sf.bin

[superhacker]

PLEASE it is the file that have the cache info for files not related to services or anything else"avast related"
ask igor or vlk or just run a scan and see how it will pop up an alert
http://blog.avast.com/2010/04/25/how-to-make-the-full-system-scan-6x-faster-in-10-days/

[Unfolding]

I'm sorry to say that I actually switched product for this reason. I have posted this as a support ticket as well without any response in the same time.

[igor]

Well, I don't see what we can do about it.
Sf.bin is part of avast! antivirus engine... and it's executed e.g. when a suspicious file is detected (to perform some emulation).

If Outpost, or any other products, are unable to obey the rules you set for them... that certainly should be fixed by their makers. I guess it might be slightly tricky to set such a rule (the folder of the virus database keeps changing, and the file itself changes as well) - but still, there's nothing to do on our side.

[Unfolding]

I posted a query if this was expected behaviour - that Sf.bin wants access to Internet - and now finally I had a reply. Thanks.

[igor]

Well, what I'm saying is that executing Sf.bin is normal, the content of Sf.bin changing often (thus making it harder to create a rule for a 3rd party HIPS) is also normal.
Sf.bin connecting to Internet... is not, as far as I know.

[Asyn]

Sf.bin connecting to Internet... is not, as far as I know.

No connection attempts to the net here at all... Only the HIPS part of comodo (D+) pops up sometimes, but not for asking to allow, just telling it's doing something, as it's set to verbose here.
asyn

[Unfolding]

Igor, ZA notified me that Sf.bin wanted access to Internet and I blocked it at that time. Is there any reasonable explanation to that?


 

[spg SCOTT]

At a guess (I don't really know anything about this though), could it be the webshield using the code emulation?
That would cause a connection would it not?

[Asyn]

At a guess (I don't really know anything about this though), could it be the webshield using the code emulation? That would cause a connection would it not?

The webshield connects via AvastSvc.exe not Sf.bin
If Sf.bin would connect (or even try to connect) I would have an entry in the firewall log.
asyn

[Tsimmes]

Well, I don't see what we can do about it.
Sf.bin is part of avast! antivirus engine... and it's executed e.g. when a suspicious file is detected (to perform some emulation).

If Outpost, or any other products, are unable to obey the rules you set for them... that certainly should be fixed by their makers. I guess it might be slightly tricky to set such a rule (the folder of the virus database keeps changing, and the file itself changes as well) - but still, there's nothing to do on our side.

I have in fact given permission for sf.bin to run, both in Outpost Application Rules and Host Protection but because, as you point out, the folder and file keep changing the rules won't stick. So how on earth can this be fixed by Outpost. This problem started with v5.0.507.

[igor]

Igor, ZA notified me that Sf.bin wanted access to Internet and I blocked it at that time. Is there any reasonable explanation to that?

No, not really. Maybe some other program has installed system-wide hooks and is injecting itself into every created process? (just a wild guess)

This problem started with v5.0.507.

That's not possible... the Sf.bin executable, as well as other modules responsible for launching it, are fully contained in the "virus database & engine" and are completely independent of the program version. You may have an old version of the program, yet a brand new virus database - and it will behave exactly the same as with a new program build.

[DavidR]

Well, I don't see what we can do about it.
Sf.bin is part of avast! antivirus engine... and it's executed e.g. when a suspicious file is detected (to perform some emulation).

If Outpost, or any other products, are unable to obey the rules you set for them... that certainly should be fixed by their makers. I guess it might be slightly tricky to set such a rule (the folder of the virus database keeps changing, and the file itself changes as well) - but still, there's nothing to do on our side.

I have in fact given permission for sf.bin to run, both in Outpost Application Rules and Host Protection but because, as you point out, the folder and file keep changing the rules won't stick. So how on earth can this be fixed by Outpost. This problem started with v5.0.507.

Strange as I have Outpost Firewall Pro 2009 ver. 6.7.2 (3001.452.0718) and I have not had a single Outpost pop-up relating to sf.bin and it isn't in my Application Rules section of Outpost Firewall Pro.

[ktk8]

I'm still having problems with sf.bin popups - I'm using Sunbelt Personal Firewall. Any ideas on how to stop this? Much appreciated!

[rdmaloyjr]

Well, what I'm saying is that executing Sf.bin is normal, the content of Sf.bin changing often (thus making it harder to create a rule for a 3rd party HIPS) is also normal.
Sf.bin connecting to Internet... is not, as far as I know.

I have the latest version of ZA Pro and I never get pop ups wanting to allow Sf.bin.  This obviously due to the auto configuration at set up 0f ZA Pro (I guess Check Point is aware of the issue) .

the content of Sf.bin changing often

This explains why I get multiple entries of Sf.bin in ZA Pro

[otuatail]

this is another ip address from sf.bin

224.0.0.252 28th 19:00

ZA can't fight against millions of different IP address's