Agnitum Outpost firewall

Eds

I have Outpost running on my XP machine, but still managed to get the
blaster worm. It may have been disabled for a short time, so I can
understand how it got in, but turning it on did nothing to stop the worm,
and I couldn't find a way to block specific ports. Could anyone familiar
with Outpost inform me whether it's an OK or lousy product?

Thanks

Eds
 
Ian.H [dS]

Eds said:
I have Outpost running on my XP machine, but still managed to get the
blaster worm. It may have been disabled for a short time, so I can
understand how it got in, but turning it on did nothing to stop the
worm, and I couldn't find a way to block specific ports. Could anyone
familiar with Outpost inform me whether it's an OK or lousy product?

Thanks

Eds


As far as bolt-on firewalls go, IMO, it's one of the best ones for
windoze.. but the reason you haven't patched your box is?



Regards,

Ian
 
Eds

Ian.H said:
As far as bolt-on firewalls go, IMO, it's one of the best ones for
windoze.. but the reason you haven't patched your box is?

I don't have the same variant that everyone else seems to have got. It
doesn't show up on any virus scans, but it was blocking the patch and
windows update, as well as doing the 60 second shutdown thing. Can't find it
in the registry or task manager either. I did install the patch, by opening
the exe in winrar, so I don't get the shutdown message anymore. In fact
everything appears normal, except I know I haven't killed it so what will
happen tomorrow (attack MS day) is anyone's guess...

I just wanted to know whether I should be expecting Outpost to stop the worm
doing its thing, once infected? If port whatever it was was blocked, could the
worm still trigger the auto shutdown thing?

[Really up on my terminology today ;-)]

Eds
 
Ian.H [dS]

Eds said:
I don't have the same variant that everyone else seems to have got.
It doesn't show up on any virus scans, but it was blocking the patch
and windows update, as well as doing the 60 second shutdown thing.
Can't find it in the registry or task manager either. I did install
the patch, by opening the exe in winrar, so I don't get the shutdown
message anymore. In fact everything appears normal, except I know I
haven't killed it so what will happen tomorrow (attack MS day) is
anyone's guess...


Hmm.. this sounds like you might have another trojan or something
separate to MSB.

Have you checked the following registry key:


HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default)


This should be just:


""%1" %"


I have a suspicion you might have a trojan there that is affecting the
opening of .exe files (Sub7 for example used this technique).

Also, go to:


Start menu->run


type:


command.com


cd to your windows / winnt directory (IIRC) and type:


copy regedit.exe regedit.com


Then run:


regedit.com


to access the registry editor, as if I'm right (or it is indeed
something else that affects all .exe files), this will prevent any crash
as the file is no longer handled by that exefiles regkey (.com, .exe,
.scr etc are all types of executable extension).

Eds said:
I just wanted to know whether I should be expecting Outpost to stop
the worm doing its thing, once infected? If port whatever it was was
blocked, could the worm still trigger the auto shutdown thing?


It can of course trigger the shutdown part, as it's now inside / local.
What it _will_ prevent, is if you have all the MSB ports closed, further
attacks on your box.

Eds said:
[Really up on my terminology today ;-)]



HTH Eds =)



Regards,

Ian
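
An added example, not part of the original thread: a Python check for the .exe handler hijack Ian describes. It parses a registry export (.reg text) and compares the default open command of exefile and comfile against the stock value `"%1" %*`, which this example assumes; the sample export and the placeholder.exe path are constructed.

```python
import re

# Stock Windows handler value (an assumption of this example, not quoted from the thread).
EXPECTED = '"%1" %*'
WATCHED = ("exefile", "comfile")  # ProgIDs behind .exe and .com

# Constructed sample export: exefile is hijacked, comfile is intact.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\placeholder.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def default_values(reg_text):
    """Map each key path (lower-cased) to its unescaped (Default) string value."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        value_match = DEFAULT_RE.match(line)
        if key_match:
            key = key_match.group(1).lower()
        elif value_match and key:
            # .reg files escape backslashes and quotes with a backslash
            values[key] = re.sub(r'\\(.)', r'\1', value_match.group(1))
    return values

def check_handlers(reg_text):
    """Return {progid: 'ok' | 'missing' | 'modified: <value>'} for watched ProgIDs."""
    values = default_values(reg_text)
    findings = {}
    for progid in WATCHED:
        actual = values.get(f"hkey_classes_root\\{progid}\\shell\\open\\command")
        if actual is None:
            findings[progid] = "missing"
        elif actual.strip() == EXPECTED:
            findings[progid] = "ok"
        else:
            findings[progid] = "modified: " + actual
    return findings
```

Exports written by regedit in the Version 5.00 format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `check_handlers`.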
 
Eds

Ian.H said:
Hmm.. this sounds like you might have another trojan or something
separate to MSB.

Have you checked the following registry key:


HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default)


This should be just:


""%1" %"

Seems Ok though there is an * at the end ...

Ian.H said:
I have a suspicion you might have a trojan there that is affecting the
opening of .exe files (Sub7 for example used this technique).

Also, go to:


Start menu->run


type:


command.com


cd to your windows / winnt directory (IIRC) and type:


copy regedit.exe regedit.com


Then run:


regedit.com


to access the registry editor, as if I'm right (or it is indeed
something else that affects all .exe files), this will prevent any crash
as the file is no longer handled by that exefiles regkey (.com, .exe,
.scr etc are all types of executable extension).

Not having problems with any other exe files.

Ian.H said:
It can of course trigger the shutdown part, as it's now inside / local.
What it _will_ prevent, is if you have all the MSB ports closed, further
attacks on your box.

So it does close all other ports?

Eds said:
[Really up on my terminology today ;-)]



Ian.H said:
HTH Eds =)

Thing is I don't really understand all this networking stuff. I get that the
worm was put onto my PC through a loophole in WinXP, and presume it wasn't
blocked by Outpost because I was breaking in a new p2p app (Soulseek), and
as Outpost has a tendency to grab all my CPU when lots of users are in my
queue, I tried disabling it to see if it helped things. It was probably only
disabled for a few minutes.

I kept getting the shutdown message, and eventually twigged on about the
worm, but none of the fixes worked. As I said, I found a way to install the
MS patch and now no more problems, but I assume that the worm, whatever my
version is called, is still on my machine, but unable to do its thing
because of the patch.

Have I understood the sitch?

Because an alternative reading of all the info I've seen is that I don't
actually have the worm on my machine, and that the shutdown messages were my
system's response to attempts by outside PCs to infect me. This would be
supported by the total absence of any known variant on my machine. Doesn't
explain why the patch wouldn't run, though.

Still in puzzlement...

Eds
 
