Topic: DCOM exploit messages


MediaMagician

  • Guest
DCOM exploit messages
« on: August 12, 2007, 01:46:41 PM »
I've been running avast! successfully for a number of months with no issues. Just recently I'm getting regular messages regarding a DCOM exploit attack with various IP addresses but all located in my country. I've run a virus check and none come up.

Should I be worried?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: DCOM exploit messages
« Reply #1 on: August 12, 2007, 03:04:54 PM »
Messages like:
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

Which firewall do you use?
And, most important, is your operating system updated?

You could get this free program from Steve Gibson's site.  This small program will test your PC to see if it's vulnerable.  The link below also explains what DCOM is all about.

Microsoft's DCOM security patch leaves DCOM running...
http://www.grc.com/freeware/dcom.htm

It will also shut down any further occurrence.
The best things in life are free.
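
An added example (not part of the post above and not avast's code): a small Python parser for alert lines in the format quoted in Reply #1, tallying blocked attempts per source address and per /16 network so you can see whether they come from neighbouring ranges. The sample lines are constructed (only the first appears in the thread), and the function names and the /16 grouping are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input. Only the first line is quoted in the thread; the
# other addresses are invented for illustration.
SAMPLE_ALERTS = '''\
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 81.178.20.7:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 198.51.100.23:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 999.1.1.1:135/tcp
(unrelated line that is not an alert)
'''

ALERT_RE = re.compile(
    r'Network Shield: blocked "(?P<name>[^"]+)" - attack from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})/(?P<proto>tcp|udp)\b'
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; skip everything else."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m is None:
            continue
        try:
            source = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # 999.1.1.1 matches the regex but is not an address
            continue
        alerts.append({"name": m.group("name"), "source": source,
                       "port": int(m.group("port")), "proto": m.group("proto")})
    return alerts


def summarize(alerts, prefix_len=16):
    """Count alerts per source address and per enclosing network."""
    per_source = Counter(str(a["source"]) for a in alerts)
    per_network = Counter(
        str(ipaddress.ip_network(f"{a['source']}/{prefix_len}", strict=False))
        for a in alerts
    )
    return per_source, per_network


if __name__ == "__main__":
    per_source, per_network = summarize(parse_alerts(SAMPLE_ALERTS))
    for network, count in per_network.most_common():
        print(f"{count:3d} blocked attempts from {network}")
```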

sharon_brownlie

  • Guest
Re: DCOM exploit messages
« Reply #2 on: January 04, 2009, 04:42:20 PM »
I am completely computer illiterate... I am getting a DCOM message from avast. I used to have a secure landline connection but now use the wireless connection. Is this why I am getting the message, and am I now vulnerable to attacks?

If so how do I resolve the issue?

I have tried to read the topics on this but I really do not understand all the jargon ???

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: DCOM exploit messages
« Reply #3 on: January 04, 2009, 08:31:04 PM »
Hi,

I don't know if wireless changes the situation, but generally there's been agreement here that if avast is successfully blocking the DCOM things, don't worry too much about them.

I get those warnings from time to time too.  Supposedly the firewall should block them before avast even "sees" them, but I haven't yet figured out how to get my Comodo to do that properly.  Maybe I need to change its security mode, not just try to block the IPs, but if avast is catching and blocking the exploits then that's probably good enough for me.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0 (default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: DCOM exploit messages
« Reply #4 on: January 04, 2009, 08:40:54 PM »
Start by answering Tech's questions as they are relevant to how you would best resolve the problem.

The DCOM attacks are speculative in the hope that your OS is out of date and as such vulnerable to exploit.

If it is up to date it isn't vulnerable; that, however, doesn't stop the speculative attacks. Your firewall should be your first line of defence and it should stop these DCOM attempts and you shouldn't see the Network Shield (a second line of defence) pop up these alerts.

So I hope you can see why these questions need answered.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: DCOM exploit messages
« Reply #5 on: January 04, 2009, 08:48:15 PM »
Quote from sharon_brownlie:
"I have tried to read the topics on this but I really do not understand all the jargon ???"

Answer this please...
Which firewall do you use?
And, most important, is your operating system updated?

This could help also.
You could get this free program from Steve Gibson's site.  This small program will test your PC to see if it's vulnerable.  The link below also explains what DCOM is all about. http://www.grc.com/freeware/dcom.htm

sharon_brownlie

  • Guest
Re: DCOM exploit messages
« Reply #6 on: January 04, 2009, 11:08:04 PM »
Thank you all for your replies.

As far as I know I have Windows firewall. I appear to be updated BUT for some reason the Windows XP SP3 will not fully update... Microsoft is trying to help me with this... unsuccessfully so far... they say it should not affect anything.

I also have Windows Vista, same wireless connection, and am free from these DCOM messages.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: DCOM exploit messages
« Reply #7 on: January 04, 2009, 11:10:22 PM »
Strange, if the Windows XP firewall is on and your XP is updated with SP3... you shouldn't be seeing those messages...
Anyway, avast is protecting you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: DCOM exploit messages
« Reply #8 on: January 04, 2009, 11:50:13 PM »
Quote from sharon_brownlie:
"<snip>
As far as I know I have Windows firewall. I appear to be updated BUT for some reason the Windows XP SP3 will not fully update... Microsoft is trying to help me with this... unsuccessfully so far... they say it should not affect anything.

I also have Windows Vista, same wireless connection, and am free from these DCOM messages."

You're welcome.

Personally the Windows XP firewall provides limited protection (but it should be able to cope with these DCOM ones) as it doesn't have outbound protection. Vista's firewall does, but it is disabled by default and when enabled isn't very friendly.

Whilst the Windows XP (and Vista) firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as Comodo (care required, now it is a suite, not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc.
- Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

- You could also enable the outbound protection of the Vista firewall, but it isn't very friendly, is rule based and you have to create the rules, check this out.
- Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0

GrizeBar

  • Guest
Re: DCOM exploit messages
« Reply #9 on: January 05, 2009, 01:38:33 AM »
I use Sygate firewall and recommend it highly.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: DCOM exploit messages
« Reply #10 on: January 05, 2009, 02:07:24 AM »
Well it is old and no longer supported and doesn't handle localhost proxies at all well, which could drive a coach and horses through your security.

Fortunately the web shield proxy is limited to specific browsers.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: DCOM exploit messages
« Reply #11 on: January 05, 2009, 08:09:49 AM »
This thread has caught my interest. 

In the interests of research I have turned on the logs I know of and exposed this system to the Internet with the Windows XP firewall as the sole firewall defense.  I am running the current version of avast with the Network Shield active.

I am fully up to date (which alas sharon_brownlie does not appear to be) with Windows XP SP3.  So I want to see what happens if/when I am the subject of a port 135 intrusion.

I will report back in this thread.

sharon_brownlie

  • Guest
Re: DCOM exploit messages
« Reply #12 on: January 05, 2009, 01:58:32 PM »
Quote from alanrf:
"This thread has caught my interest.

In the interests of research I have turned on the logs I know of and exposed this system to the Internet with the Windows XP firewall as the sole firewall defense.  I am running the current version of avast with the Network Shield active.

I am fully up to date (which alas sharon_brownlie does not appear to be) with Windows XP SP3.  So I want to see what happens if/when I am the subject of a port 135 intrusion.

I will report back in this thread."

I am going to be very interested if and when you have problems with it. Then maybe I can resolve this. As I stated, Windows XP will not load fully; it won't install a number that begins with KB9.....

I am going to add another firewall. I am glad that you have all reassured me that avast is doing its job!!!!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: DCOM exploit messages
« Reply #13 on: January 05, 2009, 03:43:34 PM »
You are not so much going to add another firewall as there should only be one running; the usual procedure when a third party is installed is that it disables the Windows Firewall.

GrizeBar

  • Guest
Re: DCOM exploit messages
« Reply #14 on: January 05, 2009, 11:23:41 PM »
Quote from DavidR:
"Well it is old and no longer supported and doesn't handle localhost proxies at all well, which could drive a coach and horses through your security.

Fortunately the web shield proxy is limited to specific browsers."

True. Sygate was gobbled up by Norton and incorporated into its Internet Security package. I hate Norton and refuse to yield to its expensive yet shoddy corporate rape of a formerly fine firewall system. I still retain the free version which works for me without revision.