A-squared IDS alerting on K-Meleon

Discussion in 'other anti-trojan software' started by pcalvert, Sep 29, 2005.

Thread Status:
Not open for further replies.
  1. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Hi,

    I just installed a trial of A-squared Personal yesterday. Today, when I tried to run K-Meleon 0.9, I got two a2 Guard alerts. Anyone else run across this?

    I was thinking that this is probably just a false positive, and that the behavior is normal for K-Meleon. If that's the case, then I figured that a Google search would turn up previous discussions about this. Well, I couldn't find any, so that has me wondering if the problem isn't with K-Meleon, but something else. In other words, something else is exploiting K-Meleon and that's what's triggering the alert.

    Phil
     
  2. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    I thought I would elaborate on this by posting some screenshots. Here's the first alert:
     


    Last edited: Sep 29, 2005
  3. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
Here's the second alert, which I received after clicking the "Allow program once" button:
     


  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    IMHO, it's an FP. I am a long-time user of K-mel 0.9 as well as K-Ninja. I installed A² several months ago & got initial alerts on K-mel, same as you. After a scan of K-mel & K-Ninja with 3 different programs proved them to be clean, I simply instructed A² to exclude those programs.

    A²'s Guard's IPS is aggressive, which I like. I'm pretty sure it's something K-mel does that seems *suspicious* to A² -- NOT a signature.
     
  5. que sera

    que sera Guest

I like the a-squared IDS being aggressive, too. To avoid those "alerts" with K-Meleon (and Firefox) it should not be necessary to add them to the a-squared exclusion list. Just go to the a-squared Guard Configuration, open the General tab and in Malware-IDS mode choose "Activate intelligent false alerts reduction".

    Regards,
    qs
     
  6. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    That option does not exist in the version of A-squared Personal that I am using.

    Phil
     
  7. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
It's not an FP, it's actually telling you the program attributes and letting you decide if you know/want the program to operate. It's like installing a new firewall and going through all the program access popups.

    If you know K-Meleon and trust it then hit the "Always allow program" button and all will be fine.
     
  8. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
Thanks for the replies. I should mention that I also tried Mozilla Firefox and IE 5.5. The a2 Guard also alerted on Firefox, but not on IE. So I suspect that this is related to the server that the GRE (Gecko rendering engine) sets up. Even so, I don't like guessing when it comes to something like this, so I will probably submit the files for analysis.

    Phil
     
  9. mrsquiggle

    mrsquiggle Guest

The alerts suggest it is detecting suspicious network activity. LAN bypass trojans are those which connect OUT so as to establish a connection. It can't be ONLY alarming on that, and that was the second alert anyway, not the first. You are right to send the file for analysis so they can look at what it does and what triggers the alert. Maybe they can make things work better and not detect this file.
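A toy model of the allow-once / always-allow / exclude decisions discussed in posts 7 and 9, added here as an example; it is not a-squared's code, and the action names, the listening port, the executable bytes and the rule that "allow once" covers a single action are all assumptions. It shows why a one-off allow can be followed by a second alert on a different behaviour of the same program, and why an exclusion keyed by path alone keeps silencing the alert after the binary at that path has changed, where a trust entry keyed by the file hash alerts again.

```python
"""Minimal behaviour-based host guard: constructed example, not a-squared's code.

Assumptions (not from the thread): the guard reacts to a fixed set of
"suspicious" actions, "allow once" grants exactly one action for one
(path, hash) pair, "always allow" trusts a (path, hash) pair, and an
exclusion is keyed by path only.
"""
import hashlib
from dataclasses import dataclass, field

# Actions the guard treats as worth an alert (constructed list).
SUSPICIOUS = {"listen", "connect_out", "inject"}


@dataclass
class Event:
    path: str          # executable on disk
    image: bytes       # executable contents (constructed; stands in for reading the file)
    action: str        # "listen", "connect_out", "inject", "read_file", ...
    target: str = ""   # e.g. "127.0.0.1:7055" or "203.0.113.5:80" (constructed)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Guard:
    # Permanent trust keyed by (path, hash): a replaced binary is alerted on again.
    always_allow: set = field(default_factory=set)
    # One-shot grants keyed by (path, hash, action), consumed on first use.
    allow_once: set = field(default_factory=set)
    # Path-only exclusions (assumption about how an "exclude" entry behaves).
    excluded_paths: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def grant_once(self, ev: Event) -> None:
        self.allow_once.add((ev.path, sha256(ev.image), ev.action))

    def grant_always(self, ev: Event) -> None:
        self.always_allow.add((ev.path, sha256(ev.image)))

    def exclude_path(self, path: str) -> None:
        self.excluded_paths.add(path)

    def check(self, ev: Event) -> str:
        """Return 'ignore', 'allow' or 'alert' for one observed action."""
        if ev.action not in SUSPICIOUS:
            return "ignore"
        if ev.path in self.excluded_paths:
            return "allow"                      # path exclusion: no hash check at all
        key = (ev.path, sha256(ev.image))
        if key in self.always_allow:
            return "allow"
        once = key + (ev.action,)
        if once in self.allow_once:
            self.allow_once.discard(once)       # single use
            return "allow"
        self.alerts.append((ev.path, ev.action, ev.target))
        return "alert"


# Constructed stand-ins for the browser executable and a modified copy of it.
KMELEON = b"MZ\x90\x00constructed k-meleon image"
TAMPERED = KMELEON + b"\xcc"                    # same path, different contents


def scenario() -> dict:
    """Replay the sequence from the thread: alert, allow once, second alert, then trust."""
    g = Guard()
    path = r"C:\Program Files\K-Meleon\k-meleon.exe"
    listen = Event(path, KMELEON, "listen", "127.0.0.1:7055")
    connect = Event(path, KMELEON, "connect_out", "203.0.113.5:80")
    out = {}
    out["first"] = g.check(listen)                              # first alert
    g.grant_once(listen)
    out["after_once"] = g.check(listen)                         # the one-off grant is used up
    out["second"] = g.check(connect)                            # a different action: second alert
    g.grant_always(connect)
    out["after_always"] = (g.check(listen), g.check(connect))   # whole program now trusted
    tampered = Event(path, TAMPERED, "connect_out", "203.0.113.5:80")
    out["tampered_hash_keyed"] = g.check(tampered)              # hash changed: alert again
    g.exclude_path(path)
    out["tampered_path_excluded"] = g.check(tampered)           # path exclusion hides it
    out["alert_count"] = len(g.alerts)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The last two results are the practical caveat: excluding a program by path, as bellgamin describes doing, is a decision that outlives the binary it was made for, so pair it with a hash of the file you scanned and re-check that hash after updates.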
     
  10. [ah]

    [ah] Guest

It's a feature that is introduced with a-squared 1.7, which is currently flagged as beta.
     