General Discussion

Unique Antivirus Alert

Blue1978 — Sun, 15 Nov 2009 23:05:42 GMT

Here is a unique AV alert I received recently. Seems the heuristic engine tripped on this file. This file is ligitament though, so this is a false-positive. :)

Event ID: BLINK-MAL-205
Severity: High
Description: Blink has found a malware application
Alert: Yes
Action: Log Only
Name: Fake Microsoft Application
Found Item: C:\Program Files (x86)\Microsoft Works\lnchtour.exe
MD5 Checksum: E8CE912100A93456CE4C87BAAFDAABC1
Category: Suspicious
Name: Fake Microsoft Application
Category: Suspicious
Malware Description: This application claims to be made by Microsoft, but it is packed/encrypted. Hackers pack/encrypt their viruses to avoid detection.
Detected by: Heuristics Engine

Question-new user

baldys15 — Mon, 09 Nov 2009 22:17:11 GMT

Hello I have a few questions on the Blink Personal 4.5 Beta or program can be used on a daily basis, whether it is better to install a stable version? Whether something is improved when it comes to detecting malware, the program has for example, heuristics and detection module rookits? How he deals with the detection malware? or created separate versions of Blink Edtion eg Antivirus, Internet Security, etc., or blink as a personal automatic update database? and if you can send viruses, eg the e-mail or create the appropriate department.

PS I can help translating the program into Polish, and if necessary I can translate the final version:)

Exporting STIG Definitions

barrya1 — Thu, 22 Oct 2009 15:53:17 GMT

Need to find out if it is possible to export the stig and iava definitions so that the this data can be converted into a searchable database in order to streamline determining exactly how many stigs & iava fixes are required per operating system, or stig type.Currently there are over 3,000 stigs showing up when a full scan is done. This is too much and need to devise a way to streamline this process and parse out exactly what is needed per operating system on servers and clients by using a searchable database. Having to physically go to each host machine and perform STIGS on each host is too time consuming. If we could somehow find a way to export the stig data into a searchable database format then this process could be effectively implemented. As it is now no one is able to get compliant with these STIGS due to time constraints.

TIA

Blink Pro and Rootkits

jaiamma — Thu, 29 Oct 2009 07:02:00 GMT

Is Blink Pro 4.4.2 designed to detect and remove rootkits? Or is it recommended I use another product to look for rootkits?

Thanks,

Tom

Microsoft Security Essentials (MSSE)

jaiamma — Sun, 25 Oct 2009 07:33:51 GMT

Hi,

Any conflicts between MSSE and Blink Pro 4.4.2? If I run MSSE on my XP SP3 PC, will there be any problems related to Blink Pro also running? MSSE not needed if I'm using Blink Pro?

Thanks,

Tom

Virus Bulletin Reviews of Blink Professional

Blue1978 — Thu, 08 May 2008 20:31:58 GMT

http://www.virusbtn.com/Session-f4fba84f36602d6a022d7269ee3597ef/virusbulletin/archive/2008/05/vb200805-eeye-blink

For those that do not have access to VB, here it is (minus the pretty pictures that is):

---------------------------------------------------------------------------------------------------------------------------------------------------------

EEYE DIGITAL SECURITY BLINK
PROFESSIONAL 4.0
John Hawes

Editor: Helen Martin

"Founded ten years ago and based in Orange County,
California, eEye Digital Security fi rst made its name as
a vulnerability research company, providing security
advisories on fl aws found by its teams investigating a wide
selection of software and offering businesses a range of
security auditing services. From this grew the company’s
current range of security offerings, which include several
packages focused on protecting network-facing servers
from the vulnerabilities presented by fl aws in software and
confi guration, managing policy enforcement and incident
reporting across corporate networks, as well as monitoring
network traffi c for potentially dangerous activity.
The company’s vulnerability alerting service continues to
offer privileged detail and early warnings on upcoming
dangers, as well as a forum for administrators to debate the
latest fl aws and the hottest techniques for locking down
systems and networks. The company boasts more than half
of the US Fortune 100 companies amongst its clients, and
its early research successes include spotting and alerting on
the IIS fl aw, which soon after allowed the Code Red worm
to spread across the world’s web servers.
The Blink desktop offering fi rst appeared about four years
ago, and has grown from a simple HIPS product into a
full endpoint suite, combining the standard ingredients of
anti-malware and fi rewall with proactive defence in the
form of intrusion prevention and vulnerability management.
The suite is available in a full-featured ‘personal edition’
for home users, and the professional edition, which offers
greater fl exibility of confi guration and can be combined
with a centralized management and reporting system.
Version 3.0 of the product, using anti-malware technology
provided by the Norman engine, received its fi rst VB100
award in June last year in some style. The latest version
(4.0) is due for release shortly, featuring the redesigned
interface introduced in version 3.5, additional Windows
Vista support and a number of improvements under the
hood."

WEB PRESENCE, INFORMATION AND
SUPPORT

"eEye’s main web presence is at www.eeye.com, a site
dominated by product marketing with in-depth coverage
of the fi rm’s various offerings. All products are available
as time-limited trial editions, with the personal edition of
Blink currently free for home-user purposes while offering the same level of protection as the professional suite, and all
are backed up by a wealth of information about them and
the security problems they address. The site also carries the
usual items of company and product news, as well as links
to a number of favourable reviews and test performances.
On the more technical side of things, a research sub-site is
the home of the company’s vulnerability information, most
of which seems to be available only to subscribers to the
company’s ‘Preview’ services. This offering is available
at several levels of detail, the higher of which include
personalized network security scanning, advice and insider
information on the latest undisclosed vulnerabilities, as well
as the standard alerting, in-depth analysis and newsletters
on signifi cant software security issues. The area also
includes a selection of security research tools available for
download.
Technical support for the products is similarly available
at a range of subscription levels, with the most basic
providing access to email-based support via an online
form. A knowledgebase of common issues is available to
all, however, and provides brief and often highly technical
details on a range of common issues, focusing on the
server range of products and the management suite. In
fact, all the searches I carried out specifying Blink as
a fi lter returned information on issues associated with
deploying Blink across the network (generally solvable
by setting Windows networking controls correctly).
Behind the customer login area resides access to further
documentation and guidance, including the user manuals
which are also accessible directly from within the product,
more on which later.
Having spent long enough looking at the information
available online, it was time to get my hands on the product
and see whether it would stand up to the impressive boasts
made about it in the wealth of marketing material."

INSTALLATION AND CONFIGURATION

"Initial installation of the product is a pretty standard
process. The installer for the latest beta build of version
4.0 of the product comes in at a very reasonable 45 MB
and runs through its business pretty rapidly, with the usual
installation location options and EULA to be got through,
as well as an unusually long activation key. On one
system, the installer complained about a freeware browser
sandboxing utility I had installed, insisting it be removed
before the installation could continue, but there were no
other hitches.
At the end of the process a dialog provides some
information on the product’s default settings and status
– this begins with the fi rewall in rather minimal protective
status, set to allow anything that is not specifi cally blocked
by a rule. This gives something of a clue as to how the
product operates – this is no simple set-and-forget tool
for the average unskilled user, and although the default
set of functions do provide a basic level of protection
against the majority of attacks, the beauty here is in the
depth of control available. A huge range of optional
extras are available to achieve maximum lockdown, while
the product’s initial state is to apply only those thought
suitable for all situations. Tuning the product to meet the
individual requirements of the user requires considerable
understanding of the problems being faced and the means
provided by the product to mitigate them.
The interface provided to access this vast confi guration
is simple and reasonably appealing, being modelled
along similar lines to built-in Windows tools such as
the ‘Security Center’ or other system confi guration
applications, with menus of options on the left and details
in the main panel. This gives it a straightforward and
no-nonsense feel, achieving a sense of simplicity and
authority without the unfriendly starkness which often
comes along with more business-oriented products. This
again refl ects the product’s ethos, not bending to the
whims of the inexperienced user with lots of twinkly
cartoon graphics.
Navigating the system is pretty untaxing. There are fi ve
main categories, of which at least three are pretty obvious
– the fi rewall, anti-malware and vulnerability scanning
components. The other two, labelled ‘Intrusion Prevention’
and ‘System Protection’, seem to overlap somewhat and it
is not immediately obvious what each covers, but looking
inside soon clears things up. The system protection
area covers guarding of registry and applications, while
everything else, including anti-phishing measures, is
included under intrusion prevention. With most of these
now fairly standard in security suites, I opted to start off
with the most novel, the vulnerability scanner."

SYSTEM HARDENING FUNCTIONS

"With the product installed, there are several steps
required before the host system is fully secured to Blink’s
satisfaction. The initial interface shows several items to be
lacking the comforting green tick that signifi es that they are
fully active. The most interesting and unusual of these is
the vulnerability scanner. This requires an initial run to fi nd
any problems with the current setup of the system, and the
setting up of a schedule to look out for any further fl aws.
Running the vulnerability scan is a pretty simple process.
The module has few options, simply the ability to schedule
scans or run them manually, and a report viewer to analyse
the results. The scan itself was pretty fast, taking no more
than a minute or two even on crowded and low-powered
systems. In test systems in the sealed VB lab, a large
number of problems were easily identifi ed thanks to the
lack of access to recent updates from Microsoft. To emulate
a real user more closely, I fi red up a well-used and by now
rather wheezy old laptop, which had languished powered
down under a bed for several months. With the product
installed and updated, the vulnerability scanner found an
even wider range of issues – the majority of which were
easily resolved by letting the Microsoft updater carry out
its slow and tedious business of downloading and installing
missing patches. However, for the remaining issues it
seemed that considerably more work would be required to
satisfy Blink’s stringent requirements.
Several of the remaining issues concerned various pieces
of software installed on the system, ranging from several
Adobe and Mozilla products to more surprising ones such
as WinRar. While some had their own updaters, several
required manual update or even reinstallation. Among the
most serious problems found was a ‘zero-day’ vulnerability in some Microsoft software which, as the report pointed out,
was as yet unpatched; instead a workaround was suggested,
with a link helpfully provided to advice from US-CERT on
applying it. One item remaining on the ‘high risk’ list was
a problem with anonymous registry access, a slack setting
which could be closed down with a few tweaks in the
registry.
Browsing further down the lengthy report, a slew of
entries detailed potential weaknesses in my system. These
included a lack of fully trackable logging, unsafe caching
of usernames, passwords and page fi le contents, as well as
various issues with unnecessary services, drive sharing and
allowing unaccredited users to perform various activities.
The autorun default, a spreading vector of a lot of recent
unpleasant worms, was also highlighted, and even the fact
that users could insert USB key drives and use them to
move data off the machine was mentioned as a potential
means for unwanted data extraction.
Each entry was accompanied by details of how to
correct or mitigate the problem, usually in the form
of instructions for doctoring registry keys, changing
settings using Control Panel tools, or links to more
involved instructions in appropriate places, predominantly
Microsoft Knowledge Base articles. Each entry was also
accompanied by links to alerts and advisories on the
subject, from the likes of Secunia and iDefense as well
as eEye’s own vulnerability pages, Microsoft bulletins
and articles and other alerts from the software developers
involved in any given fl aw, with CVE numbers included
where appropriate.
The depth of detail provided was remarkable, and the
range of areas covered, from potential remote exploits
and sources of data extraction to problems with fully
accountable logging and physical access points for abusive
users, was quite staggering. The sheer scale of the issue of locking down a system could easily be overwhelming,
particularly for the less technically minded user, but for
a network admin wanting to ensure all the systems in
his charge are as secure as possible, and with the power
to automate most of the tasks involved, this is surely an
invaluable tool.
Vulnerabilities in software are a huge vector for malware,
particularly in the ever-growing area of web threats
which are rapidly increasing in complexity, subtlety
and scale, with more and more legitimate sites playing
unwitting host to attacks. Most of these attacks make use
of long-patched fl aws, probing systems for holes to sneak
malware onto new victims, and the importance of keeping
a system fully patched is greater than ever. Since this task
is also more complex than ever, having details of all the
potential dangers in a single report, along with information
on remediation, and having it regenerated rapidly on a
regular basis to keep up with the latest developments, is an
enormous advantage.
The only feature I could think of that would be a useful
addition would be an option to disregard some of the
entries, as either unfi xable in a given situation or not
applicable under a corporate policy, but given the attention
to detail it seems more than likely that such functionality
is already available to admins using the separate
management tools. As it was, it was tempting to try to
eliminate each and every one of the issues fl agged up, if
only to see what would happen when a scan found nothing
to complain about – surely some kind of fanfare or shiny
virtual gold medal would be an appropriate reward for
such diligence.
Sadly time was too pressing to go to such great lengths,
and I left my test machines with a few minor issues
remaining unfi xed to look into the more common security
measures provided by the suite."

SYSTEM PROTECTION FUNCTIONS

"Of course, once the system is fully patched and confi gured
to the product’s liking, the vulnerability scanner
becomes a core part of the ongoing protection offered. A
scheduled scan will highlight new patches as and when
needed, including updating the status of those nasty
as-yet-unpatched fl aws. New confi guration tips are also
added as researchers spot new vectors and new potential
issues with the standard setup of a Windows system. Beyond
this rather special functionality, however, the product
also offers a full set of the more usual protection features
provided by most other security suites on the market.
At the core of the standard anti-malware protection
provided is the Norman engine with its strong ‘sandbox’
heuristics. Running it over the VB test sets showed a high
level of detection, which was improved still further after
upping the heuristic settings. The interface to the engine and
all the fi le-hooking and other integration is developed by
eEye, and operating the scanner and adjusting the on-access
settings proved a pleasingly simple business, with defaults
seeming well chosen and appropriate. Any on-demand
scans required were also available from the context menu.
On its own this seemed something of an improvement on
Norman’s own interface to the same detection technology,
which I have frequently found rather complex and fi ddly
when adapting it to the specifi c needs of VB100 testing.
Scanning speeds and on-access overheads closely mirrored
past test results for Norman and Blink, implying that little
extra burden was being placed on the systems by the
range of added extras. The Norman engine has a long and
illustrious past in VB100 comparative testing, and with
a few recent problems caused by a batch of polymorphic
items now behind it, it looks set to continue to do well. It
also regularly achieves decent scores in other independent tests, making the ‘Advanced’ grade in the most recent
AV-Comparatives test and scoring ‘Satisfactory’ or better in
all but the speed category in AV-Test’s latest set of results.
In our own speed measurements, both Norman and Blink
products appear in the middle of the fi eld, somewhat
behind some of the zippiest products but never imposing
the sort of overheads seen in the weightier ones. Using
the product on a range of systems I never observed any
intrusive slowdown, although when running the updater on
a particularly aged and underpowered machine whilst trying
to carry out several other tasks, things did become a little
slow to respond for a few minutes as drive lights fl ickered
and crackled with effort.
Moving on to the intrusion prevention fi lters, these
again seem to focus to a large extent on vulnerability
monitoring, watching numerous protocols for suspicious
data which could indicate an attempted attack. The large set
of categories comes fully stocked with long lists of known
bad behaviours, and a separate tab presents a lengthy list
of signatures for known exploits. The majority are active
by default, but some are provided for those who have more
specifi c needs, which include a website-blocking section
populated with common social networking sites.
The process of adding more rules and signatures is via
a simple and straightforward wizard, which in all these
modules advises the user to be sure they know what they
are doing before setting up a rule which could impinge
on important system operations. With the default settings
already pretty thorough, exploit signatures can be extended
by adding pattern strings of one’s own design, providing
the user with a level of control over what comes through to
the machine usually only available to network admins. The phishing controls, listed under ‘Identity Theft Rules’, cover
a range of common tricks found on phishing web pages,
including hidden or spoofed URLs and links, and again can
be extended to the user’s content.
The system protection setup operates in a similar manner,
this time with far fewer built-in rules but with the same
straightforward system to allow the user to generate their
own. Setting controls on specifi c applications, ensuring
doctored versions cannot be run, or even allowing them
only to be run by a specifi c parent process, is a pretty
straightforward task achieved in a few clicks, and a similar
system prevents (or allows) access to specifi c areas of
the registry.
The fi rewall also uses the same system, giving a pleasing
consistency across the product. The various options, with a
handful of default system-wide rules and more for specifi c
applications, are presented clearly and legibly with a
good level of plain-language description to assist the less
technical user. Its initial rather passive setup does require
a few extra steps to ensure a decent level of protection, but
this can be done with a couple of clicks of check-boxes, and
it seemed to operate well once fully up and running.
Most of these rules function in a quiet and unfl ashy way, not
bombarding the user with a deluge of hyperbolic warnings
about blocked activities and simply logging unwanted
events, if desired. Even the on-access malware scanner
produced small, simple popups with the minimum of fuss.
The settings can be programmed to provide a training
popup, fi lled with detail and options, when an unknown
application attempts a restricted activity. In my tests,
these managed to block the handful of malicious items
that managed to get past the signatures and heuristics of
the anti-malware engine, as they attempted to leak data
from the system, contact base to download further nasties, doctor important registry entries or perform other malicious
activities. The popups default to a deny action if left for
45 seconds.
My only quibble with the whole setup is that the
descriptions of the rules are often considerably longer
than the display space available. Double-clicking the title
bar boundaries shrinks the area even further rather than
expanding it to the required width, which means that it takes
some fi ddly stretching of boxes and dragging of sliders to
read the full detail of any given rule or setting. That this
detail is available at all is impressive, however"

HELP AND GUIDANCE

The provision of clear and useful information, a pattern
repeated across the product, caters more than adequately
for the complexity of confi guration available. While this
is not a simple set-and-forget system, and may appear
daunting to many inexperienced users at the desktop level,
the product provides plenty of information for those willing
to put a little effort into deciding for themselves how to set
things up.
Beyond the basic information provided alongside each
individual rule, vulnerability alert or malware warning, a
superbly detailed manual is provided, alongside an equally
well thought out help system. Unlike many help pages,
which often do little more than list the available buttons and
what they do, this is properly task-oriented, detailing the
steps required to achieve a given objective. The manual PDF
runs to some 99 pages, providing even more step-by-step
information on how the various features should be operated,
including detailed instructions for defi ning new rules. All
are written in lucid language with a minimum of jargon, and
are clearly aimed at putting the exceptional power of the
product within the reach of the humbler user."

CONCLUSIONS

"With such an in-depth product to look at in a very
short time, it has not been possible to do more than
skim the surface of Blink’s capabilities. I have focused
predominantly on the vulnerability scanner as it is a rare
if not unique component in a security suite, but the rest
of the functions (apart from the straightforward antimalware
scanner) are also unusual in the sheer depth of
confi guration available. In the right hands, this product
can do far more than provide solid security from malicious
code and attacks; it can implement a complete usage
policy, managing many aspects of how a system and its
user operate, including controlling access to unwanted
software and web resources, maintaining hygiene
standards and accountability through logging.
Of course, those hands need to know what they are doing,
but as I have come to see through longer exposure to the
product and its support systems, they do not necessarily
need to be those of an expert. Enough background
information and links to further resources are provided at
almost every level of the product to allow an informed and
committed novice not only to implement a solid security
regime on their system, but also to learn a considerable
amount about it along the way. The home-user version,
offering the same full range of tools and options, can be put
to use fairly simply using more or less the default settings
to provide a very decent level of security, but with a little
effort, and some trust in the assistance provided, can allow
anyone to take control of their computer and take a little
responsibility for their own online safety.
Of course, I can understand how this could be rather too
much to bear for many home users, and they may be better
off investing in something more cuddly, but for those
willing to put in the effort the rewards should be well
worth it. In a more professional setting, for those requiring
absolute control to enforce a detailed and demanding
security policy, Blink can provide a superb breadth of power
to do just that, in a single well-designed and solid package."

Technical details

Technical details
eEye Digital Security Blink Professional 4.0 was variously tested
on:

AMD K7, 500 MHz, 512 MB RAM, running Microsoft Windows
XP Professional SP2 and Windows 2000 Professional SP4.

Intel Pentium 4 1.6 GHz, 512 MB RAM, running Microsoft
Windows XP Professional SP2 and Windows 2000 Professional
SP4.

AMD Athlon64 3800+ dual core, 1 GB RAM, running Microsoft
Windows XP Professional SP2 and Windows Vista SP1 (32-bit).

AMD Duron 1 GHz laptop, 256 MB RAM, running Microsoft
Windows XP Professional SP2.
XP Professional SP2 and Windows 2000 Professional SP4.

------------------------------------------------------------------------------

Works Cited:

Hawes, John. "eEye Digital Security Blink Professional 4.0."

2008. 01 May 2008. <http://www.virusbtn.com/Session-f4fba84f36602d6a022d7269ee3597ef /virusbulletin/archive/2008/05/vb200805-eeye-blink.>

------------------------------------------------------------------------------

West Coast Labs

cdhartman — Tue, 13 Oct 2009 04:41:47 GMT

I'd like to see a report on Blink. ~ Thanks

Microsoft Security Essentials and Blink

Blue1978 — Wed, 30 Sep 2009 17:42:50 GMT

Today I tried Microsoft's Security Essentials alongside Blink. So far I have not encountered any problems at all. Both security applications seem completely happy with eachother. I did however, disable Windows Defender, this is no longer needed if you were to use Microsoft's Security Essentials.

http://www.microsoft.com/Security_essentials/

http://www.microsoft.com/security/portal/

My first impression of Security Essentials is it is very clean, light, simple, and straight to the point. There are not a lot of confusing menus to go through and is easy to understand. I give Microsoft a thumbs up for this product!

So for those that are concerned with the detection rates of the Norman AV in Blink, this is a great addon. I checked on the website av-comparitives: http://www.av-comparatives.org/ and Microsofts "Live One Care" which to my knowledge the Security Essentials is based off of, received a 90% detection rate in August 2009's test results. Norman's AV received a 84% detection rate.

On another note, Computerworld had the following article on Security Essentials:

http://www.computerworld.com/s/article/9138730/Independent_tester_Security_Essentials_very_good_

Either way, this is a step up for those that worry about these things, but still want to be able to use Blink.

I have attached some screenshots of Microsoft's Security Essentials for anyone interested in seeing what it looks like.

(Click on the Pictures to make them larger)

Microsoft Security Essentials's Home Tab

Got a single license and would like to upgrade to a 3 pc license without having to buy the whole package again

fdkaplan — Sat, 19 Sep 2009 12:14:00 GMT

Is this possible?Thanks, fdkaplan@hotmail.com

Blink on MacBook

pgohara — Wed, 16 Sep 2009 12:26:16 GMT

I have a MacBook with Windows Vista on a Bootcamp partition. I have a Parallels virtual machine set up but rarely use it. The last time I tried to run a virus scan in Vista booted from the Bootcamp partition it ran for 18 hours before I shut it down. It was scanning the Mac OS drive partition at the time. I have had some other problems with the latest version of Mac OS (Snow Leopard) and Windows and Blink.

Anyone have any experience with this type of setup? The virus scan is the most troublesome issue.

Thanks.

Conficker - are we already protected?

Brent — Wed, 01 Apr 2009 01:21:37 GMT

Not sure why i cannot find a post about this supposed issue we might have tomorrow... but....

If we are running blink are we already scanned and covered - or would we need to search through the pile of info on a Vulnerability scan and fix it all to be protected?

Examples of Blink Reacting to Protect You

Blue1978 — Wed, 18 Mar 2009 02:20:24 GMT

I just thought I would post some alerts that I got while hunting for Malware with Blink installed in a Windows XP Home Edition SP2 (without any patches installed using only IE7) in VMware running with full Administrative privilages. Both the Firewall and AV components in Blink were disabled for these tests.

Hostile Site: biglendlive(dot)nfo/hitstat/index(dot)php

1. Upon visiting this site, Blink's Application Protection displayed the following alert:

Event ID: BLINK-APP-100
Severity: High
Description: Blink detected a suspicious system call.
Reason: KERNEL32.DLL!LoadLibraryA
Action: Restart process
Program: C:\Program Files\Internet Explorer\iexplore.exe
Alert: Yes

Note: Blink detected an abnormal behavior in one of the monitored applications. It is very likely that you are witnessing an attempt to exploit a known or unknown buffer overflow vulnerability in this application. The best course of action is to update this application to the latest version available from its vendor. Also, please report this issue to eEye to be investigated further. If you are sure that this is not an attack, you can disable the Application Protection layer for this application by editing the apiex.ini file in the Config folder under the Blink installation directory.
To add an exclusion for this application, open the file in notepad or your favorite text editor and add a line in this format: PROCESS_NAME;;Kevlar;0
Replace the PROCESS_NAME entry above with the .exe name reported above in this event. For example, to exclude notepad.exe create an entry like this: notepad.exe;;Kevlar;0

Hostile Site: 89.248.172.156/660/index(dot)php

1. Upon visiting this site, Blink's Application Protection displayed the following alert:

Event ID: BLINK-APP-100
Severity: High
Description: Blink detected a suspicious system call.
Reason: KERNEL32.DLL!LoadLibraryA
Action: Terminate Process
Program: C:\Program Files\Internet Explorer\iexplore.exe
Alert: Yes

Hostile Site: hunters-of-darkness(dot)de/cgi-stat/index(dot)php

1. Upon visiting this site, Blink's Intrusion Prevention System displayed the following alert:

Event ID: BLINK-IPS-110257
Severity: Low
Description: This website shows indications of 'Heap spraying' - a Technique that could allow remote arbitrary code to execute if exploitation is successful
Attacker: http://hunters-of-darkness.de/cgi-stat/index.php
Request: <Script Language="JavaScript"> rJFMOZwTmu1 = ("x4343x4343x0febx335bx66c9x80b9x8001xef33xe243xebfaxe
Log File: C:\Program Files\eEye Digital Security\Blink\Captures\Mar_17_2009\capture_Mar_17_2009_21_04_11_093_01.cap
Process Path: C:\Program Files\Internet Explorer\iexplore.exe
Action: Terminated
Alert: Yes
Protocol: TCP

Trouble viewing online recorded demos

wrkidd — Wed, 19 Aug 2009 16:19:52 GMT

New to the forum so if this is not the right location please let me know where i should seek help. I am trying to view one of the recorded online demos for Retina Network Security Scanner but Windows Media Play gives me an error saying it doesn't support the necessary protocol. Changing the transport protocol to rstp does not work as suggested by Media Player.

Thanks in advance.

Freeze on Vista

TrevorP — Thu, 23 Jul 2009 14:17:30 GMT

I have just purchased a new copy of blink personal for a new Acer laptop (TravelMate 7730G-9A4G64Mn), which shipped with Vista SP2 Business (32-bit). I purchased, paidfor, downloaded and installed blink, but as soon as the blink engine finishes initialising, the computer hangs. The mouse still moves (and HDD light continues to tick away normally), but all programs (including explorer.exe) become unresponsive. Booting in safe mode works fine, and a system restore to the point before installing blink results in a working machine again.

After installing blink, and hard rebooting the PC, it boots fine, and shows the password screen normally, but as soon as you log in, the machine again locks up.

After disabling both services, and the blink exe (Local_User run items in registry), the machine boots fine. I can manually start both services, but as soon as I fire up the exe, the machine freezes again.

Disabling the EXE, but leaving the services starting automatically also results in a frozen machine after logging in.

Finally, when the machine is "frozen" pressing ctrl+alt+delete, and waiting about 2 minutes, results in a black screen and the following message:

[title] Logon process has failed to create the security options dialog.
[red X] Failure - Security Options

Has anyone seen this problem before? Any ideas on resolving it?

Thanks in advace,
Trevor.

Uninstall issue

MarkH — Tue, 28 Jul 2009 18:19:52 GMT

Hello.....

I have Blink personal free version="3.0.9.1503" installed on my system. I haven't used it in quite some time and have been trying to uninstall it. When I attempt to do so, I get the following message: " Internalerror 2753 blinksrv.exe ".

Any help with this issue would be greatly appreciated.

Thx,

MarkH

Error 1921 cannot uninstall

jfrett — Mon, 03 Aug 2009 16:31:41 GMT

I have blink pro installed on one of my machines running server 2003, and when I try to uninstall I get this error.

Error 1921 'blinksvc' could not be stopped, verify you have sufficient privileges.

I am logged on as a domain admin. In Services it shows the Blink service engine as 'stopping'.

What do I need to do to uninstall? Thanks in advance.

emmon.exe

vkundakci — Fri, 31 Jul 2009 14:37:38 GMT

I have suddenly gotten 4 cases of Trojan (malware found) for emmon.exe in 4 different directories of Pinnacle's PCTV. I have had this software installed on my system for months, so I suspect the latest AV updates are causing this. Are these false positives? Thanks. /V


Malware Name	W32/Harnig.LKO
Triggered by	C:\WINDOWS\system32\DRVSTORE\PCTVEMPV_2F7BD2C4E47BED8624A9FFC3F25FE600C17EEB60\emMON.exe

Malware Name	W32/Harnig.LKO
Triggered by	C:\Program Files\Pinnacle\TVCenter Pro\Drivers\PCTVEMP\emmon.exe

Malware Name	W32/Harnig.LKO
Triggered by	C:\Documents and Settings\Vace\Pinnacle\TVCenterProSetup\Driver\PCTV 70e 80e 100e 320e 330e 800e\32 bit\emmon.exe

Malware Name	W32/Harnig.LKO
Triggered by	C:\Documents and Settings\Vace\Pinnacle\TVCenterProSetup\Driver\PCTV 70e 80e 100e 320e 330e 800e\64 bit\emmon.exe

AV updates

rorodrig90 — Wed, 29 Jul 2009 00:41:55 GMT

Hello,

Is there a link online I can see which shows the current blink antivirus engine? After I run an update it says "Blink AntiVirus Engine 1.0.743". Is there a place online / on your website where I can confirm that this is what is current available?

Databasing results

Jonathan Dasco — Tue, 21 Jul 2009 10:38:51 GMT

Im interested in placing the eEye Retina into a DB, for office managment, but didnt see any perscibed way of accomplishing this in the instruction manual. Does anyone have experience making this conversion?

Firewall Rules for Travel, Public Hotspots?

Dave L — Mon, 06 Jul 2009 01:28:17 GMT

I’ve done some reading through the forums and am getting lost in the details of firewall system-wide rules for Blink Personal, and how to customize them for travel purposes.

As I understand it, the current default rules from eEye are supposed to allow normal LAN traffic, e.g., file and printer sharing.

What I am worried about is making sure I am using a secure set of rules when I am on a public wireless hot spot or a hotel Ethernet. In those cases, I think I would want to disallow the normal LAN IP address ranges, and perhaps a host of other traffic.

This issue has been discussed in some detail elsewhere in the forums. But it all seems soooo complicated to create my own set of special rules.

I know I could buy a portable travel router with a built-in firewall, but I would like to avoid paying $50-100 for protection that I presume is already available through Blink.

What would be ideal would be for the Blink interface to allow quick selection of a family of rules depending on whether one is connected to a “trusted” local network, or a public network.

Lacking that, I would be really happy with two sets of “default” standard system-wide rules that I could switch between by importing depending on my circumstances.

So, assuming the current default rules are suitable for home or office LAN use, could eEye, or some very generous forum member, post a set of "default" travel rules for dummies? Seems like “Tips and Tricks” in some sort of sticky post might be an excellent place to eventually put this.

By the way, I made a curious observation in setting the default rules for two of my computers, both running Blink Personal 4.3.2, Rule Version 1527. One default set has 18 rules, the other has 16 rules. Fifteen rules are the same, three are not. And the rest are not in the same order. Seems like a bug.

System Wide Rules

Dakota — Fri, 28 Mar 2008 15:44:11 GMT

I am not a security expert but I do want my system as secure as possible. I noticed that the System Wide Rules under Firewall Rules has several items entered but no check marks beside them. Am I suppose to check these items? I am not technially inclined on computer security so I have no idea which rules I should check. If these rules are important why aren't they already activated, if they are not important why are they there? Also, is there a section somewhere on the forum where the experts have posted new rules that should be added? I, so far, have found only one and I have included it in my rules. I love the option of adding new rules, I just wish I could find some recommendations. Thank you.

sending samples

amvinfe — Sun, 28 Jun 2009 00:06:10 GMT

Hello to the whole community,
where we can send infected samples that Blink does not recognize?
Thank you

Marco

amvinfe at suspectfile dot com

Blink Personal: Symantec identifies as Infostealer Gampass

hangfire — Sat, 27 Jun 2009 11:08:32 GMT

Tried running setup, Symantec detects it as Infostealer Gampass; when executed and does asks for re-boot.

Any clue?

TIA

-HF

How to Run Blink as Administrator at User Login

JayEff — Fri, 12 Jun 2009 23:12:26 GMT

Is there a preferred way to run Blink as Administrator at user login, or is it recommended that one does not attempt this?

Massive AV Updates

martin — Fri, 12 Jun 2009 13:27:43 GMT

Would you please explain why AV updates periodically are so much larger than at other times? Most recent large one is 44+ MB and obviously they continue to grow in size. I ask because usually your servers time out or provide "unexpected response". This can happen for days before a full update is achieved. Thank you.