Author Topic: DCOM Exploit  (Read 5202 times)

leebee

  • Guest
DCOM Exploit
« on: February 07, 2007, 06:05:46 AM »
Can anyone tell me what this DCOM Exploit is that I get as Avast is running? I have just put Sunbelt Kerio Personal Firewall on as well.

Glass

  • Guest
Re: DCOM Exploit
« Reply #1 on: February 07, 2007, 08:08:45 AM »
I used to get it with Jetico firewall as well.

But not with Comodo firewall. Not sure if it is something to do with the effectiveness of the firewall.

Sesame

  • Guest
Re: DCOM Exploit
« Reply #2 on: February 07, 2007, 08:36:51 AM »
A quick forum search will reveal it's a popular topic.

You are using Kerio and getting DCOM Exploit message from Avast?  Then, you seem to have not updated Windows and have configured Kerio in a wrong way.  For the explanation of DCOM and how to deal with it, try grc.com's DCOMbobulator.  The tool will deal with DCOM vulnerability.

As for Firewall, I am not using Kerio but please check if you allowed svchost.exe at local port 135.  This doesn't depend on Kerio or Jetico but on if you configured them properly or not.  Any decent personal firewall should be able to deal with it even if it may have some other weaknesses.  Comodo is relatively an out-of-box type firewall and is a good choice if you keep the infamous port open.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: DCOM Exploit
« Reply #3 on: February 07, 2007, 09:36:38 AM »
Application rules in Kerio should look something like this:

http://forum.avast.com/index.php?topic=17635.msg151014#msg151014

Unless you know an application needs to accept incoming connections, you should block incoming requests - the red pop-up.

http://www.geocities.com/dontsurfinthenude/kerio_setup.htm
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: DCOM Exploit
« Reply #4 on: February 07, 2007, 09:49:26 AM »
Hi FwF and leebee,

This story tells me one thing, that leebee has not installed ServicePack 2 on Win XP.
That is why it is important to state what OS you are on. ServicePack 2 is invulnerable to the DCOM issue. The reason why the service packs aren't there is a guess?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Glass

  • Guest
Re: DCOM Exploit
« Reply #5 on: February 07, 2007, 09:51:23 AM »
Well, I had SP2 installed and had this DCOM attack with Jetico being there as well!

Sesame

  • Guest
Re: DCOM Exploit
« Reply #6 on: February 07, 2007, 09:54:25 AM »
Did you check your system with DCOMbobulator?

If so, it would be your configuration with Jetico since you are OK with Comodo.

Glass

  • Guest
Re: DCOM Exploit
« Reply #7 on: February 07, 2007, 10:14:56 AM »
Must be, they were default configurations on both the firewalls.

leebee

  • Guest
Re: DCOM Exploit
« Reply #8 on: February 07, 2007, 12:47:07 PM »
Thanks for the help, all ... I downloaded the DCOMbobulator. Hope this does the trick. I do have SP2. I am just a beginner so I need all the help. Would someone tell me if they have tried Comodo firewall and is it better than Sunbelt Kerio?

mauserme

  • Guest
Re: DCOM Exploit
« Reply #9 on: February 07, 2007, 01:52:02 PM »
SP2 can't stop an attempted DCOM exploit - that comes from outside your computer.  It's just that SP2 isn't vulnerable to the attack.

would some one tell me if they have tried comodo firewall and is it better than Sun belt Kerio.
I've never used Kerio so I can't say if Comodo is better or not.  But I can tell you that I never get any DCOM warnings with Comodo.  Well, I'm behind a hardware firewall too, so it's hard to say ...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89069
  • No support PMs thanks
Re: DCOM Exploit
« Reply #10 on: February 07, 2007, 03:13:16 PM »
As mauserme states, the attacks are speculative and the attacker doesn't know or care if you have SP2 installed; they are hoping there are enough that won't have it installed.

I feel that with a good 3rd party firewall installed it should intercept these DCOM attacks, but if not Network Shield is there as a back-up to your firewall. I too never get any DCOM warnings from Network Shield when running the Outpost Pro firewall.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Sesame

  • Guest
Re: DCOM Exploit
« Reply #11 on: February 08, 2007, 08:55:12 AM »
XPSP2 comes with a built-in firewall.  Although it doesn't have any outbound protection, the inbound protection including local port 135 is decent.  However, if you install another firewall, you have to disable the built-in firewall to avoid conflicts.  Therefore, even if you have XPSP2, if you install a third party firewall, your protection depends on it.

Comodo, ZoneAlarm, Kerio, Jetico and Outpost are all well-reputed  firewalls.  However, if you address yourself as a beginner and want outbound protection, then, ZoneAlarm and Comodo would be good choices.
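
An added example, not part of the original thread: a small Python check that reads a firewall log and separates inbound TCP 135 attempts that were dropped from any that were let through, which is the distinction the posts above draw between an attempt arriving and the port being covered. The log lines are constructed samples in the W3C-style layout of Windows Firewall's pfirewall.log; the function name, the `local_ip` parameter and all addresses are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample data (documentation-range addresses), not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2007-02-07 06:05:41 DROP TCP 203.0.113.7 192.168.1.10 4321 135 48 S 1234567 0 64240 - - -
2007-02-07 06:05:44 DROP TCP 203.0.113.7 192.168.1.10 4321 135 48 S 1234567 0 64240 - - -
2007-02-07 06:19:02 DROP TCP 198.51.100.23 192.168.1.10 2745 135 48 S 7654321 0 16384 - - -
2007-02-07 06:20:10 OPEN TCP 192.168.1.10 192.0.2.80 1044 80 - - - - - - - -
2007-02-07 06:31:55 DROP UDP 198.51.100.23 192.168.1.10 1026 1434 404 - - - - - - -
2007-02-07 07:02:13 OPEN-INBOUND TCP 203.0.113.99 192.168.1.10 3388 135 - - - - - - - -
"""


def port135_attempts(log_text, local_ip):
    """Return (dropped, accepted) Counters of source IPs for inbound TCP 135."""
    fields = []
    dropped, accepted = Counter(), Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order comes from the log header, not from a hard-coded list.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated or malformed line
        rec = dict(zip(fields, parts))
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != "135":
            continue
        if rec.get("dst-ip") != local_ip:
            continue  # not aimed at this machine
        action = rec.get("action", "")
        if action == "DROP":
            dropped[rec["src-ip"]] += 1   # attempt arrived, firewall covered the port
        elif action.startswith("OPEN") or action == "ALLOW":
            accepted[rec["src-ip"]] += 1  # port 135 was reachable: review the rules
    return dropped, accepted


if __name__ == "__main__":
    print(port135_attempts(SAMPLE_LOG, "192.168.1.10"))
```

Entries in the dropped counter are attempts the firewall stopped; any entry in the accepted counter means a rule is leaving port 135 reachable from outside.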

leebee

  • Guest
Re: DCOM Exploit
« Reply #12 on: February 09, 2007, 08:21:15 AM »
The DCOM Exploits don't seem to be coming up. DCOMbobulator did the trick and yes, I did disable the XP firewall.  I will try ZoneAlarm or Comodo if the problem comes up again. Thanks for the help from this Aussie Grannie

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89069
  • No support PMs thanks
Re: DCOM Exploit
« Reply #13 on: February 09, 2007, 02:24:09 PM »
DCOMbobulator will have absolutely no impact whatsoever on the arrival of DCOM exploits; as has been said, they are speculative. All it does is disable the DCOM, effectively blocking the exploitation of the DCOM vulnerability, which XP SP2 already does; it closes the vulnerability but it doesn't stop someone trying.

What you are experiencing is purely co-incidental in not receiving more DCOM exploit attempts.

Sesame

  • Guest
Re: DCOM Exploit
« Reply #14 on: February 09, 2007, 03:30:36 PM »
DCOMbobulator is to disable DCOM (Personally,  I disabled DCOM support in this way, though).   Firewalls including XPSP2 firewall are to cover the port 135.  This would be a simple enough "explanation" to the majority including myself.  Also, the grc site explains the possible side effects by disabling DCOM.

However, if more technically sophisticated people are unhappy with the oversimplification, I'll leave a link.