.grc.com/freeware/dcom.htm

Won't make a blind bit of difference as it doesn't stop the external attempt (which the network shield will detect, if not done by the firewall) as this is an internal tool.
Title: Re: DCOM exploit
Post by: spg SCOTT on August 28, 2010, 08:53:26 PM
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.

A good firewall shouldn't be 'beaten' by an AV. (or its setup is faulty)

Or maybe avast! is just that good ;)
I presume that in OA, you could create a rule that blocks that port completely. That would do it I suppose...or the router firewall might, as Pondus suggests?
Quote
Or does the OP use AIS..? As he doesn't refer to which program pops up with this message...
Is it avast after all..??
asyn
I'd guess either Free or Pro...since the OP says they have Online Armour installed.

-Scott-
Title: Re: DCOM exploit
Post by: Asyn on August 28, 2010, 09:01:22 PM
1. Or maybe avast! is just that good ;)
2. I presume that in OA, you could create a rule that blocks that port completely. That would do it I suppose...or the router firewall might, as Pondus suggests?
3. I'd guess either Free or Pro...since the OP says they have Online Armour installed.

1. It sure is very good, as it blocks DCOM, which should have been blocked by the firewall.
But as said, the FW should block it first...!!!
2. True and yes.
3. Let's wait for a reply, I saw some rather confused users here already... ;)
asyn
Title: Re: DCOM exploit
Post by: DavidR on August 28, 2010, 09:07:52 PM
The order things would run would I guess be down to windows and may or may not have to do with which was installed first, but it is a bit like black magic as there doesn't appear to be any reasoning in it.

Blocking the port in OA would be the same as using DCOMbobulator, since avast is getting in first it would alert before the OA block (or DCOMbobulator) got a look in.

@ Mark2234
If you have avast 4.8 I would suggest now would be a good time to update to avast 5.0, if you already have avast 5.0 then, all I can suggest is that you leave OA installed and do a clean reinstall of avast:
This assumes you are using the free version of avast - Download the latest version of avast, 5.0.594 http://www.avast.com/free-antivirus-download and save it to your HDD, somewhere you can find it again (if you didn't save your last download). Use that when you reinstall.

- Download the avast! Uninstall Utility, aswClear5.exe find it here (http://www.avast.com/uninstall-utility) and save it to your HDD (it has uninstall tools for both 4.8 and 5.0).
Title: Re: DCOM exploit
Post by: Mark2234 on August 30, 2010, 05:26:58 AM
Thanks for your input everyone, and sorry for the delayed reply! Unexpectedly busy the last couple of days.

Anyway, I had the latest Avast, the free version currently (as well as all windows updates which I think I forgot to mention). I have uninstalled via David's instructions and reinstalled. I will let you know if the DCOM exploit warnings continue!

Thanks,

Mark
Title: Re: DCOM exploit
Post by: DavidR on August 30, 2010, 04:17:18 PM
You're welcome, good luck.
Title: Re: DCOM exploit
Post by: Mark2234 on August 31, 2010, 04:50:08 AM
Unfortunately I'm still getting a few of the messages! Any ideas?
Title: Re: DCOM exploit
Post by: Gargamel360 on August 31, 2010, 05:05:58 AM
Do you use a router w/firewall, or are you hooked directly to cable modem?

An external firewall might help, provided you don't already have one.
Title: Re: DCOM exploit
Post by: Mark2234 on September 01, 2010, 07:06:25 AM
Do you use a router w/firewall, or are you hooked directly to cable modem?

An external firewall might help, provided you don't already have one.

Direct into the cable modem. I had used a router with FW in the past, but not right now. I will get hold of one and see if it makes any difference. Will it interfere with Online Armor? Or vice versa?
Title: Re: DCOM exploit
Post by: pk on September 01, 2010, 09:58:59 AM
Everything is right here. You can get DCOM popups even with FW installed.

I'll briefly describe how it's possible: avast (in all versions Free/Pro/IS) contains a network driver module which detects network exploits (Blaster/Sasser/... viruses). This module behaves like a firewall (it scans some incoming network packets, blocks all dangerous packets or passes them to the system) - see, the behavior is the same as that of most firewalls. Now if you install a software firewall, you have two drivers which scan network traffic - and now it depends how both applications are installed, because one of them will scan network packets sooner. If avast -> you'll receive a DCOM popup, otherwise the installed FW will block it anyway.

Network traffic path can be described as follows: [Internet] -> computer's network card -> avast driver -> firewall driver -> [Web browser in Windows].
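To make the driver-ordering point concrete, here is an added example (written for this page, not avast's Network Shield code, whose actual signatures are not published here) of the kind of inline inspection a network driver sitting in front of the firewall can perform on TCP/135 traffic. It decodes connection-oriented DCE/RPC bind and request PDUs and flags the classic MS03-026/Blaster shape: a bind to the ISystemActivator interface (UUID 000001A0-0000-0000-C000-000000000046) from an untrusted source, followed by an oversized RemoteCreateInstance (opnum 4) call. The trusted-network list, the 512-byte stub threshold, the per-source flow table and all sample packets are constructed assumptions for the demo; a real driver would key on the full 5-tuple and use tuned signatures.

```python
"""Added example: a toy inline inspector for the classic DCOM/RPC exploit
pattern on TCP 135 (bind to ISystemActivator, then an oversized
RemoteCreateInstance request). Illustrative only; not avast's Network Shield."""
import struct
import uuid
from ipaddress import ip_address, ip_network

PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_OBJECT_UUID = 0x80                       # request carries a 16-byte object UUID after the header
ISYSTEMACTIVATOR = uuid.UUID("000001A0-0000-0000-C000-000000000046")  # DCOM remote activation
EPMAPPER = uuid.UUID("E1AF8308-5D1F-11C9-91A4-08002B14A0FA")           # RPC endpoint mapper
NDR32 = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860")              # NDR transfer syntax
OPNUM_REMOTE_CREATE_INSTANCE = 4
STUB_LIMIT = 512   # assumption for this toy: a benign RemoteCreateInstance stub is far smaller


def parse_pdu(data: bytes) -> dict:
    """Decode one connection-oriented DCE/RPC PDU (bind or request) into a dict."""
    if len(data) < 16:
        raise ValueError("short DCE/RPC header")
    vers, _minor, ptype, flags, drep, frag_len, _auth, call_id = struct.unpack_from(
        "<BBBB4sHHI", data, 0)
    if vers != 5 or not drep[0] & 0x10:
        raise ValueError("unsupported RPC version or big-endian NDR")
    if ptype == PTYPE_BIND:
        n_ctx, off, contexts = data[24], 28, []
        for _ in range(n_ctx):
            cont_id, n_ts = struct.unpack_from("<HB", data, off)
            iface = uuid.UUID(bytes_le=data[off + 4:off + 20])   # mixed-endian NDR UUID
            version = struct.unpack_from("<I", data, off + 20)[0]
            contexts.append((cont_id, iface, version))
            off += 24 + 20 * n_ts                                # skip the transfer syntaxes
        return {"ptype": "bind", "call_id": call_id, "contexts": contexts}
    if ptype == PTYPE_REQUEST:
        _hint, cont_id, opnum = struct.unpack_from("<IHH", data, 16)
        stub_off = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
        return {"ptype": "request", "call_id": call_id, "cont_id": cont_id,
                "opnum": opnum, "stub_len": len(data[stub_off:frag_len])}
    return {"ptype": ptype, "call_id": call_id}


class DcomInspector:
    """Stateful per-source check, as a driver placed before the firewall would see it."""

    def __init__(self, trusted_nets=()):
        self.trusted = [ip_network(n) for n in trusted_nets]
        self.binds = {}   # src -> {presentation context id: interface UUID} (toy: keyed by source only)

    def inspect(self, src: str, dport: int, data: bytes):
        """Return an alert string, or None if the PDU would be passed to the system."""
        if dport != 135:
            return None
        pdu = parse_pdu(data)
        if pdu["ptype"] == "bind":
            ctx = self.binds.setdefault(src, {})
            for cont_id, iface, _ver in pdu["contexts"]:
                ctx[cont_id] = iface
            untrusted = not any(ip_address(src) in n for n in self.trusted)
            if untrusted and any(i == ISYSTEMACTIVATOR for _, i, _ in pdu["contexts"]):
                return f"ISystemActivator bind from untrusted {src}"
        elif pdu["ptype"] == "request":
            iface = self.binds.get(src, {}).get(pdu["cont_id"])
            if (iface == ISYSTEMACTIVATOR and pdu["opnum"] == OPNUM_REMOTE_CREATE_INSTANCE
                    and pdu["stub_len"] > STUB_LIMIT):
                return f"oversized RemoteCreateInstance ({pdu['stub_len']}-byte stub) from {src}"
        return None


# --- constructed sample traffic (built here, not captured) --------------------------
def _pdu(ptype, flags, call_id, body):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body

def build_bind(call_id, contexts):
    body = struct.pack("<HHIBBH", 5840, 5840, 0, len(contexts), 0, 0)
    for cont_id, iface, version in contexts:
        body += struct.pack("<HBB", cont_id, 1, 0) + iface.bytes_le + struct.pack("<I", version)
        body += NDR32.bytes_le + struct.pack("<I", 2)
    return _pdu(PTYPE_BIND, 0x03, call_id, body)

def build_request(call_id, cont_id, opnum, stub):
    return _pdu(PTYPE_REQUEST, 0x03, call_id, struct.pack("<IHH", len(stub), cont_id, opnum) + stub)

def demo():
    insp = DcomInspector(trusted_nets=["192.168.1.0/24"])
    lan, internet = "192.168.1.20", "203.0.113.7"      # constructed addresses
    return [
        insp.inspect(lan, 135, build_bind(1, [(0, EPMAPPER, 3)])),                 # LAN epmapper lookup
        insp.inspect(internet, 135, build_bind(1, [(0, ISYSTEMACTIVATOR, 0)])),    # probe from outside
        insp.inspect(internet, 135, build_request(2, 0, 4, b"A" * 1600)),          # exploit-shaped call
        insp.inspect(lan, 135, build_bind(2, [(1, ISYSTEMACTIVATOR, 0)])),         # normal DCOM activation
        insp.inspect(lan, 135, build_request(3, 1, 4, b"B" * 200)),                # small, benign stub
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict or "pass")
```

Run as a script, it prints `pass` for the two LAN exchanges and an alert for the internet-sourced bind and the oversized call. Whichever of the two drivers sees the packet first is the one that raises the alert, which is why the popup comes from avast rather than Online Armor even though both would have blocked it.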
Title: Re: DCOM exploit
Post by: DavidR on September 01, 2010, 04:05:50 PM
@ pk
Whilst your comment "Everything is right here. You can get DCOM popups even with FW installed." is entirely correct, it is a pain in the rear and scares the horses when it is fired, where a standard firewall wouldn't trigger an alarming alert message.

Is there any way to reverse this order in the case of a third party firewall driver ending up behind the network shield driver?

Either that or don't display the DCOM exploits, etc. in the network shield or give the user the option (as was in avast 4.8) for the network shield to be silent. Though obviously not for all alerts, such as the malicious url alert.

This would be the same way as a software firewall doesn't display any pop-up unless you put it into to some sort of paranoid mode.
Title: Re: DCOM exploit
Post by: pk on September 01, 2010, 04:30:39 PM
Is there any way to reverse this order if in the case of a third party firewall driver ending up behind the network shield driver?
yes, it's possible, but it's quite complex and there're some interop issues with other network applications (ad blockers, etc)

Quote
Either that or don't display the DCOM exploits, etc. in the network shield or give the user the option (as was in avast 4.8) for the network shield to be silent.
There should be a checkbox to suppress showing that exploit popup window next time.
Title: Re: DCOM exploit
Post by: DavidR on September 01, 2010, 04:45:44 PM
Thanks pk, does that stick after a reboot ?