EventID 4226 Patcher

Hello. Nod hasn't given me an issue with this patcher utility until the new 2.5 beta. I have used this patcher since WinXP SP2 came out without a problem nor have I seen anyone (on my p2p apps forums) have any claims of it being a malicious program. Now with Nod's beta I ran a full scan and it was tagged as a Win32/Tool.EvID4226
Does anyone know if this program has been verified as malicious code?
Oh, if you don't know, this program allows you to patch your WinXP SP2 tcpip.sys from 10 to 50 half-open connections allowing you to successfully use p2p apps. Otherwise XP chokes the program.

 

http://www.virustotal.com/flash/index_en.html

Antivirus Version Update Result

AntiVir 6.30.0.7 04.10.2005 no virus found
AVG 718 04.07.2005 no virus found
BitDefender 7.0 04.11.2005 no virus found
ClamAV devel-20050307 04.11.2005 no virus found
DrWeb 4.32b 04.10.2005 no virus found
eTrust-Iris 7.1.194.0 04.09.2005 no virus found
eTrust-Vet 11.7.0.0 04.08.2005 no virus found
Fortinet 2.51 04.09.2005 no virus found
F-Prot 3.16a 04.11.2005 no virus found
Ikarus 2.32 04.08.2005 no virus found
Kaspersky 4.0.2.24 04.11.2005 no virus found
McAfee 4465 04.08.2005 potentially unwanted program Tool-EvID4226 <-----
NOD32v2 1.1055 04.11.2005 Win32/Tool.EvID4226 <------
Norman 5.70.10 04.08.2005 no virus found
Panda 8.02.00 04.10.2005 no virus found
Sybari 7.5.1314 04.11.2005 no virus found
Symantec 8.0 04.10.2005 no virus found

/DaK/

 

googling for "EvID4226" finds a number of AV sites referencing this as a threat - what is it?

 

For most this doesn't seem like it should be an issue and for most they are right. But if you use p2p at all, any p2p app, is chocked because of the huge number of outbound connections that it must send to initiate connection to other users. My concern here is that NOD and apparently a few other programs see this patcher as a threat. The problem is that there are many legitimate patcher programs out there, Style XP, for one that can alter system files to allow the user freedom to change.

 

Hello Fubie,

Try unchecking "Potentially unwanted apps" and "Adware/Spyware/Riskware" in your AMON/NOD32 settings. See if NOD32 still detects it.

Regards,
SA

 

The EventID4226 Patcher is not malware but it does fit into the "what your admin doesn't want you messing with" catagory

 

the average home P2P user might think it's a nice tool but I agree with you on this Golden. A definate no-no.

 

A user would definitely get a serious talking to on my network...

 

So i guess Eset is moving away from their statements in the past of "trying to keep the database clean and not clogging it up"...

It was something of that sort anyway.

This is not a virus, trojan, spyware or malware. But I agree it would be good to know about it from an network admin point of view. But then again so would a million other programs of various kind.

/DaK/

 

Thanks for the input, but no where have I said that I have used this or intend to use this at work. I am the admin at my work and you are right, I don't want users fiddling with my machines system files. But this is a must for home p2p users who have installed SP2. Before the horde out there goes off half cocked, a user must be aware of what they are changing and have appropriate security in place. But this patch doesn't even come close to allowing the connections out like the original XP Pro. I know I'm not thrilled about installing M$ patches as soon as they come out. Hell the majority of the time they break more than they fix.

I'll recheck my settings and see if I can re-download the file.

 

Without actually knowing for sure it is entirely possible a tool like this might intefere with IMON or be used to intefere with IMON either inadvertently or maliciously.
And that is despite the fact it overcomes steps put in place specifically to help prevent (slow) the spread of particular viruses.

 

You miss the point. XP and XP SP1 both had unlimited outbound connections or raw sockets. Read about it here.

What I am hearing here is that M$ is to be praised for releasing a "fix" and yet again breaking hundreds of legitimate programs. I guess in your view all p2p apps are dangerous malware? Also by your reasoning NOD should clamp down on the operating system of pre-SP2 because it "...[doesn't] specifically...help prevent (slow) the spread of particular viruses." This patch gives you only 5 times the outbound connection after the "fix" provided by SP2. Not unlimited like SP2's predecessors.

Other than the purist idea that you shouldn't mess with system files, which is fine, what is the issue? Are you any more of a security threat because of this patch? No. Especially in light of how many users and businesses that haven't applied SP2 and how many goofs out there aren't running security (AV software, Anti-Adware/Spyware/Trojan software, firewalls, etc) software. Can you, a home user, alter system files all you like as long as you are willing to pick up the pieces in case your system becomes unstable? Yes. Are you going to piss your system admin off if you try to install this? Hell yes. But what a poor admin you have if they haven't locked your system down to not allow regular users to install programs they feel like.

 

I am aware of this. Are yesterdays shortcomings tomorrows excuses?

p2p might be legal but is the content? I understand we're not talking about people using p2p in an office environment. None of the home users I know appreciate or enjoy being assigned an IP address from where somebody has previously used p2p - the flood of unrequested p2p related traffic is a crocaterd and often lasts for days.

My reasoning was just that a tool that partially circumvents measures that help prevent the spread of viruses is counterproductive to measures that are designed to help eliminate the spread of viruses.

Whether or not any particular user or PC is more of a security threat stands second in my mind to the responsibility those who know better have to provide a good example for the rest.

Some of my local clients are running software systems provided by others. They have support from their software vendors (that they pay for) conditionaly on the basis that everything is configured specifically as the software vendor requests. Essesntially that amounts to the least possible security in most areas for example all the workstations automatically login to 2003 SBS with administrator privelidges. All I can do for them as local support independant of the software provider is inform them of these issues and then put in place other measures that do not alter or interfere with the vendor provided setup and configuration. It's a situation that really really sucks but my point is this - they could run or install ANYTHING they want and so long as they continue to use the software they do there'll be nothing anyone does about it.