Help needed interpreting Sygate log
StAnger
November 2nd, 2003, 07:51 AM
I recently installed Sygate 5.5 after reading about it here.
It is doing its job very well, but I am puzzled as to what is going on. This started the first day I installed it, so I am also worried what might have happened before.
F30003 RPC DCOM buffer overflow attempt detected
jvmorris
November 2nd, 2003, 11:21 AM
What you are seeing in that message is a 'feature' that is becoming common in more and more end-user oriented software firewalls. It's starting to show up in Kerio, Sygate, NIS/NPF, and (I think) the latest versions of ZA Pro. It represents the extension of the software firewall product to also provide IDS (Intrusion Detection System) capabilities.
Classically, firewalls simply either permitted or denied communication to a specific local port. IDSs, on the other hand, were passive monitors of the content of the incoming communication attempt. If the communication attempt had a certain recognized 'signature', then the communication would be flagged as potentially hostile in nature (and most likely logged). As matters evolved, some IDSs quit being passive and became active; i.e., they would block potentially harmful communications. In other words, IDSs were becoming more and more like firewalls, so it's not surprising that firewalls are now starting to add IDS capabilities. (For the most part, IDS capabilities weren't there in the first place because they tended to place a serious processing burden on the CPU actually inspecting the packets. Consequently, the IDS monitoring was typically done in parallel to the main communication. Well, now CPUs are getting sufficiently fast that the burden is no longer prohibitive.)
To summarize: In your case, Sygate is blocking an unsolicited inbound communication (which it would probably do in any case), but it's also going further and telling you that the communication is potentially hostile -- and it's telling you the nature of the hostility. In a way, that's kind of neat -- as long as you don't get obsessed with poring over the logs. After all, the real purpose of a firewall is simply to protect you so that you can use the Internet safely, not to become a never-ending source of entertainment in and of itself.
Well, that's a bit too simplistic, in retrospect. You see, IDSs can pick up some threats that would not necessarily be picked up by a traditional firewall. For example, you may visit a website (thereby requesting output from that site to your web browser). The website may be malicious in nature (or it may simply have been subverted by our buddies in the black hats). A traditional firewall would allow the response through, but an IDS-enhanced firewall would, in all probability, block the communication attempt. The problem with IDS is that it requires a 'signature' previously identified in order to function; otherwise, it's worthless. In other words, it functions in very much the same way that anti-virus software does.
Hope that helps.
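The distinction Joseph draws above (a port filter that never reads payload, versus a signature IDS that reads nothing but payload and is blind without a known signature) can be made concrete in a few lines. The following is an added example written for this thread, not Sygate's code or its real rule set: the signature names mimic the F30003 label from the log, but the byte patterns, the Packet class and the function names are constructed for illustration only.

```python
import re
from dataclasses import dataclass

# Constructed signature table for illustration only: the IDs imitate Sygate's
# "F30003"-style labels, but the byte patterns are made up, not real exploit bytes.
SIGNATURES = {
    "F30003 RPC DCOM buffer overflow attempt": re.compile(rb"EXAMPLE-SIG-DCOM"),
    "F90001 example web exploit attempt":     re.compile(rb"EXAMPLE-SIG-WEB"),
}


@dataclass
class Packet:
    dst_port: int     # local port the packet is addressed to
    solicited: bool   # True if it answers a connection we opened ourselves
    payload: bytes    # application data carried by the packet


def firewall_verdict(pkt, allowed_ports=frozenset()):
    """Classic port filter: decides on port and direction only, never reads payload."""
    if pkt.solicited:
        return "allow"                       # replies to our own requests pass
    return "allow" if pkt.dst_port in allowed_ports else "block"


def ids_match(pkt):
    """Signature IDS: ignores ports, returns the name of the first matching signature."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return name
    return None


def inspect(pkt, allowed_ports=frozenset()):
    """Combined product: an IDS hit overrides the port-filter verdict and names the threat."""
    verdict = firewall_verdict(pkt, allowed_ports)
    sig = ids_match(pkt)
    if sig is not None:
        verdict = "block"
    return verdict, sig


if __name__ == "__main__":
    # Constructed packets covering the four interesting combinations.
    cases = {
        "unsolicited probe to port 135, known pattern":
            Packet(135, False, b"xxEXAMPLE-SIG-DCOMxx"),
        "unsolicited probe to port 135, unknown content":
            Packet(135, False, b"something-never-seen"),
        "solicited web reply carrying a known pattern":
            Packet(49160, True, b"<html>EXAMPLE-SIG-WEB</html>"),
        "solicited web reply with unknown hostile content":
            Packet(49160, True, b"<html>brand-new-attack</html>"),
    }
    for label, pkt in cases.items():
        print(f"{label}: {inspect(pkt)}")
```

The first case is the one in StAnger's log: the port filter would have blocked it anyway, and the IDS only adds the label. The third case is what Joseph means by a threat a plain firewall misses: the reply was solicited, so the port filter lets it in and only the content match blocks it. The last case is the limitation he ends with: with no signature for the content, both layers wave it through.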
StAnger
November 2nd, 2003, 11:43 AM
Thank you. It does help a bit. I have learned something about the features of my firewall. There is one more thing in there that puzzles me. Look at the IP and MAC addresses. At first all these came from one IP address corresponding with one MAC address, and I reported the attacks? to the abuse addy of his (also mine) provider.
When other IPs joined in, I thought someone in that range is contaminating nearby computers with some virus and they were joining the strike-force. But after I saw the MAC addresses migrate from one IP to another, I didn't know what to think.
If this comes across stupid, I apologize, but it reflects my knowledge of these matters. :)
jvmorris
November 2nd, 2003, 01:50 PM
Quoting StAnger: "... At first all these came from one IP address corresponding with one MAC address, ...
When other IPs joined in, I thought someone in that range is contaminating nearby computers with some virus and they were joining the strike-force. But after I saw the MAC addresses migrate from one IP to another, I didn't know what to think."
First, it's extremely difficult to analyze what was happening here from this screen-based snapshot, because a lot of information is being truncated. (And that's why I like a more detailed utility that always provides full information on the captured events.)
Second, all of the displayed events are from what looks like a single IP subnet (unfortunately, as I type this, I can't see what that subnet is).
Third, yes, all of the displayed events seem to involve three distinct MAC addresses which migrate from one remote IP address to another. Each 'subset' shows four events, but two distinct remote IP addresses. That looks like you're on a dial-up or dynamically assigned DSL/Cable subnet. I further note that the change in remote IP address typically occurs over an interval of about one hour.
Consequently, I would assume that you're actually seeing three distinct machines that have been compromised on your ISP's subnet -- and that are looking for other vulnerable machines to attack.
If you don't have the vulnerability (and I suspect you do not), there's nothing to worry about. You can, of course, notify your ISP, which can then check which subscriber was using the designated IP addresses at the time based on its own usage logs and they will then take (or fail to take) whatever corrective action they feel is necessary.
I rather suspect that you are simply seeing compromised machines on your ISP's subnet that are looking for other vulnerable machines. In all probability, the owners of these machines have no idea of what has happened. That's why you should leave it to your ISP (or some service like www.mynetwatchman.com or www.dshield.org) to follow up on these intrusion attempts. I haven't bothered to look this particular intrusion up at www.incidents.org, so I'm uncertain as to what it might represent. But, again, this is something best handled either by your ISP or by MyNetwatchMan or DShield.
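To see why the MAC column, rather than the IP column, is the thing to count here, the script below groups Sygate-style log lines by remote MAC, lists the IPs each MAC was seen on, and reports how many minutes passed between the last event on the old IP and the first event on the new one. It is an added example, not an export from StAnger's log: the pipe-separated line layout, the 192.0.2.x addresses, the MAC values and the timestamps are all constructed, and Sygate's real export format will differ.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in a Sygate-like layout (not a real capture):
# time | severity | message | remote IP | remote MAC
SAMPLE_LOG = """\
2003-11-02 06:12:03 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.17  | 00-11-22-33-44-01
2003-11-02 06:12:04 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.17  | 00-11-22-33-44-01
2003-11-02 06:30:00 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.88  | 00-11-22-33-44-02
2003-11-02 06:30:01 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.88  | 00-11-22-33-44-02
2003-11-02 06:45:15 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.105 | 00-11-22-33-44-03
2003-11-02 06:45:16 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.105 | 00-11-22-33-44-03
2003-11-02 07:14:30 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.41  | 00-11-22-33-44-01
2003-11-02 07:14:31 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.41  | 00-11-22-33-44-01
2003-11-02 07:28:10 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.23  | 00-11-22-33-44-02
2003-11-02 07:28:11 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.23  | 00-11-22-33-44-02
2003-11-02 07:47:00 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.9   | 00-11-22-33-44-03
2003-11-02 07:47:02 | Critical | F30003 RPC DCOM buffer overflow attempt detected | 192.0.2.9   | 00-11-22-33-44-03
"""


def parse(log_text):
    """Turn the pipe-separated lines into (timestamp, severity, message, ip, mac) tuples, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, severity, message, ip, mac = [field.strip() for field in line.split("|")]
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), severity, message, ip, mac))
    return sorted(events)


def by_mac(events):
    """Group (timestamp, ip) pairs under the remote MAC that sent them."""
    groups = defaultdict(list)
    for ts, _severity, _message, ip, mac in events:
        groups[mac].append((ts, ip))
    return groups


def summarize(log_text):
    """Per MAC: event count, IPs in order of first appearance, minutes between IP changes."""
    summary = {}
    for mac, hits in by_mac(parse(log_text)).items():
        ips, gaps = [], []
        prev_ts = prev_ip = None
        for ts, ip in hits:
            if ip not in ips:
                ips.append(ip)
            if prev_ip is not None and ip != prev_ip:
                # whole minutes from the last event on the old IP to the first on the new one
                gaps.append(int((ts - prev_ts).total_seconds() // 60))
            prev_ts, prev_ip = ts, ip
        summary[mac] = {"events": len(hits), "ips": ips, "ip_change_minutes": gaps}
    return summary


def distinct_sources(log_text):
    """(number of distinct MACs, number of distinct IPs): the first is the real machine count."""
    events = parse(log_text)
    return len({e[4] for e in events}), len({e[3] for e in events})


if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG).items():
        print(mac, info)
    print("machines vs addresses:", distinct_sources(SAMPLE_LOG))
```

On the constructed data this yields six IP addresses but only three MACs, each MAC keeping one IP for a pair of events and then reappearing on another address roughly an hour later, which is the pattern Joseph reads as three machines on a dynamically addressed subnet. One caveat when applying this to a real log: the MAC a firewall records is the source address of the Ethernet frame it received, so it identifies the sending machine only while that machine is on the same broadcast segment; traffic that has crossed a router arrives with the router's MAC instead, and grouping by it would then lump many senders together.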
Detox
November 2nd, 2003, 02:42 PM
Quoting StAnger: "If this comes across stupid, I apologize, but it reflects my knowledge of these matters. :)"
Nothing stupid about asking questions; that's what these forums are all about! In addition, who knows how many other people get to benefit from your asking this question and having answers posted ;D
I certainly learned something from Joseph's answers.
jvmorris
November 2nd, 2003, 07:24 PM
Quoting Detox: ". . . . Nothing stupid about asking questions; that's what these forums are all about! In addition, who knows how many other people get to benefit from your asking this question and having answers posted ;D
I certainly learned something from Joseph's answers."
Detox,
I forgot to welcome you aboard! But thanks for the kudos.
My overly long responses are sort of a standing joke in the various NNTP newsgroups and UBB forums. Still, you've put your finger on part of the reason for their length (other than the fact that I'm just naturally long-winded ;D ). I don't write my responses solely for the original poster (OP), but also with a consideration of the 'lurkers'. It's been a while since I've checked the stats here at Wilders, but last time I did, the lurkers outnumbered registered users by two to one! These guys don't typically post, but they do read. I've always felt something of an obligation to answer the questions that don't quite get published explicitly.
Hence, your comment about 'there are no stupid questions' is doubly apropos. Some of the best questions (and responses) that I've seen in the various security newsgroups and forums were asked by people who were obviously concerned that they might be perceived as asking stupid questions. In many instances, a short answer will satisfy the OP, but a more extended answer can be more enlightening to the lurkers. (And, besides, that's what leads the lurkers to register! :) )
Detox
November 2nd, 2003, 08:40 PM
Then your answers are exactly the kind we need ;-)
Certainly, I don't mean to hijack the thread; but be sure to ask any question that comes to mind, StAnger and anyone else hangin' around! ;)
snapdragin
November 4th, 2003, 05:30 PM
Quoting Detox: "......and anyone else hangin' around! ;)"
;D i am always hanging around in the firewall forum...especially if the topic involves Sygate.
StAnger - welcome to you, and thank you for your questions, as i have learned something new from the log you posted, and Joseph's answers (thank you Joseph!). Is this the pro version of Sygate you have? i have not installed the 5.5 yet, and had no idea there was a column that showed the MAC addresses. Firewalls just get more and more interesting!
Regards,
snap
StAnger
November 5th, 2003, 03:53 AM
I lurk everywhere on this board. :)
Try to help on the rare occasions I can, and ask when I need to. Most of the time you get a good and friendly answer here.
It's Sygate 5.5 Pro yes. By now I think that I am seeing some kind of virus spreading. That list gets longer everyday and no response from the ISP. Only an automated one that they received my mail.
The MAC addresses are nice, but confusing in this case. ???
Copyright ©2002 - 2012, Wilders Security Forums