Author Topic: DCOM Exploit  (Read 29673 times)


Nicolas

  • Guest
Re: DCOM Exploit
« Reply #15 on: September 04, 2005, 02:39:30 AM »
Jarmo, I had the same experience with these DCOM warnings with Sygate versions 5.5 and 5.6. People using Avast with other firewalls report this too. All cases concern Win2k.

Avast loads very early, before the firewall. I could change that, but in my opinion the AV has most priority. The firewall opens several ports for initial traffic (like 137 and 138 for TCP) which may not be safe without AV. But DCOM uses port 135.
It would be best if both AV and firewall were integrated in the OS, but we have to make do with separate programs. How could the firewall block all ports before it is loaded (as you said)?
This priority of either AV or firewall is certainly a problem. If AV goes first, this would imply that the system has no functioning firewall until it is fully loaded. Could it be that your experience depends on XP, whose firewall blocks at least incoming traffic?
« Last Edit: September 04, 2005, 03:09:12 AM by Nicolas »

Jarmo P

  • Guest
Re: DCOM Exploit
« Reply #16 on: September 04, 2005, 07:10:12 AM »
Quote
Jarmo, I had the same experience with these DCOM warnings with Sygate versions 5.5 and 5.6. People using Avast with other firewalls report this too. All cases concern Win2k.

This is news to me. Thanks. I also did not expect those warnings to come with the SP2 firewall.
But I use only Sygate 5.5, so I have no early protection from that SP2 firewall.
Needless to say, if it ever happens to me with 5.5.2710 I'll go back to an earlier SPF version if I still have the installation file saved :(

I never suspected that problem to be there for 5.5.2710 ???
There are only those users that use some program like Avast's network shield that are even aware there might be problems with the firewall starting late. But I never heard the same problem was there with 2710 ??? You did not install 5.5 on top of 5.6, but did an uninstall first, I hope?

Quote
How could the firewall block all ports before it is loaded (as you said)?

I am not technically competent to give you an answer 'how'. But if you go to the Options/Security window of Sygate, there is a greyed-out and unchecked option 'Block all traffic while the service is not loaded' and a checked box 'allow initial traffic'. In the free version.

But an earlier build, maybe 5.5.2516, did not allow internet at all if smc.exe was not running. Some even complained about that feature, LOL.
It was an undocumented good feature.

Edit
I just uninstalled 2710 and installed 2516. It did not have that behaviour I remembered. Maybe 2710 had made some more permanent changes in my Windows registry, or it was another build.
So now back to 2710.
But sure they removed that feature to be able to sell the Pro version :P
« Last Edit: September 04, 2005, 08:29:00 AM by Jarmo P »

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: DCOM Exploit
« Reply #17 on: September 04, 2005, 11:01:40 AM »
Quote
Avast loads very early, before the firewall. I could change that, but in my opinion the AV has most priority.

It depends on which product you install first: if the firewall driver allows a packet, the AV driver will check it (the AV driver will identify the attacks if the firewall doesn't have a clever network IDS).

Quote
It would be best if both AV and firewall were integrated in the OS, but we have to make do with separate programs. How could the firewall block all ports before it is loaded (as you said)?

It doesn't matter whether the firewall is integrated into the system or is a 3rd-party product; their drivers are loaded with the OS, the same way as if the firewall were integrated in the OS.

Firewalls control all traffic. Even if network drivers are not loaded, the OS is not able to receive/send any packets; so it's safe, all ports are "blocked" until all network drivers are loaded.

kalip

  • Guest
Re: DCOM Exploit
« Reply #18 on: September 04, 2005, 12:58:37 PM »
I too am experiencing the same problem with the DCOM Exploit.
It has only just started a few days ago.
I am wondering if this is a new feature of AVAST.
« Last Edit: September 04, 2005, 01:01:34 PM by kalip »

Nicolas

  • Guest
Re: DCOM Exploit
« Reply #19 on: September 04, 2005, 01:49:06 PM »
My idea was that possibly the later Sygate version disables the built-in XP firewall, maybe for compatibility reasons?
The Sygate firewall is a typical product for the corporate network: computers running 24/7 and often Win2k Pro. There, startup problems are not a hot issue.

Quote
It doesn't matter whether the firewall is integrated into the system or is a 3rd-party product; their drivers are loaded with the OS, the same way as if the firewall were integrated in the OS.

But the startup sequence is a serial process, one after the other. It must be possible to configure this in such a way that a temporary vulnerability is avoided. Unfortunately, this is not the case.

Only the last few days I also found DCOM-exploit during normal service: port 135 TCP was opened by an unknown process (remote 3882, 3404, 4970, all from the same infected computer inside the cable network). I have to find out why this happens.

Nicolas

  • Guest
Re: DCOM Exploit
« Reply #20 on: September 04, 2005, 03:17:46 PM »
Quote
Only the last few days I also found DCOM-exploit during normal service: port 135 TCP was opened by an unknown process (remote 3882, 3404, 4970, all from the same infected computer inside the cable network). I have to find out why this happens

This DCOM warning is, as could be expected, due to a service: a svchost.exe instance.
PID 420, remote host the infected computer and remote port 4970. Status FIN_WAIT2.
There is a coincidence in time with an update of Acrobat Reader (including update manager). Now port 135 is made inaccessible and the AC Reader updater disabled, but the details of this intrusion have not yet been found.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: DCOM Exploit
« Reply #21 on: September 04, 2005, 03:51:52 PM »
Quote
You jump here to defend the company you work for. I'm just an avast! user.
No Tech, where did you get that idea?
http://forum.avast.com/index.php?topic=15720.msg132598#msg132598

But, you've explained that you're just a user.
I'm really sorry for this misunderstanding. Shame they don't give you a Pro version license due to your work there.
About freedom to post (opinions and criticism about the product), it's a pity. They won't get it better without listening to them.
Threads removed because of Symantec complaints? It's a shame again. I respect Symantec for almost everything except antivirus and firewall.
Systemworks is good. I've used NAV but it's a hog...

Quote
Do you really think you can call me ignorant?
You were that time you found out about the loopback proxy issue.
Maybe an English problem... translating 'ignorant' to my language, it will be stupid, idiot or even mad, crazy, or something worse.

Just hope there is a free version available.
Will Symantec share a free version of SPF? Will NIS be the only firewall from them?
The best things in life are free.

neal62

  • Guest
Re: DCOM Exploit
« Reply #22 on: September 04, 2005, 09:45:37 PM »
I am on a cable supplied ISP. My cable modem has a standby switch. When this switch is activated no packets, incoming/outgoing, can pass through the modem into the PC and out again.
I usually leave the modem's standby switch in the standby mode until AFTER I have booted up my PC, by which time the software firewall I use is already armed and ready to go. Then I take the modem out of standby and access the Internet. Seems to work fine for me.

Nicolas

  • Guest
Re: DCOM Exploit
« Reply #23 on: September 04, 2005, 11:59:36 PM »
Quote
I am on a cable supplied ISP. My cable modem has a standby switch. When this switch is activated no packets, incoming/outgoing, can pass through the modem into the PC and out again.

What modem are you using? Does it allow connection to the DHCP server only (to obtain an IP) or is it completely blocking all traffic on standby?
The problem here is that after startup has taken place a simple "ipconfig /renew" is not sufficient to configure the network connection. Otherwise, we could simply switch on the modem when needed. Hence my question! The modems used here are Terayon and Docsis.

Nicolas

  • Guest
Re: DCOM Exploit
« Reply #24 on: September 05, 2005, 12:23:50 AM »
I found that Avast does give a DCOM-exploit warning, in spite of the Sygate firewall blocking port 135.
The attacks are initiated by several outside computers, but there are also svchost processes running that are listening for them for only short periods of time. I'm still searching for the origin of this.
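The two posts above describe the evidence by hand: a svchost.exe instance (PID 420) on local port 135 with a remote peer on port 4970 in FIN_WAIT2, and short-lived listeners on 135. The following is an added example, not code from the thread or from Avast or Sygate, showing how a defender would triage such a snapshot automatically: it parses `netstat -ano`-style output, keeps only TCP 135 (the RPC endpoint mapper) entries, separates legitimate listeners from remote peers, resolves PIDs through a `tasklist`-style map, and flags peers outside a trusted network range. The sample netstat lines, the PID-to-image map and the trusted range are all constructed for the example.

```python
"""Triage TCP 135 (RPC endpoint mapper / DCOM) activity in `netstat -ano` output.

Added example for this thread; not from the original posts, Avast or Sygate.
Assumes the Windows `netstat -ano` column layout (Proto, Local Address,
Foreign Address, State, PID). The sample text and PID map below are
constructed to resemble the post's report and are not real captures.
"""
import ipaddress
import re
from collections import namedtuple

RPC_EPMAP_PORT = 135  # DCOM / RPC endpoint mapper

# Constructed sample, shaped like `netstat -ano` on Win2k/XP (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    192.168.0.10:135       10.20.30.40:4970       FIN_WAIT_2      420
  TCP    192.168.0.10:135       10.20.30.40:3882       TIME_WAIT       0
  TCP    192.168.0.10:1052      62.0.0.5:80            ESTABLISHED     1332
  UDP    0.0.0.0:137            *:*                                    8
"""

# Constructed PID -> image name map (what `tasklist` would show on that box).
SAMPLE_TASKLIST = {8: "System", 420: "svchost.exe", 1332: "iexplore.exe"}

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Proto, local, foreign, optional state (UDP rows have none), PID.
_LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def _split_endpoint(endpoint):
    """'1.2.3.4:135' -> ('1.2.3.4', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano text into Conn records, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state or "", int(pid)))
    return conns


def summarize(text, tasklist, trusted_nets=()):
    """Report who listens on TCP 135 and which remote hosts have touched it.

    Returns a dict with:
      listeners       - [(pid, image)] for LISTENING sockets on 135
      peers           - {remote_ip: [(remote_port, state, pid, image), ...]}
      untrusted_peers - remote IPs not inside any of trusted_nets (CIDR strings)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    listeners, peers, untrusted = [], {}, []
    for c in parse_netstat(text):
        if c.proto != "TCP" or c.local_port != RPC_EPMAP_PORT:
            continue
        image = tasklist.get(c.pid, "<unknown>")
        if c.state == "LISTENING":
            listeners.append((c.pid, image))
            continue
        peers.setdefault(c.remote_ip, []).append((c.remote_port, c.state, c.pid, image))
        try:
            inside = any(ipaddress.ip_address(c.remote_ip) in n for n in nets)
        except ValueError:  # '*' or other non-address text
            inside = False
        if not inside and c.remote_ip not in untrusted:
            untrusted.append(c.remote_ip)
    return {"listeners": listeners, "peers": peers, "untrusted_peers": untrusted}


if __name__ == "__main__":
    report = summarize(SAMPLE_NETSTAT, SAMPLE_TASKLIST, trusted_nets=("192.168.0.0/24",))
    for pid, image in report["listeners"]:
        print(f"listener on 135: PID {pid} ({image})")
    for ip, hits in report["peers"]:
        pass  # replaced below; kept simple for readers
    for ip, hits in report["peers"].items():
        flag = "UNTRUSTED" if ip in report["untrusted_peers"] else "trusted"
        for rport, state, pid, image in hits:
            print(f"{flag} peer {ip}:{rport} state={state} PID {pid} ({image})")
```

The listener line (svchost.exe hosting rpcss) is expected on a Windows box and is not by itself a finding; the actionable part is the peer list, which is exactly what the poster saw before the firewall started blocking 135 from the cable segment. Run against a real `netstat -ano` capture, the `untrusted_peers` list is what you would compare against the AV's DCOM warnings.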

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: DCOM Exploit
« Reply #25 on: September 05, 2005, 12:40:50 AM »
If Sygate blocked port 135, it means the avast driver is installed before the Sygate one (and scanning is done, then we pass the packet to the Sygate driver). The reason why some applications use DCOM for communication is not bad; that's what it was designed for. Blame the attackers (e.g. if they were on the same LAN with you).

Nicolas

  • Guest
Re: DCOM Exploit
« Reply #26 on: September 05, 2005, 01:49:23 AM »
Quote
If Sygate blocked port 135, it means the avast driver is installed before the Sygate one (and scanning is done, then we pass the packet to the Sygate driver).
This is obviously the case.

Behind the DCOM-exploit is a Remote Procedure Call (Win32 share_process, autostart):
Win32\svchost -k rpcss. This is also used by legit Microsoft processes, but in this case: file not found. All scans (including the Avast boot-time scan) are negative. Therefore I assumed there is a temporary vulnerability during startup due to the firewall not yet functioning. But since Avast blocks the exploit and moreover the OS is patched, there is no security issue for this particular attack.

I'm not blaming Avast! This is not a false positive (and if so: always better than a false negative).
« Last Edit: September 05, 2005, 01:51:53 AM by Nicolas »

neal62

  • Guest
Re: DCOM Exploit
« Reply #27 on: September 05, 2005, 01:53:01 AM »
The brand name of my cable modem is "Arris". It completely blocks ALL traffic when in standby mode. I like the modem for this reason. My modem is also Docsis compatible. I did have the option of using a "Toshiba" modem my cable company offered, but it doesn't have the standby switch function. Please see HERE for information on the "Arris" modem. The small "white" button on top of it is the standby switch.
« Last Edit: September 05, 2005, 02:38:07 AM by neal63 »

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: DCOM Exploit
« Reply #28 on: September 05, 2005, 01:53:56 AM »
As I said: there's no temporary vulnerability during startup, because if the network drivers are not loaded, no incoming packet will get to the system. The firewall driver loads its rules during its startup.

The avast driver does not check whether there's a listening application using port 135 (if it was opened), but the firewall driver can do that, and if there's no such app, it'll block the packets by default.

Nicolas

  • Guest
Re: DCOM Exploit
« Reply #29 on: September 05, 2005, 02:07:18 AM »
Thanks neal63 for the modem info.

Thanks pk for your message.

I'm closing down now.

Nicolas