Full Version: KAV Anti-Hacker blocking server
Kaspersky Lab Forum > English User Forum > Protection for Small and Medium Businesses
AOsborn
I have KAV 6 at a few clients' offices, about 500 PCs total. The versions vary between 6.0.2.678 and 6.0.3.837. Admin Kit is 6.0.1572.

Very few of the computers have a problem (10 total maybe); some locations have more than others (1 client has 5-7 who get it). Other locations may just reboot and not tell me, which fixes it.

The problem is every week or 2 a computer will lose its mapped drives, internet connection, printers, etc. A reboot always fixes it. I finally found out that the reason was I couldn't ping a server, only from the computer with the issue; all other devices are pingable. At the largest client who has this issue the IP that gets blocked is the DNS server, which stops their internet connection, printers, shared files, etc. A backup DNS server has fixed that, but still the server is unpingable and I can't access files/printers from it when the problem arises.

I didn't think it was KAV right away until I started a constant ping to the server (ping -t 192.168.1.x) and every ping said "Request Timed Out". I then exited KAV and it started pinging fine instantly.

I had no idea what was going on until I checked the Events on the problem computer in the Admin Kit and noticed this error every time the problem arises:
Intrusion.Win.LSASS.exploit! Attacker's IP address: 192.168.0.12. Protocol/service: TCP on local port 139. Time: 12/12/2007 9:59:12 AM

It seems KAV thinks the server has LSASS and is attempting to infect this computer, so the Anti-Hacker shuts down the TCP connection to the server, thus blocking file access. This server is only a file server, not the admin server or anything else. It also has KAV for servers installed (Windows 2003) and has no viruses on it.
That error is the same at all my clients with this issue. Also, the same server at each client is what's getting blocked, although they provide different functions (some are just file servers, some are the admin server, some are SBS servers).

Any clues on how to fix this without disabling anti-hacker, or is it a known bug?

Thanks!
AOsborn
QUOTE(AOsborn @ 7.01.2008 10:25) *

qtester
As a workaround you can disable the setting 'block the attacking computer for' in 'Settings: Intrusion Detection System'; any attack will still be blocked, but the attacker's IP address will not be blocked.

When any computer constantly generates 'network attack detection' events, you must create KL1 logs and send them to tech support.
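An added example, not code from the thread or from Kaspersky: a small Python triage script for the Admin Kit event text AOsborn quoted and for the "constantly generating events" case qtester describes. It assumes the event line's general shape matches the one sample on the page; the server inventory and the extra log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed general shape of the Admin Kit intrusion event quoted in the thread
# (the page shows only one such line; it is reused as SAMPLE_EVENTS[0]).
EVENT_RE = re.compile(
    r"(?P<sig>[\w.]+)!\s+Attacker's IP address:\s+(?P<ip>[\d.]+)\."
    r"\s+Protocol/service:\s+(?P<proto>\w+) on local port (?P<port>\d+)\."
    r"\s+Time:\s+(?P<time>.+)$"
)
SMB_PORTS = (139, 445)  # NetBIOS/SMB: the ports a file server is contacted on
# Constructed sample log: three events naming the same server, one naming an
# unknown host, and one unrelated line the parser must skip.
SAMPLE_EVENTS = [
    "Intrusion.Win.LSASS.exploit! Attacker's IP address: 192.168.0.12. "
    "Protocol/service: TCP on local port 139. Time: 12/12/2007 9:59:12 AM",
    "Intrusion.Win.LSASS.exploit! Attacker's IP address: 192.168.0.12. "
    "Protocol/service: TCP on local port 139. Time: 12/19/2007 10:02:41 AM",
    "Intrusion.Win.LSASS.exploit! Attacker's IP address: 192.168.0.12. "
    "Protocol/service: TCP on local port 445. Time: 12/27/2007 8:15:03 AM",
    "Intrusion.Win.LSASS.exploit! Attacker's IP address: 10.0.0.77. "
    "Protocol/service: TCP on local port 445. Time: 1/3/2008 2:10:00 PM",
    "Update task completed successfully. Time: 1/3/2008 3:00:00 PM",
]
# Constructed inventory: hosts whose blocking takes mapped drives/DNS down.
TRUSTED_SERVERS = {"192.168.0.12": "file server + primary DNS"}
def parse_event(line):
    """Parse one event line into a dict; return None for non-intrusion lines."""
    m = EVENT_RE.search(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["time"] = datetime.strptime(ev["time"].strip(), "%m/%d/%Y %I:%M:%S %p")
    return ev

def triage(lines, trusted=TRUSTED_SERVERS, repeat_threshold=3):
    """Label 'suspected_false_positive' when the flagged 'attacker' is a known server
    reached over SMB, else 'investigate'; also return IPs seen >= repeat_threshold times."""
    verdicts, per_ip = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        per_ip[ev["ip"]] += 1
        role = trusted.get(ev["ip"])
        label = "suspected_false_positive" if role and ev["port"] in SMB_PORTS else "investigate"
        verdicts.append((ev["time"], ev["ip"], ev["port"], role, label))
    repeaters = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return verdicts, repeaters
```

The `repeaters` list is the set of hosts to collect KL1 logs for; a `suspected_false_positive` verdict against a server in the inventory is the signal to check before loosening the 'block the attacking computer for' setting site-wide.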