Discussion in 'LnS English Forum' started by Frederic, Nov 12, 2004.
Is EVID4226 the workaround for running P2P-applications using the WinXP-SP2?
FO5_xx is for Copycat type detection.
If some of the FOx_yy are missing, perhaps it's because the ActivatedSoon flag is not enabled.
Another possibility is: no checks were performed yet in the driver against possible usage of the vulnerabilities. You should try to start Copycat to see if FO5_xx is appearing or not in the console, or start PCAudit2 to get some FO4_xx.
Thanks. The second case is the cause.
After starting copycat and pcaudit v6 after windows startup and then asking for the driver logs, I get
So the pcaudit driver fails as expected, since my WinInet.dll is updated to latest patch. The "cumulative IE updates" starting from February 8th update the WinInet.dll to versions that make the pcaudit driver fail.
Hmm. Who tried simply downgrading this file? Would that break my system?
My WinInet.dll version is 6.0.2900.2861 (3 Mar 2006) and I have FO4_Ok in my driver logs. So maybe the problem is fixed?
Well, EVID4226 controls how many half-open connections there are. (WinXP2)
In WinXP, WinXPSP1, there is no defined half-open limit, maybe 16M connections.
But in WinXPSP2, its default value is tight, only 10.
Many P2P applications want to open as many as possible to "exchange" information,
so... a half-open connection limit of 10 is not enough.
Interesting, it wasn't working a while ago, but it's working just fine now. Perhaps a Windows Update? This does leave concerns about patching the file to allow something through.
Yes this is interesting
Thanks for the report.
wininet 6.0.2900.2904 (10 May 2006)
...and the problem still returns...
Sometimes MS updates like to change the connections back to 10. So you may have to run EVID4226 again if you aren't getting the same P2P performance all of a sudden. But be sure to never set it higher than 100. More than 100 can be a security risk and anything higher is not needed.
Yep. Now audit 2 is blocked again. I tested version 4.01 and version 6.33.
My wininet.dll is from the cumulative Internet Explorer update from the June patch day (6.0.2900.2904 - 10.05.2006). It blocks the test and in the console it displays UFO4_OK.
Again the line just displays in the console after having started the audit2 leaktest. It wouldn't be displayed otherwise (and my computer is freshly set up).
Great that Microsoft (wanted or unwanted) solved your problem. I hope that you didn't spend too much development time on this one.
BTW, wininet.dll (6.0.2900.2861 - 04.03.2006) was released on April 11th, monthly patch day.
Strange that alfa1 hasn't the same result with the same wininet.dll version. Or might the copycat protection be disabled otherwise on his computer?