NOD32 suddenly messing up outgoing HTTP requests?

Discussion in 'ESET NOD32 Antivirus' started by Sunfox, Feb 7, 2008.

Thread Status:
Not open for further replies.
  1. Sunfox

    Sunfox Registered Member

    I noticed just in the last couple of hours that I'm having trouble with outgoing requests to websites. If I fill out a form, about 75% of the time not all of the form elements will make it to the server, and instead I get an error about missing data. I run my own site, so I was able to actually check into this, and most of the time not all of the parameters are making it to the server.

    I also now get occasional broken images on webpages; I've seen an advertisement IFrame that said "Method not implemented", and in my website's error logs I see the occasional line such as:

    Thu Feb 7 00:09:58 2008] [error] [client #.#.#.#] Invalid method in request FGET /images/background.gif HTTP/1.1

    ...However if I disable NOD32 (621) everything works perfectly. I've enabled/disabled it several times now to confirm what's causing the problem. Since I haven't seen this before I suspect it might have been caused by the last update (2854)?

    Any suggestions?
     
  2. Marcos

    Marcos Eset Staff Account

    Could you provide us with an example of a website where this problem is occurring?
     
  3. Sunfox

    Sunfox Registered Member

    I've noticed it mostly on my own site, which is the one I spend the most time on and would prefer not to give out right now, but I do have further information:

    1) It happens in IE7 but not Firefox.

    2) It only appears to happen on POST forms. It does not happen on all forms all the time; it's hard to figure out why.

    3) I can fix the problem by turning off HTTP checking in NOD32.

    4) I can fix the problem by placing an X on the Internet Explorer line in programs (however it occurs whether ticked or unticked).

    5) Generally the first item in the form is garbled/missing, for example on script.cgi?name=Bob&country=USA the program would only receive "USA" and not "Bob".

    6) The IFRAME problem with "bad method" or "FGET" only occurs on pages generated following a bad form submission.

    7) I've found that I can fix the problem (at least it seems to be fixed) by changing the ENCTYPE on these POST forms to "multipart/form-data". Normally they have no specific ENCTYPE named.
     
  4. Sunfox

    Sunfox Registered Member

    More information:

    If I add a "dummy" value to the beginning of the form then I can get the rest submitted - however I noticed that on my favorite test page (favorite because it's guaranteed to cause the error) the very last character of the form input is a question mark. Which is URL-encoded to %3F. And when I submit the form using the dummy value, what I get back of the good data ends in no question mark, but instead just %3.

    Remember how I mentioned the error lines about "FGET"? I think that's where the "F" is coming from - the end of %3F is somehow getting mangled into the next HTTPD request. And I think that's what's happening to the beginning... perhaps the first character of a POST form is being dropped or corrupted.
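
The symptoms reported in this thread (first form field lost, value ending in %3, next request logged as FGET) can be reproduced with a small framing model. This is an added example, not code from the thread or from ESET. It assumes one possible corruption, a single stray byte placed ahead of the POST body while Content-Length stays unchanged, which the thread does not establish as the actual cause; the host, path, field names and byte streams are constructed.

```python
from urllib.parse import parse_qs

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def split_requests(stream: bytes):
    """Frame a keep-alive byte stream the way a server does: headers up to
    CRLFCRLF, then exactly Content-Length body bytes, then the next request."""
    out, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        method = lines[0].split(" ", 1)[0]
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        body_start = head_end + 4
        body = stream[body_start:body_start + length].decode("latin-1")
        out.append({"method": method, "valid_method": method in KNOWN_METHODS,
                    "fields": parse_qs(body)})
        # Anything past Content-Length bytes is treated as the next request.
        pos = body_start + length
    return out

# Constructed sample traffic (not captured from the thread).
BODY = b"name=Bob&country=USA&q=why%3F"
HEAD = (b"POST /script.cgi HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n")
NEXT = b"GET /images/background.gif HTTP/1.1\r\nHost: example.test\r\n\r\n"

CLEAN = HEAD + BODY + NEXT
# Assumed corruption: one stray byte ahead of the body, Content-Length unchanged.
DAMAGED = HEAD + b"X" + BODY + NEXT

if __name__ == "__main__":
    for label, stream in (("clean", CLEAN), ("damaged", DAMAGED)):
        for req in split_requests(stream):
            print(label, req)
```

On the damaged stream the server-side view loses the `name` key, sees `q` end in `%3`, and reads the leftover `F` as the start of the next request line, so a method outside the known set on a keep-alive connection is a useful log signal for this kind of framing mismatch.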
     