Hi everyone
I've been having troubles recently (the past 2 weeks or so) with Sygate personal firewall crashing unexpectedly, and no error message is given. At first I thought it was a software conflict of some kind.
But now I'm thinking that there is a exploit out there that will bring down Sygate. I am finding that SPF is crashing only when this bad inbound traffic is occuring. Many times it blocks incoming stuff, but fairly often my firewall will die without warning. These bad packets are hitting me on a variety of ports, but 5000 seems to be the most commonly used. 0, 80, and 113 are also used fairly often. The remote ports from which the connection attepts originate are high-numbered
I have seen .dll requesters pop up, asking for permission, and within seconds of their appearance, they disappear again, and the Sygate program is no longer running. The icon for SPF remains in the lower right, but it goes away if I move the mouse pointer over it. Yesterday this happened twice in a row, in rapid succession. (The request was something about a remote initiated connection attempt to load .dll files relating to Windows help)
Here is some info from my event log. Most of this I don't really understand, but perhaps it has something to do with SPF crashing all the time. Maybe there isn't an exploit out there, but I have a misconfiguration on my machine
In the System log, there is an entry from today saying the Service Control Manager is giving me an Error, and the Event ID is 7034. It says "The Sygate Personal FIrewall service terminated unexpectedly. It has done this 2 time(s)." I've tried looking around a bit, but I haven't found anything that explains what Event ID 7034 is, and WHY Sygate is crashing.
The Event Viewer for this System log entry says a file named netevent.dll is involved, version 5.1.2600.
In my Security log, there are a few entries I also don't understand. These entries were created shortly after I logged on, before connecting to the net.
Event Type: Failure Audi
Event Source: Securit
Event Category: Policy Change
Event ID: 61
Date: 5/19/200
Time: 5:56:00 P
User: NT AUTHORITY\NETWORK SERVIC
Computer: POOP
Description
IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
Event Type: Failure Audi
Event Source: Securit
Event Category: Policy Change
Event ID: 61
Date: 5/19/200
Time: 5:56:01 P
User: NT AUTHORITY\NETWORK SERVIC
Computer: POOP
Description
IPSec Services: IPSec Services failed to initialize RPC server with error code: The authentication service is unknown
. IPSec Services could not be started
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
Event Type: Failure Audi
Event Source: Securit
Event Category: Account Logon
Event ID: 68
Date: 5/19/200
Time: 5:56:01 P
User: NT AUTHORITY\SYSTE
Computer: POOP
Description
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_
Logon account: (***myname***
Source Workstation: POOP
Error Code: 0xC000006
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
Event Type: Failure Audi
Event Source: Securit
Event Category: Logon/Logoff
Event ID: 52
Date: 5/19/200
Time: 5:56:01 P
User: NT AUTHORITY\SYSTE
Computer: POOP
Description
Logon Failure
Reason: Unknown user name or bad passwor
User Name: (***myname***
Domain: POOP
Logon Type:
Logon Process: Advapi
Authentication Package: Negotiat
Workstation Name: POOP
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
(Why the heck is this appearing I didn't make a mistake when I typed in my password, I just typed it once and logged right in....
Event Type: Failure Audi
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 5/19/2004
Time: 5:56:01 PM
User: NT AUTHORITY\SYSTEM
Computer: POOP1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: (***myname***)
Source Workstation: POOP1
Error Code: 0xC000006A
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
And finally, we have my successful logon entry...
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 5/19/2004
Time: 5:56:11 PM
User: POOP1\(***myname***)
Computer: POOP1
Description:
Successful Logon:
User Name: (***myname***)
Domain: POOP1
Logon ID: (0x0,0xDB75)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: POOP1
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I don't have other computers or routers involved at home. I am connecting to the 'net through a dialup. I am also running TDS-3, PG, port explorer, AntiVir, and Opera 7.50 when I'm online.