Imon is or is not important?

On my firm, some servers started with random reboots. Event viewer reads: Event ID: 6008 The previous system shutdown at h:mm:ss AM on d/mm/yyyy was unexpected.

Since Eset does not reply the questions I pose them on their support web form, I asked their resseller, and they replied him:

we have discovered that the problem occurs on multiprocessor systems (mostly server editions with DC) running NOD32 with IMON enabled. The only workaround is either to disable the Hyper-threading feature in BIOS, or turn off IMON if you don't use it for checking email until we come out with a fix.

since you don't use any mail client on the server, it's not risky. I
estimate we will come out with a fix within next week.

Not risky What do you say about this screen shot taken from my RA console (dozens of Virus alerts triggered buy module IMON)?
How come Eset saying to disable IMON is not risky, when more than 95% of worm attacks are detected by IMON in my firm?

 

Hi Angelo, they are saying it is not risky because the resident scanner AMON will spring into action upon detection of a virus...

Hope this helps.

Cheers

 

IMON alerts say "attack from computer 213.22.xxx.xxx - Win32/Exploit.DCOM worm" for example
AMON will not "spring into action" upon this, am I wrong?

Thanks,

 

Only on the infected PC that should also have Nod installed on it.

 

Sorry Blackspear, but I don't understand your words. You wrote "Only on the infected PC". Only on the infected PC, what? Amon will not be triggered? If this is what you meant, why won't it "spring", please?

I must say 40% plus of our computers are laptops. When they are "inside" our LAN, no problem. When people brings them home, next day the Remote administrator console displays lots of warnings. But those are only attacks, and IMON reports for action "connection terminated".

Do you think those computers are all infected with virus or worms?

Right know, I also have those warnings, and I think my desktop computer is not infected... Please take a look at the log

Time   Module   Object   Name   Virus   Action   User   Info
18/03/2004 20:57:59   IMON   Attack   source: 195.23.108.76   Win32/Lovsan worm   connection terminated      
18/03/2004 20:43:20   IMON   Attack   source: 195.23.96.111   Win32/Lovsan worm   connection terminated      
18/03/2004 20:27:17   IMON   Attack   source: 195.23.108.17   Win32/Lovsan worm   connection terminated      
18/03/2004 19:51:18   IMON   Attack   source: 195.23.96.21   Win32/Lovsan worm   connection terminated      
18/03/2004 19:19:48   IMON   Attack   source: 195.23.108.205   Win32/Lovsan worm   connection terminated      
18/03/2004 18:55:31   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated      
18/03/2004 18:55:17   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated      
18/03/2004 18:55:11   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated      
18/03/2004 18:31:37   IMON   Attack   source: 195.23.108.165   Win32/Lovsan worm   connection terminated      

Your help is greatly appreciated.


Note:
Sorry for my poor English... please "try" to understand me.
Feel free to ask me to write you in perfect Portuguese

 

You have Lovsan on your network, your machines are not up-to-date with Windows, see: http://vil.nai.com/vil/content/v_100547.htm

I would suggest updating Windows on every machine, running a scan with Nod32 fully up-to-date on EVERY PC, and make sure EVERY PC connected to your network has Nod32 installed on it.

Hope this helps...

Cheers

 

No my dear Blackspear, no chance for lovesan here

All machines have DCOM patched with all M$ updates, of course including the oldies MS03-026 and later MS03-039. Actually our computers are *all* up to date with M$ patches. Also no msblast here.

NOD32 virus logs never found lovesan. It's only IMON reporting attacks.

Back to my question, it is for me hard to understand why Eset writes "disable IMON, its not risky when you don't have e-mail". How will I be protected from those attacks?

Best regards,

 

If you are up to date on your patches, then... no.. you currently don't need it.. However, there will be more features to IMON than mail scanning and exploit detection. When did you get that advice? The exploit-detection is still somewhat new.

Also, on a local network it shouldn't be as important.. however.. that raises another important question... in your screen capture, all clients have local IP-adresses... Can they be reached from the outside? If not, it's a machine with access to your local LAN that is sending the attacks.

Double-click the alert, and check which IP is shown as "Source" in the "Name" column.. if that's a local machine, find it!

Best regards,
Anders

 

As I wrote previously in this thread, 40% plus of our computers are laptops. When they are "inside" our LAN, no problem. When people brings them home, next day the Remote Administrator console displays lots of warnings.

> When did you get that advice?
Maybe I don't understand this question. What advice? To quit IMON?
This was from an e-mail ESET sent to the Portuguese reseller.
If you mean when do I get those warnings, laptops outside my network, (when they are at home) are exposed, receive the attacks, and RA reports them on the console next time they are connected to the network.

> Can they be reached from the outside?
Not a chance. They don't have a public address, and I have the firewall (obviously) between the internet and the network. It's a Linux box, also with qmail and KAV checking and relaying e-mail to my Lotus Domino server.

The attacks always come from the outside, not 192.168.xxx.xxx

So I think it is heedless to receive, from Eset:
"since you don't use any mail client on the server, it's not risky."
But does IMON only protect a computer from evil e-mails? What
about worm attacks? Say someone wilth a laptop will connect to my network an infected machine. Will AMON be enough?

Best Regards,

 

Ah, my bad.

At the moment, IMON does two things. Scans POP3 traffic, and detects some exploits used by worms. If a computer is vulnerable to some "packet exploit", AMON will probably not be enough, since the worm code would most likely be injected directly into memory.

I do not know which, or how many exploits are detected, however, if you have the latest security updates from Microsoft, you are not vulnerable to the attacks that IMON detects, so.. with the latest updates, disabling IMON should not make you more vulnerable. However, in the future, there might for example be a protection added for an exploit there is no patch for yet...

Before, however, IMON only scanned POP3-traffic. Back then, there was no risk in disabling it.

Personally, I suggest that (nowadays) IMON is always enabled for most users. If you don't want it to scan emails, just disable the mail scanning, but leave the rest of it running.

Best regards,
Anders

 

Easy to say. My servers with hyperthreading enabled are rebooting
randomly. Event ID: 6008 the previous system shutdown at hh:mm:ss was unexpected.
Between installing another AV and disabling IMON, I go for the second.
What would you do before ESET comes out with a fix?

 

Disable IMON of course.

Also make sure that Eset has as much information about the problem as possible.

Send them (support@nod32.com) a detailed description of the problem, including the NOD32 information (NOD32 Control Center -> NOD32 System Tools -> Information), and the log from Belarc Advisor (http://www.belarc.com) or some similar program.

You should also make sure that you have the latest version.. if you are able to test it, uninstall nod32, restart, and download the version available on the website, install it, and restart again. If possible, also try changing the compatibility level for IMON (NOD32 Control Center -> IMON -> Setup -> Setup)

Best regards,
Anders

 

Looks like we studied in the same school

Eset is aware about this hyperthreading problem.
I sent them Belarc's Computer Profile Summary (where did heard you about this usefull tool?)
I have the latest version, no doubt
I stepped down Imon to Maximum compatibility and even excluded
everything extra like HB Anywhere (Fiber channel), Power path (Fail-over
and load balacing), and Navisphere (Agent to dialog with my DAS (CX600).
Anyway they are aware. They wrote:
/"we have discovered that the problem occurs on multiprocessor systems (mostly server editions with DC) running NOD32 with IMON enabled. The only workaround is either to disable the Hyper-threading feature in BIOS, or turn off IMON if you don't use it for checking email until we come out with afix."/

I have done this and I started this thread to know how risky it would be not to have Imon enabled.

Thank you *Very Much*

 

Hi all,
to whom having the problem with lsass and random reboots on multiprocessor or HT-based systems - please contact support@nod32.com for a fixed version of imon.dll

 

Nearly 3 weeks and Event ID: 6008 (The previous system shutdown at <time> on <date> was unexpected) is over. So far so good.
Will this imon.dll be included (or was it already included) in a future program component upgrade?

Regards,