  1. #1
    3 Star Lounger djmoore
    Join Date
    Feb 2001
    Location
    New Jersey, USA
    Posts
    371
    Thanks
    21
    Thanked 1 Time in 1 Post

    Paranoid about Nyxem? Maybe...

    OK, so I might be overreacting. But better safe than sorry, as my mother always used to say.
    I recently started using Kerio Firewall - and thanks to everyone for all the feedback and suggestions I received in my thread on that - but I'm not sure if I have an actual problem or not. Some of it might lie in the fact that I have 4 users on my PC (XP Pro, SP2) and I'm not always prompted when I install software as to which users will have access to it. I would assume that firewall software would include all users by default - but one never knows.
    Anyway, recently (not sure exactly what day it started) my kids have been getting a Kerio popup whenever they open up IE. I've attached a screenshot.
    It may very well be that Kerio is starting at the extreme end of blocking everything until it is listed as an exception, but shouldn't it be that way for every user? I can use IE and my wife can, but neither kid can. And I'm pretty sure it's been ever since I installed Kerio. Nobody can say for certain when it began, though.
    And I also don't follow how the intrusion is described as a "Code Injection" if the source is Internet Explorer. An injection is something that is inserted INTO the body - or the PC - and IE is already in the PC. It's very confusing to me.
    And of course since the kids brought this to my attention right around the same time this supposed dread virus is due to be unleashed - I just wondered and decided to exercise maybe a little more caution than usual. Having just read the PC Magazine article about PC Security and all didn't help either.

    So - do any Kerio users think this is anything to be concerned about?

    Thanks -
    Have a cookie -

    Don

  2. #2
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Paranoid about Nyxem? Maybe...

    A screenshot of the full Details screen would be helpful here. Just the term Code injection isn't enough to go on.

    Edited by Doc to add... Take a look at this site for an explanation of Code Injection. It gets pretty deep if you don't understand coding and how it works. You might try to change the page that they initially log on to, assuming that they usually go to the same page first, and see if it's coming from that particular web page.

  3. #3
    Silver Lounger
    Join Date
    Oct 2002
    Posts
    1,993
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Paranoid about Nyxem? Maybe...

    I'm no Kerio user, sorry.

    The screenshot shows Windows Explorer in C:\Windows, not IE (iexplore.exe) in C:\Program Files\Internet Explorer.

    The Kerio firewall seems to have a lot of tweaking possibilities, also in the Personal ver.: buffer overflow blocking and this Code Injection intrusion blocking. As with every firewall, there are more or less rules, exceptions, to make. I saw a short notice in some manual that this behaviour could also be used by legitimate applications, and thus it is sometimes necessary to create exceptions in the Configuration Dialog.

    Is this something you have looked at? Have you looked at their forum?

    I do understand that the odd thing here is the difference in behaviour depending on logged on user. As you say some programs do not install for every user, some programs may ask. But I would find it really odd if a firewall program did not run for every user, and run in the same way. Now I do not know if there is some very limited user account that can be set up in the PRO version but doubt that.

    Any more information you would like to share?

    P.S. Thanks for the cookie!

  4. #4
    Uranium Lounger

    Re: Paranoid about Nyxem? Maybe...

    Argus stated: "the odd thing here is the difference in behaviour depending on logged on user."

    From this site, scrolling down to the section "A Little Clarity" you will find the following....
    [i]"This code

  5. #5
    3 Star Lounger djmoore

    Re: Paranoid about Nyxem? Maybe...

    Here is the text from the Details section:

    Technical details about the intrusion attempt:

    Injector application: C:\WINDOWS\Explorer.EXE
    Description: Windows Explorer
    File version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    Product name: Microsoft
    Have a cookie -

    Don

  6. #6
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,572
    Thanks
    5
    Thanked 1,057 Times in 926 Posts

    Re: Paranoid about Nyxem? Maybe...

    Are your kids' accounts restricted accounts while you & your wife's are admin accounts?

    Joe

  7. #7
    3 Star Lounger djmoore

    Re: Paranoid about Nyxem? Maybe...

    Not this time around. I got sick and tired of them needing to run something that required an account with admin privileges while I was at work. They're 12 and 14, and I figured I had sufficient protection on the AV and Firewall side. And I'm careful about what activity I allow on the PC, as a parent of teenagers. If you know what I mean. He says slyly, as if they would ever read what I'm writing in this forum. (Man, am I paranoid or what?)
    Have a cookie -

    Don

  8. #8
    Uranium Lounger

    Re: Paranoid about Nyxem? Maybe...

    Thanks for that Information. It does help to clear up the situation. The only other information I can think of that might be pertinent is the version of Kerio you are running. I assume it's the latest.

    If the system is only a month or so old, I assume, based on your level of paranoia, that you were running a firewall and AV program before you installed Kerio. Are you certain that the other firewall has been disabled? If not, check it and shut it down if it is running. Then test the kid's account connectability. If it's still not able to connect, I'm going to ask you to disable Kerio. Be certain that your AV and any spyware/malware programs are up to date and running before you do, and then try to connect on one of the kid's accounts. If you are able, then we can be fairly certain that the problem is a setting in Kerio. My reasoning on this is that you were able to connect before Kerio was installed, and the injector application Kerio is identifying is Windows Explorer's .exe file, which is attempting to inject its code into another .exe file and not run any .dll file that could execute malicious code. If you feel comfortable with my logic on this and are covered by AV and anti-malware programs, shut down Kerio and have a go at it. If you can connect, we'll have to find that setting or permission in Kerio.

    Added by Doc after research & before posting.... Check this cached Google page from July 2005 for some screenshots and discussion about Kerio & problems with Explorer.exe errors. The screenshots may help you to find a setting to change. Since I don't use Kerio, I can't check this out myself.

  9. #9
    Silver Lounger

    Re: Paranoid about Nyxem? Maybe...

    Of course your alert should show explorer, not IE, the target; stupid of me. But I was writing that reply early morning the 4th, then my PC went down, and I had to come back later.

    As you say, one should always think once or twice before making exceptions for an application with any firewall. In this case if the accounts have the same privileges, settings are the same ... I don't know. Some firewalls have a "learning period". Are the settings in the firewall and elsewhere completely similar for every account?

    I do not say that you should make an exception in the exception dialog, especially as it seems odd if it is working for your account, but when reading their manual it seems that exceptions are sometimes inevitable?:
    The Code injection technology is used by various legitimate applications

  10. #10
    Uranium Lounger

    Re: Paranoid about Nyxem? Maybe...

    I don't know if this is significant or not, but my 13 year old son just trashed something in the firewall settings for his Norton Internet Security Suite and I had to put it back in training mode. When I attempted to access the internet via the Quicklaunch icon that leads to his personal preference of homepage, Norton warned that explorer.exe was attempting to access the internet. I gave permission always and was next warned that iexplore.exe was trying to access the internet. This was followed by a series of warnings for a number of other programs and processes I recognized and gave permission to. My point being that this sounds a lot like the sequence you are experiencing and would guess that you should be safe giving this the OK.

  11. #11
    Silver Lounger

    Re: Paranoid about Nyxem? Maybe...

    First, I must say that again I'm no Kerio user so maybe I should stay out of the way. Just thought there were so few replies earlier. I have earlier, found some mentioning about Kerio on one web site, also mentioning ZoneAlarm et al, and I have not read through everything so I can tell if this good so to say. It talks mainly about all sorts of problems with different programs.

    Anyhow, it mentions two (3?) kinds of modes to run Kerio in; if run in "advanced" mode there is, according to a review in PC Magazine, an unusually large number of confirmation popups initially.

    http://www.computergripes.com/keriofirewall.html

    http://www.pcmag.com/article2/0,1895,1866531,00.asp

    We do not know for how long you have had it installed, or "trained" running on different accounts. As I said earlier, there are a lot of tweaking possibilities, so it seems, and with a lot of settings comes (maybe) a lot of exceptions?

    Doc, I did find that one too earlier, but there was talk about media files crashing explorer.exe etc, I don't know ... but otherwise about how to give permission (exception). Maybe that's it. They sure could need a good manual; that is one big firewall, not letting you view anything but a blank page.
