MEssage: Detected covert channel exploit in ICMP packet Eset v5.0.95.0

[gslabbert5119]

I just upgraded to ESET security suite V5.0.95.0
I keep keep getting this warning "Detected covert channel exploit in ICMP packet"
OS Windows 7 Pro SP1 64bit

I looked up the message and I am told that I should have personal firewall version newer than "1047", well I have version "1071" as per the modules so that should not be an issue.

I have opened up a ticket but I cant wait 24 hours for a response, for this message every 3 minutes is really annoying.

Thanks for the help

My modules are as follows ...
Virus signature database: 6772 (20120106)
Update module: 1037 (20110921)
Antivirus and antispyware scanner module: 1333 (20111215)
Advanced heuristics module: 1121 (20111208)
Archive support module: 1138 (20111214)
Cleaner module: 1052 (20111129)
Anti-Stealth support module: 1026 (20110628)
Personal firewall module: 1071 (20110912)
Antispam module: 1019 (20111213)
ESET SysInspector module: 1221B (20110623)
Self-defense support module: 1018 (20100812)
Real-time file system protection module: 1006 (20110921)
Translation support module: 1034 (20111214)
HIPS support module: 1026 (20110725)
Internet protection module: 1025 (20110929)
Web content filter module: 1009 (20110705)
Advanced antispam module: 1019 (20111202)
Database module: 1016 (20110726)

[Marcos]

The detection is correct. You must have software installed that exploits ICMP for transmitting non-standard data. A Wireshark pcap log with the communication captured may shed more light.

[gslabbert5119]

I did not get this until this morning when I upgraded from v4 to v5.

[Cudni]

Quote:

Originally Posted by Marcos

The detection is correct. You must have software installed that exploits ICMP for transmitting non-standard data. A Wireshark pcap log with the communication captured may shed more light.

Could you also post few software that use that tactic? It might help user to narrow it down.
as in
http://www.wilderssecurity.com/showp...0&postcount=19

[Marcos]

For instance, Battlefield 3. For this one, we'll make an exception in the next build of the firewall module.

[gslabbert5119]

I dont play any computer games on any of my computers, I am just not a gamer, the computer is strictly work related, and the software on the computer is either a Microsoft product, SQL Server or an Oracle product related to OBIEE. I have a computer and a laptop, each running the same software, on the PC I have CS5.0.94.0 and I am not having any issues, on the laptop I am running CS5.0.95.0 and am having this issue.

I run Google Talk on both computers and that is the only 3rd party software that is used.

[adza]

Maybe I can be of assistance.

Written with Delphi 2007 and Indy's TIdICMPClient

xttp://www.jvxp.com/temp/EsetPingProject1.exe

This project simply puts out a ICMP request through to Google's server 8.8.8.8

Very simple (Threw together in seconds) so doesn't even display the result - but it should raise the red window that you see.

Hope this is of help...

Adza

[RonS]

Quote:

Originally Posted by gslabbert5119

I just upgraded to ESET security suite V5.0.95.0
I keep keep getting this warning "Detected covert channel exploit in ICMP packet"
OS Windows 7 Pro SP1 64bit

I looked up the message and I am told that I should have personal firewall version newer than "1047", well I have version "1071" as per the modules so that should not be an issue.

I have opened up a ticket but I cant wait 24 hours for a response, for this message every 3 minutes is really annoying.

Thanks for the help

My modules are as follows ...
Virus signature database: 6772 (20120106)
Update module: 1037 (20110921)
Antivirus and antispyware scanner module: 1333 (20111215)
Advanced heuristics module: 1121 (2011120
Archive support module: 1138 (20111214)
Cleaner module: 1052 (20111129)
Anti-Stealth support module: 1026 (2011062
Personal firewall module: 1071 (20110912)
Antispam module: 1019 (20111213)
ESET SysInspector module: 1221B (20110623)
Self-defense support module: 1018 (20100812)
Real-time file system protection module: 1006 (20110921)
Translation support module: 1034 (20111214)
HIPS support module: 1026 (20110725)
Internet protection module: 1025 (20110929)
Web content filter module: 1009 (20110705)
Advanced antispam module: 1019 (20111202)
Database module: 1016 (20110726)

I upgraded to ESS about 10 days ago but just experienced the same thing today ...after a brief power outage , (at which time my UPS came on ). After poking around in ESS setup I found that for some unknown reason ESS became reconfigured...possibly because of the power outage...and it changed the "Computer protection mode in network" from "Allow sharing" to "Strict protection." As soon as I changed it back to "Allow sharing I stopped getting the warning for all computers, printer and external hard drive on my network.

[S3curityPlu5]

Yes this message is usually when other networked or workgroup computers try to link up to your computer with eset set on this Strict option. I also just realized the same problem, and i have a SOHO network that I use for sharing, well I did not change the option but it must have changed itself since I just rebooted.

[adza]

For me I have eset set to allow sharing - yet the problem still occurred with other pinging apps.

[foneil]

Please note that we have updated the ESET Knowledgebase article for this issue:

• Why did I get a “Detected covert channel exploit in ICMP packet” message in the firewall logs?

There are two solutions.

Use solution 1 if you want to disable notifications so that you no longer receive pop-ups each time an attack is detected.

Use solution 2 if this issue is preventing a network-aware application or game from functioning properly and your Personal firewall module is up to date.