grahamperrin

2.0.15.2 On XP: Immunet Protect Tray Client Crashed Following An Apparently Successful Rootkit Scan Whilst Tetra\profos.sys Was Quarantined


Understanding that use alongside Sophos is currently unsupported, but for the record:

1. upgraded 2.0.15.2 using my Extended Plus key
2. performed a rootkit scan
3. during the scan, Sophos Anti-Virus 9.05 (detection identities 302, HIPS rules 3.2.0, HIPS configuration 1.0.4) quarantined tetra\profos.sys
4. rootkit scan apparently completed without error, finding no threat
5. I closed Immunet Protect, probably by clicking x
6. some time (not too long) afterwards, before I dealt with what Sophos had quarantined, a crash occurred.

Screen shot at http://www.wuala.com/%23%23ClamAV/002?mode=gallery

Sorry, I didn't think to save a copy of the details from

C:\Documents and Settings\gjp22\Local Settings\Temp\

before sending … but I get this from MMC:

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date:		01/09/2010
Time:		16:48:13
User:		N/A
Computer:	2008-06-11
Description:
Faulting application iptray.exe, version 2.0.15.12, faulting module iptray.exe, version 2.0.15.12, fault address 0x0004e82b.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 69 70 74   ure  ipt
0018: 72 61 79 2e 65 78 65 20   ray.exe 
0020: 32 2e 30 2e 31 35 2e 31   2.0.15.1
0028: 32 20 69 6e 20 69 70 74   2 in ipt
0030: 72 61 79 2e 65 78 65 20   ray.exe 
0038: 32 2e 30 2e 31 35 2e 31   2.0.15.1
0040: 32 20 61 74 20 6f 66 66   2 at off
0048: 73 65 74 20 30 30 30 34   set 0004
0050: 65 38 32 62 0d 0a         e82b..  

Edited by Graham Perrin


Generally, what's the etiquette for asking a vendor/developer (in this case, probably SophosLabs) to trust an executable file (in this case profos.sys)?

Well, I guess that answers our question about Sophos and IMP Plus being compatible! I will mail the guys over at Sophos. Thanks Graham.


Thanks Al

 

our question about Sophos and IMP Plus being compatible

 

Incidentally, I don't see this as an incompatibility; the preference to actively quarantine is a stray from the Sophos default. AFAICT it's more normal for HIPS in SAV to simply alert.
