Is the spyware blocking your firewall?

Is spyware clogging your firewall?
Is the spyware blocking your firewall?
(English Source:Http://techrepublic.com.com/5100-1009_11-5553653.html? Tag = NL. e030)

By Jonathan yarden
By Jonathan yarden)
Translation: endurer

Takeaway:
If you're troubleshooting intermittent network connectivity, spyware cocould be the culprit. Jonathan yarden tells you how to check your firewall for spyware infection.

Introduction:
If you are troubleshooting a problem such as a network connection that is interrupted at a time, spyware may be the culprit. Jonathan yarden tells you how to check your firewall for spyware infection.

Organizations frequently ask me for balance ance in diagnosing and resolving Internet problems. after a bit of detective work, I usually find that the problems are not really an Internet security issue. there's so much complexity in the specified ate network these days, and so forth places where a problem can occur, that simply identifying the true source of a networking problem is increasingly complex.
Many organizations often ask me to help diagnose or solve Internet problems. After a few tests, I usually find that it is not an Internet security problem. The computer networks of contemporary corporate groups are so complex that there are quite a few locations where problems may occur, and the complexity of simply verifying the true root cause of network problems is also increasing.

Earlier this month, a hospital that I periodically do some consulting for contacted me and asked for some sort ance. because I 've worked there on other projects, I was already quite familiar with its network configuration and equipment.
At the beginning of this month, a hospital I previously made a decision for contacted me and asked me for help. I have worked on other projects there, so I am already familiar with its network configurations and devices.

This organization uses check point's FireWall-1, a modular firewall platform. Depending on your network, this can either be just what you need or overkill.
This organization uses the Check Point's FireWall-1, a combined firewall platform. It depends entirely on your network. It can only meet your needs, or have more features.

The company also uses websense enterprise, an HTTP Content-filtering system that monitors and restricts web sites. websense interacts with the HTTP proxy on Firewall-1 (the HTTP Security Server) using the URL filtering protocol (UFP ).
The company also uses websense enterprise, an HTTP content filtering system that monitors and restricts web sites. Websense interacts with the HTTP proxy service in the Firewall-1 (HTTP Security Server) through the URL filtering protocol (UFP.

After weeks of trouble, the organization called me in to help solve one of the more frustrating computer problems: intermittent failure. during normal business hours -- but not always -- web surfing didn't always work. the problem sometimes occurred even with accessing internal web sites not proxied by Firewall-1.
After suffering for several weeks, this organization asked me to help solve a problem that plagued computers and failed to be interrupted. This fault occurs during normal business hours, but it is not always the case-webpage access is not always working. This problem sometimes occurs even in accessing an internal Web site that does not need to go through a Firewall-1 proxy.

At first, the description of the error sounded like a DNS failure, but this wasn't the case. Further details suggested a failure of the Firewall-1 HTTP proxy.
At first, the error description sounds like a DNS resolution failure, but not actually. Further details suggest that the Firewall-1 HTTP Proxy Server fails.

After reviewing the log files, we discovered that one participant web site was repeatedly turning up in the logs, and websense was consistently denying access to this web site. but for some reason, it was also Randomly Dropping legitimate URLs as well -- sometimes not even showing up in the log files.
After review of the log file, we found that a specific web site appears repeatedly in the log, and websense has been refusing to access this Web site. But for some reason, it also randomly discards/omissions (endurer Note: it is blocked in the following text) Some Legal URLs-sometimes not even displayed in the log file.

We finally discovered that the URL that websense was blocking was eviting of a spyware program transmitting information. it began at 7: 30 a.m. and continued throughout the day, and other workstations were also showing up in the logs.
We finally found that the URL blocked by websense is evidence of information transmitted by spyware. It started at AM and lasted for one day, and the log files of other workstations also had similar records.

After further investigation, we determined that a program called wild tangent Updater was responsible for all of the log entries. the wild tangent Updater was attempting to transmit usage information, but it was failing because outbound HTTP requests required authentication by Firewall-1.
After more investigation, we confirm that a program named wild tangent Updater is responsible for all the logs.
The wild tangent Updater program attempts to send customary information but fails because external HTTP requires Firewall-1 validation.

Firewall-1 and websense were doing exactly what they shocould. So why were they also blocking legitimate Web sites?
Both Firewall-1 and websense work very precisely. But why do they block legitimate Web sites?

All network-connected devices using TCP have limits to their ability to communicate. TCP is a connection-oriented protocol, and it uses a socket for communication.
The communication capability of all TCP network connection devices is limited. TCP is a connection-oriented protocol that uses Sockets for communication.

Checkpoint Firewall-1 employs login individual proxy servers using TCP to handle communication from the internal network to and from the public internet. Firewall-1 also uses TCP to communicate with websense to determine whether to allow a URL.
The checkpoint Firewall-1 serves some unique proxy servers that use TCP to handle communications between the internal network and the Internet. The checkpoint Firewall-1 also uses TCP to communicate with websense, deciding whether to allow access from a URL.

I suspected that wild tangent Updater was causing either Firewall-1 or websense to run out of TCP sockets. TCP sockets have timeouts, so they don't just disappear when you're finished with communication.
I suspect wild tangent Updater has caused a TCP socket running timeout for the Firewall-1 or websense. TCP sockets have timeout settings, so they do not disappear immediately when you have completed communication.

My theory seemed to explain the problems quite well. after a quick Google search and a visit to phoneboy.com, I felt that I was on the right track. so we are increased the socket limits for Firewall-1 and websense from their default values, and the problem went away.
My theory seems to be a good explanation of this problem. After Google quickly searched for and accessed phoneboy.com, I felt that I was on the right path. So we added socket restrictions on the default values of Firewall-1 and websense, which solved the problem.

Whether the wild tangent Updater caused the problem or merely precipitated it, there are certainly a lot of other firewall systems out there that cocould also experience this type of problem. if you're having similar difficulties, check your firewall: spyware may be clogging it.
Whether or not wild tangent Updater causes this problem or simply promotes it, there are still a large number of other firewalls in other places that may experience this problem. If you already have similar difficulties, check your firewall: The spyware may be blocking it.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday!

Jonathan yarden is the senior UNIX System Administrator, network security manager, and senior software has ECT for a regional ISP.
Jonathan yarden is a UNIX senior system administrator and a network security expert. He is also a senior software architect at a local ISP.