SQL Slammer and DrWeb

Discussion in 'LnS English Forum' started by Mongol, Nov 15, 2004.

Thread Status:
Not open for further replies.
  1. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I have been using Look N Stop for 3 years now and been a very happy camper. DrWeb and I became software friends about 11/2 years ago. Both are terrific programs but it seems that occasionally when I open DrWebs scanner it will find SQL Slammer and remove it. This ends up killing the firewall. I have tried adding the Look N Stop driver to DrWebs exclude list which seems to help reduce these hits a bit but they still occasionally happen. Any suggestions out there?. Maybe shut down the firewall for a minute before opening the scanner?. Whatever it is it seems to be memory resident. o_O
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Could you explain what happens exactly when "This ends up killing the firewall" ?
    Do you get an application crash ? or the application is just stopped as if you manually stopped it ?
    What happens if you set a password ? is the application also killed ?

    Thanks,

    Frederic
     
  3. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Sorry I couldnt get back sooner but I was called into work on short notice. What happens is that DrWeb does a memory scan when you open the scanner and occasionally I get the message that DrWeb has eradicated SQL Slammer when it sweeps the Look N Stop.exe. I put the driver in the ignore list. After this happens the firewall closes down. Kinda weird eh?. I havent tried setting a password is that an option?.
     
  4. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Frederic, I may of found the solution to the problem myself. The driver I added to DrWeb's exclude list was the LookNStop.exe in the Windows prefetch folder. It just dawned on me shouldnt it be the lnsfw1.exe in the Windows/system32 drivers folder?. o_O
     
  5. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Not sure to understand your last sentence. Is there still an issue ?

    Frederic
     
  6. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Mongol,

    The LooknStop.exe in the Windows prefetch folder, is not the actual LnS exe. It just helps Windows to load LnS faster. The looknstop.exe you should probably be adding to the exclude list is the one in the LnS Program Folder (eg. C:\Program Files\Soft4Ever\loonstop\looknstop.exe)
     
  7. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    To Frederic and Defenstration, yes I finally found the correct exe file to add to the exclude list. No more of those win32 sql slammer has been eradicated messages...finally. Thanks for your help - all is running well here. Just waiting for the next crisis.... :D
     
  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Glad to hear you've sorted the problem.
     
  9. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    The saga continues. To clarify what happens, when DrWeb does a memory scan such as when you open the program or it does its weekly scan it pops up with the message "LnS win32sql.slammer eradicated" and the program in the task bar crashes. The firewall is still running in my task manager though so it doesnt kill the firewall. I have the Look N Stop exe in the exclude list. Any ideas on how to make this annoying behavior stop??. Both programs are so good I hate to have to make a choice which may have to go..... o_O
     
  10. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    I don't understand why Look 'n' Stop is detected by DrWeb as "LnS win32sql.slammer".
    Did you contect DrWeb support to have an explanation about that ? and also why the exclude list doesn't work ?

    I don't think something can be done at the Look 'n' Stop level :(

    Frédéric
     
  11. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I am puzzled too. I wonder if I should add the lnsfw1 driver to the exclude list? Anyway, I did send DrWebs customer support folks an email and will let you know how it goes. Yah never know when someone else may have this happen to them eh?. :cool:
     
  12. shorty1

    shorty1 Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    97
    Location:
    Vermont
    I have no explanation but something is weird because I have used Dr Web and Look N Stop together for close to two years with no problems at all. In that time I have used both with many different configurations but have never seen what you describe. I have to believe it is something unique to your computer/setup. Have you tried, for troubleshooting purposes, temporarily disabling the memory scan in Dr Web to see if that stops the problem?
    You're using xp, I assume? Also, what are the scan settings in SpiDer Guard i.e. are you using "Smart" scan?
    Maybe try uninstalling/reinstalling one or both of the programs ( if you haven't already)
     
  13. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
  14. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I do have XP and use smart scan settings. It only comes up when the scanner is opened and it does memory scan. It happens occasionally, not always. I emailed DrWeb to pick their brains but have heard nothing back yet. I really like both programs and this is more of a nuisance than anything. When sql slammer is eradicated it knocks LnS out on the task bar but the firewall is still running as indicated in task manager...very odd..o_O
     
  15. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    My ultimate solution may be to just disable the memory scan eh?, I'll see what response I get from the Dr's office... :eek:
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Interesting, Dr.Web after all this time still detecting Looknstop.exe as Win32.SQL.Slammer.376 :rolleyes:
     

    Attached Files:

  17. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi
    I recently began using LNS, but have been using Dr Web since the beginning of the year, and I have not seen those results.
    As a side note of information (not comparing programs here).... another reliable firewall strongly suggests that ANY AV be instructed NOT to scan their firewall folder (name witheld to prevent any flaming)...lol :D
    So I decided to check, and I attach my 'exclude" list for Dr Web.
    As you will notice, I have excluded not only the parent folder, but also all sub-folders.
    In Dr. Web Scanner Settings...>paths, the same folders and sub-folders are replicated.
    If the above does not work, can you set the "settings" in the scanner to "report" only, and send the file to Dr. Web here so that they can check it and update their databases, not to find it in the future.
    Shorty is more adept with the inner workings of Dr. Web as he has helped me in the past.
    I hope this helps... just my meager input. :doubt:
    Cheers :)
     

    Attached Files:

    Last edited: Oct 2, 2005
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    You would not reproduce those results if you using exclude feature anyways, but who’s to say I’m (or all the others) in favour of using exclude feature.

    I know if I’m developer of the product, and it is legit, and I know about reports of AV systems detecting my legit software as viruses ‘I’ would be quick enough to take actions and get whatever removed and save future users from annoyances/scares…

    As for ‘another reliable firewall strongly suggests that ANY AV be instructed NOT to scan their firewall folder’, any developer suggests to exclude their products installed location are condoning opening user to probable infection in the future, and especially if in reference to firewall products.
    ;)
     
  19. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    I will NOT argue or disagree with your logic... I see your point and concur. :D
    My suggestions were of a trouble shooting process. If after excluding, it didn't detect it, then using the reports feature and sending it off to Dr. Web for them to do the analysis and in future updates of their databases it would not happen again.
    IMHO it would seem to be prudent for the user to prevent it happening on a temporary basis, until a response is provided by Dr. Web.
    I apologize if I was misunderstood. :blink:
    Cheers :)
     
Thread Status:
Not open for further replies.