Could a legit program trigger a CMF warning?

Ron_Mexico · February 14, 2008, 6:07am

Hi,
First, I’d like to say that your company rocks… I’ve been running vista 64 for a while and I couldn’t find a decent FW until i came across yours… If any 64 guys are reading this, my current combo of CFP + CMF + AVG anti spyware free + NOD32 has been working flawlessly for almost a month now…

At any rate, recently CMF halted my installation of “Brown Recluse”,a data miner/web spider made by softbyte labs… I had scanned the ■■■■ out of the installer file(I sent it to virustotal.com), so I figured the block was a false positive… But before I install the thing, I’d like to know for sure… Do i have anything to worry about? THanks in advance!

Tyler_Durden · February 14, 2008, 1:21pm

Hi. Buffer overflow doesn’t linked to the legit/non-legit state of the programm. It’s not an anti-virus or something, it detects remote (local) hacker attacks. But I think that this issue was just a programmers mistake of “Brown Recluse” (that’s pretty common, e.g. we’ve helped to fix such issue in BitDefender allready, and so on)

Tyler_Durden · February 14, 2008, 1:40pm

Yep, the same issue as with BitDefender.
DisplayHeap log:

Flags: 00000002 Number Of Entries: 530 Number Of Tags: 0 Bytes Allocated: 000244f0 Bytes Committed: 00027000 Total FreeSpace: 00002b10 Number of Virtual Address chunks used: 1 Chunk[ 1 ]: [00160000 .. 00260000) 00027000 committed Address Space Used: 00100000 Entry Overhead: 8 Creator: (Backtrace00000)

Attack log:

--------------------------- Attack information --------------------------- Process: c:\programs\internet\br\BrownRecluse.exe Process id: 0x25BC Thread id: 0x2774 Attack type: buffer overflow Address: 0x0016DDF3 Memory type: heap --------------------------- ОК ---------------------------

As you can see they're executing code from heap, and even without EXECUTE flag on it (more serious bug then in BitDefender's case, 'cause it's completly not compatble with DEP). Let's post them a bug-report...

Ron_Mexico · February 14, 2008, 5:00pm

Thanks for the quick reply… So let me get this straight… It’s the sloppy programming of softbyte labs, not malicious code, that’s causing the warning, right?..

If that’s the case, would it be ok to install the program and manually override CMF? Thanks again!

Tyler_Durden · February 14, 2008, 5:28pm

Yes you’re right. It’s better to add it to the exclusion list then to w8 when they fix this bug (ppl doesn’t like someone who finds bugs in their program actually :))

P.S. In general malicious code doesn’t 'cause any warnings from CMF. Hackers usually attack iexplore or some system services.

system · May 31, 2008, 9:27am

Locked.

Reason: Out-Dated post.

Josh