BD Firewall Generating IGMP/Multicast Requests
For the last several months my Checkpoint Safe @ Office 500W (S@O 500W) has been logging a Stateless ICMP error at five-minute intervals. It has been bugging me as it clutters up my error log and accounts for >50% of the log entries.
Details of the error line item from the S@O 500W are:
- Source is always x.x.x.50 which is my S@O 500w box
- Destination is always x.x.x.120 which is an XP-64 system with BitDefender Total Security 2009
- Service is ICMP 0 (Echo Reply)
- Reason Stateless ICMP
- Rule -1
- Net None
There are numerous other computers on the network running XP and Vista (not 64-bit for either) with TrendMicro Internet Security that do not generate this traffic. I went with BD as I need the 64-bit support.
After using the Wireshark sniffer on my XP64 system I finally figured out that the source of the IGMP requests was my BD firewall, as the data in the ICMP protocol sent had "BitDefender Fi rewall Broadcast .." embedded in it. Since I had previously shut down the BD firewall from within the program and the error did not go away, I decided to uncheck the "BitDefender Firewall NDIS Filter Driver" on the adapter property page.
After re-establishing the connection, Wireshark stopped reporting any requests to 224.0.0.1 and the S@O security logs showed none of the previous errors.
To test if I could turn the error back on, I re-checked the "BitDefender Firewall NDIS Filter"; it came up with a warning that this was a non-Microsoft-certified program. I then rebooted the computer and had no IGMP attempts. However, I soon figured out that I had hosed something as I could no longer do any virus scans and the File Zone and Net Zone graphs showed no activity. To fix this required the download of the removal tool and the latest 64-bit install package. Of course, after I got everything corrected the multicast pings resumed.
So after thinking that it was XP64 or my Realtek adapter it turned out to be BitDefender. I have tried blocking in the BD FW Advanced Rules any outbound activity to 224.0.0.1 with no success. I have also attempted to create a FW rule on the S@O 500W and not log the error but the box contains a level of security called "Smart Defense" which takes priority over the FW rules and is the source of the reported issue.
Long post, but I have been debugging this for a while. More details are available on the Sofaware Discussion Group http://sofaware.infopop.cc/eve/forums/a/tp...361/m/930102541.
Bottom line, why is the BD Firewall issuing multicast requests to 224.0.0.1 and is there any way to stop it? My guess is that there is something wrong with the multicast request that is causing the S@O 500W SmartDefense module to react the way it is. If a BD expert wants my Wireshark log file that details what is going out, let me know as I cannot upload that file type here.
I know it is not a security issue but it is a pain.
Thanks,
Pete
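As an added example that is not part of the original post or of any BitDefender or Check Point tooling, the script below models the stateful ICMP check a gateway firewall like the S@O 500W applies, run over constructed packets shaped like the traffic described above: an echo request from the XP64 host to 224.0.0.1 carrying the "BitDefender Firewall Broadcast" marker, the gateway's echo reply sent from its own unicast address, and an ordinary unicast ping pair for contrast. The addresses 192.168.5.120 (XP64 host) and 192.168.5.50 (gateway) are taken from later in the thread; the marker string, the ICMP identifier and sequence numbers, and all packet bytes are assumptions constructed for the example, and the model of why the reply is logged as stateless is a plausible reading of the log, not something the thread confirms.

```python
"""Added example (not the poster's own tooling): model a stateful ICMP check over
constructed IPv4/ICMP packets shaped like the traffic described in the thread.
Assumed values: 192.168.5.120 (XP64 host with BitDefender) and 192.168.5.50
(Safe@Office gateway) from later in the thread; the payload marker string, the
ICMP identifier/sequence numbers and all packet bytes are constructed here."""
import socket
import struct
from dataclasses import dataclass

XP64 = "192.168.5.120"        # host running the BitDefender firewall (assumed)
GATEWAY = "192.168.5.50"      # Safe@Office 500W, default gateway (assumed)
ALL_HOSTS = "224.0.0.1"       # IPv4 all-hosts multicast group
# Assumed marker; compared with spaces removed so the "Fi rewall" wrap seen in
# the poster's Wireshark dump still matches.
MARKER = b"BitDefenderFirewallBroadcast"

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


@dataclass
class Icmp:
    src: str
    dst: str
    type: int
    ident: int
    seq: int
    payload: bytes


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(src: str, dst: str, icmp_type: int, ident: int, seq: int,
               payload: bytes) -> bytes:
    """Return a raw IPv4 packet (no link layer) carrying one ICMP message."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(pkt: bytes):
    """Decode an IPv4/ICMP packet; None for non-ICMP or a bad IP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or checksum(pkt[:ihl]) != 0:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    icmp_type, _code, _cs, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return Icmp(src, dst, icmp_type, ident, seq, pkt[ihl + 8:])


def analyze(packets):
    """Flag BD multicast probes and echo replies that match no prior request.

    A stateful inspector keys echo requests on (requester, target, id, seq).
    A reply to a multicast request comes back from the responder's unicast
    address, so the tuple never matches and the reply looks stateless."""
    pending = set()
    findings = []
    for pkt in packets:
        p = parse_icmp(pkt)
        if p is None:
            continue
        if p.type == ICMP_ECHO_REQUEST:
            if p.dst == ALL_HOSTS and MARKER in p.payload.replace(b" ", b""):
                findings.append(("bd_multicast_probe", p.src, p.dst, p.ident, p.seq))
            pending.add((p.src, p.dst, p.ident, p.seq))
        elif p.type == ICMP_ECHO_REPLY:
            key = (p.dst, p.src, p.ident, p.seq)
            if key in pending:
                pending.discard(key)
            else:
                findings.append(("stateless_icmp_reply", p.src, p.dst, p.ident, p.seq))
    return findings


def sample_packets():
    """Constructed traffic, not a capture: one BD probe with the gateway's
    reply, then an ordinary unicast ping pair that does match."""
    probe_payload = b"BitDefender Fi rewall Broadcast .."
    return [
        build_icmp(XP64, ALL_HOSTS, ICMP_ECHO_REQUEST, 0x1234, 1, probe_payload),
        build_icmp(GATEWAY, XP64, ICMP_ECHO_REPLY, 0x1234, 1, probe_payload),
        build_icmp(XP64, GATEWAY, ICMP_ECHO_REQUEST, 0x0001, 7, b"abcdefgh"),
        build_icmp(GATEWAY, XP64, ICMP_ECHO_REPLY, 0x0001, 7, b"abcdefgh"),
    ]


if __name__ == "__main__":
    for finding in analyze(sample_packets()):
        print(*finding)
```

Running it prints one `bd_multicast_probe` line for the request to 224.0.0.1 and one `stateless_icmp_reply` line for the gateway's 192.168.5.50 -> 192.168.5.120 reply, while the unicast ping pair is consumed silently; that reply line is the same source/destination/service combination the S@O log shows. To apply the same logic to a real capture, feed `analyze()` the IPv4 payloads of the frames (for example via a pcap reader) instead of `sample_packets()`.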
Comments
This is in no way my field of expertise but I'll give it a try until somebody in support has a better idea.
The 224.0.0.1 multicast address is used to request that all multicast-capable hosts announce themselves to the requester, or something along those lines.
The only service that could need this for some remote inexplicable reason is the home management function in BitDefender.
I'm guessing it might multicast to see what IPs are online instead of connecting to each and getting timed out after a while because the machine is not online.
Try disabling the service.
When I reinstalled BD, I did not enable the network function and when I go to the network tab all the computers are greyed out. On my original installation I had enabled the network function and it did show my one computer. In both installations the Arrakis service which I understand is part of this network function had not started.
Networking is not my field of expertise either but I am learning a few things.
Pete
This is a bump to see if anyone has an answer. Since May 2009, I have upgraded from 2009 to 2010 of Total Internet Security but still have the same issue. I have seen one other post from someone who has identified the same problem but that is all.
Thanks,
The problem described above is still occurring. Additional debugging that I have tried with no effect:
- Disabled BD firewall
- Disabled BD Antivirus realtime protection
- Upgraded the drivers for the Realtek NIC
- As previously mentioned, upgraded BD 2009 to 2010, latest updates installed
Attached are two PDFs of PCAP files (I could not upload the PCAP files; if you want them please PM me) that were triggered when the target IP address is 224.0.0.1.
Flip1 BD Firewall Multicast Issue 2010-06-09a Updated BD & Realtek driver - demonstrates that the problem occurs every five minutes. The last portion of the string captured is "BitDefender Fi rewall Broadcast .."
Flip1 BD Firewall Multicast Issue 2010-06-09b 4 CP manual pings & 1 BD IGMP - demonstrates the response of pinging 224.0.0.1 from the command prompt and also captured one of the BD firewall's multicasts with the same signature as above.
Also, attached is an image of my Safe@Office 500 security log file. Note that 192.168.5.50 is the Safe@Office and 192.168.5.120 is the XP64 computer with the problem. I have blanked out my external IP address.
Thanks for any help that you can provide. The system works; it is just something that bugs me, because I have been unable to fix it.
Hello Flip1,
Please tell me if you have the HomeNetwork module within BitDefender Security Center enabled at the present time and if you have a computer set as Update Server. Also please open a command prompt, type ipconfig /all and tell me the set gateway.
Last but not least, restart Windows in Safe Mode and open Control Panel once the PC has loaded the Operating System. Look under Windows Accounts and tell me if you have a username "BitDefendercom".
Looking forward to your answer!
Regards,
Hi Daniel, sorry for the late response.
1) HomeNetwork module is not enabled. It was enabled at one time but during a required uninstall/reinstall, I did not re-enable as only one computer is using BD.
2) Update Server - No update server and there was not one in the original install either.
3) Default Gateway is 192.168.5.50
4) After boot to Safe Mode - Checked Local Users and Groups under Computer Management Console and no username of "BitDefendercom" was present.
Thanks,
flip1