wbenton

wbenton - Firewall alerts

Question

For over a week now, my firewall has been giving off the following errors:

01/14/2012 11:07:20.848 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 68.232.45.119, 80, WAN - 172.16.31.4, 1040, WLAN -
01/14/2012 11:07:57.640 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1196, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:11:43.112 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1088, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:11:51.448 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1091, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:12:01.304 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1094, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:12:15.240 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1096, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:12:32.784 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1098, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:13:24.656 - Alert - Intrusion Prevention - Possible port scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 28799, WAN - TCP scanned port list, 28804, 28811, 28807, 28681, 28794
01/14/2012 11:15:42.384 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1028, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:16:00.864 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1030, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:18:24.384 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1095, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:19:15.320 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1097, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:19:34.720 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1099, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:20:05.064 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1101, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:21:27.880 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1105, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:21:33.880 - Alert - Intrusion Prevention - Possible port scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 29064, WAN - TCP scanned port list, 29083, 29088, 29075, 28839, 28843
01/14/2012 11:24:46.208 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1028, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:25:01.896 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1030, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:25:15.576 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1033, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:25:35.192 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1035, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:25:52.448 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1037, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:26:05.864 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1039, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:26:15.608 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1041, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:26:35.176 - Alert - Intrusion Prevention - Possible port scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 29139, WAN - TCP scanned port list, 29148, 29144, 29188, 29135, 29192
01/14/2012 11:27:08.880 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1046, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:28:24.624 - Alert - Intrusion Prevention - Possible port scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 29144, WAN - TCP scanned port list, 29192, 29195, 29209, 29135, 29139
01/14/2012 11:32:55.624 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1028, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:33:08.128 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1030, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:38:32.384 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1189, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:55:37.880 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1381, WLAN - 68.232.45.119, 80, WAN -

Notice the repetitive "Suspicious#RLPack (Worm) blocked" activity as well as the numerous port scans discovered in between.

Also note that this happens while trying to download the AdAware latest signature file updates.

Shortly after the firewall gives off this message, the AdAware update abruptly terminates with no error whatsoever.

172.16.31.4 is the address of the PC and the xxx.xxx.xxx.xxx is the edited out global IP address of my firewall!

Something's fishy.

Are you sure your sig files are not corrupt with a worm?

And why does your update go to 68.232.45.119? I cannot currently find anything about this IP.

FWIW
4 answers to this question

Hi wbenton,

68.232.45.119 belongs to EdgeCast Networks according to http://www.dnsstuff.com/tools/whois/?tool_id=66&token=&toolhandler_redirect=0&ip=68.232.45.119 and other companies use EdgeCast Networks for delivering files, see http://en.wikipedia.org/wiki/EdgeCast_Networks . I have not confirmed it with Lavasoft but I guess that Lavasoft has started to use them for hosting update servers or something similar.

RLPack is a packing program/method used by both good programs and malicious programs, see http://answers.microsoft.com/en-us/protect/forum/protect_scanning/packedrlpack-removal/eeb31769-15bd-416f-b8a7-d4132bdb7270?msgId=d8a194c0-63bd-4564-9633-03d18ea5c338 and http://www.woodmann.com/collaborative/tools/index.php/RLPack . Of course, signature files don't contain any worms. It is a false alarm of your firewall.

When the update program notices that its communication is stopped, it tries with other ports and therefore the firewall believes it is a port scan that takes place.

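To show how a responder could check CeciliaB's reading against the log excerpt in the question, here is an added Python example; it is not code from this thread, from Lavasoft, or from the firewall vendor. It parses alert lines in the layout shown above, groups the blocked flows by remote endpoint, and checks whether the "port scan" alerts originate from that same endpoint's port 80 toward high-numbered ports on the firewall's public address, which is what retried HTTP connections look like from the outside. The line format, the function names (parse_line, endpoints, triage, assessment) and the "WAN zone means outside host" rule are assumptions inferred from the excerpt; the sample lines are copied from the question, rejoined into one line each.

```python
import json
import re
from collections import Counter

# Sample input: a handful of alert lines copied from the question above, with the
# forum's line wrapping undone so each alert is one line. Not a complete log.
SAMPLE_LOG = """\
01/14/2012 11:07:20.848 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 68.232.45.119, 80, WAN - 172.16.31.4, 1040, WLAN -
01/14/2012 11:07:57.640 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1196, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:11:43.112 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1088, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:11:51.448 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1091, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:13:24.656 - Alert - Intrusion Prevention - Possible port scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 28799, WAN - TCP scanned port list, 28804, 28811, 28807, 28681, 28794
01/14/2012 11:15:42.384 - Alert - Security Services - Gateway Anti-Virus Alert: Suspicious#RLPack (Worm) blocked - 172.16.31.4, 1028, WLAN - 68.232.45.119, 80, WAN -
01/14/2012 11:21:33.880 - Alert - Intrusion Prevention - Possible port scan detected - 68.232.45.119, 80, WAN - xxx.xxx.xxx.xxx, 29064, WAN - TCP scanned port list, 29083, 29088, 29075, 28839, 28843
"""

# Field layout assumed from the excerpt: timestamp - level - category - message -
# ip, port, zone - ip, port, zone - [optional trailer such as the scanned port list]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<level>\w+) - "
    r"(?P<category>[^-]+?) - (?P<msg>.+?) - "
    r"(?P<a_ip>[\w.]+), (?P<a_port>\d+), (?P<a_zone>\w+) - "
    r"(?P<b_ip>[\w.]+), (?P<b_port>\d+), (?P<b_zone>\w+) -(?P<extra>.*)$"
)


def parse_line(line):
    """Split one alert line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["a_port"] = int(ev["a_port"])
    ev["b_port"] = int(ev["b_port"])
    # The trailer of a port-scan alert lists the ports the IPS thinks were probed.
    ev["scanned_ports"] = [int(p) for p in re.findall(r"\d+", ev["extra"])]
    return ev


def endpoints(ev):
    """Return ((remote_ip, remote_port), (local_ip, local_port)) using the WAN zone
    to decide which side is the outside host; local is None when both sides are WAN."""
    a = (ev["a_ip"], ev["a_port"], ev["a_zone"])
    b = (ev["b_ip"], ev["b_port"], ev["b_zone"])
    if a[2] == "WAN" and b[2] != "WAN":
        return a[:2], b[:2]
    if b[2] == "WAN" and a[2] != "WAN":
        return b[:2], a[:2]
    return a[:2], None


def triage(log_text):
    """Summarise blocked flows and scan alerts so the two can be correlated."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    blocked = [ev for ev in events if "blocked" in ev["msg"]]
    scans = [ev for ev in events if "port scan" in ev["msg"]]

    remote = Counter()      # remote ip:port -> number of blocked flows
    local_ports = set()     # client-side ephemeral ports seen in blocked flows
    for ev in blocked:
        r, l = endpoints(ev)
        remote[f"{r[0]}:{r[1]}"] += 1
        if l:
            local_ports.add(l[1])

    # For scan alerts the first address pair is the alleged scanner.
    scan_sources = {f"{ev['a_ip']}:{ev['a_port']}" for ev in scans}
    scanned = [p for ev in scans for p in ev["scanned_ports"]]

    return {
        "blocked": len(blocked),
        "scan_alerts": len(scans),
        "remote_endpoints": dict(remote),
        "local_ports": sorted(local_ports),
        "scan_sources": sorted(scan_sources),
        "scan_source_seen_in_blocks": scan_sources <= set(remote),
        "scanned_ports_all_ephemeral": all(p > 1023 for p in scanned),
    }


def assessment(summary):
    """Turn the summary into the observations a responder would note before escalating."""
    notes = []
    eps = summary["remote_endpoints"]
    if len(eps) == 1 and all(ep.endswith(":80") for ep in eps):
        notes.append("every blocked flow involves one remote host on TCP/80, i.e. a plain HTTP download")
    if summary["scan_source_seen_in_blocks"] and summary["scanned_ports_all_ephemeral"]:
        notes.append("the 'scan' comes from that same host's port 80 toward high ports on the "
                     "firewall's WAN address, consistent with replies to retried client connections")
    return notes


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(json.dumps(result, indent=2))
    for note in assessment(result):
        print("-", note)
```

Run against a fuller export, the same summary makes the opposite case visible too: several distinct remote endpoints, or scanned ports below 1024, would not fit the "retried update download" picture and would justify escalating rather than tuning the signature.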
(quoting CeciliaB's answer above)

In other words, the packaged file turns up as a false positive, but it seems to be turning up as a false positive on numerous systems, not only my firewall.

Thus my recommendation is to re-package it again such that its packed contents turn up as other than a false positive.

It may or may not be a false positive, I don't know for sure, but several systems are turning it up as false positive.

Thus re-packaging it so that it doesn't turn up as a false positive seems to be the quickest way rather than wait for all the other security systems to modify their sigs!

(quoting wbenton's reply above)

I will inform my contact person at Lavasoft tomorrow, when he is back in the office.

I will also separate your posts and my answers to them to a separate topic since it's another issue than the general update problem during the beginning of January.

Above posts have been moved from the topic: http://www.lavasoftsupport.com/index.php?/topic/32053-web-update-fails-and-extremely-slow-downloading/page__view__findpost__p__132186
