Network Shield: blocked “DCOM Exploit” - attack from 81.178.115.162:135/tcp
What does this mean, and do I do anything about it, or does the fact that it is being blocked mean I’m OK? I’ve had it several times since logging onto the internet 15 minutes ago. I’ve never seen that particular message before.
Further information - I’m running the Kerio firewall which should be blocking this without Avast coming up with error messages. And I have seen the other strand but because I am already running a firewall I am concerned about this issue.
The RPC/DCOM exploit is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.
And Avast has blocked that access. If you do not yet have a firewall, I strongly suggest you get one.
PS: and please use the search function prior to asking. This one has been answered already several times.
Sorry Vlk I’m out of my depth here I have no idea how you check for that in the free edition of the Kerio firewall. I’ve had a look round it but I have no idea where to look! I have set it to deny all incoming intrusions.
OK I have run a full system scan with Avast, no viruses found. I had it set to high with scan archives checked. I then scanned with Spybot and Ad Aware, both found a few cookies but nothing more.
I rather think that if Avast is continually coming up with these alerts when I am online they are coming into the computer rather than going out from it. If Avast is blocking them as it obviously is, is it possible to turn these alerts off and if so would it be reasonable to do so? Avast would let me know at once anyway if something tried to run which had something it recognised as a virus.
As far as the Kerio firewall is concerned it is definitely working, I just don’t know why it’s not blocking this and what it is.
Also it seems to be happening almost every time I click on a link which suggests something to do with the server connection to my ISP. I am wondering if I should report this to them in case it’s a hacker.
If, as is often the case, your arrangement with your ISP is that you’re disconnected after however-long of inactivity, any chance it’s just them checking whether you’re currently active?
Gillie, if our driver is loaded before the firewall’s, we see the exploit first and thus display these warning messages. You can switch them off in the Network Shield provider. In all cases, when you see it, the possible attack is detected and stopped. So there’s no need to be nervous.
In answer to your first question, no I have an unlimited broadband account - there’s no time limit for being online.
In answer to the second point - how do I switch off the alerts? I’m perfectly happy that Avast is blocking these, great to have a little extra protection. I just don’t want these pop ups all the time.
I think the server is certainly doing something, what I don’t know but if Avast is protecting me - which it is - I don’t really need to know about it unless I have a virus of some kind:)
Not that nervous, I’ve been using puters since the early 1990s, have had my own since January 2001 and teach how to use Avast over at VU. I just wanted to be sure what this was before I switched something off I shouldn’t:) and I went all over the program last night but couldn’t see how to switch off the alerts and still have the network shield protection which is what I want to do. In fact I couldn’t find any access to the network shield at all.
OK for me that was right click on the Avast ball, left click on On Access Protection Control, click on Network Shield, click on Customise and uncheck warning messages. I left the logs checked so that I’ll have some way of tracking these alerts.
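For anyone keeping the logs switched on as in the post above, here is an added example (not from the thread or from Avast) that tallies blocked alerts per source address. It assumes the log lines carry the same alert text as the thread title; the timestamps and every address except the first are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Alert text format taken from the title of this thread; that the Network
# Shield log file uses exactly this layout is an assumption.
ALERT_RE = re.compile(
    r'Network Shield: blocked [“"](?P<name>[^”"]+)[”"] - attack from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})/(?P<proto>tcp|udp)'
)

# Constructed sample log (only the first address appears in the thread).
SAMPLE_LOG = """\
2004-01-01 10:00:01 Network Shield: blocked “DCOM Exploit” - attack from 81.178.115.162:135/tcp
2004-01-01 10:00:09 Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
2004-01-01 10:02:30 Network Shield: blocked "DCOM Exploit" - attack from 192.0.2.44:135/tcp
2004-01-01 10:03:12 Network Shield: blocked "DCOM Exploit" - attack from 198.51.100.7:135/tcp
2004-01-01 10:05:47 Network Shield: blocked "DCOM Exploit" - attack from 192.0.2.44:135/tcp
2004-01-01 10:06:00 On-access scanner started
2004-01-01 10:07:15 Network Shield: blocked "DCOM Exploit" - attack from 999.0.2.1:135/tcp
"""

def parse_alerts(text):
    """Return (alerts, skipped): parsed alerts and the count of unusable lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            skipped += bool(line.strip())   # ignore blank lines entirely
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])   # rejects octets above 255
        except ValueError:
            skipped += 1
            continue
        alerts.append({"name": m["name"], "ip": str(ip),
                       "port": int(m["port"]), "proto": m["proto"]})
    return alerts, skipped

def summarize(alerts):
    """Count alerts per source address and per (alert name, port, protocol)."""
    by_source = Counter(a["ip"] for a in alerts)
    by_service = Counter((a["name"], a["port"], a["proto"]) for a in alerts)
    return by_source, by_service

if __name__ == "__main__":
    parsed, skipped = parse_alerts(SAMPLE_LOG)
    by_source, by_service = summarize(parsed)
    print(f"{len(parsed)} alerts, {skipped} lines skipped")
    for ip, count in by_source.most_common():
        print(f"{ip:15} {count}")
```

Many different sources each appearing a few times is what unsolicited inbound probing looks like, which matches the replies above that these are incoming connections being stopped.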
Gillie, if our driver is loaded before the firewall's, we see the exploit first and thus display these warning messages. You can switch them off in the Network Shield provider. In all cases, when you see it, the possible attack is detected and stopped. So there's no need to be nervous.
Hmmm - do you think so?
I mean, the firewall should have closed the port in the first place (unless inbound RPC is allowed which is rarely the case).
Yes, that’s true. Just wanted to say that seeing this message does not necessarily mean the firewall is not working and that its IDS features wouldn’t catch the attack later.
But you are right, having the RPC port (port 135) open on the internet interface is considered dangerous.
I just realised - I am using Avast 4 Professional at the moment and there is a version of Avast designed specially to work with the Kerio firewall. I’ll download the Kerio version of Avast tonight and let you know how things go.