Various bugs

Discussion in 'ESET Smart Security v4 Beta Forum' started by qzex, Nov 30, 2008.

Thread Status:
Not open for further replies.
  1. qzex

    I found a few bugs in this beta.

    Firstly, the new (I think it's new) SSL protocol scanning thing. When I was entering my advanced setup tree, I chose (under "Antivirus and Antispyware"/"Protocol filtering"/"SSL") "Always scan SSL protocol (excluded and trusted certificates will remain valid)", and "Ask about certificate validity" for both of the others. When I tried to reach an SSL encrypted site, Firefox displayed "Secure Connection Failed (Error code: sec_error_unknown_issuer)". This happened to me for every secure site I went onto. After a while I realized it was ESS and I disabled the SSL protocol filtering.

    EDIT: Here is an image of Firefox.
    http://img141.imageshack.us/my.php?image=sslfailub7.png


    Secondly, the SysInspector thing. I'm not really sure what it's intended to guide for, but to my knowledge it shows Windows-required processes and other software-required entries as high as Risk Level 6. Here is a list of some that I'm pretty sure are valid:

    "SECTION" = "Running Processes" ( 6: Unknown ) ;
    "Process" = "svchost.exe" 504 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; Generic Host Process for Win32 Services ; Microsoft Corporation ;
    "Module" = "c:\windows\system32\sens.dll" ( 6: Unknown ) ; System Event Notification Service (SENS) ; Microsoft Corporation ;
    "Process" = "csrss.exe" 1148 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
    "Module" = "\??\C:\WINDOWS\system32\csrss.exe" ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
    "Process" = "lsass.exe" 1236 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; LSA Shell (Export Version) ; Microsoft Corporation ;
    "Module" = "C:\WINDOWS\system32\LSASRV.dll" ( 6: Unknown ) ; LSA Server DLL ; Microsoft Corporation ;
    "Process" = "spoolsv.exe" 1896 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; Spooler SubSystem App ; Microsoft Corporation ;
    "Module" = "C:\WINDOWS\system32\SPOOLSS.DLL" ( 6: Unknown ) ; Spooler SubSystem DLL ; Microsoft Corporation ;

    "SECTION" = "Network Connections" ( 6: Unknown ) ;
    "SUBSECTION" = "UDP Connections" ( 6: Unknown ) ;
    "lsass.exe" = "0.0.0.0:500" 1236 ; ( 6: Unknown ) ; LSA Shell (Export Version) ; Microsoft Corporation ;
    "lsass.exe" = "0.0.0.0:4500" 1236 ; ( 6: Unknown ) ; LSA Shell (Export Version) ; Microsoft Corporation ;

    "SECTION" = "Important Registry Entries" ( 6: Unknown ) ;
    "SUBSECTION" = "Shell Execute Hooks" ( 6: Unknown ) ;
    "Key" = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" ( 6: Unknown ) ;
    "Multimedia File Property Sheet" = "mmsys.cpl" {00022613-0000-0000-C000-000000000046} ; ( 6: Unknown ) ; Control Panel Drivers Applet ; Microsoft Corporation ;
    "SUBSECTION" = "Log files" ( 6: Unknown ) ;
    "Key" = "HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\its" ( 6: Unknown ) ;
    "Microsoft InfoTech Protocols for IE 4.0" = "C:\WINDOWS\system32\itss.dll" {9D148291-B9C8-11D0-A4CC-0000F80149F6} ; ( 6: Unknown ) ; Microsoft® InfoTech Storage System Library ; Microsoft Corporation ;
    "Key" = "HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its" ( 6: Unknown ) ;
    "Microsoft InfoTech Protocols for IE 4.0" = "C:\WINDOWS\system32\itss.dll" {9D148291-B9C8-11D0-A4CC-0000F80149F6} ; ( 6: Unknown ) ; Microsoft® InfoTech Storage System Library ; Microsoft Corporation ;

    "SECTION" = "Services" ( 6: Unknown ) ;
    "System Event Notification" = "c:\windows\system32\sens.dll" Automatic ; Running ; ( 6: Unknown ) ; System Event Notification Service (SENS) ; Microsoft Corporation ;

    "SECTION" = "Drivers" ( 6: Unknown ) ;
    "dmboot" = "c:\windows\system32\drivers\dmboot.sys" Disabled ; Stopped ; ( 6: Unknown ) ; NT Disk Manager Startup Driver ; Microsoft Corp., Veritas Software ;
    "Msfs" = "c:\windows\system32\drivers\msfs.sys" System ; Running ; ( 6: Unknown ) ; Mailslot driver ; Microsoft Corporation ;
    "TCP/IP Protocol Driver" = "c:\windows\system32\drivers\tcpip.sys" System ; Running ; ( 6: Unknown ) ; TCP/IP Protocol Driver ; Microsoft Corporation ;
    "Microsoft WINMM WDM Audio Compatibility Driver" = "c:\windows\system32\drivers\wdmaud.sys" Manual ; Running ; ( 6: Unknown ) ; MMSYSTEM Wave/Midi API mapper ; Microsoft Corporation ;

    "SECTION" = "File Details" ( 6: Unknown ) ;
    "File" = "c:\windows\system32\csrss.exe" ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
    "File" = "c:\windows\system32\drivers\dmboot.sys" ( 6: Unknown ) ; NT Disk Manager Startup Driver ; Microsoft Corp., Veritas Software ;
    "File" = "c:\windows\system32\drivers\msfs.sys" ( 6: Unknown ) ; Mailslot driver ; Microsoft Corporation ;
    "File" = "c:\windows\system32\drivers\tcpip.sys" ( 6: Unknown ) ; TCP/IP Protocol Driver ; Microsoft Corporation ;
    "File" = "c:\windows\system32\drivers\wdmaud.sys" ( 6: Unknown ) ; MMSYSTEM Wave/Midi API mapper ; Microsoft Corporation ;
    "File" = "c:\windows\system32\itss.dll" ( 6: Unknown ) ; Microsoft® InfoTech Storage System Library ; Microsoft Corporation ;
    "File" = "c:\windows\system32\lsasrv.dll" ( 6: Unknown ) ; LSA Server DLL ; Microsoft Corporation ;
    "File" = "c:\windows\system32\mmsys.cpl" ( 6: Unknown ) ; Control Panel Drivers Applet ; Microsoft Corporation ;
    "File" = "c:\windows\system32\sens.dll" ( 6: Unknown ) ; System Event Notification Service (SENS) ; Microsoft Corporation ;
    "File" = "c:\windows\system32\spoolss.dll" ( 6: Unknown ) ; Spooler SubSystem DLL ; Microsoft Corporation ;


    Thirdly, when I rebooted my computer after I installed the beta and configured my settings, it started an in-depth scan of my entire system. The only on-demand scan I saw in the scheduler was on Tuesday, and today is Sunday. Might just be a quirk in my PC or a bug in ESS.


    Fourthly, when I was downloading an EICAR test file, Firefox downloaded a file of 0 bytes and ESS displayed an alert, which was what I expected. However, ESS displayed the alert three or four more times until it stopped. Also, when I downloaded the "eicarcom2.zip" which is the Eicar test file buried in two layers of ZIP, ESS also displayed an alert but Firefox downloaded the entire 308 bytes, and the file was still on my desktop until I unzipped it and ESS deleted it (without notification, I might add). I find this rather strange.

    Fifthly, when I opened the personal firewall log, it refreshed every time a new alert was detected. As the personal firewall log was loaded with "Detected DNS cache poisoning attack" 's which were apparently a bug from ESS3, and I was also downloading something, it kept trying to refresh a huge (3 MB at least) file and eventually I had to use the Task Manager to end it. I know this isn't specific to ESS4 but I felt I would just file it under my general bug report here.

    Finally, I noticed that none of the top antiviruses I tried would detect malicious batch file execution. This is also not specific to ESS4 but a general statement.
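
The SysInspector lines quoted in the post above follow a regular layout, so they can be parsed for triage. This is an added example, not part of the thread and not ESET code: `parse_log` and `files_to_verify` are hypothetical names, and the layout is inferred only from the lines on this page. It assumes the trailing description and company fields are descriptive labels rather than proof of origin, so the output is a deduplicated list of on-disk paths to verify independently (signature or known-good hash), not a verdict.

```python
import re

# Lines copied from the log in the first post; only this layout is assumed.
SAMPLE_LOG = r'''
"SECTION" = "Running Processes" ( 6: Unknown ) ;
"Process" = "csrss.exe" 1148 ; NT AUTHORITY\SYSTEM ; ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
"Module" = "\??\C:\WINDOWS\system32\csrss.exe" ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
"SECTION" = "Network Connections" ( 6: Unknown ) ;
"SUBSECTION" = "UDP Connections" ( 6: Unknown ) ;
"lsass.exe" = "0.0.0.0:500" 1236 ; ( 6: Unknown ) ; LSA Shell (Export Version) ; Microsoft Corporation ;
"SECTION" = "Drivers" ( 6: Unknown ) ;
"dmboot" = "c:\windows\system32\drivers\dmboot.sys" Disabled ; Stopped ; ( 6: Unknown ) ; NT Disk Manager Startup Driver ; Microsoft Corp., Veritas Software ;
"SECTION" = "File Details" ( 6: Unknown ) ;
"File" = "c:\windows\system32\csrss.exe" ( 6: Unknown ) ; Client Server Runtime Process ; Microsoft Corporation ;
'''

HEAD = re.compile(r'^"([^"]+)"\s*=\s*"([^"]*)"(.*)$')      # "key" = "value" rest
RISK = re.compile(r'\(\s*(\d+)\s*:\s*([^)]*?)\s*\)')        # ( 6: Unknown )
PATH = re.compile(r'^(?:\\\?\?\\)?([a-z]:\\.+)$', re.IGNORECASE)

def parse_log(text):
    """Return one dict per item line; SECTION/SUBSECTION lines only set context."""
    entries, section, sub = [], None, None
    for raw in text.splitlines():
        m = HEAD.match(raw.strip())
        if not m:
            continue
        key, value, rest = m.groups()
        if key == "SECTION":
            section, sub = value, None
        elif key == "SUBSECTION":
            sub = value
        elif (risk := RISK.search(rest)):
            # Fields after the risk marker: description, then company (a label only).
            tail = [f.strip() for f in rest[risk.end():].split(";") if f.strip()]
            entries.append({"section": section, "subsection": sub, "key": key,
                            "value": value, "risk": int(risk.group(1)),
                            "label": risk.group(2),
                            "company": tail[-1] if len(tail) > 1 else None})
    return entries

def files_to_verify(entries, min_risk=6):
    """Unique file paths at or above min_risk, NT-style prefix stripped, case folded."""
    paths = set()
    for e in entries:
        m = PATH.match(e["value"])
        if m and e["risk"] >= min_risk:
            paths.add(m.group(1).lower())
    return sorted(paths)
```

The same file appears under several sections in the post (process, module, file details), so deduplicating by normalized path shows how few distinct files actually need checking.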
     
  2. doktornotor

    You need to export the ESET_RootSslCert certificate from certmgr.msc Trusted Root CA store and import it manually to FF. Otherwise it won't work.

    No idea whether there's an API that'd make importing certificates into FF from third-party apps available.
     
  3. qzex

    Okay, I've done that. All the new SSL encrypted sites I open are fine. However, when I open an SSL encrypted site I opened before I imported the certificate, Firefox reports another issue: Secure Connection Failed (Error code: sec_error_reused_issuer_and_serial)
    http://img175.imageshack.us/img175/4087/sslfail2kh7.png
     
  4. doktornotor

    NFC... I consider the entire handling of insecure/invalid/whatnot certificates in FF3 just horrible.

    Can you find the offending certificates in FF and delete them and try again?
     
  5. qzex

    Okay, now the SSL Encryption check succeeds. However, now there is another problem that seems to be specific to Yahoo Mail. I tried several other SSL Encryption checks and they all succeeded, and PayPal also seems to give me a secure connection. However, I go to Yahoo Mail, and all I get is a blank screen. I've deleted the offending certificates but it still fails. Any idea why?
    (Note: Internet Explorer fails too.)
     
  6. doktornotor

    I don't use Yahoo, sorry. Maybe someone else.
     