Could a legit program trigger a CMF warning?

[Guest]

[Ron_Mexico]

Hi,
First, I'd like to say that your company rocks... I've been running vista 64 for a while and I couldn't find a decent FW until i came across yours... If any 64 guys are reading this, my current combo of CFP + CMF + AVG anti spyware free + NOD32 has been working flawlessly for almost a month now..

At any rate, recently CMF halted my installation of "Brown Recluse",a data miner/web spider made by softbyte labs... I had scanned the crap out of the installer file(I sent it to virustotal.com), so I figured the block was a false positive... But before I install the thing, I'd like to know for sure.... Do i have anything to worry about? THanks in advance!

[Tyler Durden]

Hi. Buffer overflow doesn't linked to the legit/non-legit state of the programm. It's not an anti-virus or something, it detects remote (local) hacker attacks. But I think that this issue was just a programmers mistake of "Brown Recluse" (that's pretty common, e.g. we've helped to fix such issue in BitDefender allready, and so on)

[Tyler Durden]

Yep, the same issue as with BitDefender.
DisplayHeap log:

    Flags: 00000002
    Number Of Entries: 530
    Number Of Tags: 0
    Bytes Allocated: 000244f0
    Bytes Committed: 00027000
    Total FreeSpace: 00002b10
    Number of Virtual Address chunks used: 1
        Chunk[  1 ]: [00160000 .. 00260000) 00027000 committed
    Address Space Used: 00100000
    Entry Overhead: 8
    Creator:  (Backtrace00000)

Attack log:

---------------------------
Attack information
---------------------------
Process:      c:\programs\internet\br\BrownRecluse.exe
Process id:   0x25BC
Thread id:   0x2774
Attack type:   buffer overflow
Address:      0x0016DDF3
Memory type:   heap
---------------------------
ОК   
---------------------------

As you can see they're executing code from heap, and even without EXECUTE flag on it (more serious bug then in BitDefender's case, 'cause it's completly not compatble with DEP). Let's post them a bug-report...

[Ron_Mexico]

Thanks for the quick reply.. So let me get this straight... It's the sloppy programming of softbyte labs, not malicious code, that's causing the warning, right?...

If that's the case, would it be ok to install the program and manually override CMF? Thanks again!

[Tyler Durden]

Yes you're right. It's better to add it to the exclusion list then to w8 when they fix this bug (ppl doesn't like someone who finds bugs in their program actually )

P.S. In general malicious code doesn't 'cause any warnings from CMF. Hackers usually attack iexplore or some system services.

[3xist]

Locked.

Reason: Out-Dated post.

Josh

[Tags:]