I have been using Avast for more than a year now and have never had this happen before. Every 30 minutes or so, regardless of what I am doing on my laptop, a message will come up saying that a DCOM exploit was stopped.
A bit of background info may be of use:
The laptop was recently infected with Vundo
With the help of a kind member at MBAM forums we think we managed to sort it out with Combofix
Following the virus removal, AntiMalwareBytes deep scan comes back clean, and…
Windows Defender scan comes back clean, and…
Spybot Search and Destroy comes back clean (apart from a couple of relatively harmless cookies sometimes), and…
Avast deep scan and boot scan come back clean (apart from what I have been told is a false positive in C:\hp\bin\endprocess.exe)
Combofix scan comes back clean
I have since made the following alterations/additions:
Installed Online Armour firewall (and disabled windows firewall)
Installed Spyware Guard
Removed all old versions of Java and updated to latest
Added MVPS hosts file list
Updated all software mentioned above
Any ideas what may be causing it? What can I do to stop it from happening?
Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield, ideally the firewall should block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.
Yes, but if you read the quote from DavidR, it appears that avast! beats the firewall to it...at least that is how I understand it.
So if you turn on your router firewall, you won't see this?
A good firewall shouldn’t be ‘beaten’ by an AV. (or its setup is faulty)
Or does the OP use AIS…? As he doesn’t refer to which program pops up with this message…
Is it avast after all…??
asyn
Won’t make a blind bit of difference as it doesn’t stop the external attempt (which the network shield will detect, if not done by the firewall) as this is an internal tool.
Or maybe avast! is just that good
I presume that in OA, you could create a rule that blocks that port completely. That would do it I suppose…or the router firewall might, as Pondus suggests?
Or does the OP use AIS..? As he doesn't refer to which program pops up with this message...
Is it avast after all..??
asyn
I'd guess either Free or Pro...since the OP says they have Online Armour installed.
The order things would run would I guess be down to windows and may or may not have to do with which was installed first, but it is a bit like black magic as there doesn’t appear to be any reasoning in it.
Blocking the port in OA would be the same as using decombobulator, since avast is getting in first it would alert before the OA block (or decombobulator) got a look in.
@ Mark2234
If you have avast 4.8 I would suggest now would be a good time to update to avast 5.0, if you already have avast 5.0 then, all I can suggest is that you leave OA installed and do a clean reinstall of avast:
This assumes you are using the free version of avast - Download the latest version of avast, 5.0.594 http://www.avast.com/free-antivirus-download and save it to your HDD, somewhere you can find it again (if you didn’t save your last download). Use that when you reinstall.
Download the avast! Uninstall Utility, aswClear5.exe find it here and save it to your HDD (it has uninstall tools for both 4.8 and 5.0).
1. Now uninstall (using add remove programs, if you can’t do that start from the next step), reboot.
2. Run the avast! Uninstall Utility from safe mode, first for 4.8 if previously installed and then for 5.0, once complete reboot into normal mode.
3. Install the latest version, reboot.
Thanks for your input everyone, and sorry for the delayed reply! Unexpectedly busy the last couple of days.
Anyway, I had the latest Avast, the free version currently (as well as all windows updates which I think I forgot to mention). I have uninstalled via David’s instructions and reinstalled. I will let you know if the DCOM exploit warnings continue!
Direct into the cable modem. I had used a router with FW in the past, but not right now. I will get hold of one and see if it makes any difference. Will it interfere with Online Armor? Or vice versa?
Everything is right here. You can get DCOM popups even with FW installed.
I’ll shortly describe how it’s possible: avast (in all versions Free/Pro/IS) contains a network driver module which detects network exploits (Blaster/Sasser/… viruses). This module behaves like a firewall (it scans some incoming network packets, blocks all dangerous packets or passes them to the system) - see, behavior is the same as most firewalls behave. Now if you install a software firewall, you have two drivers which scan network traffic - and now it depends how both applications are installed, because one of them will scan network packets sooner. If avast → you’ll receive a DCOM popup, otherwise installed FW will block it anyway.
Network traffic path can be described as follows: [Internet] → computer’s network card → avast driver → firewall driver → [Web browser in Windows].
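The driver ordering described in the post above, modelled as an added example (not part of the original post and not avast or firewall code). The driver functions, packet tags and the use of TCP port 135 as the DCOM/RPC port are assumptions made for the illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction dst_port tag")
Verdict = namedtuple("Verdict", "drop alert")

RPC_PORT = 135  # assumption: DCOM/RPC endpoint mapper port probed by Blaster-style worms

def network_shield(pkt):
    # Signature-style driver: drops the packet AND raises a user-visible alert.
    if pkt.direction == "in" and pkt.dst_port == RPC_PORT and pkt.tag == "dcom-probe":
        return Verdict(True, "DCOM exploit stopped")  # constructed alert text
    return Verdict(False, None)

def firewall(pkt):
    # Policy driver: silently drops unsolicited inbound traffic.
    # The "reply" tag stands in for a stateful connection-table lookup.
    if pkt.direction == "in" and pkt.tag != "reply":
        return Verdict(True, None)
    return Verdict(False, None)

def deliver(pkt, chain):
    """Walk the driver chain in order; the first driver that drops ends the walk."""
    seen_by, alerts = [], []
    for name, driver in chain:
        seen_by.append(name)
        verdict = driver(pkt)
        if verdict.alert:
            alerts.append(f"{name}: {verdict.alert}")
        if verdict.drop:
            return {"delivered": False, "dropped_by": name,
                    "seen_by": seen_by, "alerts": alerts}
    return {"delivered": True, "dropped_by": None,
            "seen_by": seen_by, "alerts": alerts}

# The two possible stackings of the same pair of drivers.
SHIELD_FIRST = [("avast", network_shield), ("firewall", firewall)]
FIREWALL_FIRST = [("firewall", firewall), ("avast", network_shield)]

# Constructed sample packets.
PROBE = Packet("in", RPC_PORT, "dcom-probe")  # unsolicited inbound probe
REPLY = Packet("in", 49152, "reply")          # answer to an outbound request

if __name__ == "__main__":
    for label, chain in (("avast first", SHIELD_FIRST), ("firewall first", FIREWALL_FIRST)):
        print(label, deliver(PROBE, chain))
```

In both orderings the probe is dropped before it reaches Windows; the only difference is which driver sees it first, and therefore whether a popup appears.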
@ pk
Whilst your comment “Everything is right here. You can get DCOM popups even with FW installed.” is entirely correct, it is a pain in the rear and scares the horses when it is fired, where a standard firewall wouldn’t trigger an alarming alert message.
Is there any way to reverse this order in the case of a third party firewall driver ending up behind the network shield driver?
Either that or don’t display the DCOM exploits, etc. in the network shield or give the user the option (as was in avast 4.8) for the network shield to be silent. Though obviously not for all alerts, such as the malicious url alert.
This would be the same way as a software firewall doesn’t display any pop-up unless you put it into some sort of paranoid mode.
yes, it’s possible, but it’s quite complex and there’re some interop issues with other network applications (ad blockers, etc)
Either that or don't display the DCOM exploits, etc. in the network shield or give the user the option (as was in avast 4.8) for the network shield to be silent.
There should be a checkbox to suppress showing that exploit popup window next time.