Blink 3.5 Feedback

Outlook downloads fail; blinksvc at 99%

Howard — Thu, 18 Oct 2007 13:30:43 GMT

Outlook POP downloads appear to timeout and blinksvc cpu is at 99%. Can't shutdown Blink. After reboot all looks ok. Start Outlook and it hangs again on download with same symptoms. Reboot and all is ok. Shutdown Blink and started Outlook which downloaded 5 emails with no hangs. One of the emails had a 5MB wmv video attachment and appears to be the cause. Started Blink and scanned wmv for viruses; none found.

I never encounterd this symptom with Blink 3.2.

Right Click on Demand AV Scanning (Not working for CDROM/DVDROM discs)

Blue1978 — Tue, 11 Dec 2007 05:01:38 GMT

The option of being able to right click on an object and scan it for viruses seems to be working fine except for one thing. In the past (with other AV products) I have been able to right click on my CDROM or DVD ROM Drive and scan the disk. For example I like to scan any CDROM or DVDROM disc(s) that I put in my drives (especially if I am installing a new game).

I tried to do this with Blink, it opens up the Blink Anti-virus scanner window and it does not do anything other than say Scan Finish. It does not say it actually scanned any files or anything. The number of files scanned stays at zero.

Granted Blink will be checking the files and such when I try to install something, however, in my opinion having this feature is suppose to allow you to scan something before you attempt to access or write it to disk in the first place.

Just something that I wanted to point out that may need to be fixed.

Issue with Photoshop?

Brent — Thu, 01 Nov 2007 20:18:39 GMT

Anyone recieving a suspicious system call error:

Application protection : Application alert

11/1/2007 1:13:59 PM

Event ID:	BLINK-APP-100
Severity:	High
Description:	Blink detected a suspicious system call.
Reason:	KERNEL32.DLL!GetProcAddress
Action:	Terminate Process
Program:	C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
Alert:	Yes
Note:	Blink detected an abnormal behavior in one of the monitored applications. It is very likely that you are witnessing an attempt to exploit a known or unknown buffer overflow vulnerability in this application. The best course of action is to update this application to the latest version available from its vendor. Also, please report this issue to eEye to be investigated further. If you are sure that this is not an attack, you can disable the Application Protection layer for this application by editing the apiex.ini file in the Config folder under the Blink installation directory. To add an exclusion for this application, open the file in notepad or your favorite text editor and add a line in this format: PROCESS_NAME;;Kevlar;0 Replace the PROCESS_NAME entry above with the .exe name reported above in this event. For example, to exclude notepad.exe create an entry like this: notepad.exe;;Kevlar;0

3.5.4 Not detected by Windows Security Centre and an update problem

PaulField — Sun, 06 Jan 2008 10:59:36 GMT

Hi All

I've been successfully using Blink for sometime, but have just had to reinstall following a hard drive failure. Once it had completed updating to 3.5.4 I have two problems

1) Windows Security Centre is not detecting Blink as present on the system- Its still running the Windows Firewall (which I can turn off manually) and declaring that no AV is present. I know blink firewall is running as I'm getting messages and alerts, while the AV declares itself as running in the logs

2) Following autoupdate the installation declares itself as 3.5.4, but checking with a manual update still decides it needs blink 3.5.4 and install the following
             eEye Auto-Update 2.4.17
             Application Bus 2.3.4
             Blink AntiVirus Engine 1.0.289
             Blink 3.5.4

which it does but decides it still needs them after both Blink and system restarts

I've reinstalled even with resetting the config but the behaviour is consistent

I'm happy I'm protected but would prefer it if the install was properly detected by Windows

Any ideas welcomed

System is XP home SP2, Blink Personal

Blink 3.5.4 - Where is that malware coming from?

thompson.rob — Sun, 06 Jan 2008 20:04:09 GMT

I keep getting a warning that I have VNC found on my computer. While I do actually use VNC, it is not quarantining MY copy of it, but I keep getting a quaranting of VNC. Many different instances, at least 20 of them. Ranging in size from 535 to 890 bytes...

I would like to be able to tell where they are being pulled off of my computer from. I am only given a choice to delete or restore them. I can not see where it came from, so I can figure out how it got there.

Any advice or if this requires a feature enhancement, it would be greatly appreciated. If I actually have a problem here, which I am beginning to wonder, I would like to be able to proactively handle it, versus reactively catching it in scans.

Malware discovered. Reporting & Information

JayEff — Tue, 16 Oct 2007 14:26:45 GMT

I keep getting blink complaining about malware (so far hasn't found the real malware only many false positives) and I think this is a false positive.

The file is wb.ini This is a simple text file placed by stardock products. in the windows directory. It's being reported as SAFENET which only BLINK and SUNBELT report as questionable.

So, I need more details. I have unquarantined this file and examined it. But...

What is safenet? Why are you and SUNBELT the only two complaining about it. SUNBELT has as history of paranoia products is BLINK another paranoid product.

Secondly I've noticed 2700 connections with very little data in each to connect to 66.161.39.205 on port 21690. Is there any way to:

A) See this information short of capturing our own sniff of the nic? I use Wireshark to capture these sessions since BLINKS captures are unreadable (and pointless feature at least for those of us who aren't buying retina @ $1400+ a box), but Why can't BLINK show us this? Also can you reduce the traffic for this um, feature? Personally I'm just dropping this traffic. Looks like spyware itself.

B) Provide better resources to determine the accuracy of malware. Norman is both paranoid against some products and ignores valid malware in other cases. I'll let you visit the norman forums for further details on this claim.

C) Get decent error messages, or at the very least a error reference document.

D) Get a clue as to what type of protection I get from BLINK. I mean is this a professional tool or is this a consumer tool? If the former, you need to start providing MUCH MORE DETAIL. If the latter then let's make this simpiler and easier to configure. Like a ONE RULE system to allow simple filesharing.

Scanning incomming email

rocketman — Tue, 27 Nov 2007 18:53:57 GMT

I wrote this question here http://forums.eeye.com/forums/t/402.aspx and have not received a satisfactory answer as yet therefore please could somebody shed some light on it please. I am using the 3.5.3. version and on the whole find it very good apart for this problem

Unstable 3.5.1

JayEff — Fri, 16 Nov 2007 01:15:50 GMT

I have been receiving Application Errors on ONE box. The other is fine. The error is thus:

BLINK.EXE Application Error

The exception Floating-point stack check.

(0x0000092) occured in the application at location 0x033e3d81

Since upgrading from the beta on the weekend, this is the first crash. It could be due to scanning, but I have had several successful scans without crashes.

This error generated two (of the same) messages.

After restarting, I noticed the following log message:

Event ID:	BLINK-ENG-601
Severity:	High
Description:	The Scheduler module enountered an error.
Alert:	No
Error Message:	Scheduled task 'MalwareScan' did not finish within 28800 seconds

Resolving a Networking issue?

Brent — Sat, 27 Oct 2007 19:22:53 GMT

Ok this is driving me nuts.... pretty much since starting to use BLINK I have had a local networking problem.

It is such a simple network but it seems no matter what I do or disable or try - I cannot get it to work..

The Network is: LAPTOP - NAS - ROUTER - DESKTOP

Both laptop and desktop are running the latest version of BLINK - both have windows firewall disabled...

Both the laptop and desktop can see the NAS but cannot see eachother.

Here is the slightly tricky part.

I use the laptop at my work and on that network also - Thou both my home and work networks have the same workgroup name..

I have to be missing something...

Any ideas ....

Blink v3.5.4 now available to 3.2.2 users via auto-update!

Spunner — Sat, 01 Dec 2007 19:10:21 GMT

My test system finally updated itself to 3.5.x!

As I said before, I kept this system with 3.2.2 to see if it would update itself without having to uninstall/reinstall.

Now I don't have to call all the people I told about Blink and tell them how to update it manually.

Thank you, eEye! :)

Install Error 1326

millertime — Wed, 24 Oct 2007 16:29:53 GMT

I got this message when trying to install the 3.5 beta. The complete error message is as follows.

Error 1326. Error Getting File Security: C:\windows\system32\msxml.dll GetLastError:5

It looks like this file is locked up by some other program and so maybe it cant update? I do not know what program so I cant end it. Everything that was obviously running has been shut down, but hidden apps? When it hits the error, the install rolls back and I am back to where I started. Any help would be appreciated.

3.5.1 - Installed...

Brent — Fri, 02 Nov 2007 04:33:03 GMT

Installed and working well so far....

New Updates Today?

Brent — Wed, 14 Nov 2007 03:27:48 GMT

So with the new updates today - what changes might we have been given?

Blink Personal Version 3.5.1, Rule version 1426
AntiVirus Version 1.0.260
Vulnerability Scanner version 5.8.10, Audits version 1775

I know there was an update for the Antivirus Engine - but it seems that the BLINK engine was also updated.

W32/PurityScan.BIZ ?False Positive?

digger16309 — Thu, 15 Nov 2007 23:23:29 GMT

I did a Google search on this and came up empty. A filed called GmailFS.dll was flagged for this adware/malware.

It should not have been. The GmailFS.dll file is necessary to run the Gmail Drive program which allows one to use their Gmail account as online storage in Explorer.

I switched it over to trusted, but now the entirety of W32/PurityScan.BIZ is trusted when all I want to do is trust the dll file Blink flagged.

eventID blink-eng-601

billyboy71459 — Mon, 12 Nov 2007 19:06:02 GMT

This happen on 9,10,11 Nov 07 at 3:01 a.m. Event ID:	BLINK-ENG-601
Severity:	High
Description:	The Scheduler module enountered an error.
Alert:	No
Error Message:	SyncIt failed.

When I try to update the summary says the eEye update server is down at this time for scheduled maintenance. Can the server be down 3 days in a row. Need help.

Thanks

I would like to see...

bierdopje — Tue, 13 Nov 2007 14:13:09 GMT

1) keyboard copy & paste from the Vulnerabiliby Assessment Report
2) mouse gestures to go back and forward

~~I was also wondering if there is a list to compare the 'personal' version with the 'professional' version of Blink?~~
Found it here: "http://forums.eeye.com/forums/t/25.aspx".

Thanks,
bierdopje

Latest Beta Release Problem

hgfire — Tue, 06 Nov 2007 17:52:53 GMT

Latest beta release has created the following error: Blink service failed to start. Please perform a Blink Repair from the add/remove programs applet.

After performing suggested repair, same issue exists. Before auto update, all was running smoothly. Earlier versions work but of course are useless

because they are out of date.

Thanks for listening Eeye team

KEYLOG.CJN

Striiker — Tue, 06 Nov 2007 01:00:50 GMT

Since upgrading to the latest build of Blink, I had several files found with KEYLOG.CJI, .CJN and .CJS

These files had been around for a while and never triggered a hit as a Trojan. They were all deleted. The same Trojan is now popping up in my System Volume Information folder. I completed a scan the other day and all appeared to be fine. The same trojan popped up again in the system volume folder again. Is this an actual infection or are these false hits? If this is an actual infection, anyone have thoughts on how they keep showing up even after the system was cleaned? (Full scan with no problems).

System firewall denied traffic in event log

Jarvis — Sun, 21 Oct 2007 15:01:15 GMT

Example:

 Event ID:  BLINK-SFW-13  
 Severity:  Low  
 Description:  The firewall applied the default action  
 Remote Port: 80 
 Request: Denied 
 Remote IP: 69.50.231.160 
 Local Port: 1216 
 Local IP: 192.168.8.10 
 Alert: No 
 Protocol: TCP

Passive mode is OFF and stateful is now always on in Blink 3.5. So any attempted outbound communication should be attributable to a process, or the System Process. But this traffic gets past the Application firewall and gets stopped by the System firewall.
This has been an issue since I have been using Blink, but so far no explanation has been found.

Log Maintenance time cannot be changed

Jarvis — Wed, 31 Oct 2007 22:50:39 GMT

Options --> Events --> Perform Log Maintenance at. Change it to any time, Press OK. Go back in and it has returned to 12:30am.

Blink Personal 3.5.3 has been released

lnicula — Thu, 01 Nov 2007 21:32:00 GMT

Release Notes and download link can be found here:

http://forums.eeye.com/forums/t/383.aspx

False positive on some newsgroup messages

Philip Gardner — Wed, 31 Oct 2007 08:38:50 GMT

In a newsgroup that I belong to, postings from one particular person trigger Blink 3.5 beta.

Whenever I click on one of these posts to preview or open it, Blink jumps in and I get a popup saying "Terminated - Request/response contains formatting string (NNTP). Attacker IP 194.177.96.26" The message is not displayed.

(The attacker IP resolves to nntp.aioe.org, which is my news server.)

I think this may be because the message-IDs of posts from this person contain a percent sign (%). I understand that percent-encoding is a common phisher trick, as it can help disguise RLs and malicious scipts. But there's no reason for a percent sign not to appear in a Message-ID.

"Central Policy" rules in Application firewall section

Jarvis — Sun, 21 Oct 2007 16:00:45 GMT

In Blink 3.2.2 there were some rules provided to home users that were shown as "Central Policy" in the source column. They would show up even if the application in question was not installed.

In Blink 3.5 these rules don't show up immediately, but it when the associated application is run for the first time they appear. This is an improvement from a usability point of view. However, the rules appear as "User" rules which is confusing! I was thinking "I'm sure I did NOT create that rule, but there it is and the source is User".

Minor problem with Vulnerability Assessment

Philip Gardner — Fri, 26 Oct 2007 08:11:04 GMT

Blink Beta 3.5 finds a high-risk vulnerability on my system: "DNS Cache Pollution Vulnerability Registry Fix Required". However, when I follow up the link to Microsoft's support page (Q241352), I find that this vulnerability applies to NT4, Windows 2000 and Windows 2003. I am running XP Home SP2, so the vulnerability does not apply. I assume that Blink has a database of vulnerabilities - if so, it should check the OS version.

PhilG

Anti-malware - process of dealing with infections

Jarvis — Mon, 22 Oct 2007 21:12:42 GMT

Hi

Is there a plan to improve the way that the user can deal with detected infections?

An infection is found but the "Log Only" option is set: you can't deal with the infection because it doesn't appear in the quarantine.
I have UltraVNC Viewer installed, and Blink is detecting that files with a .vnc extension are associated with it, i.e. it is detecting HKEY_CLASSES_ROOT\.vnc
Although the scanner is set to Quarantine and Log if quarantine fails, it does not quarantine this, so I can't "Trust" it.