Re: Why did a visit to Google install netbios.dll in my windows system folder?

From: David (geercon_at_alltel.net)
Date: 07/04/03

Date: 4 Jul 2003 14:30:59 -0700
"Duane Arnold" <notme@notme.com> wrote in message news:<57hNa.34442$926.3405@sccrnsc03>...
> > Why did a visit to Google install netbios.dll in my windows system
> > folder?
> >
> > When "enable DLL authentication" is on I find new .dll files being
> > installed on my computer from Verio and then from Google, like the one
> > above. Anyone know if this is harmless?
>
> It's called a Website Drive By, whereas you access a Website and that
> Website starts sending dll's or other program elements like ocx, drv, vxd in
> the traffic and installs them on your machine without your knowledge and
> permission.
>
> It's not a good thing!
>
> > I can't be spending all day here trying to determine which ones to allow
> > or not and which ones to delete or not.
>
> The only way you should allow something like this is when you're installing
> an application yourself and it's laying down program elements during the
> install process.
>
> My solution to this issue is below. It's not 100% bullet proof, but it's
> better than nothing at all. My analysis of the was about IDS, which is
> being cut short on this posting.
>
> *********
> <snip>
>
> Malware test using Gator telling Gator to install from the Website:
>
> IE Security:
>
> IE stopped the download and I told it OK
>
> BlackIce:
>
> BlackIce Application control stopped the download reporting that
> *iegator.dll* wanted to use *iexplorer.exe* and I told it OK. BTW, I did an
> entire search of <C> looking for *iegator.dll* and it was not there, which
> means it was coming from the Website in the HTTP traffic.
>
> BlackIce Communication control detected that *iexplorer.exe* wanted access
> to the Internet, but of course it was *iegator.dll* who wanted access and I
> told it OK.
>
> BlackIce Application Control stopped *gatorsetup.exe* from executing and I
> told it OK. BTW, I searched for *gatorsetup.exe* on <C> and it was not
> there, which means it was coming from the Website in the HTTP traffic.
>
> BlackIce Communication control reported that *gatorsetup.exe* wanted access
> to the Internet and I told it OK.
>
> Sygate Pro:
>
> Sygate Pro after BlackIce detected everything upfront, indicated that Gain
> Setup was trying to connect to *gs.gator.com* using remote port 80 HTTP.
>
> My analysis of this is that BlackIce IDS is doing a detailed analysis of
> layer 7 (application) protocols such as HTTP, Telnet, etc and is looking at
> what is coming in the network traffic from a Website and stopping it. And
> BlackIce is checking its Application and Communication control database in
> real time based on its analysis of traffic in layer 7.
>
> Sygate is not doing an analysis of layer 7 and not stopping anything from
> coming from a Website. Sygate only knew to stop the outbound communications
> of *gatorsetup.exe*. Once Sygate has given approval of iexplorer.exe to
> communicate to the Internet, it doesn't have the means to stop a *dll*
> executing from a site using iexplorer.exe on its behalf.
>
> Conclusion is that BlackIce has better features with its IDS than Sygate Pro
> in controlling program execution and communication to the Internet and is
> better at stopping malware on the machine. Not only is BlackIce looking at
> dll's, it is looking at exe, com, sys, drv, ocx too and BlackIce can be made
> to look at more sub component program types. You see, an attack will not
> always come from a dll or exe trying to use IE, OE or Outlook the host to
> get out. Not only is BlackIce's IDS looking at what's executing and
> communicating at the machine level, but it is looking at the network traffic
> too.
>
> <snip>
>
> I like Sygate so don't get me wrong.
>
> But as far as what you're concerned with I don't think about it.
>
> HTH
>
> Duane :)

OK, but here are some concerns if you wouldn't mind addressing them.
1) I heard a while ago that BlackIce is no longer secure of its
ultimate parent company or some company change and now it actually
lets certain intrusions in?
2) What about Zone Alarm? I didn't get these messages with Zone Alarm.
Is that because Zone Alarm didn't allow the files in or didn't detect
them?
3) Is there a free version of BID?
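One practical way to get an answer to the original question ("a new .dll appeared in my system folder after visiting a site; was it there before?") is a baseline of the program elements the thread lists (dll, exe, ocx, drv, vxd, plus sys and com) and a diff against it later. The script below is an added example and not code from anyone in this thread or from BlackIce/Sygate; the folder contents in demo() are constructed stand-ins, and the netbios.dll it drops is the unexpected file from the original question, not a real sample.

```python
"""Baseline-and-diff check for new or changed program elements in a folder."""
import hashlib
import os
import tempfile

# File types the thread says a drive-by can lay down (dll, ocx, drv, vxd, exe)
# plus sys and com, which the quoted post says BlackIce also watches.
WATCHED_EXTENSIONS = {".dll", ".exe", ".ocx", ".drv", ".vxd", ".sys", ".com"}

def sha256_of(path):
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(folder):
    """Map relative path -> sha256 for every watched file under folder."""
    result = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED_EXTENSIONS:
                full = os.path.join(root, name)
                result[os.path.relpath(full, folder)] = sha256_of(full)
    return result

def diff_snapshots(baseline, current):
    """Return (new, changed, removed) relative paths, each sorted."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return new, changed, removed

def demo():
    """Constructed scenario: take a baseline, then a drive-by drops netbios.dll
    and overwrites an existing DLL; a .txt file is ignored as not a program element."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "kernel32.dll"), "wb") as fh:  # constructed stand-in
            fh.write(b"MZ baseline")
        with open(os.path.join(folder, "readme.txt"), "wb") as fh:
            fh.write(b"not a program element")
        baseline = snapshot(folder)
        with open(os.path.join(folder, "netbios.dll"), "wb") as fh:  # unexpected arrival
            fh.write(b"MZ unexpected")
        with open(os.path.join(folder, "kernel32.dll"), "wb") as fh:  # tampered existing file
            fh.write(b"MZ tampered")
        return diff_snapshots(baseline, snapshot(folder))

if __name__ == "__main__":
    new, changed, removed = demo()
    print("new:", new, "changed:", changed, "removed:", removed)
```

Point snapshot() at the real system folder, save the result (for example as JSON) while the machine is known-good, and run diff_snapshots() against a fresh snapshot after browsing; anything in "new" or "changed" that no installer you ran explains is what the quoted post calls a drive-by.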


