So many (techie) product questions...

  • 17 October 2014
  • 38 replies
  • 144 views



Userlevel 6
Hi @RussH,

I'm glad that everything worked as you've expected.
Regarding your port 0 attacks; does your router give you any more information on those packets?
How many packets did you receive in that time? And do they all come from the same IP? Perhaps you can also see why the packets end up at Port 0; as Port 0 isn't a valid port.
Userlevel 1
@ 
 
In response to your questions...
 
Started with: [DoS Attack: WinNuke Attack] from source: 188.165.236.154, port 0, Monday, October 20,2014 22:07:56
Last attack: [DoS Attack: WinNuke Attack] from source: 77.37.7.105, port 0, Tuesday, October 21,2014 00:52:30
 
167 individual attacks from 92 unique IPs (there are a few within their own same subnet range)
 
They were shown as several "types" by my router:
[DoS Attack: WinNuke Attack]
[DoS Attack: FIN Scan]
[DoS Attack: SYN/RST Scan]
[DoS Attack: ACK Scan]
[DoS Attack: NULL Scan]
[DoS Attack: Xmas Tress Scan]
[DoS Attack: IMAP Scan]
 
All to port 0 which: “Generally speaking port zero traffic can be indicative of a possible reconnaissance attack, and may be a precursor to more serious penetration attempts”
 
Attackers can use such abnormal traffic to fingerprint operating systems and network security devices, because different OSes and network equipment can respond differently to port zero traffic, the researcher said. “This can enable the attacker to make a more precise attempt to compromise a network.”
 
 
 
Userlevel 7
Hi RussH
 
Interesting but they have been stopped and if your router did not stop them then I strongly suspect that the Windows Firewall (assuming that you have not replaced that with a 3rd Party one) would do re. that sort of attack.
 
I have checked what I am seeing in terms of the context of your investigation and would ask as to whether you have a static IP address from your ISP or, more like the rest of us, you get a random one from a range attributed to that ISP, on a first connect first give basis? Reason that I ask is that in my humble opinion you should contact your ISP with the information and get them to see if they can do something about it...especially if it is a static address you have. If randomly allocated from a pool it could be that you have been allocated an address that has in the past been used by another subscriber in a way that has gotten it to the attention of hackers, etc.
 
This happened to me a few years back and I reported it to my ISP, who was happy for the info and took steps accordingly.
 
Just a thought for you.
 
Regards, Baldrick
Userlevel 1
@ 
 
Yes, I have only had these Port 0 attacks show up twice as I mentioned, so it has not been a big issue; if they persist I will obviously speak with my ISP. (I still find it odd that it only ever happened shortly after installing BitDefender and then again shortly after removing BitDefender.)
 
As to configuration my IP is configured as DHCP at the cable modem BUT... The cable modem is controlled by the ISP (including firmware version) and is serial number matched and locked with its physical MAC address to what is basically an externally static IP.
 
My router is configured to use the modem's provided local IP as DHCP, so if I lose connection with my ISP (Internet) my local network (Intranet) is still functional and reverts back once the ISP is re-connected.
 
This seems to be a pretty safe configuration as the connection to the ISP is physically secured using the serial number and hardware MAC. Pretty hard to spoof something like that without having the actual Serial number and Physical MAC of the modem.
 
Even if something does get through the modem my router is then the second line of defense, as I have Ping, FTP, UPnP, remote admin and wireless all turned off, as well as having other specific address/site blocks set up on it.
 
Then if all of that fails each connected device still has its own firewall and anti-virus/anti-malware system installed and configured.
 
I feel I am likely much safer than many of the corporate/government networks that have outsourced their IT support... *cough* *cough* that's real safe...
Userlevel 7
@ wrote:
@ 
 
.........
 
 
I feel I am likely much safer than many of the corporate/government networks that have outsourced their IT support... *cough* *cough* that's real safe...
LOL!!!  Very good point 🙂
Userlevel 1
Well here are my thoughts on WSA.
 
Very nice and light weight, nothing extra running, but still very reactive to threats.
 
A minor issue with application version changes, i.e.: I am a programmer and when my software builds the version number is incremented to denote the new version, WSA then reverts to blocking the same application (albeit with a newer version) in the same location it has been told to allow prior.
I again have to tell WSA that it is okay to allow it to access the network... and then again also tell it that it is OK to access the copy buffer... (for instance I manually copy my router log to the copy buffer (ctrl+c) to then process in my application and then output the results based on type of entry and/or source IP)
Not a huge thing but a slight annoyance when you are a programmer.
 
Note: This does not seem to happen when you update a web browser like FireFox for instance (which is open source)
 
Beyond that I have had no problems with the functionality and it has passed all the tests I have put it through!
 
Thank you for doing what is needed and not forcing me to have "features" I would never use.
Userlevel 7
@ wrote:
Well here are my thoughts on WSA.
 
Very nice and light weight, nothing extra running, but still very reactive to threats.
 
A minor issue with application version changes, i.e.: I am a programmer and when my software builds the version number is incremented to denote the new version, WSA then reverts to blocking the same application (albeit with a newer version) in the same location it has been told to allow prior.
I again have to tell WSA that it is okay to allow it to access the network... and then again also tell it that it is OK to access the copy buffer... (for instance I manually copy my router log to the copy buffer (ctrl+c) to then process in my application and then output the results based on type of entry and/or source IP)
Not a huge thing but a slight annoyance when you are a programmer.
 
Note: This does not seem to happen when you update a web browser like FireFox for instance (which is open source)
 
Beyond that I have had no problems with the functionality and it has passed all the tests I have put it through!
 
Thank you for doing what is needed and not forcing me to have "features" I would never use.
Yes, when you manually allow a file, once the file is changed it reverts to blocked.  This is because each file has a unique "MD5" number.  This is basically a hash number, and again is unique.  The Allow/Block files works from the MD5, not the file name.  This is so that if a good file is altered by malware it of course will be detected and blocked.
 
As you say... a bit annoying for a developer, but very effective at the same time.
 
The major browsers are of course already set 'internally' in the Cloud to be allowed globally, as is much commercial software, so you do not need to change permissions when updating.  
 
I am glad you gave us your input, and I hope you are happy with it!  Any questions or problems, come on back and we will be glad to try to help 🙂
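The reply above explains why a rebuilt binary is blocked again: the allow/block decision is keyed on a hash of the file's contents, not on its name or path. The following added Python example (not Webroot's code, and a simplification of how any real product stores its decisions) makes that behaviour visible: it allows a constructed "mytool.exe", shows that a byte-identical copy under another name is still allowed, and that a rebuilt file at the same path with a new version string is not. It uses MD5 because that is what the post names; a new design would use SHA-256, since MD5 collisions are practical.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path, algo="md5"):
    """Hex digest of the file's bytes, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ContentAllowList:
    """Allow decisions keyed on content hash, never on file name or location.

    Hypothetical stand-in for a product's allow/block store, used to show the
    behaviour the thread describes.
    """

    def __init__(self, algo="md5"):
        self.algo = algo
        self.allowed = set()

    def add(self, path):
        self.allowed.add(file_digest(path, self.algo))

    def is_allowed(self, path):
        return file_digest(path, self.algo) in self.allowed


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Walk through allow -> rename -> rebuild on constructed files in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "mytool.exe")
        # Constructed stand-in for a compiled build; only the bytes matter here.
        _write(exe, b"MZ\x90\x00 mytool build 1.0.0")

        allow = ContentAllowList()
        allow.add(exe)
        v1_allowed = allow.is_allowed(exe)

        # Same bytes under a different name: hash unchanged, still allowed.
        moved = os.path.join(d, "renamed_copy.exe")
        shutil.copyfile(exe, moved)
        renamed_allowed = allow.is_allowed(moved)

        # Rebuild with a bumped version at the same path: new hash, blocked again.
        _write(exe, b"MZ\x90\x00 mytool build 1.0.1")
        v2_allowed = allow.is_allowed(exe)

        return {
            "v1_allowed": v1_allowed,
            "same_build_renamed_allowed": renamed_allowed,
            "v2_same_path_allowed": v2_allowed,
        }


if __name__ == "__main__":
    print(demo())
```

The same property that annoys a developer is the one that protects a user: if malware patches a trusted executable in place, its hash no longer matches the allowed entry, so the earlier decision does not carry over to the altered file.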
Userlevel 1
Now I have more questions...
 
Seems that since I have done manual scans on my external drives and even cleaned a couple of threats off of them, the system scan continually attempts to access these drives, even when they are no longer attached...
 
I also had one detection on my local data drive, for which I resorted to simply deleting the file, but now the system scans are also looking for that specific file even though it has been deleted and the free space on the drive wiped...
 
My original 14 second system scan has now become 3 Minutes and 27 seconds and it seems to keep getting longer... even with no external drives attached...
 
I could see where if I had added a bunch of new files or something but in the last scan it decided it needed to scan 27+K files when the original scan only wanted to scan 16+K... 10K more files = 3 minutes 13 seconds?
 
I am wondering if there is any way to purge the files/locations that WSA has decided it wants to scan in order to avoid these unneeded scan attempts? Or do these flagged scan locations fall away over time automatically? (If so, how long does it take?)
 
Oh and another minor thing... There is now a "Personalized Security Report" pop up on every reboot?
 
Edit: The "Personalized Security Report" pop up has stopped...
 
Userlevel 1
Last scan: 4 Minutes and 3 Seconds...(yes I know still not "that" slow but on my SSDs?)
 
As I said it is slowly getting longer... and it is still looking for those external drives even when they are not connected (and none have been connected in 4+ days now)
 
Why are the removable/external drives even cached for future scans?
 
I mean really, if I were to keep inserting USB sticks for instance? I can't even imagine how many now non-existent "drives" it would be trying to scan each time it runs... what gives?
 
And it is also still looking for that one local data drive file that flagged as a threat which has been deleted (and wiped)... it also no longer exists and yet each scan now keeps looking for it...
 
I have actually not even been on this box much this week busy with a new job etc...
 
Userlevel 1
So I guess here is my rub...
Not to mention I feel like this has turned into some bait and switch with the community responses (or lack thereof) here... Remember the knowledgeable community here was one of my major reasons for purchasing this software in the first place...
 
Box #1 running an i7 with 12GB memory, dual SATA3 240GB SSD, single SATA3 1.5TB 10K RPM data drive, using 3 separate USB 3.0 external drives on occasion (but have not reconnected any of them since the original manual scan done on them)
Scans continue to look for files on these now removed (removable) drives and it is also still looking for a now deleted file that had flagged as a threat...
27,430 files scanned took 3:13...
 
 
Box #2 running an i3 with 8 GB memory single 1.5 TB 7200 RPM SATA3 drive...
54,640 files scanned took 1:19...
 
Both systems running Windows 7x64 Ultimate
 
Almost TWICE the files scanned in less than half the time on a SLOWER system???
 
WHY??? 
My SSD system is MUCH faster (other than the obvious issues with WSA attempting to access non-existent drives/files wasting a HUGE amount of time)...
 
HOW CAN I FIX THIS?...
How can I stop WSA from looking for non-existent devices/files??? (seems rather silly for it to continue looking after they are not found even once)
 
Userlevel 7
Hi RussH
 
Apologies if we have not been as responsive as you would like, but most of us here are volunteers and therefore have day jobs too...and so our time available to come into the Community and help can be irregular and sometimes limited (I know that my time recently has been more limited than I would like).
 
In terms of what you are seeing, the first thing that I would do is to review the Scan Log for each system and see if there are any significant differences in terms of the number of Good [g] and Unknown [u] files found on each...more [u]s can mean a longer scan time for reasons that are...well, obvious really.
 
IMHO the only option that you have is a Support Ticket so that the Support Team can investigate the make up of each system & the installation of WSA to determine if there is some conflict there.  They will most likely send you some system investigation tools and ask you to gather logs and configuration details for analysis back at the ranch.
 
That is what I would do.
 
Hope that helps?
 
Regards, Baldrick
Userlevel 4
Badge +10
Creating a support ticket makes sense to find how to streamline WSA scans---or to put in a feature request for it. IDK what table or index the scan refers to and how it varies on other boxes but hope to hear more about this. No "bait and switch" tactics here. In this community, I found other inquisitive folks who care to help and are wise enough to know where to refer questions to. Like you, I wrote to potential internet security providers. For whatever reason, I did not get an answer from this community at the time. But in fairness, did not check for one--once I realized that WSA is the best thing available for Mac. Health permitting, I follow this community and learn. For most folks here it is probably time permitting. I appreciate the attitude and spirit of this community.
Userlevel 7
Hi practicality! 
 
Good to see you again!  Admittedly we can't always fix everything, but we do always do our best to try to help.  Sometimes the best we can do is figure out who or where to refer someone to :(
 
I have been on here a while obviously, but I still learn every day.  No one ever knows everything, but I learn a lot just by trying to help others out!
