Imon is or is not important?

Discussion in 'NOD32 version 2 Forum' started by angelo_lopes, Mar 17, 2004.

Thread Status:
Not open for further replies.
  1. angelo_lopes (Registered Member; joined Mar 6, 2004; 145 posts; Porto, Portugal)

    At my firm, some servers started rebooting randomly. Event Viewer reads: Event ID: 6008 The previous system shutdown at h:mm:ss AM on d/mm/yyyy was unexpected.

    Since Eset does not reply to the questions I pose on their support web form, I asked their reseller, and they replied to him:

    we have discovered that the problem occurs on multiprocessor systems (mostly server editions with DC) running NOD32 with IMON enabled. The only workaround is either to disable the Hyper-threading feature in BIOS, or turn off IMON if you don't use it for checking email until we come out with a fix.

    since you don't use any mail client on the server, it's not risky. I
    estimate we will come out with a fix within next week.

    Not risky? o_O What do you say about this screenshot taken from my RA console (dozens of virus alerts triggered by module IMON)?
    How come Eset says disabling IMON is not risky, when more than 95% of the worm attacks in my firm are detected by IMON?
     

    Attached file: ra.JPG
  2. Blackspear (Global Moderator; joined Dec 2, 2002; 15,115 posts; Gold Coast, Queensland, Australia)

    Hi Angelo, they are saying it is not risky because the resident scanner AMON will spring into action upon detection of a virus...

    Hope this helps.

    Cheers :D
     
  3. angelo_lopes (Registered Member; joined Mar 6, 2004; 145 posts; Porto, Portugal)

    IMON alerts say "attack from computer 213.22.xxx.xxx - Win32/Exploit.DCOM worm", for example.
    AMON will not "spring into action" upon this, am I wrong?

    Thanks,
     
  4. Blackspear (Global Moderator; joined Dec 2, 2002; 15,115 posts; Gold Coast, Queensland, Australia)

    Only on the infected PC that should also have Nod installed on it.
     
  5. angelo_lopes (Registered Member; joined Mar 6, 2004; 145 posts; Porto, Portugal)

    Sorry Blackspear, but I don't understand your words. You wrote "Only on the infected PC". Only on the infected PC, what? Amon will not be triggered? If this is what you meant, why won't it "spring", please?

    I must say 40% plus of our computers are laptops. When they are "inside" our LAN, no problem. When people bring them home, the next day the Remote Administrator console displays lots of warnings. But those are only attacks, and IMON reports the action as "connection terminated".

    Do you think those computers are all infected with virus or worms?

    Right now, I also have those warnings, and I think my desktop computer is not infected... Please take a look at the log:

    Time   Module   Object   Name   Virus   Action   User   Info
    18/03/2004 20:57:59   IMON   Attack   source: 195.23.108.76   Win32/Lovsan worm   connection terminated      
    18/03/2004 20:43:20   IMON   Attack   source: 195.23.96.111   Win32/Lovsan worm   connection terminated      
    18/03/2004 20:27:17   IMON   Attack   source: 195.23.108.17   Win32/Lovsan worm   connection terminated      
    18/03/2004 19:51:18   IMON   Attack   source: 195.23.96.21   Win32/Lovsan worm   connection terminated      
    18/03/2004 19:19:48   IMON   Attack   source: 195.23.108.205   Win32/Lovsan worm   connection terminated      
    18/03/2004 18:55:31   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated      
    18/03/2004 18:55:17   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated      
    18/03/2004 18:55:11   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated      
    18/03/2004 18:31:37   IMON   Attack   source: 195.23.108.165   Win32/Lovsan worm   connection terminated      

    Your help is greatly appreciated.


    Note:
    Sorry for my poor English... please "try" to understand me.
    Feel free to ask me to write you in perfect Portuguese :)
     
  6. Blackspear (Global Moderator; joined Dec 2, 2002; 15,115 posts; Gold Coast, Queensland, Australia)

    You have Lovsan on your network, your machines are not up-to-date with Windows, see: http://vil.nai.com/vil/content/v_100547.htm

    I would suggest updating Windows on every machine, running a scan with Nod32 fully up-to-date on EVERY PC, and making sure EVERY PC connected to your network has Nod32 installed on it.

    Hope this helps...

    Cheers :D
     
  7. angelo_lopes (Registered Member; joined Mar 6, 2004; 145 posts; Porto, Portugal)

    No my dear Blackspear, no chance for Lovsan here :)

    All machines have DCOM patched with all M$ updates, of course including the oldies MS03-026 and later MS03-039. Actually our computers are *all* up to date with M$ patches. Also no msblast here.

    NOD32 virus logs never found Lovsan. It's only IMON reporting attacks.

    Back to my question: it is hard for me to understand why Eset writes "disable IMON, it's not risky when you don't have e-mail". How will I be protected from those attacks?

    Best regards,
     
  8. anders (Eset Staff Account; joined Oct 25, 2002; 410 posts)

    If you are up to date on your patches, then... no, you currently don't need it. However, there will be more features in IMON than mail scanning and exploit detection. When did you get that advice? The exploit detection is still somewhat new.

    Also, on a local network it shouldn't be as important. However, that raises another important question: in your screen capture, all clients have local IP addresses. Can they be reached from the outside? If not, it's a machine with access to your local LAN that is sending the attacks.

    Double-click the alert, and check which IP is shown as "Source" in the "Name" column. If that's a local machine, find it!

    Best regards,
    Anders
     
  9. angelo_lopes (Registered Member; joined Mar 6, 2004; 145 posts; Porto, Portugal)

    As I wrote previously in this thread, 40% plus of our computers are laptops. When they are "inside" our LAN, no problem. When people bring them home, the next day the Remote Administrator console displays lots of warnings.

    > When did you get that advice?
    Maybe I don't understand this question. What advice? To quit IMON?
    This was from an e-mail ESET sent to the Portuguese reseller.
    If you mean when I get those warnings: laptops outside my network (when they are at home) are exposed, receive the attacks, and RA reports them on the console the next time they are connected to the network.

    > Can they be reached from the outside?
    Not a chance. They don't have a public address, and I have the firewall (obviously) between the internet and the network. It's a Linux box, also with qmail and KAV checking and relaying e-mail to my Lotus Domino server.

    The attacks always come from the outside, not from 192.168.xxx.xxx.

    So I think it is heedless to receive, from Eset:
    "since you don't use any mail client on the server, it's not risky."
    But does IMON only protect a computer from evil e-mails? What
    about worm attacks? Say someone with a laptop connects an infected machine to my network. Will AMON be enough?

    Best Regards,
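    The triage Anders suggests above (look at the "source:" address in each IMON alert and decide whether it is a machine inside the LAN or an outside host) can be scripted against the RA log format shown earlier in this thread. The following is an added example, not code from the original posts or from Eset; it embeds the attack rows quoted above as sample input, plus one constructed row with a private 192.168.x.x source so the local/external split is exercised. Field separation on two or more spaces and the `source: <ip>` pattern are assumptions based on how the log appears in the thread.

```python
import ipaddress
import re
from collections import Counter

# Sample IMON log as shown in the thread (header plus "Attack" rows), with one
# constructed row (192.168.10.42) added to represent an alert from inside the LAN.
SAMPLE_LOG = """\
Time   Module   Object   Name   Virus   Action   User   Info
18/03/2004 20:57:59   IMON   Attack   source: 195.23.108.76   Win32/Lovsan worm   connection terminated
18/03/2004 20:43:20   IMON   Attack   source: 195.23.96.111   Win32/Lovsan worm   connection terminated
18/03/2004 18:55:31   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated
18/03/2004 18:55:17   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated
18/03/2004 18:55:11   IMON   Attack   source: 195.23.109.214   Win32/Lovsan worm   connection terminated
18/03/2004 18:31:37   IMON   Attack   source: 195.23.108.165   Win32/Lovsan worm   connection terminated
19/03/2004 09:12:05   IMON   Attack   source: 192.168.10.42   Win32/Lovsan worm   connection terminated
"""

# The "Name" column of an IMON attack alert reads "source: <ip>" (assumed format).
SRC_RE = re.compile(r"source:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_imon_log(text):
    """Return one dict per IMON 'Attack' row; header, blank and malformed rows are skipped."""
    records = []
    for line in text.splitlines():
        # Columns in the exported log are separated by runs of two or more spaces.
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 6 or fields[1] != "IMON" or fields[2] != "Attack":
            continue
        match = SRC_RE.search(fields[3])
        if not match:
            continue
        try:
            ipaddress.ip_address(match.group(1))  # drop rows with an unparsable address
        except ValueError:
            continue
        records.append({
            "when": fields[0],
            "source": match.group(1),
            "virus": fields[4],
            "action": fields[5],
        })
    return records


def is_local_source(ip_text):
    """True when the source is an RFC 1918 / other private address, i.e. a LAN host."""
    return ipaddress.ip_address(ip_text).is_private


def summarize(records):
    """Count alerts per source, split into local (inside the LAN) and external hosts."""
    per_source = Counter(r["source"] for r in records)
    local = {ip: n for ip, n in per_source.items() if is_local_source(ip)}
    external = {ip: n for ip, n in per_source.items() if not is_local_source(ip)}
    per_virus = Counter(r["virus"] for r in records)
    terminated = sum(1 for r in records if r["action"] == "connection terminated")
    return {
        "local": local,
        "external": external,
        "per_virus": dict(per_virus),
        "terminated": terminated,
    }


if __name__ == "__main__":
    summary = summarize(parse_imon_log(SAMPLE_LOG))
    # A non-empty "local" dict is the case Anders describes: an infected machine on the LAN.
    for ip, count in sorted(summary["local"].items(), key=lambda kv: -kv[1]):
        print(f"LOCAL    {ip:<16} {count} alert(s) - find this machine")
    for ip, count in sorted(summary["external"].items(), key=lambda kv: -kv[1]):
        print(f"EXTERNAL {ip:<16} {count} alert(s)")
    print("blocked connections:", summary["terminated"], "by signature:", summary["per_virus"])
```

    Run as-is it prints one line per source, local hosts first; on a real export, any address in the local group is the machine to pull off the network and scan, while repeated external hits from a laptop's home connection match the pattern Angelo describes.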
     
  10. anders (Eset Staff Account; joined Oct 25, 2002; 410 posts)

    Ah, my bad.

    At the moment, IMON does two things. Scans POP3 traffic, and detects some exploits used by worms. If a computer is vulnerable to some "packet exploit", AMON will probably not be enough, since the worm code would most likely be injected directly into memory.

    I do not know which, or how many, exploits are detected; however, if you have the latest security updates from Microsoft, you are not vulnerable to the attacks that IMON detects, so with the latest updates, disabling IMON should not make you more vulnerable. However, in the future, there might for example be protection added for an exploit there is no patch for yet...

    Before, however, IMON only scanned POP3-traffic. Back then, there was no risk in disabling it.

    Personally, I suggest that (nowadays) IMON is always enabled for most users. If you don't want it to scan emails, just disable the mail scanning, but leave the rest of it running.

    Best regards,
    Anders
     
  11. angelo_lopes (Registered Member; joined Mar 6, 2004; 145 posts; Porto, Portugal)

    Easy to say. My servers with hyperthreading enabled are rebooting
    randomly. Event ID: 6008 the previous system shutdown at hh:mm:ss was unexpected.
    Between installing another AV and disabling IMON, I go for the second.
    What would you do before ESET comes out with a fix?
     
  12. anders (Eset Staff Account; joined Oct 25, 2002; 410 posts)

    Disable IMON of course. :)

    Also make sure that Eset has as much information about the problem as possible.

    Send them (support@nod32.com) a detailed description of the problem, including the NOD32 information (NOD32 Control Center -> NOD32 System Tools -> Information), and the log from Belarc Advisor (http://www.belarc.com) or some similar program.

    You should also make sure that you have the latest version. If you are able to test it: uninstall NOD32, restart, download the version available on the website, install it, and restart again. If possible, also try changing the compatibility level for IMON (NOD32 Control Center -> IMON -> Setup -> Setup).

    Best regards,
    Anders
     
  13. angelo_lopes (Registered Member; joined Mar 6, 2004; 145 posts; Porto, Portugal)

    :) Looks like we studied in the same school :)

    Eset is aware of this hyperthreading problem.
    I sent them Belarc's Computer Profile Summary (where did you hear about this useful tool?).
    I have the latest version, no doubt.
    I stepped IMON down to maximum compatibility and even excluded
    everything extra like HB Anywhere (Fibre Channel), PowerPath (fail-over
    and load balancing), and Navisphere (agent to talk to my DAS (CX600)).
    Anyway, they are aware. They wrote:
    "we have discovered that the problem occurs on multiprocessor systems (mostly server editions with DC) running NOD32 with IMON enabled. The only workaround is either to disable the Hyper-threading feature in BIOS, or turn off IMON if you don't use it for checking email until we come out with a fix."

    I have done this and I started this thread to know how risky it would be not to have Imon enabled.

    Thank you *Very Much*
     
  14. Marcos (Eset Staff Account; joined Nov 22, 2002; 14,374 posts)

    Hi all,
    to anyone having the problem with lsass and random reboots on multiprocessor or HT-based systems: please contact support@nod32.com for a fixed version of imon.dll.
     
  15. angelo_lopes (Registered Member; joined Mar 6, 2004; 145 posts; Porto, Portugal)

    Nearly 3 weeks and Event ID: 6008 (The previous system shutdown at <time> on <date> was unexpected) is over. So far so good.
    Will this imon.dll be included (or was it already included) in a future program component upgrade?

    Regards,
     