Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Lise on November 13, 2004, 08:43:36 PM

Title: avast! On-access scanner message
Post by: Lise on November 13, 2004, 08:43:36 PM
I keep getting this "avast! On Access Scanner Message     DCOM Exploit - TCP Packet from 69.159.140.119:135"   Is this someone trying to hack into my computer, or someone GETTING into my computer or just a bad setting somewhere???  PLEASE!!!  I am starting to panic! This has been going on all day and I can't find any info on this!
Lise
Title: Re:avast! On-access scanner message
Post by: techie101 on November 13, 2004, 08:50:00 PM
The RPC/DCOM exploit is a vulnerability that allows an attacker to gain access to the destination machine by
sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

Be back in a minute...

OK...Anyway, as VLK stated, the new NS in SP2 is blocking hacker attempts to gain access to your computer.  Right now, not to worry.
I checked the URL provided in the message, and it is not now active and comes up invalid.
Hackers do this sometimes to "test" the waters and then take down the source computer.

The main thing is to always have a good firewall and antivirus in place AT ALL TIMES.

If the attacks persist, contact your ISP Administrator for assistance.

Good Luck.
Title: Re:avast! On-access scanner message
Post by: Vlk on November 13, 2004, 08:52:11 PM
This is the new Network Shield actively protecting you - apparently you're being attacked quite often. Fortunately your system is probably patched so the attack doesn't work. :)
Title: Re:avast! On-access scanner message
Post by: RejZoR on November 13, 2004, 08:58:48 PM
Interesting. So if you have a patched machine, Network Shield won't do anything (I mean won't even detect anything). I'm still trying to understand how Network Shield works so I might ask dumb questions ;D
Title: Re:avast! On-access scanner message
Post by: techie101 on November 13, 2004, 09:10:16 PM
Rej,

No dumb questions at all.

Read this article and you will get a good idea of how it works.  It is basically a filter, but read the article for a good explanation.

http://www.networkitweek.co.uk/news/1155763

 :D
Title: Re:avast! On-access scanner message
Post by: Vlk on November 13, 2004, 09:15:32 PM
Techie, we're talking avast's Network Shield, not Microsoft's :P

But it's true that it works very similar to the thing described in the article (which IMHO doesn't exist yet - or at least doesn't ship yet).

Cheers
Vlk
Title: Re:avast! On-access scanner message
Post by: pk on November 13, 2004, 09:55:34 PM
Quote
Interesting. So if you have a patched machine, Network Shield won't do anything (I mean won't even detect anything). I'm still trying to understand how Network Shield works so I might ask dumb questions ;D

You're not right, even if your system was patched, NetworkShield will scan incoming packets and warn you. It also detects when the blaster virus is copied over tftp to your local machine (which happens when the exploit was successful, and your computer downloads the virus).
Title: Re:avast! On-access scanner message
Post by: RejZoR on November 13, 2004, 11:09:20 PM
So will Network Shield prevent any new (unknown) worm from spreading (let's say similar to Sasser) if it maybe matches the rules, or does it just detect those that are known today (MSBlast, Sasser and other similar known stuff)?
Title: Re:avast! On-access scanner message
Post by: Vlk on November 13, 2004, 11:10:38 PM
Of course even the "new". Its signatures are in the VPS :)

(otherwise, it wouldn't be of much use :P)
Title: Re:avast! On-access scanner message
Post by: RejZoR on November 13, 2004, 11:14:00 PM
I meant like heuristic/generic matching. But fast VPS release should also do the job. Thx for explanation :)
Title: Re:avast! On-access scanner message
Post by: Vlk on November 13, 2004, 11:16:08 PM
Heuristic detection is even trickier for IDS than for an AV (I mean much trickier ;)). In fact, it's almost impossible (and frankly I'm not aware of any other such product).

There are some technical reasons for this.
Title: Re:avast! On-access scanner message
Post by: pk on November 13, 2004, 11:16:40 PM
It's not possible to do a heuristic scan; the exploit code must be known (there's no executable code) and its scanning must be really fast (otherwise it would slow down network traffic)
Title: Re:avast! On-access scanner message
Post by: Lise on November 14, 2004, 01:08:57 AM
I would like to thank this group for your quick replies to my question about the DCOM Exploit. I didn't understand a whole lot of it except that it was someone TRYING to get in as opposed to having GOTTEN in, am I right? I have only one problem with the warning message....it just slides up and down too fast to record the numbers properly. It should STAY up til you click it, but when I mean I was being bombarded, I'm talking the whole day every 10 to 30 seconds I would get a new warning....sometimes they would number up 3 or 4 URL's high. I have a program called Slap which allows me to view the name belonging to the URL. I managed to get 3 of them:
Sudbury HSE ppp.398039.sympatico.ca
Quebec HSE ppp.215991qc.sypatico.ca
Kingston HSE ppp.3995655.sympatico.ca
I don't know what all that means but I sent a message to my ISP (Sympatico) and reported this as well, including these names, hoping they can do something with them. And, yes, I had to turn on my firewall, which is really a pain and sad that we can't enjoy ourselves without someone always trying to screw things up!! :'(    But I gotta tell you, Avast is the BEST AV there is...I dumped useless Norton's and all its bloat for this one and am spreading the word in all the groups I belong to.
Thanks again
Lise
Title: Re:avast! On-access scanner message
Post by: pk on November 14, 2004, 01:16:18 AM
You can disable showing of those NetworkShield warnings (in the settings of NetShield provider), because it disturbs you while you're working ;). NetworkShield provider has a log viewer, so you can trace all attacks to your computer. Those IP addresses you see in the log are infected with a virus (mainly blaster, ...) and they try to infect your computer. Yes, firewall is a good choice ;).
Title: Re:avast! On-access scanner message
Post by: techie101 on November 14, 2004, 01:18:05 AM
VLK

Quote
Techie, we're talking avast's Network Shield, not Microsoft's :P

Forgive me.  At times I have a Microsoft mind.   ;D
Title: Re:avast! On-access scanner message
Post by: Eddy on November 16, 2004, 07:18:01 AM
Quote
NetworkShield will scan incoming packets and warns you
Not if the packages are already blocked by a firewall as is the case on my system ;D
Title: Re:avast! On-access scanner message
Post by: pk on November 16, 2004, 10:16:34 AM
Quote
NetworkShield will scan incoming packets and warns you
Not if the packages are already blocked by a firewall as is the case on my system ;D
Not if our driver is loaded before firewall's one ;D
Title: Re:avast! On-access scanner message
Post by: Neron on November 16, 2004, 12:16:41 PM
I want to ask something. My version is 4.5.517 and I don't see network shield in the installed providers. Should it be there or is my version too old? This is a stupid question but... ::) ???
Title: Re:avast! On-access scanner message
Post by: Lisandro on November 16, 2004, 01:16:32 PM
Quote
I want to ask something. My version is 4.5.517 and I don't see network shield in the installed providers. Should it be there or is my version too old? This is a stupid question but... ::) ???

You can update to 4.5.523 but it should be there.
Go to Control Panel > Add/Remove programs > avast! antivirus > Remove
Then choose Change function in the popup window
See if the providers are correctly added.
Title: Re:avast! On-access scanner message
Post by: Neron on November 16, 2004, 01:33:31 PM
When I go to change and click next there is a message: Avast have been successful updated
???????
Title: Re:avast! On-access scanner message
Post by: Eddy on November 16, 2004, 01:47:41 PM
Have you already rebooted?
Title: Re:avast! On-access scanner message
Post by: Vlk on November 16, 2004, 03:19:52 PM
Neron, you first need to update to the latest build.
It is not possible to add/remove the program components before this step.
Title: Re:avast! On-access scanner message
Post by: Neron on November 16, 2004, 04:23:50 PM
OK. I am just waiting to see if the program update is working fine and when I update to version 4.5.523 everything should be installed automatically, right? Thanks! ;)
Title: Re:avast! On-access scanner message
Post by: Neron on November 16, 2004, 06:15:09 PM
I did it but something is wrong (Windows didn't restart, it was busy and I clicked end task, then Windows rebooted), and then nothing. There were the same things - no network shield. And 1 more question. Should I see network shield in the on-access scanner in providers installed?
Title: Re:avast! On-access scanner message
Post by: Neron on November 16, 2004, 06:55:56 PM
ooooops! Sorry, my Windows is 98 - that's the problem :)
Title: Re:avast! On-access scanner message
Post by: Goldengirl39 on November 18, 2004, 10:44:35 AM
Can I ask a question Vlk. I also keep getting the DCOM Exploit message a lot.
So Avast is keeping this from entering? I didn't get the message till it went to the 4.5. Also do I need a firewall with dial up?
Title: Re:avast! On-access scanner message
Post by: Lisandro on November 18, 2004, 12:48:09 PM
Quote
Can I ask a question Vlk. I also keep getting the DCOM Exploit message a lot.
So Avast is keeping this from entering? I didn't get the message till it went to the 4.5. Also do I need a firewall with dial up?

You did not receive this message before because earlier versions do not have Network Shield which is the provider giving you the DCOM exploit message.
You can disable the message and continue protected (see the provider settings).

About the firewall, you always need one  ;). I suggest: Outpost, Sygate or ZoneAlarm.
Title: Re:avast! On-access scanner message
Post by: Goldengirl39 on November 19, 2004, 10:01:00 AM
Thanks for the help. :)
Title: Re:avast! On-access scanner message
Post by: Staind on November 22, 2004, 01:37:06 AM
This thread might be old, but I just found it now so sorry ^_~

I thought NOD32 (ESET) claimed their AV product prevented Sasser through heuristics.  Or, do they mean here that it didn't detect it coming through on the network, but the PC became infected and Nod32 cleaned it up? Since this is kind of contradicting to your statements on why heuristics won't work in network shield.
Title: Re:avast! On-access scanner message
Post by: whocares on November 23, 2004, 12:25:44 PM
IMHO:

I'd say NOD32-Heuristics could detect the transferred Sasser-FILE(s)
- on-Access
- without specific new signatures
- AFTER the Exploit/attack succeeded and the worm-file was written to HD, but
- BEFORE the Worm was executed, so it would not install or spread

So a system protected by NOD32 was not "infected", but the initial network-attack could not have been blocked (as avast's Shield now does it)




 ;)
Title: Re:avast! On-access scanner message
Post by: parachutestx on November 24, 2004, 03:46:23 AM
I had the same issue yesterday, out of curiosity can anyone help me with something? Looking up, I had the same situation: Avast warned me about the packet and said it had blocked it. Ironically enough it was because I had to shutdown Zonealarm for a moment and that popped up.

22.11.2004  17:38:24  DCOM Exploit attack
    from 4.26.161.30:135

My question is: I'm on SP1 because SP2 has given me problems.....but I check regularly for any new critical and high priority updates and I'm patched up to date, so how could that affect me?
Title: Re:avast! On-access scanner message
Post by: Lisandro on November 24, 2004, 06:46:52 PM
Quote
Ironically enough it was because I had to shutdown Zonealarm for a moment and that popped up.

It's not ironical, just ZA was blocking this attack. Disabling it, avast! starts to block.

Quote
My question is: I'm on SP1 because SP2 has given me problems.....but I check regularly for any new critical and high priority updates and I'm patched up to date, so how could that affect me?

I think SP2 is a necessity and not a matter of opinion. Anyway, maybe you can solve your other problems (shutdown, etc.) and install it  8)
Title: Re:avast! On-access scanner message
Post by: TonyC on November 25, 2004, 10:27:14 PM
Call me thick if you want to, but I do not know how to disable this DCOM Exploit scanner message.

Can you spell it out for me please...I'm really sick of reading it every 30 secs or so.

Cheers TC
Title: Re:avast! On-access scanner message
Post by: Eddy on November 25, 2004, 10:38:49 PM
Just disable "Show warning messages" in the network shield provider.

Taken from the help:
Quote
Resident Protection: Network Shield - Settings

Show warning messages. When this option is on, avast! will display a warning message in the system area (above the system clock) every time it detects an Internet worm attack.
Logging. All attacks will be recorded into a log file so that you can inspect their history, frequency, etc. The last detected attacks will be displayed on the following page, Last attacks.
Title: Re:avast! On-access scanner message
Post by: mulanee on November 26, 2004, 12:03:56 AM
Where is the network shield provider ?

--
Emmanuel
Title: Re:avast! On-access scanner message
Post by: Lisandro on November 26, 2004, 01:03:54 AM
Quote
Where is the network shield provider ?

--
Emmanuel

Left click on the 'a' blue ball in your system tray (next to your clock)
The Network Shield provider is shown in a list with all other providers at the left of this window.
Click on it.
Click on the button 'Customize'.
Disable (uncheck) "Show warning messages"  ;)
Title: Re:avast! On-access scanner message
Post by: Gulinborsti on November 26, 2004, 09:30:32 PM
Hi!

I just popped in to get some info about this "new" network shield feature. It seems to work quite well.
I get a lot of these DCOM attack warnings, but I can't find a log of all the blocked attacks. All I found are those 10 last attacks on the configuration screen.
Is there a way to log more than those 10 entries or am I only too blind to find the right option? ;)

I really want to send my ISP a list of those, maybe they are able and/or willing to do something against it...

Thanks in advance...
Title: Re:avast! On-access scanner message
Post by: Lisandro on November 27, 2004, 03:02:53 AM
Quote
Is there a way to log more than those 10 entries or am I only too blind to find the right option? ;)

C:\Program Files\Alwil Software\Avast4\Data\Log\nshield.log  8)

Welcome to avast forums!
You can search the board for DCOM or Network Shield and find a lot of information...
I posted too much about it last days  ;)
For instance: http://forum.avast.com/index.php?board=2;action=display;threadid=9159
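
Added example, not part of Lisandro's post and not avast! code: a sketch that groups Network Shield log entries by source address so they can be passed to an ISP. It assumes nshield.log uses the two-line entry layout quoted earlier in this thread (the real file layout may differ); the sample log is constructed from addresses quoted in the thread.

```python
import ipaddress
import re
from datetime import datetime

# Assumed entry layout, taken from the two-line entry quoted earlier in the thread.
ENTRY = re.compile(
    r"(\d{2}\.\d{2}\.\d{4})\s+(\d{2}:\d{2}:\d{2})\s+(.+?)[ \t]*\r?\n"
    r"[ \t]*from[ \t]+([0-9.]+):(\d+)"
)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: addresses are ones quoted in this thread, timestamps are made up.
SAMPLE_LOG = (
    "22.11.2004  17:38:24  DCOM Exploit attack\n    from 4.26.161.30:135\n"
    "22.11.2004  17:41:10  DCOM Exploit attack\n    from 69.159.140.119:135\n"
    "22.11.2004  17:52:47  DCOM Exploit attack\n    from 4.26.161.30:135\n"
    "22.11.2004  18:03:05  DCOM Exploit attack\n    from 192.168.6.16:135\n"
    "22.11.2004  18:04:00  DCOM Exploit attack\n    from 999.1.1.1:135\n"  # malformed
)

def summarize(text):
    """Group log entries by source IP: hit count, first/last seen, LAN flag."""
    sources = {}
    for date, time, _name, ip, _port in ENTRY.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
            seen = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
        except ValueError:
            continue  # skip entries with an unparsable address or timestamp
        s = sources.setdefault(ip, {"count": 0, "first": seen, "last": seen,
                                    "lan": any(addr in n for n in RFC1918)})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], seen), max(s["last"], seen)
    return sources

def abuse_report(text):
    """One line per source, most frequent first; LAN sources are labelled."""
    lines = []
    for ip, s in sorted(summarize(text).items(), key=lambda kv: -kv[1]["count"]):
        where = "RFC 1918 address, source is on the local network" if s["lan"] else "external"
        lines.append(f"{ip}  hits={s['count']}  first={s['first']:%Y-%m-%d %H:%M:%S}"
                     f"  last={s['last']:%Y-%m-%d %H:%M:%S}  ({where})")
    return lines

if __name__ == "__main__":
    print("\n".join(abuse_report(SAMPLE_LOG)))
```

A source in a private (RFC 1918) range is a machine on your own network rather than one the ISP can trace, so the report labels it separately.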
Title: Re: avast! On-access scanner message
Post by: amna on April 27, 2005, 12:24:33 PM
hi,
I have a very similar problem to Lise. I get a network shield message saying "Dcom exploit blocked from an ip address 192.168.6.16:135/tcp". I am using the latest version of avast antivirus, and I have also updated my pc. I tried dcombulator but that does not work. I did close the network shield warning as Pk said and that was a great help, thanks pk.
But I have another question, and that is: is blocking the exploit by avast enough to stop somebody from hacking or getting into my pc? I have not installed a firewall yet but I am hoping to do so today. I never had this problem before but now for the past 3 - 4 days this problem is quite tormenting.
 
thanxs
amna
Title: Re: avast! On-access scanner message
Post by: Lisandro on April 27, 2005, 02:12:31 PM
Quote
I tried dcombulator but that does not work.
People misunderstand the efficiency of Dcombulator... it disables the service (DCOM) but does not avoid attacks.

Quote
Is blocking the exploit by avast enough to stop somebody from hacking or getting into my pc? I have not installed a firewall yet but I am hoping to do so today. I never had this problem before but now for the past 3 - 4 days this problem is quite tormenting.
No, avast is not enough... You should have a full firewall and not only the 'light' one feature of avast! NetShield.