| Thread ID: 14717 | 2002-01-16 23:18:00 | BlackICEDefender and the UPNP hole | Guest (0) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 31502 | 2002-01-16 23:18:00 | I have been involved recently in a three-cornered debate with NetworkICE and Paradise Net, with some input from an independent expert. I have been experiencing repeated RED alerts (normally very rare) on BlackICEdefender, claiming to reflect attacks on the well-known Microsoft PlugnPlay vulnerability. The overwhelming majority of these come from within the Paradise cable subnet, i.e. from the machines of other Paradise cable users and (I have been told by the company) Paradise staff. Paradise says: BID is over-sensitive; these events are harmless (they don't say clearly why they're occurring, but I assume it reflects the normal operation of PlugnPlay devices seeking out other PnP devices over the network). They have certainly presented me with evidence that there is nothing in these packets anything like long enough to overflow the buffer, at least not in the events in my current log. NetworkICE says: we've every right to make it a red alert because it's very dangerous, and you never know when an event with a destructive payload may come along. Expert says: Yes, BID is being over-sensitive, BUT the frequency of events indicates the 'attacking' systems are poorly configured. Any comment on this last part? Should I ask Paradise to get those (dozen or more) users to fix their systems? Or would I be considered a pest? I have, of course, applied the Microsoft fix, AND, for good measure, blocked ports 1900 and 5000, which are the relevant ports as I read the MS bulletin on the vulnerability. Still the alerts come. Can I depend on the fix as now having prevented my system entertaining anything really harmful in this line? In any event, I would like to stop the red flashes and exclamation marks, simply because they're annoying. Is there anything else I can do to remove them? I DON'T want to disable UPnP, as my system has enough trouble finding new devices even with its aid! Has anyone else had a similar experience? What did you do about it?
AND, to forestall the obvious reply: Yes, I am really considering dropping BlackICEdefender, having read the GRC comments referred to above. However, I have also seen some bad reports about the effectiveness of ZoneAlarm, which most anti-BIDers recommend as an alternative. I have the XP firewall, of course, but that's one of those annoying products that gives me no evidence it's working. I would prefer something that flashed up some warnings of real intrusion attempts, just for the sake of comfort! Any thoughts on further options? Thanks, Steve B. PS: BID V2.9cap managed to get XP to blue-screen, repeatedly, which (MS tells everyone) is very difficult. I installed version caq, which NetworkICE said fixes the problem, but have had one bluescreen (in two days) since then. Is 2.9caq still unstable? |
Guest (0) | ||
| 31503 | 2002-01-17 01:17:00 | There is not a lot any ISP can do about it apart from advise its customers. At the end of the day it's up to end users to decide what accesses the net from their comp. Why not uninstall UPnP? As far as I know it doesn't actually do anything at present. The catch here is getting the other users to disable it as well. BlackICE does what it is designed to do; it's an intrusion detection prog, not a firewall. There are now heaps of firewalls around, so if ZA doesn't take your fancy then have a look at Tiny, Sygate, Norton... just to name a few. |
Guest (0) | ||
| 31504 | 2002-01-17 06:40:00 | 'I have the XP firewall, of course, but that's one of those annoying products that gives me no evidence it's working. I would prefer something that flashed up some warnings of real intrusion attempts, just for the sake of comfort!' Har har, that is why ZoneAlarm is so popular: people just love clicking those buttons! 'Boss, boss, a suspicious person looked at the house a bit funny, but I didn't open the door for them, just thought you'd like to know!' Disable UPnP? What a Luddite! The farce is that disabling UPnP will give you no protection from the exploit anyway. It is the SSDP service at fault. |
Guest (0) | ||
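Paradise's argument in the first post rests on packet length, and the last reply points at SSDP (UDP 1900) as the service actually involved. As an added example, not code from this thread, from NetworkICE or from Microsoft, here is a small Python triage routine for SSDP datagrams captured on UDP 1900: it classifies each one as routine M-SEARCH/NOTIFY discovery chatter and flags only those with an unrecognised start line, a malformed header line or an unusually long header value. The 256-byte limit and the sample datagrams are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed sanity limit: genuine discovery header values (HOST, ST, NT, LOCATION) are far shorter.
MAX_HEADER_VALUE = 256
KNOWN_METHODS = {"M-SEARCH", "NOTIFY"}


@dataclass
class SsdpVerdict:
    method: str                      # "M-SEARCH", "NOTIFY", "RESPONSE" or "UNKNOWN"
    headers: dict = field(default_factory=dict)
    longest_value: int = 0           # length of the longest header value seen
    malformed: int = 0               # header lines lacking a ':' separator
    suspicious: bool = False
    reason: str = ""


def parse_ssdp(datagram: bytes) -> SsdpVerdict:
    """Parse one SSDP (HTTP-over-UDP) datagram and decide whether it looks routine."""
    lines = datagram.decode("latin-1").split("\r\n")
    start = lines[0].strip()
    if start.startswith("HTTP/1.1 200"):
        method = "RESPONSE"          # unicast reply to an earlier M-SEARCH
    else:
        method = start.split(" ", 1)[0].upper()
        if method not in KNOWN_METHODS:
            method = "UNKNOWN"
    verdict = SsdpVerdict(method)
    for line in lines[1:]:
        if line == "":
            break                    # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            verdict.malformed += 1
            verdict.longest_value = max(verdict.longest_value, len(line))
            continue
        value = value.strip()
        verdict.headers[name.strip().upper()] = value
        verdict.longest_value = max(verdict.longest_value, len(value))
    if method == "UNKNOWN":
        verdict.suspicious, verdict.reason = True, "unrecognised SSDP start line"
    elif verdict.longest_value > MAX_HEADER_VALUE or verdict.malformed:
        verdict.suspicious = True
        verdict.reason = f"oversized ({verdict.longest_value} bytes) or malformed header"
    else:
        verdict.reason = "routine discovery traffic"
    return verdict


# Constructed sample datagrams (not captures from the thread): two normal ones, one oversized.
SAMPLE_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                  b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n')
SAMPLE_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
                 b"NTS: ssdp:alive\r\nLOCATION: http://192.168.1.20:5000/root.xml\r\n\r\n")
SAMPLE_OVERSIZED = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                    b"LOCATION: " + b"A" * 600 + b"\r\n\r\n")


def triage(datagrams):
    """Return (routine_count, flagged_verdicts) for a batch of captured datagrams."""
    verdicts = [parse_ssdp(d) for d in datagrams]
    flagged = [v for v in verdicts if v.suspicious]
    return len(verdicts) - len(flagged), flagged
```

Run over a capture of the alerts, a log in which every flagged packet is a normal-length NOTIFY or M-SEARCH supports the "discovery chatter" explanation, while anything that trips the length or format checks is what deserves the red alert.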