For the last several months my Checkpoint Safe @ Office 500W (S@O 500W) has been logging at five minute intervals a Stateless ICMP error. It has been bugging me as it clutters up my error log and accounts for >50% of the log entries.
Details of the error line item from the S@O 500W are:
- Source is always x.x.x.50 which is my S@O 500W box
- Destination is always x.x.x.120 which is an XP-64 system with BitDefender Total Security 2009
- Service is ICMP 0 (Echo Reply)
- Reason Stateless ICMP
- Rule -1
- Net None
There are numerous other computers on the network running XP and Vista (not 64 bit for either) with TrendMicro Internet Security that do not generate this traffic. I went with BD as I need the 64-bit support.
After using the Wireshark sniffer on my XP64 system I finally figured out that the source of the IGMP requests was my BD firewall, as the data in the ICMP protocol sent had "BitDefender Firewall Broadcast .." embedded in it. Since I had previously shut down the BD firewall from within the program and the error did not go away, I decided to uncheck the "BitDefender Firewall NDIS Filter Driver" on the adapter property page.
After re-establishing the connection, Wireshark stopped reporting any requests to 224.0.0.1 and the S@O security logs showed none of the previous errors.
To test if I could turn the error back on, I re-checked the "BitDefender Firewall NDIS Filter"; it came up with a non-Microsoft-certified program type warning. I then rebooted the computer and had no IGMP attempts. However, I soon figured out that I had hosed something, as I could no longer do any virus scans and the File Zone and Net Zone graphs showed no activity. To fix this required the download of the removal tool and the latest 64-bit install package. Of course, after I got everything corrected the multicast pings resumed.
So after thinking that it was XP64 or my Realtek adapter, it turned out to be BitDefender. I have tried blocking any outbound activity to 224.0.0.1 in the BD FW Advanced Rules with no success. I have also attempted to create a FW rule on the S@O 500W to not log the error, but the box contains a level of security called "Smart Defense" which takes priority over the FW rules and is the source of the reported issue.
Long post, but I have been debugging this for a while. More details are available on the Sofaware Discussion Group http://sofaware.infopop.cc/eve/forums/a/tp...361/m/930102541.
Bottom line, why is the BD Firewall issuing multicast requests to 224.0.0.1, and is there any way to stop it? My guess is that there is something wrong with the multicast request that is causing the S@O 500W SmartDefense module to react the way it is. If a BD expert wants my Wireshark log file that details what is going out, let me know, as I cannot upload that file type here.
I know it is not a security issue but it is a pain.
Thanks,
Pete
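The condition Pete's gateway is logging (an ICMP Echo Reply that arrives with no Echo Request to match it, here additionally addressed to the 224.0.0.1 multicast group) can be reproduced on constructed packets with the added Python example below. It is not code from the thread or from either vendor; the 192.0.2.x addresses, the ICMP identifier and the payload text are made up for the example.

```python
import ipaddress
import struct

# Payload marker the post saw in Wireshark; the frames built below are
# constructed for this example, not taken from a real capture.
MARKER = b"BitDefender Firewall Broadcast"

def build_icmp_echo(src, dst, icmp_type, ident, payload=b""):
    """Build a minimal IPv4 + ICMP Echo Request (type 8) or Echo Reply (type 0).
    Checksums are left as zero; the classifier below does not verify them."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + icmp

def check_icmp_state(packet, seen_requests):
    """Decide whether a stateful inspector would call this ICMP packet stateless.
    seen_requests is a set of (src, dst, ident) tuples for Echo Requests seen so far."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                      # protocol field: not ICMP at all
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = ipaddress.IPv4Address(packet[16:20])
    icmp_type, _, _, ident, _ = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:]
    result = {"type": icmp_type, "dst": str(dst), "marker": MARKER in payload,
              "stateless": False, "reasons": []}
    if icmp_type == 8:                      # Echo Request: remember it
        seen_requests.add((src, str(dst), ident))
    elif icmp_type == 0:                    # Echo Reply: must match a request
        if (str(dst), src, ident) not in seen_requests:
            result["stateless"] = True
            result["reasons"].append("echo reply with no matching request")
        if dst.is_multicast:                # no unicast request can ever match this
            result["stateless"] = True
            result["reasons"].append("echo reply to multicast group")
    return result

if __name__ == "__main__":
    state = set()
    # Legitimate exchange: request, then reply with the same identifier
    req = build_icmp_echo("192.0.2.50", "192.0.2.120", 8, 0x1234)
    rep = build_icmp_echo("192.0.2.120", "192.0.2.50", 0, 0x1234)
    print(check_icmp_state(req, state), check_icmp_state(rep, state))
    # Unsolicited reply to 224.0.0.1 carrying the marker text
    stray = build_icmp_echo("192.0.2.120", "224.0.0.1", 0, 1, MARKER + b" ..")
    print(check_icmp_state(stray, state))
```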