I’m a reseller & am trying out the ADNM, so I can speak better to the functionality.
My client-side tasks (scan) are not going through - stuck as Status: Waiting.
My firewall is showing:
Type: Log
Action: Drop
Protocol: icmp
Source: AVAST_SERVER (vlan 1)
Destination: WINDOWS_PC (vlan 2)
Information: ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
Attack: Null Payload Echo Request
Attack Information: Null payload ICMP packet detected
SmartDefense Profile: Default_Protection
So, there’s nothing I can do – “SmartDefense” picks it up as suspicious & blocks it.
Thoughts?
Thanks!
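For reference, here is an added example (not from the original post, and not code from Avast or Check Point) showing what the "Null Payload Echo Request" entry in the log above refers to on the wire: an ICMP type 8, code 0 packet whose data section after the 8-byte header is empty. The script builds two constructed echo requests, one with a normal ping-style payload and one with no payload, and classifies raw ICMP bytes the way an IPS signature for this condition would, so you can confirm from a capture whether the dropped packets really are empty echo requests rather than something else. The packet contents and identifiers are constructed sample values, not traffic from the poster's network.

```python
# Added example, not from the thread: build and classify ICMP echo requests
# so that a "null payload" echo request (the condition SmartDefense logged)
# can be recognised from raw packet bytes.
import struct

ICMP_ECHO_REQUEST = 8  # ICMP Type 8, Code 0 as shown in the firewall log


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data for 16-bit summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8, code 0) carrying `payload`."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def classify_icmp(packet: bytes) -> dict:
    """Parse raw ICMP bytes and report whether it is a null-payload echo request."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet too short")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        # A valid packet sums to zero when the checksum field is included.
        "checksum_ok": icmp_checksum(packet) == 0,
        "payload_len": len(payload),
        "null_payload_echo_request": (
            icmp_type == ICMP_ECHO_REQUEST and code == 0 and len(payload) == 0
        ),
    }


# Constructed samples: a ping-style request with 16 data bytes, and an
# echo request with an empty data section (what the IPS flagged).
SAMPLE_NORMAL = build_echo_request(0x1234, 1, b"abcdefghijklmnop")
SAMPLE_NULL = build_echo_request(0x1234, 2, b"")


if __name__ == "__main__":
    for name, pkt in (("normal", SAMPLE_NORMAL), ("null", SAMPLE_NULL)):
        print(name, len(pkt), "bytes ->", classify_icmp(pkt))
```

The classifier only inspects the ICMP layer, so when applying it to a capture you first strip the Ethernet and IP headers (for a plain IPv4 frame without options, ICMP starts at offset 34). Seeing `null_payload_echo_request` true for the AVAST_SERVER to WINDOWS_PC packets would confirm that the drop is due to this signature and not to a general ICMP or VLAN rule.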
Welcome to the forum.
I’m assuming that you’re using Check Point’s SmartDefense program? http://www.checkpoint.com/defense/advisories/public/overview.html
I don’t have any experience with that program, but I guess you could add an exception for the avast scanner in that program so that it allows the ICMP packets?
I could, but it’s allowing suspicious traffic.
If an exploit were ever to follow this pattern, I’d have purposely exposed it to my network.
The main question is - why is the server not sending a true ICMP request?
I guess that would be a question for the all powerful programmers… I haven’t a clue. I’m just a user like you.
In all seriousness though, is there a way to add the exceptions just for the ADNM console and the client executable files instead of adding an exception for all null payload ICMP packets?
That way, it doesn’t just allow all packets, just ones that are generated by avast. I don’t think that would expose your network to any threats. I could be wrong though.
I thought about that – but other AV servers that I’ve used get sent a copy of the virus for quarantine (or upload to the mother ship). If that’s the case here, I’m exposing a server with known (quarantined?) viruses on it, to network security exceptions … :o
Thanks though!
Well, if it’s a known virus it wouldn’t get uploaded to avast at all. It would just be safely placed in the virus chest for further action.
The only time a virus is uploaded is when you manually tell it to do so. Even then, it’s done securely and won’t affect security in any way that I can think of.
I can understand why you wouldn’t want to “downgrade” your security though. Hopefully some of the programmers can help you out in finding out why or what is using the null ICMP packets and can fix it.