Dr.Web, Look-n-stop and Win 32 SQL slammer

Discussion in 'other anti-virus software' started by BrainWarp, Sep 3, 2004.

Thread Status:
Not open for further replies.
  1. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    287
    I did a full scan with Dr.Web and came up with this

    Process in memory: looknstop.exe Win 32.SQL slammer 376 eradicated


    I see that it was in my memory--but was it active? Spider did not catch it.
    Does this mean that this virus was in the logs of looknstop? Just wanting to understand.

    thx
     
  2. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I'm glad to see I am not the only one getting this. I used Look N Stop 2.05 and was also getting this occasionally during memory scan. The pain is that it deletes it and then the firewall dies. I had to do a restart to bring it back up. Since it just deletes it there is nothing to send to DrWEB to let them investigate. I figure it is probably some kinda false positive but I got so tired of it I finally downloaded Sygate's free version 5 firewall for now. I really like LnS though and hope to figure this out soon. :doubt:
     
  3. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    287
    That's the same thing that happened to me--it could be a false positive! But I am concerned over it--I like looknstop, but if this continues I may have to install another firewall.
     
  4. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Have you only just started to receive this 'message' with the latest version/update of Dr Web? I run the same combination on a Win XP Pro box here with no problems so far (I do not run Spidermail).

    Dr Web seem to have this Internet Worm covered; http://www.dials.ru/english/inf/virus.php?id=186 and state that they are "the only AV capable of detecting this virus in memory".

    Have you both confirmed with another scanner that this is a false positive, e.g. Stinger (http://vil.nai.com/vil/stinger/)? This AV tool seems to have all of the variants of the Slammer worm covered.

    If confirmed, have you tried placing the looknstop.exe in the exclude of Dr Web?

    You could report this probable false positive to the Dr Web people, but at the present time, this could be low down on their list of priorities.

    Sorry, I was not much help but on this machine, touch wood, the good Doctor and Look'n'Stop sit well together.

    May be worth dropping Frederic a line to see whether he knows of this conflict http://www.looknstop.com/En/support2.htm or simply posting here at Wilders over in the Look'n'Stop Forum where he or some other LNS expert may see the post.
     
  5. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
  6. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    287
    It makes me feel better now to see that it is a false positive--at least I hope it is.

    thx guys
     
  7. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Well try to remember that slammer is only memory resident and can be killed by a simple reboot. It doesn't drop any files, and just spreads by jumping from the memory of one computer to the memory of another. This worm only effectively targets unpatched SQL Server 2000 and MSDE 2000, and has been patched in 7/17/02 AND again in Jan 2003. So it is quite unlikely that it is a positive detection.
     
  8. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Hey Blackcat, I tried your suggestion and put LnS's exe in the exclude list and gave it a few days. No more SQL Slammer finds in the memory scan. I'm back to the nearly impenetrable team of DrWEB and Look N Stop. Now to sit back and see what other anomalies come up to deal with...... ;)
     
  9. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    287


    Same here--so far so good.
     
  10. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Glad to hear that the problem seemed to be a false positive and that the exclude works.
     