EventID 4226 Patcher

Discussion in 'NOD32 version 2 Forum' started by Fubie, Apr 10, 2005.

Thread Status:
Not open for further replies.
  1. Fubie

    Fubie Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    53
    Location:
    Rogersville, MO, USA
    Hello. Nod hasn't given me an issue with this patcher utility until the new 2.5 beta. I have used this patcher since WinXP SP2 came out without a problem, nor have I seen anyone (on my p2p apps forums) make any claims of it being a malicious program. Now with Nod's beta I ran a full scan and it was tagged as a Win32/Tool.EvID4226.
    Does anyone know if this program has been verified as malicious code?
    Oh, if you don't know, this program allows you to patch your WinXP SP2 tcpip.sys from 10 to 50 half-open connections allowing you to successfully use p2p apps. Otherwise XP chokes the program.
     
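    Defender-side view of what the first post describes, as an added example that is not from this thread or from the patcher itself: Event ID 4226 (source "Tcpip") is the System-log event Windows XP SP2 writes when the half-open outbound connection limit is reached, and a patched tcpip.sys no longer matches its vendor hash. The log export format, host names and known-good hash list below are constructed assumptions.

```python
"""Added example: flag machines that repeatedly hit the SP2 half-open
connection limit (Event ID 4226) and check tcpip.sys for modification.
The log lines and hashes are constructed placeholders, not real data."""
import hashlib
from collections import Counter

# Constructed System-log export: timestamp|host|source|event_id
SAMPLE_EVENTS = """\
2005-04-10 21:03:11|PC-LAB01|Tcpip|4226
2005-04-10 21:03:14|PC-LAB01|Tcpip|4226
2005-04-10 21:03:20|PC-LAB01|Tcpip|4226
2005-04-10 21:05:00|PC-LAB02|Tcpip|4226
2005-04-10 21:07:42|PC-LAB02|Service Control Manager|7036
2005-04-10 21:09:09|PC-LAB01|Tcpip|4226
"""


def parse_events(text):
    """Yield (timestamp, host, source, event_id) tuples from the export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, event_id = line.split("|")
        yield ts, host, source, int(event_id)


def hosts_hitting_limit(text, threshold=3):
    """Hosts that logged Event ID 4226 at least `threshold` times.
    The TCP/IP stack is throttling outbound connect attempts there,
    which both P2P clients and scanning worms provoke; treat it as a
    lead to investigate, not as proof of either."""
    counts = Counter(host for _, host, source, eid in parse_events(text)
                     if source == "Tcpip" and eid == 4226)
    return sorted(h for h, n in counts.items() if n >= threshold)


def tcpip_sys_is_pristine(path, known_good_sha256):
    """File-integrity check: a tool that rewrites the half-open limit
    inside tcpip.sys changes its hash. The allowlist must come from a
    trusted, unpatched copy of the same file version (assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().lower() in {k.lower() for k in known_good_sha256}
```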
  2. Dakhor

    Dakhor Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    75
    http://www.virustotal.com/flash/index_en.html

    Antivirus     Version          Update      Result

    AntiVir       6.30.0.7         04.10.2005  no virus found
    AVG           718              04.07.2005  no virus found
    BitDefender   7.0              04.11.2005  no virus found
    ClamAV        devel-20050307   04.11.2005  no virus found
    DrWeb         4.32b            04.10.2005  no virus found
    eTrust-Iris   7.1.194.0        04.09.2005  no virus found
    eTrust-Vet    11.7.0.0         04.08.2005  no virus found
    Fortinet      2.51             04.09.2005  no virus found
    F-Prot        3.16a            04.11.2005  no virus found
    Ikarus        2.32             04.08.2005  no virus found
    Kaspersky     4.0.2.24         04.11.2005  no virus found
    McAfee        4465             04.08.2005  potentially unwanted program Tool-EvID4226 <-----
    NOD32v2       1.1055           04.11.2005  Win32/Tool.EvID4226 <------
    Norman        5.70.10          04.08.2005  no virus found
    Panda         8.02.00          04.10.2005  no virus found
    Sybari        7.5.1314         04.11.2005  no virus found
    Symantec      8.0              04.10.2005  no virus found

    /DaK/
     
  3. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    Googling for "EvID4226" finds a number of AV sites referencing this as a threat - what is it?
     
  4. Fubie

    Fubie Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    53
    Location:
    Rogersville, MO, USA
    For most this doesn't seem like it should be an issue, and for most they are right. But if you use p2p at all, any p2p app is choked because of the huge number of outbound connections that it must send to initiate connections to other users. My concern here is that NOD and apparently a few other programs see this patcher as a threat. The problem is that there are many legitimate patcher programs out there, Style XP for one, that can alter system files to allow the user freedom to change.
     
  5. ShunterAlhena

    ShunterAlhena Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    134
    Location:
    Szigethalom, Hungary
    Hello Fubie,

    Try unchecking "Potentially unwanted apps" and "Adware/Spyware/Riskware" in your AMON/NOD32 settings. See if NOD32 still detects it.

    Regards,
    SA
     
  6. Golden

    Golden Guest

    The EventID4226 Patcher is not malware but it does fit into the "what your admin doesn't want you messing with" category;)
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    The average home P2P user might think it's a nice tool but I agree with you on this Golden. A definite no-no.
     
  8. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    A user would definitely get a serious talking to on my network...
     
  9. Dakhor

    Dakhor Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    75
    So I guess Eset is moving away from their statements in the past of "trying to keep the database clean and not clogging it up"...

    It was something of that sort anyway.

    This is not a virus, trojan, spyware or malware. But I agree it would be good to know about it from a network admin point of view. But then again so would a million other programs of various kinds.

    /DaK/
     
  10. Fubie

    Fubie Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    53
    Location:
    Rogersville, MO, USA
    Thanks for the input, but nowhere have I said that I have used this or intend to use this at work. I am the admin at my work and you are right, I don't want users fiddling with my machines' system files. But this is a must for home p2p users who have installed SP2. Before the horde out there goes off half-cocked, a user must be aware of what they are changing and have appropriate security in place. But this patch doesn't even come close to allowing the connections out like the original XP Pro. I know I'm not thrilled about installing M$ patches as soon as they come out. Hell, the majority of the time they break more than they fix.

    I'll recheck my settings and see if I can re-download the file.
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Without actually knowing for sure, it is entirely possible a tool like this might interfere with IMON or be used to interfere with IMON, either inadvertently or maliciously.
    And that is despite the fact it overcomes steps put in place specifically to help prevent (slow) the spread of particular viruses.
     
  12. Fubie

    Fubie Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    53
    Location:
    Rogersville, MO, USA
    You miss the point. XP and XP SP1 both had unlimited outbound connections or raw sockets. Read about it here.

    What I am hearing here is that M$ is to be praised for releasing a "fix" and yet again breaking hundreds of legitimate programs. I guess in your view all p2p apps are dangerous malware? Also by your reasoning NOD should clamp down on the operating system of pre-SP2 because it "...[doesn't] specifically...help prevent (slow) the spread of particular viruses." This patch gives you only 5 times the outbound connection after the "fix" provided by SP2. Not unlimited like SP2's predecessors.

    Other than the purist idea that you shouldn't mess with system files, which is fine, what is the issue? Are you any more of a security threat because of this patch? No. Especially in light of how many users and businesses that haven't applied SP2 and how many goofs out there aren't running security (AV software, Anti-Adware/Spyware/Trojan software, firewalls, etc) software. Can you, a home user, alter system files all you like as long as you are willing to pick up the pieces in case your system becomes unstable? Yes. Are you going to piss your system admin off if you try to install this? Hell yes. But what a poor admin you have if they haven't locked your system down to not allow regular users to install programs they feel like.
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I am aware of this. Are yesterday's shortcomings tomorrow's excuses?
    p2p might be legal but is the content? I understand we're not talking about people using p2p in an office environment. None of the home users I know appreciate or enjoy being assigned an IP address from where somebody has previously used p2p - the flood of unrequested p2p related traffic is a crocaterd and often lasts for days.
    My reasoning was just that a tool that partially circumvents measures that help prevent the spread of viruses is counterproductive to measures that are designed to help eliminate the spread of viruses.
    Whether or not any particular user or PC is more of a security threat stands second in my mind to the responsibility those who know better have to provide a good example for the rest.
    Some of my local clients are running software systems provided by others. They have support from their software vendors (that they pay for) conditionally on the basis that everything is configured specifically as the software vendor requests. Essentially that amounts to the least possible security in most areas, for example all the workstations automatically log in to 2003 SBS with administrator privileges. All I can do for them as local support independent of the software provider is inform them of these issues and then put in place other measures that do not alter or interfere with the vendor-provided setup and configuration. It's a situation that really, really sucks, but my point is this - they could run or install ANYTHING they want and so long as they continue to use the software they do there'll be nothing anyone does about it.
     