I’ve been using Avast 4.6 (on dial up) for some time now but on Friday I got connected to broadband (plusnet) and now I keep getting the scanner message ‘DCOM Exploit - attack from 84.93.143.166:135/tcp’.
I never had this message before I connected to broadband.
Network Shield: blocked “DCOM Exploit” - attack from 81.178.115.162:135/tcp
are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.
Strange that you get that warning if really running XP SP2 firewall?
In earlier XP versions, SP1 or even earlier the windows ICF firewall was not enabled by default !!!
The appearance of the DCOM-exploit warning just after connection to the internet is not unusual, because a lot of legit traffic is taking place then (like update processes) so that the firewall has opened several ports.
If your windows is updated (security patches !), you have nothing to fear - if not, Avast takes care.
Sygate was bought by Symantec. In fact, we’re talking from now on about a Symantec product.
You can follow your own forum what the users thought about this.
I can’t recommend Sygate anymore
Sygate was bought by Symantec. In fact, we're talking from now on about a Symantec product.
You can follow your own forum what the users thought about this.
I can't recommend Sygate anymore
You have told your opinions so many times Tech. Sure the message is heard.
I never even recommended Sygate 5.6, but 5.5 is good, whatever versions. That is if you are not using local proxies, WebShield excluded. At least when staying away from IE.
So I am not recommending to download free version or to buy Pro from above, but sure instead links in Sygate forum that is not mine, LOL.
It is weird that you started that bashing on me Tech?
And giving your prejudiced opinions instead of facts.
Sure I called you ignorant in one of your messages when you had used SPF so long with proxy software, never bothered to learn the firewall enough to have noticed that loopback issue before.
Actually I tell why I don't use SPF 5.6. It is just cause of that DCOM warning from Avast. I tried that version and once it was late starting.
This might apply to Nicolas, cause he told in his reply that it is normal to see that warning when starting the system. To me it is not normal.
About earlier Sygate 5.5 versions, before 5.5.2710 and a few others, it was so that when the firewall service was not loaded, no internet connection was possible, they changed it in later versions so that it is not so in free version. But with 5.5.2710 I have never seen this DCOM warning.
This might apply to Nicolas, cause he told in his reply that it is normal to see that warning when starting the system. To me it is not normal.
Well, I said “not unusual”. Especially in cable networks there are many infected computers causing this. When the computer is starting up there is already traffic with the main server to establish the connection. The firewall has to allow at least some legit traffic to make the internet connection possible at all. Unfortunately, malware then uses the same ports. You can see that on the traffic and security logs.
I can’t recommend a specific firewall, because I did not compare them in detail. The Sygate free product offers a lot of very useful features, usually not available in other free versions.
No Jarmo. I’m not bashing nobody. See this is a thread from Charmed. The user asked my suggestions about firewalls.
You jump here to defend the company you work for. I’m just an avast! user.
For me, you work with opinions. I work with my facts, the ones happened in my computer and my own experience.
You jump here to defend the company you work for. I'm just an avast! user.
No Tech, where did you get that idea?
I am just a Sygate free firewall user. Same as with Avast.
Though I wish sometimes they had given me a Pro version if they had thought my posts in that forum had helped anyone
Even Mats in that forum, Super Moderator is just a product user.
Sometimes I suspect RedJack working for them, cause he has sometimes posts that hint knowing a little what goes behind software.
You are as welcome to post there as me, though they don’t accept much criticism about the product. Even some threads were removed cause of that Symantec takeover complaints. Just a fellow hint. That forum is not as free in opinions as this one. Still there are good people who help if having problems, which is rare with many other firewalls. To my long gone Norman firewall, the support was non existent.
Do you really think you can call me ignorant?
You were that time you found out about loopback proxy issue.
Nicolas
I do recommend you that if you are using SPF 5.6 and even once experience the DCOM warning from Avast Network Shield that you go back to SPF 5.5. Just hope there is free version available, if you need one, to be found in posts with a keyword search.
Jarmo, I had the same experience with these DCOM warnings with Sygate versions 5.5 and 5.6. People using Avast with other firewalls, report this too. All cases concern Win2k.
Avast loads very early, before the firewall. I could change that, but in my opinion the AV has most priority. The firewall opens several ports for initial traffic (like 137 and 138 for TCP) which may not be safe without AV. But DCOM uses port 135.
It would be best if both AV and firewall would be integrated in the OS, but we have to do with separate programs. How could the firewall block all ports before it is loaded (as you said) ?
This priority of either AV or firewall is certainly a problem. If AV goes first, this would imply that the system has no functioning firewall until it is fully loaded. Could it be that your experience depends on XP, which firewall blocks at least incoming traffic ?
Jarmo, I had the same experience with these DCOM warnings with Sygate versions 5.5 and 5.6. People using Avast with other firewalls, report this too. All cases concern Win2k.
This is news to me. Thanks. I did not also expect those warnings to come with SP2 firewall.
But I use only Sygate 5.5 so I have no early protection from that SP2 firewall.
Needless to say, if it ever happens to me with 5.5.2710 I go back to SPF earlier version if I still have the installation file saved
I never suspected that problem to be there for 5.5.2710 ???
There are only those users that use some program like Avast’s network shield that are even aware there might be problems with firewall late starting. But I never heard the same problem was there with 2710 ??? You did not install 5.5 on top of 5.6, but did an uninstall first I hope?
How could the firewall block all ports before it is loaded (as you said) ?
I am not technically competent to give you an answer ‘how’. But if you go to Options(Security window of Sygate, there is greyed out and unchecked the options ‘Block all traffic while the service is not loaded’ and checked the box ‘allow initial traffic’. In free version.
But an earlier build, maybe 5.5.2516 did not allow internet at all, if smc.exe was not running. Some even complained about that feature, LOL.
It was an undocumented good feature.
Edit
I just uninstalled 2710 and installed 2516. There was not that behaviour I remembered. Maybe 2710 had made some more permanent changes in my windows registry or it was another build.
So now back to 2710.
But sure they removed that feature to be able to sell the Pro version
It depends what product you’ll install sooner - if firewall driver allows a packet, av driver will check it (av driver will identify the attacks if firewall didn’t have a clever network-ids).
It would be best if both AV and firewall would be integrated in the OS, but we have to do with separate programs. How could the firewall block all ports before it is loaded (as you said) ?
It doesn’t matter if firewall was integrated to the system or it’s a 3rd party product, their drivers are loaded with OS - same way when fw would be integrated in the OS.
Firewalls control all traffic - even if network drivers are not loaded, OS is not able to receive/send any packets; so it’s safe, all ports are “blocked” than all network drivers are loaded.
My idea was that possibly the later Sygate version disables the inbuilt XP firewall; maybe for compatibility reasons ?
The Sygate firewall is a typical product for the corporate network, computers running 24/7 and often Win2k Pro. Then startup problems are not a hot issue.
It doesn't matter if firewall was integrated to the system or it's a 3rd party product, their drivers are loaded with OS - same way when fw would be integrated in the OS.
But the startup sequence is a serial process, one after the other. It must be possible to configure this in such way that a temporary vulnerability is avoided. Unfortunately, this is not the case.
Only the last few days I also found DCOM-exploit during normal service: port 135 TCP was opened by an unknown process (remote 3882, 3404, 4970, all from the same infected computer inside the cable network). I have to find out why this happens.
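An added example, not part of the original thread and not avast! code: a small parser for Network Shield messages in the form quoted above, counting blocked attacks per source address to check whether repeated warnings come from one host. The sample lines are constructed, and reading the trailing `135/tcp` as port and protocol is an assumption.

```python
import re
from collections import Counter

# Message shape quoted in the thread:
#   Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
# Assumption: the text after the address is port/protocol. Any quote style is
# accepted around the attack name, and a "." before the port is tolerated
# because hand-copied lines sometimes carry it.
LINE_RE = re.compile(
    r"blocked\s+[\"'“‘](?P<name>[^\"'”’]+)[\"'”’]\s*-\s*attack from\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})[:.](?P<port>\d{1,5})/(?P<proto>tcp|udp)",
    re.IGNORECASE,
)

def parse_line(line):
    """Return (attack_name, source_ip, port, proto), or None if not a valid alert."""
    m = LINE_RE.search(line)
    if not m:
        return None
    port = int(m.group("port"))
    if any(int(o) > 255 for o in m.group("ip").split(".")) or not 0 < port < 65536:
        return None  # reject impossible addresses or ports instead of counting them
    return (m.group("name"), m.group("ip"), port, m.group("proto").lower())

def count_by_source(lines):
    """Count valid alerts per (source_ip, port, proto)."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            hits[parsed[1:]] += 1
    return hits

def repeat_sources(lines, threshold=2):
    """Source addresses seen at least `threshold` times, most frequent first."""
    per_ip = Counter()
    for (ip, _port, _proto), n in count_by_source(lines).items():
        per_ip[ip] += n
    return [ip for ip, n in per_ip.most_common() if n >= threshold]

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE = [
    'Network Shield: blocked "DCOM Exploit" - attack from 192.0.2.10:135/tcp',
    'Network Shield: blocked "DCOM Exploit" - attack from 192.0.2.10:135/tcp',
    "Network Shield: blocked 'DCOM Exploit' - attack from 198.51.100.7.135/tcp",
    'Network Shield: blocked "DCOM Exploit" - attack from 192.0.2.10:135/tcp',
    "Update completed successfully",
    'Network Shield: blocked "DCOM Exploit" - attack from 999.1.1.1:135/tcp',
]

if __name__ == "__main__":
    print(count_by_source(SAMPLE).most_common(), repeat_sources(SAMPLE))
```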