qzex
November 30th, 2008, 04:57 PM
I found a few bugs in this beta.
Firstly, the new (I think it's new) SSL protocol scanning thing. When I was entering my advanced setup tree, I chose (under "Antivirus and Antispyware"/"Protocol filtering"/"SSL") "Always scan SSL protocol (excluded and trusted certificates will remain valid)", and "Ask about certificate validity" for both of the others. When I tried to reach an SSL encrypted site, Firefox displayed "Secure Connection Failed (Error code: sec_error_unknown_issuer)". This happened to me for every secure site I went onto. After a while I realized it was ESS and I disabled the SSL protocol filtering.
EDIT: Here is an image of Firefox.
http://img141.imageshack.us/my.php?image=sslfailub7.png
Secondly, the SysInspector thing. I'm not really sure what it's intended to guide for, but to my knowledge it shows Windows-required processes and other software-required entries as high as Risk Level 6. Here is a list of some that I'm pretty sure are valid:
"SECTION" = "Running Processes" ( 6: Unknown ) ;
"Process" = "svchost.exe" 504 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; Generic Host Process for Win32 Services ; Microsoft Corporation ;
"Module" = "c:\windows\system32\sens.dll" ( 6: Unknown ) ; System Event Notification Service (SENS) ; Microsoft Corporation ;
"Process" = "csrss.exe" 1148 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
"Module" = "\??\C:\WINDOWS\system32\csrss.exe" ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
"Process" = "lsass.exe" 1236 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; LSA Shell (Export Version) ; Microsoft Corporation ;
"Module" = "C:\WINDOWS\system32\LSASRV.dll" ( 6: Unknown ) ; LSA Server DLL ; Microsoft Corporation ;
"Process" = "spoolsv.exe" 1896 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; Spooler SubSystem App ; Microsoft Corporation ;
"Module" = "C:\WINDOWS\system32\SPOOLSS.DLL" ( 6: Unknown ) ; Spooler SubSystem DLL ; Microsoft Corporation ;
"SECTION" = "Network Connections" ( 6: Unknown ) ;
"SUBSECTION" = "UDP Connections" ( 6: Unknown ) ;
"lsass.exe" = "0.0.0.0:500" 1236 ; ( 6: Unknown ) ; LSA Shell (Export Version) ; Microsoft Corporation ;
"lsass.exe" = "0.0.0.0:4500" 1236 ; ( 6: Unknown ) ; LSA Shell (Export Version) ; Microsoft Corporation ;
"SECTION" = "Important Registry Entries" ( 6: Unknown ) ;
"SUBSECTION" = "Shell Execute Hooks" ( 6: Unknown ) ;
"Key" = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" ( 6: Unknown ) ;
"Multimedia File Property Sheet" = "mmsys.cpl" {00022613-0000-0000-C000-000000000046} ; ( 6: Unknown ) ; Control Panel Drivers Applet ; Microsoft Corporation ;
"SUBSECTION" = "Log files" ( 6: Unknown ) ;
"Key" = "HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\its" ( 6: Unknown ) ;
"Microsoft InfoTech Protocols for IE 4.0" = "C:\WINDOWS\system32\itss.dll" {9D148291-B9C8-11D0-A4CC-0000F80149F6} ; ( 6: Unknown ) ; Microsoft® InfoTech Storage System Library ; Microsoft Corporation ;
"Key" = "HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its" ( 6: Unknown ) ;
"Microsoft InfoTech Protocols for IE 4.0" = "C:\WINDOWS\system32\itss.dll" {9D148291-B9C8-11D0-A4CC-0000F80149F6} ; ( 6: Unknown ) ; Microsoft® InfoTech Storage System Library ; Microsoft Corporation ;
"SECTION" = "Services" ( 6: Unknown ) ;
"System Event Notification" = "c:\windows\system32\sens.dll" Automatic ; Running ; ( 6: Unknown ) ; System Event Notification Service (SENS) ; Microsoft Corporation ;
"SECTION" = "Drivers" ( 6: Unknown ) ;
"dmboot" = "c:\windows\system32\drivers\dmboot.sys" Disabled ; Stopped ; ( 6: Unknown ) ; NT Disk Manager Startup Driver ; Microsoft Corp., Veritas Software ;
"Msfs" = "c:\windows\system32\drivers\msfs.sys" System ; Running ; ( 6: Unknown ) ; Mailslot driver ; Microsoft Corporation ;
"TCP/IP Protocol Driver" = "c:\windows\system32\drivers\tcpip.sys" System ; Running ; ( 6: Unknown ) ; TCP/IP Protocol Driver ; Microsoft Corporation ;
"Microsoft WINMM WDM Audio Compatibility Driver" = "c:\windows\system32\drivers\wdmaud.sys" Manual ; Running ; ( 6: Unknown ) ; MMSYSTEM Wave/Midi API mapper ; Microsoft Corporation ;
"SECTION" = "File Details" ( 6: Unknown ) ;
"File" = "c:\windows\system32\csrss.exe" ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
"File" = "c:\windows\system32\drivers\dmboot.sys" ( 6: Unknown ) ; NT Disk Manager Startup Driver ; Microsoft Corp., Veritas Software ;
"File" = "c:\windows\system32\drivers\msfs.sys" ( 6: Unknown ) ; Mailslot driver ; Microsoft Corporation ;
"File" = "c:\windows\system32\drivers\tcpip.sys" ( 6: Unknown ) ; TCP/IP Protocol Driver ; Microsoft Corporation ;
"File" = "c:\windows\system32\drivers\wdmaud.sys" ( 6: Unknown ) ; MMSYSTEM Wave/Midi API mapper ; Microsoft Corporation ;
"File" = "c:\windows\system32\itss.dll" ( 6: Unknown ) ; Microsoft® InfoTech Storage System Library ; Microsoft Corporation ;
"File" = "c:\windows\system32\lsasrv.dll" ( 6: Unknown ) ; LSA Server DLL ; Microsoft Corporation ;
"File" = "c:\windows\system32\mmsys.cpl" ( 6: Unknown ) ; Control Panel Drivers Applet ; Microsoft Corporation ;
"File" = "c:\windows\system32\sens.dll" ( 6: Unknown ) ; System Event Notification Service (SENS) ; Microsoft Corporation ;
"File" = "c:\windows\system32\spoolss.dll" ( 6: Unknown ) ; Spooler SubSystem DLL ; Microsoft Corporation ;
Thirdly, when I rebooted my computer after I installed the beta and configured my settings, it started an in-depth scan of my entire system. The only on-demand scan I saw in the scheduler was on Tuesday, and today is Sunday. Might just be a quirk in my PC or a bug in ESS.
Fourthly, when I was downloading an EICAR test file, Firefox downloaded a file of 0 bytes and ESS displayed an alert, which was what I expected. However, ESS displayed the alert three or four more times until it stopped. Also, when I downloaded "eicarcom2.zip", which is the EICAR test file buried in two layers of ZIP, ESS also displayed an alert but Firefox downloaded the entire 308 bytes, and the file was still on my desktop until I unzipped it and ESS deleted it (without notification, I might add). I find this rather strange.
Fifthly, when I opened the personal firewall log, it refreshed every time a new alert was detected. As the personal firewall log was loaded with "Detected DNS cache poisoning attack" entries, which were apparently a bug from ESS3, and I was also downloading something, it kept trying to refresh a huge (3 MB at least) file and eventually I had to use the Task Manager to end it. I know this isn't specific to ESS4 but I felt I would just file it under my general bug report here.
Finally, I noticed that none of the top antiviruses I tried would detect malicious batch file execution. This is also not specific to ESS4 but a general statement.
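The SysInspector listing quoted in the post is a flat, semicolon-separated text format: each line is `"name" = "value"`, optionally followed by a few positional fields, then a `( level: label )` risk marker, then a description and a company string. A small parser makes the poster's point (Microsoft-signed components all landing at risk level 6 "Unknown") easy to check over a whole log, since you can group the high-risk entries by company and see at a glance which ones carry no vendor string at all. The following is an added example written for this page, not ESET's code or the SysInspector format specification; the sample log is constructed from lines copied out of the post, and the field order (description, then company) is assumed from those lines.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a handful of lines in the layout of the SysInspector
# log quoted in the post above (values copied from that listing).
SAMPLE_LOG = r'''
"SECTION" = "Running Processes" ( 6: Unknown ) ;
"Process" = "svchost.exe" 504 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; Generic Host Process for Win32 Services ; Microsoft Corporation ;
"Module" = "c:\windows\system32\sens.dll" ( 6: Unknown ) ; System Event Notification Service (SENS) ; Microsoft Corporation ;
"SECTION" = "Network Connections" ( 6: Unknown ) ;
"SUBSECTION" = "UDP Connections" ( 6: Unknown ) ;
"lsass.exe" = "0.0.0.0:500" 1236 ; ( 6: Unknown ) ; LSA Shell (Export Version) ; Microsoft Corporation ;
"SECTION" = "Drivers" ( 6: Unknown ) ;
"dmboot" = "c:\windows\system32\drivers\dmboot.sys" Disabled ; Stopped ; ( 6: Unknown ) ; NT Disk Manager Startup Driver ; Microsoft Corp., Veritas Software ;
"Msfs" = "c:\windows\system32\drivers\msfs.sys" System ; Running ; ( 6: Unknown ) ; Mailslot driver ; Microsoft Corporation ;
'''

# '"name" = "value" <rest>' ; the rest holds positional fields, the risk marker,
# then description and company separated by ';'.
LINE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<value>[^"]*)"\s*(?P<rest>.*)$')
RISK_RE = re.compile(r'\(\s*(?P<level>\d+):\s*(?P<label>[^)]*?)\s*\)')


@dataclass
class Entry:
    section: str
    subsection: str
    name: str
    value: str
    risk_level: int
    risk_label: str
    description: str
    company: str


def parse_sysinspector(text: str) -> list:
    """Parse log lines into Entry records, tracking SECTION/SUBSECTION headers."""
    entries = []
    section = subsection = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a '"name" = "value"' line; ignore
        name, value, rest = m.group("name"), m.group("value"), m.group("rest")
        if name == "SECTION":
            section, subsection = value, ""
            continue
        if name == "SUBSECTION":
            subsection = value
            continue
        r = RISK_RE.search(rest)
        if not r:
            continue  # no risk marker: malformed line, skip it
        # Fields after the risk marker: description ; company ;
        tail = [f.strip() for f in rest[r.end():].split(";") if f.strip()]
        description = tail[0] if tail else ""
        company = tail[1] if len(tail) > 1 else ""
        entries.append(Entry(section, subsection, name, value,
                             int(r.group("level")), r.group("label"),
                             description, company))
    return entries


def risk_histogram(entries: list) -> Counter:
    """How many entries sit at each risk level."""
    return Counter(e.risk_level for e in entries)


def high_risk_by_company(entries: list, threshold: int = 6) -> dict:
    """Group entries at or above `threshold` by their company string; entries
    with no company string land under '(no company)' and deserve a closer look
    than signed vendor components that merely carry an 'Unknown' label."""
    groups = defaultdict(list)
    for e in entries:
        if e.risk_level >= threshold:
            groups[e.company or "(no company)"].append(e)
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_sysinspector(SAMPLE_LOG)
    print("risk levels:", dict(risk_histogram(parsed)))
    for company, items in high_risk_by_company(parsed).items():
        print(f"{company}: {len(items)} entries at level >= 6")
        for e in items:
            print(f"  [{e.section}/{e.subsection}] {e.name} = {e.value}")
```

Running it over the constructed sample prints every entry at level 6, all attributed to Microsoft or Veritas, which is exactly the pattern the post complains about; on a real export, the `(no company)` group is the one to triage first.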
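The eicarcom2.zip observation in the post comes down to archive depth: a scanner that only looks at the bytes of the download sees DEFLATE output, not the EICAR signature, so unless it unpacks nested archives on the fly the file reaches the desktop and is only caught once the user extracts it. The following added example (written for this page, not ESET's scanning logic) builds a two-layer ZIP in memory around the EICAR test string and contrasts a flat byte match with a recursive archive scan; the member names and the depth/size limits are assumptions chosen for the demo. The test string is assembled from fragments so the 68-byte signature never appears verbatim in the source file, which an on-access scanner would otherwise quarantine.

```python
import io
import zipfile

# EICAR test string, assembled in pieces so the literal signature is not
# present in this file on disk. Length must be exactly 68 bytes.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}" + "$EICAR-STANDARD-"
         + "ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")
assert len(EICAR) == 68

MAX_DEPTH = 8           # assumption: bound recursion against nested archive bombs
MAX_MEMBER_BYTES = 10_000_000  # assumption: skip members too large to inspect


def build_nested_zip(payload: bytes, inner_name: str = "eicar.com", depth: int = 2) -> bytes:
    """Constructed stand-in for eicarcom2.zip: `payload` wrapped in `depth` ZIP layers."""
    data, name = payload, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{level + 1}.zip"
    return data


def scan_flat(data: bytes) -> bool:
    """Naive check: does the signature occur in the raw download bytes?"""
    return EICAR in data


def scan_bytes(data: bytes, path: str = "<download>", depth: int = 0) -> list:
    """Recursive check: report (path, depth) for every place the signature is
    found, descending into ZIP members up to MAX_DEPTH."""
    hits = []
    if EICAR in data:
        hits.append((path, depth))
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                hits.extend(scan_bytes(zf.read(info), f"{path}/{info.filename}", depth + 1))
    return hits


if __name__ == "__main__":
    download = build_nested_zip(EICAR, depth=2)
    print("outer archive size:", len(download), "bytes")
    print("flat match on download bytes:", scan_flat(download))
    print("recursive scan hits:", scan_bytes(download, "eicarcom2.zip"))
```

The flat check returns False for the nested archive because the inner bytes are Huffman-coded by DEFLATE, while the recursive scan reports the signature two levels down; a download-time scanner has to do the second kind of work, and bound it, to block the file before it lands.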