Re: Why did a visit to Google install netbios.dll in my windows system folder?
From: David (geercon_at_alltel.net)
Date: 4 Jul 2003 14:30:59 -0700
"Duane Arnold" <email@example.com> wrote in message news:<57hNa.34442$926.3405@sccrnsc03>...
> > Why did a visit to Google install netbios.dll in my windows system
> > folder?
> > When "enable DLL authentication" is on I find new .dll files being
> > installed on my computer from Verio and then from Google, like the one
> > above. Anyone know if this is harmless?
> It's called a Website drive-by, whereby you access a Website and that
> Website starts sending DLLs or other program elements like OCX, DRV, VXD in
> the traffic and installs them on your machine without your knowledge, and
> it's not a good thing!
> > I can't be spending all day here trying to determine which ones to allow
> > or not and which ones to delete or not.
> The only way you should allow something like this is when you're installing
> an application yourself and it's laying down program elements during the
> install process.
> My solution to this issue is below. It's not 100% bulletproof, but it's
> better than nothing at all. My analysis of the was about IDS, which is
> being cut short in this posting.
> Malware test using Gator telling Gator to install from the Website:
> IE Security:
> IE stopped the download and I told it OK
> BlackIce Application control stopped the download reporting that
> *iegator.dll* wanted to use *iexplorer.exe* and I told it OK. BTW, I did an
> entire search of <C> looking for *iegator.dll* and it was not there, which
> means it was coming from the Website in the HTTP traffic.
> BlackIce Communication control detected that *iexplorer.exe* wanted access
> to the Internet, but of course it was *iegator.dll* who wanted access and I
> told it OK.
> BlackIce Application Control stopped *gatorsetup.exe* from executing and I
> told it OK. BTW, I searched for *gatorsetup.exe* on <C> and it was not
> there, which means it was coming from the Website in the HTTP traffic.
> BlackIce Communication control reported that *gatorsetup.exe* wanted access
> to the Internet and I told it OK.
> Sygate Pro:
> Sygate Pro after BlackIce detected everything upfront, indicated that Gain
> Setup was trying to connect to *gs.gator.com* using remote port 80 HTTP.
> My analysis of this is that BlackIce IDS is doing a detailed analysis of
> layer 7 (application) protocols such as HTTP, Telnet, etc and is looking at
> what is coming in the network traffic from a Website and stopping it. And
> BlackIce is checking its Application and Communication control database in
> real time based on its analysis of traffic in layer 7.
> Sygate is not doing an analysis of layer 7 and not stopping anything from
> coming from a Website. Sygate only knew to stop the outbound communications
> of *gatorsetup.exe*. Once Sygate has given approval of iexplorer.exe to
> communicate to the Internet, it doesn't have the means to stop a *dll*
> executing from a site using iexplorer.exe on its behalf.
> Conclusion is that BlackIce has better features with its IDS than Sygate Pro
> in controlling program execution and communication to the Internet and is
> better at stopping malware on the machine. Not only is BlackIce looking at
> DLLs, it is looking at EXE, COM, SYS, DRV, OCX too, and BlackIce can be made
> to look at more sub-component program types. You see, an attack will not
> always come from a DLL or EXE trying to use IE, OE or Outlook (the host) to
> get out. Not only is BlackIce's IDS looking at what's executing and
> communicating at the machine level, but it is looking at the network traffic.
> I like Sygate so don't get me wrong.
> But as far as what you're concerned with I don't think about it.
> Duane :)
OK, but here are some concerns if you wouldn't mind addressing them.
1) I heard a while ago that BlackIce is no longer secure because of its
ultimate parent company or some company change, and now it actually
lets certain intrusions in?
2) What about Zone Alarm? I didn't get these messages with Zone Alarm.
Is that because Zone Alarm didn't allow the files in or didn't detect
3) Is there a free version of BID?
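Editor's note, added to this thread and not part of either poster's message: the original question ("which ones to allow or not and which ones to delete or not") is easier to answer with a list of what actually landed in the system folder than with per-event firewall prompts. The PowerShell script below is an added example, not code from BlackIce, Sygate or Zone Alarm; it lists every .dll written to the Windows system folder within a chosen number of days, checks each file's Authenticode signature and prints a SHA-256 hash that can be looked up against a known-good source. The `$Days` and `$Folder` parameters and the seven-day default are assumptions chosen for illustration.

```powershell
# Added example: triage DLLs recently written to the Windows system folder.
# Not from the thread above. Assumes PowerShell 4.0 or later (Get-FileHash)
# and an elevated prompt so that protected system files can be read.
param(
    [int]$Days = 7,                                            # assumed default window
    [string]$Folder = (Join-Path $env:SystemRoot 'System32')   # assumed target folder
)

$cutoff = (Get-Date).AddDays(-$Days)

Get-ChildItem -Path $Folder -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    # Keep only files modified inside the window; a DLL that appeared while
    # you were only browsing is the one worth a closer look.
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else {
            '(no embedded signature)'
        }
        [pscustomobject]@{
            Name      = $_.Name
            Written   = $_.LastWriteTime
            SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object Written -Descending |
    Format-Table -AutoSize
```

Two caveats when reading the output. A `Valid` status only tells you who signed the file, not that you wanted it; Gator's own components, for instance, can be validly signed by the vendor, so the signer name matters as much as the status. In the other direction, many Microsoft system files are signed through security catalogs rather than with an embedded signature, so on older Windows or PowerShell versions a legitimate file can show `NotSigned`; treat that as a prompt to compare the hash against a trusted copy rather than as proof of tampering.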