From: Steinar Aanesland
To: rsgb_lf_group@blacksheep.org
Date: Tue, 24 Jan 2012 21:09:14 +0100
Subject: RE: LF: A bit off topic
Message-id: <004b01ccdad4$0b38b750$21aa25f0$@broadpark.no>
In-reply-to: <006301ccda2c$b174cda0$145e68e0$@broadpark.no>
References: <4F08AF8F.6080108@broadpark.no> <4F1C2EDA.6695.B772FA7@mike.dennison.ntlworld.com> <006301ccda2c$b174cda0$145e68e0$@broadpark.no>

Mike

By the way, this "calling home" mechanism seems to be incorporated in the latest ROS version too. Same remote address 88.14.57.81, same remote port 8001 and same remote host antiarrl.dyndns.org.

My advice is to install a firewall that checks outgoing traffic, such as ZoneAlarm (http://www.zonealarm.com/), when playing with this kind of software.

LA5VNA S

-----Original Message-----
From: owner-rsgb_lf_group@blacksheep.org [mailto:owner-rsgb_lf_group@blacksheep.org] On Behalf Of Steinar Aanesland
Sent: 24 January 2012 01:11
To: rsgb_lf_group@blacksheep.org
Subject: RE: LF: A bit off topic

Hi Mike

Thanks for your reply. I know the mechanism that allows Symantec to stop an unknown application, but I don't think this is the reason this time. As you probably know, Symantec 12.1 has a mechanism called SONAR. SONAR analyzes applications as they are running and takes action once enough evidence has been gathered to convict the application of being malware, based upon its behavior. I think SONAR was triggered by some strange network behavior. To test my theory, I turned off the SONAR function and did some packet sniffing on the network when Opera started.
Opera made a connection to the following IP addresses:

Cluster reporter:
-----------
TCP
Remote Address: 176.31.252.203
Local Port: 3739
Remote Port: 8000
Nameservers: ns.dxfuncluster.com

The Opera chat channel:
----------
TCP
Remote Address: 66.220.151.99
Local Port: 1060
Remote Port: 5222
Reverse DNS: jabber-03-01-tfbnw.net snc6.
http://www.plotip.com/ip/66.220.151.99

The first two addresses may be explained by the cluster and chat functions in Opera, but I can't find any connection in the software to the last address:
----------
TCP
Remote Address: 88.14.57.81
Local Port: 3740
Remote Port: 8001
Remote Host: antiarrl.dyndns.org
IP address country: Spain
IP address state: Murcia
IP address city: San Javier

And why Opera is trying to transfer the string "1 #### #### ####" to ANTIARRL.DYNDNS.ORG, located some place in Spain, is a mystery.

My conclusion is to leave this software alone.

73 de la5vna Steinar

-----Original Message-----
From: Mike Dennison [mailto:mike.dennison@ntlworld.com]
Sent: 22 January 2012 16:44
To: Steinar Aanesland
Subject: Re: LF: A bit off topic

Steinar,

I have only now read your message. Are you still having problems?

My version of Norton/Symantec deleted Opera when I ran it. It decided that, because it did not know about the software, it was therefore suspicious. It is possible to configure Norton to ignore some files or folders, and that was my fix. If you need details I will try to remember how I did it.

73 de Mike, G3XDV

-----------------------------
> I know this is a bit off topic, but is there anyone here using Symantec
> Endpoint Protection ver 12.1?
>
> I am trying to use a new ham software but my antivirus sees this
> software as a risk.
>
> la5vna Steinar
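One way to automate the comparison Steinar did by hand (an added example, not code from the thread or from the Opera/ROS software): parse the sniffer records and flag every outbound connection that none of the software's advertised functions accounts for. The one-record-per-line layout, the `Connection` type and the host:port allowlist are assumptions built from the values quoted in the messages above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    remote_addr: str
    local_port: int
    remote_port: int
    remote_host: str = ""  # remote host / reverse DNS name, empty if none seen


# Allowlist of egress that the software's advertised features explain, built
# from the two connections the thread could account for (assumption: host and
# remote port are enough to identify a legitimate destination).
EXPECTED_EGRESS = {
    ("ns.dxfuncluster.com", 8000),     # cluster reporter
    ("jabber-03-01-tfbnw.net", 5222),  # chat channel (XMPP client port)
}

# Constructed sample in a simplified layout (not the sniffer's real format):
# proto remote_addr local_port remote_port [remote_host]
SNIFFER_OUTPUT = """\
TCP 176.31.252.203 3739 8000 ns.dxfuncluster.com
TCP 66.220.151.99 1060 5222 jabber-03-01-tfbnw.net
TCP 88.14.57.81 3740 8001 antiarrl.dyndns.org
"""


def parse_connections(text):
    """Parse the simplified layout; lines that are not TCP records are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        ipaddress.ip_address(parts[1])  # raises ValueError on a malformed address
        host = parts[4] if len(parts) > 4 else ""
        conns.append(Connection(parts[1], int(parts[2]), int(parts[3]), host))
    return conns


def unexpected_egress(conns, allow=EXPECTED_EGRESS):
    """Return the connections that no advertised feature of the software explains."""
    return [c for c in conns if (c.remote_host, c.remote_port) not in allow]


if __name__ == "__main__":
    for c in unexpected_egress(parse_connections(SNIFFER_OUTPUT)):
        print(f"unexplained egress: {c.remote_addr}:{c.remote_port} ({c.remote_host or '?'})")
```

On the sample above only the port 8001 connection to antiarrl.dyndns.org is reported, which is the one the thread could not tie to any feature; a connection with no reverse name at all is also flagged, since an empty host never matches the allowlist.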