Wilders Security Forums  

  #1  
January 18th, 2009, 03:14 AM
admsupport
Infrequent Poster
Join Date: Oct 2008
Location: Japan
Posts: 49
Help With Firewall log & utorrent ***FIXED***

Hi, I am new here.

I have little knowledge of port/tcp-ip, etc, so it is difficult to interpret a firewall output.

XP Pro sp3
Eset Smart Security 3
Malwarebytes
ADSL, NAT router: IP 192.168.11.1, PC IP 192.168.11.2

Issue: When I use utorrent.exe, the pc freezes. utorrent connections are not affected, but I have a load of connections that seem not related to utorrent.exe (case of no download and very little upload). I guess someone is using my DSL connection through utorrent.exe (?) AV checks are negative, combofix: negative. When I stop utorrent.exe, all comes back to normal. What could it be? It is like a plague.

Here is the system message:
http://img152.imageshack.us/img152/5494/aaaaasg1.png

Here is the ESET FW log for the current day:
http://img104.imageshack.us/img104/6276/91982589fn0.png

PS: how do I show the photos in the message? I tag the links with [img][/img] but they show up as hyperlinks??


***************UPDATE******************
I found the answer there:

http://forum.utorrent.com/viewtopic.php?id=34527

It is fixed now, not even an attack, I guess too many connections were transferred to ekrn.exe for analysis and that froze everything (what stupid advanced settings to solve the problem?! as if nobody were using utorrent..., could be a default setting "user uses torrent"). But what about the firewall log? Is it normal? I have read in another thread DNS poisoning attacks were not relevant. So what to believe now?

For a first time with ESET, it is a kind of a cold shower in winter.

Last edited by admsupport : January 18th, 2009 at 04:06 AM.
  #2  
January 18th, 2009, 07:46 AM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,997
Re: Help With Firewall log & utorrent ***FIXED***

They are not attacks just ignore them, I get them too, I personally think it shouldn't be logged as it's just normal data flow.

Also, do not disable web access protection, follow the advice on the first post, that is the correct way to do it, I made a post there highlighting that.

Filtering is only triggered when an app uses HTTP traffic, seeing as it only started happening since 1.8.1 I would assume they added some kind of communication accessing the HTTP protocol.
  #3  
January 18th, 2009, 08:31 PM
admsupport
Infrequent Poster
Join Date: Oct 2008
Location: Japan
Posts: 49
Re: Help With Firewall log & utorrent ***FIXED***

Quote:
Originally Posted by funkydude
They are not attacks just ignore them, I get them too, I personally think it shouldn't be logged as it's just normal data flow.

Also, do not disable web access protection, follow the advice on the first post, that is the correct way to do it, I made a post there highlighting that.

Filtering is only triggered when an app uses HTTP traffic, seeing as it only started happening since 1.8.1 I would assume they added some kind of communication accessing the HTTP protocol.


Hi funkydude,

Thanks for the answer. I found your post on the other forum. Nice of you to have registered to advise. Please confirm the following:

Q.1 I excluded utorrent in the Web Browser (red cross) - what's the difference anyway between an empty square and a red crossed square? - AND in the exclusion I put the path C:\Program Files\...\utorrent.exe. Is that Correct/Incorrect/why?

Q.2 [...]They are not attacks [...] in the FW log I have provided, at least 2 types of "attacks" figure in the log, does your advice hold for both of them? Mainly 2 types shown below, and I would say the first is genuine? (I already made a rule in the FF to block this external IP 213.186.117.142)

1) 2009-01-18 3:08:55 PM Detected Reverse TCP Desynchronization attack - 213.186.117.142:80 - 192.168.11.2:2537 - TCP
2) 2009-01-16 3:19:00 PM Detected DNS cache poisoning attack - 192.168.11.1:53 - 192.168.11.2:55656 - UDP


ESET rocks (I am reading the user manual) but the settings could be more explicit in my point of view, i.e. better definitions/help text in a window with a clear explanation of the function when we hover over it. Until ESET definition of what's a Web browser... it was for me only FF, IE, etc.

Last edited by admsupport : January 18th, 2009 at 08:53 PM.
  #4  
January 18th, 2009, 10:36 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,997
Re: Help With Firewall log & utorrent ***FIXED***

Hello admsupport,

1.
TICK = Full scanning, all data communication from that program is scanned
NOTHING = Normal scanning. The app will only be scanned if it uses one of the ports designated in the HTTP ports.
RED X = No scanning, even if the app uses HTTP ports.

Usually "nothing" is the best for non-browsers and "tick" is the best for browsers.

2.
Don't worry about them, in the case of 1) It's usually just bad packets and the case of 2) tends to be routers sending useless data, ignore both.
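The two log entries quoted in post #3 can be parsed and grouped by source to see where each alert comes from. This is an added example, not part of the original thread: the line format is assumed from the two entries as quoted, the third sample line is constructed, and the labels give context only, not a verdict on the alert.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# The two entries quoted in post #3, plus one constructed repeat (third line)
# so that the per-source count has something to aggregate.
SAMPLE_LOG = """\
2009-01-18 3:08:55 PM Detected Reverse TCP Desynchronization attack - 213.186.117.142:80 - 192.168.11.2:2537 - TCP
2009-01-16 3:19:00 PM Detected DNS cache poisoning attack - 192.168.11.1:53 - 192.168.11.2:55656 - UDP
2009-01-16 3:19:04 PM Detected DNS cache poisoning attack - 192.168.11.1:53 - 192.168.11.2:55660 - UDP
"""

# Assumed layout: timestamp, "Detected <event>", source ip:port, target ip:port, protocol.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Detected (?P<event>.+?) - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<proto>TCP|UDP)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %I:%M:%S %p")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def describe_source(rec, gateway="192.168.11.1"):
    """Label the sender; gateway defaults to the router address from post #1."""
    if rec["src"] == gateway and rec["proto"] == "UDP" and rec["sport"] == 53:
        return "LAN router answering DNS"
    if ipaddress.ip_address(rec["src"]).is_private:
        return "other LAN host"
    if rec["proto"] == "TCP" and rec["sport"] in (80, 443):
        return "external host, web port"
    return "external host"

def summarize(log_text):
    """Count alerts per (event, source address, source label)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["event"], rec["src"], describe_source(rec))] += 1
    return counts
```
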
  #5  
January 19th, 2009, 08:47 AM
admsupport
Infrequent Poster
Join Date: Oct 2008
Location: Japan
Posts: 49
Re: Help With Firewall log & utorrent ***FIXED***

funkydude,

Alright, so I guess I do not have to include utorrent.exe in the EXCLUSION (only the red cross is enough). Okay I need time!

I have finished the PDF manual, it is pretty light.
Where can I have a detailed explanation of the functions/settings?

Do you have a link? I mean is there a link with practical demos, cases, etc. The movies on the ESET page are kiddy stuff. There is no useful info.

I use xplorer2 (from Nikos Bozinis) as file manager, the site has a nice blog and really great demo! It makes the product easy to understand and interesting.
  #6  
January 19th, 2009, 10:58 AM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,997
Re: Help With Firewall log & utorrent ***FIXED***

Actually I have "NOTHING", no tick or X and it works fine for me. I'm not sure about documentation it's not a thing I pay much attention to.
  #7  
January 19th, 2009, 11:16 AM
Minus
Infrequent Poster
Join Date: Jan 2009
Posts: 3
Re: Help With Firewall log & utorrent ***FIXED***

Actually, I think you have only half addressed the problem. Getting the false warning messages on utorrent may be one thing but the windows event error 4226 tells another story.

Error 4226 is seen when you have too many half open connections. Starting with XP SP2 Microsoft limited the half open connections to only 10 (xp1 and earlier were over 65,000). This was one of their attempts at combating the spread of worms, and while in practice good for most computer users, a lot of power users or people using P2P apps get bent by the change. You have options to either limit the half open connections in utorrent which will most likely hinder your speed or you could consider patching the tcpip.sys file. During many windows updates this file will be patched back to a native state so the hex edited patches aren't really the best method. The new best method I have seen is called TCP-Z available at http://deepxw.blogspot.com/ The patch will allow you to monitor all your connections/bandwidth in real time as well as make a patch to the tcpip.sys file in memory in real time. No hex editing, no worrying about patches and no upsetting windows file protection. Sorry for the long wall of text but if I can clarify things any further or be of assistance don't mind asking.

lurked too long around here... finally first post.
  #8  
January 19th, 2009, 07:40 PM
admsupport
Infrequent Poster
Join Date: Oct 2008
Location: Japan
Posts: 49
Re: Help With Firewall log & utorrent ***FIXED***

@funkydude: thanks for ESET proper settings explanation. So where does your information come from, the forum?

@Minus: This is precious! really great and unexpected link. Thanks for sharing

Do you use the patch yourself? If so some questions:

1) 2 patches (up: memory patch/down: file patch) do you need to patch ONE of these or BOTH (XP/Vista)?
[Attached screenshot: 2009-01-20 9-29-46.png]

2) Patch Memory: I select 200 is that the correct value?

3) There is also a concurrent download limit in IE (limit at 2 or 3?), it can be modified in the registry:

Code:
"MaxConnectionsPer1_0Server"=dword:0000000a
"MaxConnectionsPerServer"=dword:0000000a

Is this patch related to this setting (the down part: file patch) or is it completely different (which I believe) ?
  #9  
January 19th, 2009, 11:15 PM
Minus
Infrequent Poster
Join Date: Jan 2009
Posts: 3
Re: Help With Firewall log & utorrent ***FIXED***

Yes, I do use the patch when working with torrents. The very nature of torrents makes using the patch very beneficial.

1. You only need to patch one or the other. The first patch only makes the patch to the file in memory, whether you reset it manually or just reboot the computer the file will be untouched and set back automatically to the default setting of 10. The lower option basically hex edits the file and is permanent till the next windows update in which MS will probably reset it anyways.

2. Many people will tell you different settings, myself I set it around 100. The kind of settings will also be determined on how many concurrent torrents you want to have downloading/seeding etc.

3. This patch has nothing to do with any IE settings that I am aware of.

Another thing of note is when using this patch it may be beneficial to change the settings inside of utorrent. Under Preferences > Advanced scroll down for a setting called net.max_halfopen and change the value (default I believe is 8). With a setting of 100 half open connections I usually set it to 90, which when set will appear as *90 in that field. (Part of the idea here is to let it know it can use more connections while at the same time leaving you with enough to avoid the problems you had before patch, which is why the number is lower than my set allowance of 100 for example.) Most likely you will not only see an increase in speed on your downloads, but your net surfing will seem to be a bit less problematic. Your settings may need to be different but watching the TCP-Z in action will let you see just where you need to tweak for your own usage.

Just as with AV software or anything else, there are no "best" or most optimal settings for all users so I am just trying to help anyone who has seen this problem. Any further questions I will do my best and sorry it took so long for the reply.

Last edited by Minus : January 20th, 2009 at 12:14 AM.
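To measure how close a machine is to the half-open limits discussed in posts #7 and #9, count outbound TCP connections in the SYN_SENT state per owning process in `netstat -ano` output. This is an added example, not part of the original thread: the netstat excerpt, its addresses and its PIDs are constructed, and the limits (10, 8, 100, 90) are the figures quoted by the posters.

```python
from collections import Counter

def half_open_by_pid(netstat_text):
    """Count TCP connections in SYN_SENT (handshake not yet completed) per PID."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows of `netstat -ano` have 5 columns; UDP rows have no State column.
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "SYN_SENT":
            counts[int(fields[4])] += 1
    return counts

def assess(netstat_text, os_limit=10, app_cap=8):
    """Compare the observed half-open count with the OS limit and the client's cap.

    os_limit: the system-wide figure from post #7 (10) or the patched value.
    app_cap:  the client's net.max_halfopen setting from post #9.
    """
    per_pid = half_open_by_pid(netstat_text)
    total = sum(per_pid.values())
    top_pid, top_count = per_pid.most_common(1)[0] if per_pid else (None, 0)
    return {
        "total_half_open": total,
        "top_pid": top_pid,
        "top_count": top_count,
        "at_os_limit": total >= os_limit,
        "app_cap_leaves_headroom": app_cap < os_limit,
        "left_for_other_apps": max(os_limit - app_cap, 0),
    }

# Constructed sample: PID 1812 stands in for the torrent client, 2044 for a browser.
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address          Foreign Address        State           PID"]
    + [f"  TCP    192.168.11.2:{2500 + i}      203.0.113.{i + 1}:6881      SYN_SENT        1812"
       for i in range(9)]
    + ["  TCP    192.168.11.2:2601      198.51.100.7:80        SYN_SENT        2044",
       "  TCP    192.168.11.2:2602      198.51.100.8:80        ESTABLISHED     2044",
       "  UDP    192.168.11.2:55656     *:*                                    1812"]
)
```
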
  #10  
January 20th, 2009, 02:58 AM
admsupport
Infrequent Poster
Join Date: Oct 2008
Location: Japan
Posts: 49
Re: Help With Firewall log & utorrent ***FIXED***

Quote:
Originally Posted by Minus
I am just trying to help anyone who has seen this problem. Any further questions I will do my best and sorry it took so long for the reply.

Help much appreciated, and for the clear explanations.
  #11  
January 20th, 2009, 03:37 AM
Minus
Infrequent Poster
Join Date: Jan 2009
Posts: 3
Re: Help With Firewall log & utorrent ***FIXED***

I'll take that as an official fixed at this point?
  #12  
January 20th, 2009, 07:25 AM
admsupport
Infrequent Poster
Join Date: Oct 2008
Location: Japan
Posts: 49
Re: Help With Firewall log & utorrent ***FIXED***

Indeed
 

All times are GMT -4.