I have seen the light (and it is green)

Discussion in 'other anti-virus software' started by egghead, Feb 29, 2008.

Thread Status:
Not open for further replies.
  1. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    April will see AV tested on Vista SP1; we should see if it still misses some on a desktop.

    And I do not agree about the "it's not too bad" because while many people don't know or trust AV-C or AV-Test or others, VB100 is actually something corporations and government agencies look after (at least here).

    Aren't the viruses included in the wildlist actually "in the wild"? Meaning you can get infected in real life as they are out there, and not just in a lab.
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Another recent convert to the good Dr.
     
  3. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    426
    Location:
    None
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229

    Don't act so surprised my friend. :D
     
  5. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    187
    Location:
    Bangladesh
    Dr.Web CureIt now detects PC Tools Firewall as malware. Hope this would be fixed soon.
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Does anyone know the approximate turnaround time for unknown malware?

    I know that about a year or so ago DrWeb had relatively fast response times for new malware. Now that I'm curious enough to try it again, all I seem to get is an automated response telling me my sample was received, and nothing beyond that. The old Virus Monitoring Service website also seems to have been pulled offline; I'm having trouble finding a link to it on the main page.
     
  7. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    strange,

    i just checked it via drweb 4.44 and received no detections for pc tools firewall.
     
  8. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    187
    Location:
    Bangladesh
    Maybe you just checked the installation package. PC Tools Firewall has two resident processes: Firewallgui.exe and FWservice.exe. During the express scan CureIt detected both these processes as malware and suspended them.
     
  9. AndreyKa

    AndreyKa Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    93
    Location:
    Russia
    I suppose it is Win32.SQL.Slammer :)
    It isn't false positive. It's real exploit packet of Win32.SQL.Slammer in the process memory.
     
    Last edited: Apr 21, 2008
  10. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    187
    Location:
    Bangladesh
    Yes it was. Thanks for the explanation. Can you explain more? Why is there an exploit packet in the PC Tools Firewall process? :doubt: :doubt:
     
  11. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    it's the difference between a good flat-file scanner for testing, and proper protection :)

    it won't have anything to do with pctools, but the malware has reached your machine undetected using avast? ... and the malware has targeted your running processes, in this case.. your firewall.

    nasty stuff, did you let cureit cure it for ya?
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    SQL.Slammer is an internet worm that exists solely in computer memory. In fact, it's a small internet data packet that never touches the hard disk. What ostensibly happened was that your firewall blocked the attack, but DrWeb reported that SQL.Slammer data existed in your firewall's memory process.

    This is obviously a bad thing, because DrWeb triggered on an attack that had already been stopped, identified your firewall as the infection, and suspended your firewall. This is not a false positive per se, just poor handling of data.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, Dr.Web has this problem with PC Tools and LnS firewalls.
    SQL Slammer is stopped by every firewall and it can't do any harm because it targets a server-only app (it doesn't exist on home setups) which has been patched in 2002.
     
  14. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    it's not a problem,

    the firewall may block the threat, but it's still in running memory processes.

    a lot of AVs don't even scan memory, or efficiently i should say.

    cureit was picking up on the threat, as it still resides in your memory.

    it's not a problem, or an FP.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    When it's blocked by a firewall, it's effectively neutered and completely harmless. Not so harmless, however, is your firewall being suspended by an antivirus because the antivirus believes that your firewall is a worm.

    Tell that to the people who got their firewalls killed thanks to DrWeb.
     
  16. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    nah, you just tell it to someone else instead ;)

    the fault goes to avast for not detecting the threat in the first place, drwebs cureit saw the threat and got rid of it. End of story.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    When a firewall blocks a packet, it's discarded immediately, so it doesn't reside in memory anymore. Without knowing the inner workings of Dr.Web, I'd say that Dr.Web is detecting a "ghost" (i.e. something that doesn't exist but was present for a brief moment before the firewall dropped the connection), it's detecting something in the ruleset (i.e. any specific ruleset to block SQL Slammer) or it's detecting when the firewall logs the "attack" stopped.
    It's a problem of the memory scanner of Dr.Web or how they parse data (firewall ruleset or log).
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Thanks, but I'll pass. Telling other people it's not a problem, when it clearly IS a problem, doesn't sound quite right to me.
     
  19. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    well, whatever it is Lucas, it's still detecting what is there, or ghosting there.

    sounds more of a problem with the Firewall, and not the AV, for not discarding a threat completely that it's 'supposed' to have dealt with.

    and let's not forget the avast failed detection too.
     
  20. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    maybe not to you it doesn't..... but nobody cares what you think though. ;)
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Chris, your personal attacks aren't worth much when it comes to taunting their intended target, or entertaining other readers; they're just stale.

    From what little I know of avast!'s Network Shield, it seems to act as an "invisible" proxy rather than traffic filtering at the network stack, meaning it picks up only what the firewall misses (in my experience: no reports when firewall is on, pages of Sasser/Slammer attack reports when firewall is off and my PC is put on DMZ). In other words, no mistakenly identifying and shutting down firewall processes as non-existent, already-blocked worms. :thumb:
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The firewall is the first in the chain of events, so no AV can detect a threat when it doesn't even reach them.
    A packet with the body of SQL Slammer comes in (highly unlikely event, BTW), it reaches the network stack at its lowest level (NDIS) where every firewall has its hooks, the packet is processed by the firewall engine and it's dropped because:
    - There's a specific rule (made by the user or shipped out of the box) to block SQL Slammer-like packets.
    - Stateful packet inspection drops it because it's an inbound connection without any correlation to any open connection.
    - There's no application to receive the packet, because SQL Server isn't installed in 99.99 % of home machines.
    The AV can't stop what isn't even there.
     
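The three drop reasons listed in the post above, as an added simulation (not any vendor's firewall code, and not from this thread): a small stateful host-firewall model that records outbound flows, applies an explicit block rule, and checks for a local listener. The Slammer-like signature (UDP/1434, first byte 0x04 followed by 0x01 padding), the addresses and the `HostFirewall`/`Packet` names are constructed for the illustration.

```python
from dataclasses import dataclass, field

SLAMMER_PORT = 1434  # UDP port of the SQL Server Resolution Service that Slammer targeted

@dataclass
class Packet:
    src: str        # remote address for inbound packets, local address for outbound
    sport: int
    dst: str
    dport: int
    proto: str = "udp"
    payload: bytes = b""
    inbound: bool = True

@dataclass
class HostFirewall:
    block_rules: set = field(default_factory=set)   # (proto, dport) explicit block rules
    flows: set = field(default_factory=set)         # (proto, remote, rport, lport) opened by us
    listeners: set = field(default_factory=set)     # (proto, port) with a local app bound

    @staticmethod
    def looks_like_slammer(pkt):
        # Simplified signature (assumption, not a real vendor rule): UDP/1434, 0x04 then 0x01 padding
        return (pkt.proto == "udp" and pkt.dport == SLAMMER_PORT
                and pkt.payload[:1] == b"\x04" and pkt.payload[1:5] == b"\x01" * 4)

    def decide(self, pkt):
        if not pkt.inbound:                          # outbound: remember the flow for replies
            self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
            return "allow", "outbound, flow recorded"
        if (pkt.proto, pkt.dport) in self.block_rules or self.looks_like_slammer(pkt):
            return "drop", "specific rule"           # reason 1: explicit rule
        if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.flows:
            return "allow", "reply to open flow"     # stateful match against a flow we opened
        if (pkt.proto, pkt.dport) not in self.listeners:
            return "drop", "no listener"             # reason 3: no application to receive it
        return "drop", "unsolicited inbound"         # reason 2: stateful default deny

def demo():
    # Constructed scenario: home box with a NetBIOS listener, a shipped block rule for 1434,
    # and one outstanding DNS query whose reply must still get through.
    fw = HostFirewall(block_rules={("udp", SLAMMER_PORT)}, listeners={("udp", 137)})
    fw.decide(Packet("192.0.2.10", 53000, "203.0.113.53", 53, inbound=False))
    slammer = Packet("198.51.100.7", 40000, "192.0.2.10", SLAMMER_PORT, payload=b"\x04" + b"\x01" * 375)
    reply = Packet("203.0.113.53", 53, "192.0.2.10", 53000)
    probe = Packet("198.51.100.8", 4444, "192.0.2.10", 9999)
    nbname = Packet("198.51.100.9", 5000, "192.0.2.10", 137)
    return fw.decide(slammer), fw.decide(reply), fw.decide(probe), fw.decide(nbname)
```

The Slammer packet never reaches an application, so a file or on-access scanner has nothing to inspect; whether a memory scanner later finds the dropped bytes in a buffer is a separate question from whether the host was at risk.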
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A lot of noise in your Internet neighborhood it seems. No Code Red, Nimda?
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    To be honest, I wouldn't know what avast! names those things as. Slammer and LSASS/DCOM exploits seem to form the majority of my Network Shield log entries. I turn off my firewalls and go to bed when I test it, so I usually have a page or two's worth of logs to parse in the morning.
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968