Problem with OP2.5 & Ad-Aware SE Pro

Published by: cfz 2009-01-09

I have a problem with OP2.5 & Ad-Aware SE Pro latest build1.05
When I run a scan Outpost component control blocks all my outgoing connections, due to ad-aware.exe
I have set to trust ad-aware in outpost.
:(
Any help?

OS Name Microsoft(R) Windows(R) Server 2003, Enterprise Edition Version 5.2.3790 Build 3790
Outpost Firewall Pro ver. 2.5.370.4626 (370) Component control level: normal & Open Process Control: On
Ad-Aware SE Professional, build 1.05. Definitions file SE1R22 13.12.2004 Note! - Problem only occurs when I "Scan all" using Ad-Aware's integrated Process-Watch console & NOT during normal system scan.
:evil:Well, guess what. If I do that, CC gets me too. Make that 4. Since I rarely use Process-Watch I won't let it bother me much but I'll fool with it for a while.

Just so you can see, here's my Alerts Tracker log when I did. It knocked me off my browser and I had to find this thread again:
12:44:16 AM Process network access blocked AD-AWARE.EXE modified memory of AVGCC.EXE
12:44:13 AM Process network access blocked AD-AWARE.EXE modified memory of WINWORD.EXE
12:44:09 AM Process network access blocked AD-AWARE.EXE modified memory of EXPLORER.EXE
12:44:09 AM Process network access blocked AD-AWARE.EXE modified memory of OUTPOST.EXE
12:44:05 AM Process network access blocked AD-AWARE.EXE modified memory of OUTLOOK.EXE
12:44:04 AM Process network access blocked AD-AWARE.EXE modified memory of PDEXPLO.EXE
12:44:04 AM Process network access blocked AD-AWARE.EXE modified memory of MAXTHON.EXE

Edit: Just to make sure I blocked my self twice.

Thinking about this a little more. It's likely that this is expected behavior and everything is normal. I'm not 100% sure what Process Watch exactly does but the help file says:
Scan all: This will scan the executable files for all processes. Using this function deactivates the filtering. If any suspected processes are found, they will be listed in red
It's very likely that Ad-Aware is modifying the memory and hence OP component control kicks in. So, I'm going to say for now that such behavior is most likely normal. That's my story and I'm sticking to it until I figure out otherwise. :D

This is a Lavasoft question and I made it at their forum: http://www.lavasoftsupport.com/index.php?showtopic=54612

Probably but you know computers. It works right on 999 identical computers and messes up on 1.
Well I can see at least three people in this thread with the same problem & not one.
Also see attached pictures:
http://www.tibsworld.co.uk/images/adaware1.JPG
click on Process Watch
http://www.tibsworld.co.uk/images/adaware2.JPG
now click on scan all and see what happens.

Ok maybe 1 in 1000 wasn't a good analogy. Should have been 3 in 31,000 :D:D:D
Did you add that excellent suggestion in the online support form that Manny mentioned?
Regards,
Chris

Hi all,
Yes it's got nothing to do with the rules for Ad-aware se. I completely removed Ad-awre SE professional from my PC & re-installed it, now under normal scan everything is OK, but as soon as I click on the process-watch button and do a scan all Outpost will block all the programs connected to the Internet one by one. In the log under alerts tracker I would find the whole list where it states that AD-Aware.exe modified the memory of such&such.exe so the process of network access was blocked for that exe. This happens for my spam blocker program too when it tries to bounce a message, OP process control will block it.

Verilog Laboratory Exercises::
File Format: PDF/Adobe Acrobat - View as HTMLLet’s begin this section by considering a simple problem of how to design an .. Op2=5. • sub=0. • mode=1. and setup a “$monitor” command to track the
http://ftp.csci.csusb.edu/schubert/csci610/CSCI_598_Labs_Main.pdfHOME

Mailing list archives::
Call Op1() 4) Call Op2() 5) Everything works well Is Axis2 client doing anything with the SSL session? I don't think this is a problem with HTTPClient,
http://mail-archives.apache.org/mod_mbox/ws-axis-user/200708.mbox/<4D5B2B10F692A84187E5912DF9257097036BC3FC@G3W0066.americas.hpqcorp.net>HOME

This problem was never there with ver 2.1. I guess it's got something to do with the new hidden process control of OP 2.5
:confused:

I find it disturbing that some people do not see this problem and I should like to have a little survey.
If anyone is interested in doing so post here your OS, OP version, whether or not you have the issue with Ad - Aware, Ad - Aware version and whether you have Open Process Control On or Off (Options > Application > Components > Open Process Control)

XP SP2 / OP2.5.370 / Yes / SE 1.05 / OPC On

I would like to see Open Process Control have a user controlled white list so I could allow legitiimate processes as exceptions.Quite right. I agree with you generally and I've also made that specific trusted list suggestion. It would carry more weight if you made it here: 1

Hey Xion -- I'm still looking into this with my copy of Ad-Aware SE. Let me know if you find anything out, I'll do the same.

Win98 SE, Ad-aware 1.05 SE Plus, no issues.

Windows Xp Pro{SP2} Outpost Pro V2.5/370
Ad-aware Pro SE{SE1R22 13.12.2004 definitions}
Not A Single Issue Or Problem

Well I just went to Agnitums suggestion form as Manny suggested and asked for exception handling in OPC. Let's hope it happens! It's a nice feature, but no good if you have to turn it off to let other apps work!

That doesn't happen to my version of Ad-Aware. It's not normal. My suggestion is the same, delete your rules and start over. You will then rebuild the component list.

If you already tried that and CC continues with Open Process Control popups it means that Ad-Aware was modified by another process. Most likely this is due to malware altering Ad-Aware's code, known as code injection or copycat vulnerability, while running in memory. A new FAQ on Component Control in Outpost 2.5 (http://outpostfirewall.com/forum/showthread.php?t=12233) goes into further detail on this.

An Overview of C++ Function and Class Templates Steve Jacobson ::
5); (gdb) s int Multiply<int> (op1=3, op2=5) at temp-ex1.cpp:10 10 return op1 * op2; (gdb) l 7 template <class Type> 8 Type Multiply (Type op1,
http://www-cs-students.stanford.edu/~sjac/c-to-cpp-info/cpp-templatesHOME

Untitled::
File Format: PDF/Adobe Acrobat - View as HTMLM42A2 MASKS OP1 OP2-5. 25 25. FACEPIECE ASSY OP1 OP2-5. 2000 1000. PROPOSAL REVISIONS ARE REQUIRED TO BE SUBMITTED NLT NOON, 20 JUL 01.
http://aais.ria.army.mil/AAIS/award_web_01/DAAE2001D00850000/DAAE2001R0010/0003.pdfHOME

Suspect malware and take a structured approach in cleaning your system.

It's possible to make Ad-Aware SE run with no problems with OP2.5. Mine does.

Please delete all your rules for Ad-Aware. Then while running in the wizard mode, run Ad-Aware and answer the prompts. That should take care of it. I currently have six different update sites listed in my rules for Ad-Aware. Generically they look like: TCP > Outbound > Remote Host > Remote Port HTTP > Allow.

As a general rule, for better security, please don't set anything up as trusted. Almost all applications should be able to follow rules. Your problem may be due to a blocked Component of Ad-Aware. Removing the rules will let you start again.

I've had this same problem and have taken to disconnecting from the net and shutting down OP before running Ad-Aware scans.
Ad-Aware has definately not been tampered with and it seems that OP is throwing up a false-positive because of the way ad-aware scans memory.
It is strange though how some people do not see this issue. I've played with lots of ad-aware settings in order to correct this and nothing seems to affect the issue.
By bumping this thread I hope it catches the eye of someone who feels qualified to make sensible comment. (I'm not in any way saying that the previous posts were not sensible!)

I do not have Process Watch and get the above results when doing any Ad-aware scan. Thus it is incorrect to assume that Ad-awares process watch is the cause.

Probably but you know computers. It works right on 999 identical computers and messes up on 1.

Tentatively I say: Could we be seeing a trend here? Anyone else?

I use XP SP2 and the new version of Outpost -- as well as the new version of Ad-Aware with no problems at all. I also have component control set at maximum and have not even seen anything close to what you who problems describe. Just my 2 cents.

OK thank you very much. I actually had already tried the method of removing the rules and starting over. The only prompts it gives me is for connecting to the lavasoft server to update the definitions. After that it goes on its own with the process control alerts. I also tried rebuilding the shared components list manually by going to the appropriate place through the Outpost GUI and that didn't change anything either.

I'm currently having an issue with this new version of Outpost and explorer.exe. (I was a die-hard 2.1 user and had to go on hiatus due to BSOD's) I don't know if that should be addressed here b/c it might be an unrelated topic but after a bit more searching to see if it's already addressed I'm going to start a topic on it if I don't find anything. Long story short, I'm one of the few who needs/wants UPnP to work - and as such have allowed the rules to do so. Explorer.exe needs access to the router only at boot-up for the solid connection to be made that allows port-forwarding, etc. For some reason, Outpost 2.5 blocks this, and where it shows up in the blocked section of the log, it cites explorer.exe rule #1 as the reason for blocking, when the funny thing is that rule #1 is speficially allowing explorer.exe access through port 1900 to the 239.255.255.250 internal IP that its blocking. driving me crazy right now.

Anyway, thanks for your help -- this should fuel the fire of any paranoidiacs out there, b/c I'm one too and consider myself decently strict with all the security programs I have (more than 1/2 of my desktop icons -- all solid reputable programs) and I only allow a few exceptions to this strictness, one of them being that I choose to use UPnP itself. However despite the strictness, apparently there is a decent chance my ad-aware itself is eff'd with, which I didn't even think was a possible problem. Deep scans ahead. Thanks again.

It does have something to do with OP 2.5. It's detecting something that 2.1 didn't. I also have Ad-Aware SE PRO 1.05. I can assure that nothing like this happens on my PC. I can scan all day long and there are no complaints from OP. If AD-AWARE.EXE is modifying memory then something is wrong.

This problem could be due to the realtime scanner included in AdAware SE Pro. If it attempts to gain write access on any processes involved in network access then Outpost will block them. See the Known Issues section of Outpost 2.5 - what to expect (http://www.outpostfirewall.com/forum/showthread.php?t=11836) for more details and some workarounds.I use the Ad-Watch scanner on my XP Pro SP2 machine without problems. Ad-Watch mainly monitors registry entries but does not write to the registry.

Malware is afoot here.

Hi...thanks for answering that question, but the solution doesn't work. Perhaps because I'm not sure you understood the question.

I am having the same problem. The issue is not with creating rules for updating the Ad-Aware SE definitions...that part is easy enough. But the problem is with the process memory control of Outpost.

Upon running Ad-Aware SE, the process memory control of Outpost goes crazy blocking everything including outpost.exe from network access filling the "alerts tracker" with "process network access blocked" warnings, that all begin with the following:

"AD-AWARE.EXE modified memory of "

After running ad-aware for two seconds, literally, here are the variables in my logs (in reverse order of being blocked):

explorer.exe
alg.exe
svchost.exe
outpost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe

Nobody else with this problem? Perhaps our copies of Ad-Aware are spyjacked? Thanks in advance for any helpful replies.

I think we'll probably see more and more of this type of conflict as "firewalls" add new features, along with other security related apps doing the same. Viruscan Enterprise 8.0i adds buffer overflow protection to key Windows components and also has firewalling and file/folder protection features built in and simply does things that it never did before as it's features and protection advance.

There's going to be conflicts as these programs start to overlap each other or use techniques normally used by hostile apps. It becomes difficult for security apps to know when a normally harmful approach is legit or not by another security related application.

I would like to see Open Process Control have a user controlled white list so I could allow legitiimate processes as exceptions.

When I downloaded the newer version 1.06 I got this same thing. As soon as I tried to scan. Outpost and Process Guard noticed the odd behaviour. I quickly uninstalled and got a fresh version from a different location and the problem disappeared. Infected copy or just corrupted?

I use Ad-Aware SE Plus 1.05 (Plus, not Pro) and do not have any problems with it, but I also have Open Process Control turned off. Open Process Control doesn't like what VirusScan Enterprise 8.0i does upon boot and shuts off access to my LAN/Net connection.

.... and whether you have Open Process Control On or Off (Options > Application > Components > Open Process Control)......

I do not have Process Watch and get the above results when doing any Ad-aware scan. Thus it is incorrect to assume that Ad-awares process watch is the cause.
Jah, I had that problem first, but then I completely uninstalled Ad-aware & any ad-dons, cleared the registry & OP's settings from ad-aware. Restarted the system & re-installed Ad-aware, so now the problem only occurs during process scan. I can live with that as I too, rarely use that scan.

Did you add that excellent suggestion in the online support form that Manny mentioned?
Regards,
Chris
Yes I did it yesterday, awaiting reply from OP.