Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Gillie2tat on November 16, 2004, 07:17:09 PM
-
I keep getting this message from Avast 4 Pro:-
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
What does this mean and do I do anything about it or is the fact that it is being blocked mean I'm OK? I've had it several times since logging onto the internet 15 minutes ago. I've never seen that particular message before.
-
Further information - I'm running the Kerio firewall which should be blocking this without Avast coming up with error messages. And I have seen the other strand but because I am already running a firewall I am concerned about this issue.
-
The RPC/DCOM exploit is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.
And Avast has blocked that access. If you do not yet have a firewall, I strongly suggest you get one.
ps: and please use the search function prior to asking. This one has been answered already several times.
-
There must be definitely something wrong with your firewall setup as it should've been blocked.
Or you have incoming RPC traffic enabled? Check the firewall rules...
-
Sorry Vlk I'm out of my depth here I have no idea how you check for that in the free edition of the Kerio firewall. I've had a look round it but I have no idea where to look! I have set it to deny all incoming intrusions.
-
This is really weird, I've found the section in the Kerio firewall where the IP that's causing the problem shows up - and it's my ISP!!
I wonder if their server is running portscans or something and causing these alerts. Thank goodness Avast is spotting them.
And yes even though I've set Kerio to deny all intrusions these alerts are still coming up.
I attach a screenshot of the firewall details.
-
The screenshot doesn't show if the traffic is outgoing or incoming. If it is outgoing, your system is infected.
-
OK off to run a full system scan now.
By the way I only get these alerts when I am actually online.
-
OK I have run a full system scan with Avast, no viruses found. I had it set to high with scan archives checked. I then scanned with Spybot and Ad Aware, both found a few cookies but nothing more.
I rather think that if Avast is continually coming up with these alerts when I am online they are coming into the computer rather than going out from it. If Avast is blocking them as it obviously is, is it possible to turn these alerts off and if so would it be reasonable to do so? Avast would let me know at once anyway if something tried to run which had something it recognised as a virus.
As far as the Kerio firewall is concerned it is definitely working, I just don't know why it's not blocking this and what it is.
Also it seems to be happening almost every time I click on a link which suggests something to do with the server connection to my ISP. I am wondering if I should report this to them in case it's a hacker.
-
If, as is often the case, your arrangement with your ISP is that you're disconnected after however-long of inactivity, any chance it's just them checking whether you're currently active?
-
Gillie, if our driver is loaded before the firewall's we see the exploit first and thus display these warning messages. You can switch them off in Network Shield provider. In all cases, when you see it, the possible attack is detected and stopped. So there's no need to be nervous.
Lukas.
-
In answer to your first question, no I have an unlimited broadband account - there's no time limit for being online.
In answer to the second point - how do I switch off the alerts? I'm perfectly happy that Avast is blocking these, great to have a little extra protection. I just don't want these pop ups all the time.
I think the server is certainly doing something, what I don't know but if Avast is protecting me - which it is - I don't really need to know about it unless I have a virus of some kind:)
Not that nervous, I've been using puters since the early 1990s, have had my own since January 2001 and teach how to use Avast over at VU. I just wanted to be sure what this was before I switched something off I shouldn't:) and I went all over the program last night but couldn't see how to switch off the alerts and still have the network shield protection which is what I want to do. In fact I couldn't find any access to the network shield at all.
-
Right-click on the blue ball, then on access protection control, then double-click on network shield. That works for me ;) ;D ;D ;D
-
OK for me that was right click on the Avast ball, left click on On Access Protection Control, click on Network Shield, click on Customise and uncheck warning messages. I left the logs checked so that I'll have some way of tracking these alerts.
Thanks so much for all the help!
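
An added example, not part of the thread and not Avast's own code: with the logs left enabled to track these alerts, the Python below counts blocked alerts per source address and marks which sources fall inside a given network. The alert format is assumed from the message quoted in the first post; `parse_alert`, `summarize`, the sample lines and the `81.178.0.0/16` range are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Alert format assumed from the message quoted in the first post; the real
# Network Shield log file may be laid out differently.
ALERT_RE = re.compile(
    r'Network Shield: blocked "(?P<name>[^"]+)" - attack from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})/(?P<proto>tcp|udp)'
)

# Constructed sample lines: only the first address appears in the thread.
SAMPLE = """\
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 81.178.20.7:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 198.51.100.23:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 999.1.1.1:135/tcp
some unrelated log line
"""

def parse_alert(line):
    """Return (name, ip, port, proto), or None if the line is not a valid alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # for example an octet above 255
        return None
    return m["name"], ip, int(m["port"]), m["proto"]

def summarize(lines, isp_network):
    """Count alerts per source and mark sources inside isp_network (CIDR string)."""
    net = ipaddress.ip_network(isp_network)
    counts = Counter(a for a in map(parse_alert, lines) if a)
    return [
        {"name": n, "source": str(ip), "port": port, "proto": proto,
         "count": c, "same_isp": ip in net}
        for (n, ip, port, proto), c in counts.most_common()
    ]

if __name__ == "__main__":
    # 81.178.0.0/16 is a hypothetical range standing in for the poster's ISP.
    for row in summarize(SAMPLE.splitlines(), "81.178.0.0/16"):
        print(row)
```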
-
my pleasure see ya again soon :D :D
-
Gillie, if our driver is loaded before the firewall's we see the exploit first and thus display these warning messages. You can switch them off in Network Shield provider. In all cases, when you see it, the possible attack is detected and stopped. So there's no need to be nervous.
Hmmm - do you think so? :P
I mean, the firewall should have closed the port in the first place (unless inbound RPC is allowed which is rarely the case).
-
Gillie, if our driver is loaded before the firewall's we see the exploit first and thus display these warning messages. You can switch them off in Network Shield provider. In all cases, when you see it, the possible attack is detected and stopped. So there's no need to be nervous.
Hmmm - do you think so? :P
I mean, the firewall should have closed the port in the first place (unless inbound RPC is allowed which is rarely the case).
Yes, that's true. Just wanted to say that seeing this message does not necessarily mean the firewall is not working and that its IDS features wouldn't catch the attack later.
But you are right, having RPC (port 135) port opened on internet interface is considered dangerous.
Lukas.
-
OK I'll try and find out how you close off ports and see if I can close this one on Kerio tonight that's not a problem:)
-
But you are right, having RPC (port 135) port opened on internet interface is considered dangerous.
More information about the 135: http://www.grc.com/port_135.htm
-
Thanks for that resource.
I just realised - I am using Avast 4 Professional at the moment and there is a version of Avast designed specially to work with the Kerio firewall. I'll download the Kerio version of Avast tonight and let you know how things go.
-
No, avast for Kerio is for Kerio MailServer or Winroute. It doesn't make any sense to install it on your machine...
-
OK Vlk thanks. I am going to have to do something about this because I just phoned my ISP and they told me "we don't block any ports on our server because it causes problems with our customers". So Port 135 must be wide open. And I'm running Windows XP so a lot of these fixes won't work and I don't want to go fiddling with the registry unless it's essential. A lot of that Microsoft page was way over my head and I only understood the bit about editing the registry.
Looks as if blocking it is something I should do with the registry rather than the Kerio firewall but I still need to know how to add these things to the Kerio firewall settings and see if that fixes it. Off to Kerio now and if anyone here has the answer to that one, I'd very much appreciate your assistance:)
-
Found this at the Kerio forum:-
http://forums.kerio.com/index.php?t=msg&goto=4190&S=57567ebfaa0646e48243ee6fce468b26#msg_4190
Will try that and let you know how I get on:)
-
OK I figured out how to block ports for Kerio and for good measure added Ports 137-139 to the list - I just blocked incoming for the moment and we'll see what happens. If necessary I can block incoming and outgoing.
I've reset Avast to produce alerts so I will know if this is working or not.
Thanks guys!
-
Sygate Firewall worked for me...
I stopped getting that kind of messages and closed two ports that were open.
-
All fixed and no more alerts. Thanks everyone!
Might be useful to know what Avast is blocking in the Network Shield that it doesn't protect you from in the standard virus protection, so that potential problems can be ruled out in future. - I mean it might be helpful to know what it's blocking so that you have some idea what you haven't got!
Also I thought it wasn't a good idea to run two firewalls at once? I know that's not what you're suggesting Tulio, I'm concerned at the idea of a second firewall within Avast. If it's here to stay you guys will presumably be enhancing it in future and in that case are there likely to be potential conflicts with the main firewalls?
-
Might be useful to know what Avast is blocking in the Network Shield.
Can you see? http://forum.avast.com/index.php?board=1;action=display;threadid=8831;start=msg73303#msg73303
Also I thought it wasn't a good idea to run two firewalls at once? I know that's not what you're suggesting Tulio, I'm concerned at the idea of a second firewall within Avast. If it's here to stay you guys will presumably be enhancing it in future and in that case are there likely to be potential conflicts with the main firewalls?
Network Shield is not a firewall and won't conflict with Windows internal firewall and/or third-party ones.
-
OK thanks!
-
Right-click on the blue ball, then on access protection control, then double-click on network shield. That works for me ;) ;D ;D ;D
thx for the tip, i'd search where was the option for disabling this, but without success; i had the same problem, since the last avast update (1 hour ago), and all those infos were becoming annoying (considering that my system seems safe and that i check various things frequently)
As a sidenote, since i've discovered avast home ed. a few months ago, i've installed it on many computers, and would like to thank the people here who have made / contributed to such a good product.
-
Your regular firewall should have the option to add ports you want blocked to its list of protections. That's what I did and it worked a treat.
I've actually left the alerts back on now so that if something starts coming through that I need to block certain ports I can do so quickly:) frankly I'd rather know about these things than not.
-
I tried to use DCOMbobulator to limit attacks on port 135, but they continue to happen.
Why does it happen?
DCOMbobulator is supposed to disable DCOM, so I shouldn't be getting the warnings, should I?
When I disabled the firewall I kept getting the annoying attack warnings from avast.
-
Why does it happen?
It happens because there are unfortunately a lot of people who didn't protect their system (correctly) and now have infected systems. The only way to stop the intrusion attacks on your system is making every system in the world free from malware.
I tried to use DCOMbobulator to limit attacks on port 135
No need to use that. A good firewall and Avast is enough.
kept getting the annoying attack warnings from avast.
Why not just disable the warnings in the on-access control panel under the network shield provider?
-
I want to know if I would get a good result (not getting the warnings) without the need of installing a firewall.
That's why I tried to use DCOMbobulator, since the warnings say DCOM Exploit on 135.
WHY??? Why DCOMbob doesn't help me with that Exploit!?!?!?! Why!?!? :-[ :-\