  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
4 edits | DrWeb FP shuts down 8signs firewall
I thought I'd try it to see what it was about, and yes I'd seen the posts from about a year ago about the FPs. But, supposedly most were fixed. This was D/L'd just yesterday from the official site.
However, I had no idea that seconds after opening the program it'd detect my 8signs firewall and kill it without so much as a "howdy ma'am". Worse, I have 8signs password-protected, and set to ask before shutdown...so how it was just shut down without a peep is a bit unnerving and rude.
Thankfully, it didn't actually delete it, or I would have been super-PO'd. It just killed the running process for the firewall which is DFW.exe.
Made me click the disconnect for the DSL about as fast as you can imagine as I was online at the time. 
Just to be sure, I upped my DFW.exe to VirusTotal, and oddly, their DrWeb found it clean. Perhaps they had newer definitions, but since mine was just downloaded..and they say it is current..I had no expectations of any hinkiness.
This was with 8signs 2.3 and DrWeb v.4.33.2 on 98SE.
Suffice it to say, it won't be used again here..eesh.
-CaFF
*edited for the typo*
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
uid1307457 Premium join:2005-12-30 Tempe, AZ
1 edit | so what's the hacker program in the first picture used for?
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
said by uid1307457: so what's the hacker program in the first picture used for?
What hacker program? There isn't one.
I did mess up on the name of the virus scan website..it's VirusTotal, not totalscan. IDK where I got that name from, tired I guess.
One screenshot is of the »www.virustotal.com/ results showing my firewall exe is clean, one is of the DrWeb program showing my firewall being "disinfected" and shut down.
If you've never heard of 8signs..well here: »www.8signs.com
It used to be the Conseal firewall..very well known.
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
reply to uid1307457
VirusTotal Listing of Software Used
Ah, I see what you were alluding to...that's listed on »www.virustotal.com/en/virustotalf.html on the list..top right:
Hacksoft (The Hacker) »www.hacksoft.com.pe/
I don't know that program, bad description I guess. The site isn't in English as it's South American software..perhaps someone knows? I doubt that a legit site like VirusTotal would use something bad though.
I can see why it might raise eyebrows. 
-CaFF
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
  HA Nut Premium join:2004-05-13 USA
reply to caffeinator
I am a pretty big booster of Dr. Web CureIT as a backup scanner. In many ways, it is a unique program: a complete, self-contained malware scanner that's under 4MB. MUCH more powerful than, say, McAfee's Stinger.
But since I use it as a backup, I always have it set to Report on whatever it finds, not set to Cure (which is the default). I want to decide how it handles anything it may find (which is what I do with my regular scanner). Over time, Dr. Web has been known to be a bit aggressive and has had a fair number of FPs. But I believe that they are working to prevent them. I don't remember the 8signs FP from before, but you might send them an email and alert them to it.
To be fair, all AVs have FPs from time to time. So Dr. Web isn't alone...
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
1 edit | Well yes, I was intending to try it as a backup scanner myself.
It had done nicely finding the WMF and other issues, and I wanted to see where it was at now.
It's actually a pretty good product for detections, but when it starts up and within seconds has killed my password-protected firewall process without a notice of any kind..I'm a wee bit annoyed. 
I had no ability to configure it to Report..it had scanned my running processes and killed the firewall's process before I had barely seen the GUI load. Every Anti-Whatever I've ever used since F-Prot for DOS gave options on how to treat a discovery..NOT act blindly on their own.
If it had been some non-vital prog like HyperSnap-DX it had killed, I wouldn't have bothered to post. But mistaking a well-known firewall's executable for a SQL Slammer infection...on a 98SE box with no SQL?
That's just irresponsible, IMO.
-CaFF
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
HA Nut Premium join:2004-05-13 USA
If it was during the pre-scan, that would certainly be unacceptable to me too! I'd email a copy of the DFW.exe file to them and complain!!!
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
CureIT Startup Dialog
Yep, that's what I was thinking too.
I tried finding info. from their forums, but the only search result was in Russian, which I don't know. Babelfish translation was of little help either.
The current cureIT is one file, that when run, shows the dialog I am posting...scan, or cancel. If I pick scan, I'm serving broiled 8signs. 
I submitted the following support email, and attached the CureIt.log showing what happened. Hopefully, they will get back to me. I'll post if they do.
email to DrWeb support:
Hello,
I tried your Dr. Web CureIT product intending it to be a backup scanner to see how my regular AV was doing its job, but to my dismay, as soon as it launched, it killed my 8signs firewall's process! (DFW.exe)
There are only scan or cancel as options; if I choose scan, my firewall is terminated. There was no warning, no way to cancel the action.
I have a thread located on dslreports.com about it: »DrWeb FP shuts down 8signs firewall
That thread has the detailed information, as well as screenshots.
This was with 8signs 2.3 and DrWeb CureIT v.4.33.2 on 98SE. I'm attaching the log as well.
Your online scanners do not detect my 8signs executable as an infection, but the CureIT does as Win32.SQL.Slammer.376, and kills it, leaving my computer vulnerable as I'm on DSL.
I hope this can be remedied, as the last FP I saw about this was two years ago and it shouldn't still be happening.
Thanks,
Mark J.
-CaFF
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
  Technodrome
join:2003-05-20 BH
reply to caffeinator
said by caffeinator: I thought I'd try it to see what it was about, and yes I'd seen the posts from about a year ago about the FPs. But, supposedly most were fixed. This was D/L'd just yesterday from the official site. However, I had no idea that seconds after opening the program it'd detect my 8signs firewall and kill it without so much as a "howdy ma'am". Worse, I have 8signs password-protected, and set to ask before shutdown...so how it was just shut down without a peep is a bit unnerving and rude. Thankfully, it didn't actually delete it, or I would have been super-PO'd. It just killed the running process for the firewall which is DFW.exe. Made me click the disconnect for the DSL about as fast as you can imagine as I was online at the time. Just to be sure, I upped my DFW.exe to VirusTotal, and oddly, their DrWeb found it clean. Perhaps they had newer definitions, but since mine was just downloaded..and they say it is current..I had no expectations of any hinkiness. This was with 8signs 2.3 and DrWeb v.4.33.2 on 98SE. Suffice it to say, it won't be used again here..eesh. -CaFF *edited for the typo*
I run DrWeb here and 8signs firewall. DrWeb is not flagging dfw.exe as infected by Win32.Slammer. I am behind a router which blocks inbound connections.
I think what's happening here (and I guess you are not behind a router) is DrWeb picking up a set of bytes in the log file that are similar to the signature of Win32.Slammer and reporting it as infected. I've seen this happen with other antivirus programs. It only does this when dfw.exe is active in memory.
Your best bet is to exclude dfw.exe from any future scans.
tD
 Fredra Undesirable Alien
join:2000-04-08 Nepean, ON
·Rogers Hi-Speed
reply to caffeinator
Hi caffeinator
You could send the information to Dr. Web to get their response. »support.drweb.com/request/
Just a suggestion. Cheers
-- The Endless
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
said by Fredra: Hi caffeinator You could send the information to Dr. Web to get their response. »support.drweb.com/request/ Just a suggestion. Cheers :)
Actually, I already did :) Here are the results.
It's a confirmed FP, and they updated the database to show it.
I had a logfile with a Total virus records: 116893
If you have that in your latest entry in your c:\DoctorWeb\CureIt.log then it's the database that isn't updated yet.
The new version updated today is at »download.drweb.com/drweb+cureit/
It's working fine now as long as the firewall isn't loaded or I'm not connected..basically they can't tell the difference between stuff in the firewall's buffer, and behavior of the real Slammer. Must be a packet-filter thing...
Here's pertinent info. from the support tickets (there were several):
Date: 2006-04-23 20:00:29  Who: Ilyas Khasyanov  Action, new status: Add comment, User response needed
Data: Virus analysts confirmed that it is a false alarm.
Please download again Dr.WEB CureIt! with updated virus database.
Date: 2006-04-23 21:07:23  Who: Pavel Ershov  Action, new status: Add comment, User response needed
Data: Win32.SQL.Slammer is a small Internet worm that affects Microsoft SQL Server 2000. To get into victim machines the worm exploits a buffer overrun vulnerability. The worm sends multicast packets. The worm is memory only, and it spreads from an infected machine's memory to a victim machine's memory. The worm does not drop any additional files and does not manifest itself in any way.
In your case it turns out that packets with worm code get into the receive buffer of your firewall. The memory scanner cannot know whether this code is really running or is "dead cargo" in the address space of your firewall. So, if worm code is found in the memory of a process, that process (containing the code) will be cured by the scanner.
Workaround:
- empty (clear) the cache of your firewall, or
- unload the firewall before the memory check by the scanner.
Anyways, I've spent too much time on this, hope it was useful to someone. :)
Peace,
CaFF
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
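The memory-scanner behaviour the support reply describes, as an added example that is not from this thread or from Dr.Web: a toy scanner that matches a constructed placeholder signature against a simulated process map, contrasting a scanner that flags a hit anywhere in memory (which "cures" a firewall merely holding a worm packet in its receive buffer) with one that treats a hit found only in non-executable data as something to report rather than act on. The region names, signature bytes and buffer contents are all constructed, and the executable-versus-data heuristic is this example's, not a description of how Dr.Web's scanner works.

```python
from dataclasses import dataclass
from typing import List

# Constructed placeholder signature for this example; not bytes of any real worm.
SIGNATURE = b"\xde\xad\xbe\xef-TOY-SIG-"

@dataclass
class Region:
    """One mapping in a simulated process address space."""
    name: str
    executable: bool  # could the CPU ever run bytes from this mapping?
    data: bytes

def find_hits(region: Region, signature: bytes) -> List[int]:
    """Offsets of every occurrence of signature inside region.data."""
    hits, start = [], 0
    while (i := region.data.find(signature, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits

def naive_classify(regions: List[Region], signature: bytes) -> str:
    """A scanner that matches bytes anywhere in memory: any hit means 'infected',
    so a worm packet sitting in a firewall's receive buffer gets the firewall killed."""
    return "infected" if any(find_hits(r, signature) for r in regions) else "clean"

def region_aware_classify(regions: List[Region], signature: bytes) -> str:
    """Heuristic added by this example: a hit in an executable mapping is
    'infected'; a hit only in non-executable data is 'suspicious-data' and
    should be reported, not cured. Dr.Web did not describe its scanner this way."""
    verdict = "clean"
    for r in regions:
        if find_hits(r, signature):
            if r.executable:
                return "infected"
            verdict = "suspicious-data"
    return verdict

def firewall_process(packet_payload: bytes) -> List[Region]:
    """Constructed map of a packet-filtering firewall: a code section and a
    heap receive buffer that holds the last inbound UDP payload verbatim."""
    return [
        Region(".text", True, b"\x55\x8b\xec\xc3" * 32),         # placeholder code
        Region("recv-buffer", False, b"udp:" + packet_payload),  # raw packet bytes
    ]

if __name__ == "__main__":
    buffered_worm = firewall_process(SIGNATURE + b"\x00" * 16)
    print(naive_classify(buffered_worm, SIGNATURE), region_aware_classify(buffered_worm, SIGNATURE))
```

With the signature only in the receive buffer the naive scanner says "infected" while the region-aware one says "suspicious-data", which is the difference between a Cure default and a Report default that the earlier post recommends.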
 sheiny
join:2005-03-13 Turlock, CA
said by caffeinator: It's working fine now as long as the firewall isn't loaded or I'm not connected..basically they can't tell the difference between stuff in the firewall's buffer, and behavior of the real Slammer. Must be a packet-filter thing...
Good work, Caff. It sounds to me that you have discovered an important vulnerability in DrWeb. That is, certain packets can convince DrWeb to disable your firewall. When this happens is your connection still active? (DoS)
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
1 edit | said by sheiny: Good work, Caff. It sounds to me that you have discovered an important vulnerability in DrWeb. That is, certain packets can convince DrWeb to disable your firewall. When this happens is your connection still active? (DoS)
I have 8signs set to block all traffic when the FW isn't running.
If there's a fault, really, it's that cureIT can't properly detect Slammer. Even after getting today's update, it still kills it about half the tries I did.
If you guys wish to test further, go ahead:
»www.8signs.com »download.drweb.com/drweb+cureit/
I'm not going to worry about it. I'd bet it's because this box is 98SE and they hate antiques. 
-CaFF
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein