This is the first time I am using AVAST! home edition, to be exact from yesterday. Now when I try to browse or download (I use Firefox 3.0.6) something I get the following set of messages:
25.02.2009 23:36:36 DCOM Exploit attack
from 59.xx.yy.209:135
25.02.2009 23:37:37 DCOM Exploit attack
from 59.xx.yy.209:135
25.02.2009 23:38:38 DCOM Exploit attack
from 59.xx.yyy.252:135
25.02.2009 23:46:34 DCOM Exploit attack
from 59.xx.y.0:135
25.02.2009 23:48:41 DCOM Exploit attack
from 59.xx.y.0:135
25.02.2009 23:48:50 DCOM Exploit attack
from 59.xx.yyy.138:135
25.02.2009 23:52:12 DCOM Exploit attack
from 59.xx.yyy.80:135
26.02.2009 00:00:21 DCOM Exploit attack
from 59.xx.yy.209:135
26.02.2009 00:01:49 DCOM Exploit attack
from 59.xx.y.0:135
26.02.2009 00:31:03 DCOM Exploit attack
from 59.xx.yyy.184:135
I have no idea what these messages mean. ???
I use a broadband ADSL connection. And as far as I know, every time I dial and connect, a new IP is assigned to my connection. Now these IPs start with the above numbers and I am quite sure that AVAST! is reporting my own IP as the source of this attack. :-\
Now what am I supposed to do? I also find that the download and browsing speeds are slower.
- My OS: XP Pro SP3 (updated to the current)
- Firewall: PCTools Firewall Plus
Please help
Thank you.
EDIT:
Two more questions about this Home Edition of AVAST!:
Does this edition have heuristic scanning capabilities?
Is it safe/ recommended to use PCTools Threatfire simultaneously with AVAST! AV?
First these DCOM attacks should really be intercepted by your firewall but the network shield only monitors certain ports, those commonly used for these types of exploit.
If your system is fully up to date then you shouldn’t be vulnerable to the DCOM exploit. That however, doesn’t deter these speculative (random) attacks, so they aren’t targeting you specifically.
avast uses generic and algorithmic signatures in this current version to help combat against previously unknown infection.
However, in its anti-rootkit scan it uses heuristic style detections also. It also has what is loosely called heuristics in the Internet Mail (pop3 email scanner). There will be further enhancements in version 5 where behavioural analysis will be added.
I wouldn’t, as at the moment there is by all accounts a problem with their web scanner/protection conflicting with the avast web shield. This is meant to be fixed in an update of threatfire. You can try a forum search for threatfire as there have also been other issues (unrelated to avast) relating to add-ons in firefox.
I somewhat understood what you said, but why is the source of the attack my IP, and what do I need to do regarding these notifications? ???
As I said, I am using PCTools Firewall (latest version). Do you think that it is of adequate quality or should I migrate to some other firewall? I am a home user so a free one should suffice. I have used Comodo earlier; it is a very good firewall and at present installed beside AVAST! home in my sister’s PC. But there also I found that AVAST! is generating these notifications and using the connection’s dynamic IP as the source of the attack. :-\
Hi,
if I remember correctly, avast! network shield checks for Worms only on the incoming direction. So this does not mean your PC is actually sending these attacks; most probably the attacker is using a fake source IP in the packet (in the same way as SPAM sometimes comes with your own e-mail address as the sender). As long as the attack is blocked (either by your already patched Windows system or by avast!) you are OK, but anyway it might be a good idea to perform a boot time scan from time to time.
Lukor has partially answered. But there is every possibility someone who uses your ISP could be infected and that system tries combinations of the IP range to infect other unpatched systems. I don’t know about faking the IP address (I didn’t know it was possible), lukor is much more knowledgeable in that area.
I frequently get spam email supposedly from me, and that is designed to bypass security as most anti-spam tools would whitelist/allow the user’s email address. So this could be a similar method to try and bypass the firewall, but it failed to get past the network shield.
The PC Tools firewall is used by many people in the forums. I have never used it; the one I have used for over 5 years, Outpost Firewall Pro, isn’t free, but that is effectively the only one I have any practical experience of.
As you say it has happened with your sister’s system with a different firewall, so there is no guarantee that the same wouldn’t happen in the next firewall; since the attacks are speculative and random you can’t do much about those. Fortunately these don’t get past avast.
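A defender-side way to check the two explanations given above (own address spoofed versus another customer in the same ISP range), as an added Python example that is not from this thread or from avast: it parses alerts in the format the original poster quoted and compares each source with the PC's own PPPoE address and the ISP's pool. The sample alerts, the address 59.10.20.77 and the pool 59.10.0.0/16 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the avast Network Shield alerts quoted in
# the thread (masked octets made up; one source from the 198.51.100.0/24
# documentation range added to show an out-of-pool case).
SAMPLE_ALERTS = """\
25.02.2009 23:36:36 DCOM Exploit attack
from 59.10.20.209:135
25.02.2009 23:37:37 DCOM Exploit attack
from 59.10.20.209:135
25.02.2009 23:38:38 DCOM Exploit attack
from 59.10.120.252:135
26.02.2009 00:05:10 DCOM Exploit attack
from 198.51.100.7:135
"""

# One alert = "<date> <time> <name> attack" then "from <ip>:<port>" on the
# next line; port 135 is the RPC endpoint mapper the DCOM exploit aims at.
ALERT_RE = re.compile(
    r"(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (.+?) attack\s+from "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)

def parse_alerts(text):
    """Return (timestamp, exploit name, source ip, port) tuples in log order."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        alerts.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return alerts

def triage(text, my_ip, isp_pool):
    """Count alerts per source and classify each against this PC's own address
    (my_ip, as shown by ipconfig) and the ISP's pool (isp_pool; assumption:
    the block a whois lookup on my_ip reports)."""
    me = ipaddress.ip_address(my_ip)
    pool = ipaddress.ip_network(isp_pool)
    counts, verdict = Counter(), {}
    for _ts, _name, src, _port in parse_alerts(text):
        counts[src] += 1
        addr = ipaddress.ip_address(src)
        if addr == me:
            verdict[src] = "own address: spoofed source, not traffic this PC sent"
        elif addr in pool:
            verdict[src] = "same ISP pool: probably an infected neighbour or a spoof"
        else:
            verdict[src] = "outside the ISP pool: random scan from elsewhere"
    return counts, verdict
```

Sources that repeat and sit in the same pool but differ from your own address point to an infected neighbour scanning the range, which is the case the thread describes.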
Thank you very much David and lukor for your explanation and help.
Anyway, I just clicked the option of “do not show this notification” so that AVAST! can do its intended work silently. I trust AVAST! completely as my sister has been using it for over 2 years, and it was I who installed it in her system.
Thank you very much for developing AVAST! and keeping it free for home users.
Personally I like to know what is going on in my system as, a) it alerts you something isn’t right and b) if you are browsing it alerts you to a problem related to that site, c) if you happen to be working on your system (but connected), it lets you know something possibly on your system is trying to access a malicious site.
So all of the above would require further investigation (via the forums, etc.) and without the alerts you would be totally unaware of a potential problem.
Well I’m not sure what there is left to discuss, but if you are talking of investigation after a network shield alert, then that is what we have been doing.
There shouldn’t be any further action required (since you have a clean boot-time scan result), and by the nature of the network shield it blocks attempts to access the malicious site, so nothing should have got on to your system.
It’s a 2Mbps connection, ADSL type. It runs in PPPoE mode and in that you need to dial a connection with a specific user name and password. I can also use Bridge mode and configure my router to use the user name and password to automatically connect to the net as soon as it is turned on.
Oh, you must have got it. I am using a router (to the best of my knowledge, that is; I am not really a knowledgeable person when it comes to networking).
My Internet…
Wireless Router
8Mbps
Broadband ADSL
PPPoE Pretty Much… Same As Yours!
However!
and in that you need to dial a connection with specific user name and password.
I don’t need to do any of that ???
I just turn on my computers… And they are immediately connected to the Internet.
Meaning…
Avast, Windows, and anything else can update straight away.
And I just click on Firefox or IE7 to surf the web.
I can also use the Bridge mode
I don't know anything about - Bridge Mode
I'm also not that experienced when it comes to Routers and Networking :-[
However!
and configure my router to use the User Name and Password to automatically connect to net as soon as it is turned on.
I think that's how Broadband usually works :-\
Using the Name and Password that was provided by your ISP .. In Your Router!
Unless Of Course…
You already know all this, but prefer to only be connected to the Internet when you wish to be :-\
You’ve Got Me A little Confused :-[
Because I’ve only ever heard of one other person having to Dial and use a Name and Password with Broadband.
I think that was because they were using a particular ISP and a Router I’d never heard of before.
Zoo … Or Something! :-\
As long as you know your Internet is OK
I just thought I’d mention it…
Just in case it would shed some light on your problem.
And Maybe… Help!
Well in Bridge Mode you need to create a new dial-up connection in your PC so that you are connected to the net only when you desire by dialing the connection. So it basically gives you control over your internet usage. And it also (somewhat) decreases the chances of getting attacked from outside.
Anyway, I had to uninstall PC Tools FW as it was really slowing my PC down considerably, and I have enough RAM.
Now I am back to my trusted Comodo FW.
Well in Bridge Mode you need to create a new dial-up connection in your PC so that you are connected to the net only when you desire by dialing the connection. So it basically gives you control over your internet usage. And it also (somewhat) decreases the chances of getting attacked from outside.
Oh! … I See Now!
I had to uninstall PC Tools FW as it was really slowing my PC down considerably and I have enough RAM.
That would probably be due to - Enhanced Security Verification
Did You Try Turning ESV Off?
I’ve got PC Tools Firewall Plus on my Laptop and Desktop Computer … But with ESV - OFF
Note!
Starting with Version 4 … PC Tools Firewall Plus … Now Comes With - Enhanced Security Verification ( ESV ) ESV … Is a relatively new feature that PC Tools have added to their Firewall … But It Has Problems :
Can Cause… High CPU Spikes, Manic Hard Drive, Freezes, Blue Screens :o So!
Even though - PC Tools Firewall Plus … Is a great little Firewall
Enhanced Security Verification … Is Best Left - OFF … Till they get it right!