
Author Topic: Sygate Firewall and AntiVir AV programs  (Read 2994 times)


Sidewinder

Sygate Firewall and AntiVir AV programs
« on: May 07, 2006, 03:57:49 AM »
Under normal circumstances, my AV program is updated daily (sometimes just the signatures, sometimes just the .exe modules, sometimes both). This week it was both.

The Sygate Firewall starts automatically from the registry during system startup.

During today's weekly AV scan, the following window was posted by the firewall (Sygate):

The executable has changed since the last time you used: E:\AntiVir PersonalEdition Classic\avscan.exe
File Version :            7.0.0.35
File Description :      Workstation On-Demand Scanner
File Path :            E:\AntiVir PersonalEdition Classic\avscan.exe
Process ID :            0xEF0 (Heximal) 3824 (Decimal)

Connection origin :      local initiated
Protocol :            Raw Ethernet
Local Address :       0.0.0.0
Local Port :            0
Remote Name :                  
Remote Address :      0.0.0.0
Remote Port :             0

Ethernet packet details:
Ethernet II (Packet Length: 56)
      Destination:       ff-ff-ff-ff-ff-ff
      Source:       00-30-bd-90-96-08
Type: ARP (0x0806)
Address Resolution Protocol (ARP)
      Hardware type: Ethernet (0x0001)
      Protocol type: IP (0x0800)
      Hardware size: 6
      Protocol size: 4
      Opcode: Request
      Sender hardware address: 00-30-bd-90-96-08
      Sender IP address: 192.168.2.3
      Target hardware address: 00-00-00-00-00-00
      Target IP address: 192.168.2.2

Binary dump of the packet:
0000:  FF FF FF FF FF FF 00 30 : BD 90 96 08 08 06 00 01 | .......0........
0010:  08 00 06 04 00 01 00 30 : BD 90 96 08 C0 A8 02 03 | .......0........
0020:  00 00 00 00 00 00 C0 A8 : 02 02 00 01 A9 9B 50 10 | ..............P.
0030:  48 EC E5 07 00 00 00 00 :                         | H.......        

This would have been fine and dandy except the window was posted 15 minutes into the AV scan. To make matters worse, the AV scan continued to run while I debated how to respond to this message. Normally I would just respond "yes" to dismiss the window, but today I waited an hour, all the while the AV scan continued to process.

Am I asking too much for the firewall to post the window immediately upon the AV startup when the discrepancy should have been noticed? Am I also asking too much to have the firewall suspend execution of this or any program where it finds a problem and wait for the user (me!) to respond to the window?

If you have any thoughts on this, I'd appreciate hearing them.

 8-)
« Last Edit: May 07, 2006, 04:00:22 AM by Sidewinder »
The true sign of intelligence is not knowledge but imagination.

-- Albert Einstein
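
The packet that triggered the Sygate prompt can be decoded straight from the hex dump in the post above. This Python sketch is an added example, not part of the original post or of Sygate; the function names are illustrative. It rebuilds the frame from the dump and decodes the Ethernet II and ARP fields, including whether the ARP target is a private LAN address.

```python
import ipaddress
import re
import struct

# Hex dump copied from the Sygate prompt quoted in the post above.
DUMP = """\
0000:  FF FF FF FF FF FF 00 30 : BD 90 96 08 08 06 00 01 | .......0........
0010:  08 00 06 04 00 01 00 30 : BD 90 96 08 C0 A8 02 03 | .......0........
0020:  00 00 00 00 00 00 C0 A8 : 02 02 00 01 A9 9B 50 10 | ..............P.
0030:  48 EC E5 07 00 00 00 00 :                         | H.......
"""

def dump_to_bytes(dump):
    """Drop the offset column and the ASCII gutter; keep the hex byte pairs."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("|", 1)[0]
        out += bytes(int(h, 16) for h in re.findall(r"\b[0-9A-Fa-f]{2}\b", hex_part))
    return bytes(out)

def mac(b):
    return "-".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Decode the Ethernet II header and, for EtherType 0x0806, the ARP body."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0],
            "broadcast": frame[0:6] == b"\xff" * 6}
    if info["ethertype"] != 0x0806:
        return info                      # not ARP: nothing more to decode here
    if len(frame) < 42:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    target = ipaddress.IPv4Address(frame[38:42])
    info.update(opcode={1: "request", 2: "reply"}.get(oper, str(oper)),
                sender_mac=mac(frame[22:28]),
                sender_ip=str(ipaddress.IPv4Address(frame[28:32])),
                target_mac=mac(frame[32:38]), target_ip=str(target),
                target_is_private=target.is_private,
                trailer_len=len(frame) - 42)   # bytes after the 28-byte ARP body
    return info

if __name__ == "__main__":
    for key, value in parse_frame(dump_to_bytes(DUMP)).items():
        print(f"{key:18} {value}")
```

The Ethernet header (14 bytes) plus the ARP body (28 bytes) account for 42 of the 56 bytes the prompt reports; the remaining 14 are frame trailer and carry no ARP fields.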

Fed

    Re: Sygate Firewall and AntiVir AV programs
    « Reply #1 on: May 07, 2006, 02:31:48 PM »
    Nothing to worry about, your AV has updated its exe file & Sygate saw the change.

    Sidewinder

    Re: Sygate Firewall and AntiVir AV programs
    « Reply #2 on: May 08, 2006, 06:46:40 AM »
    Thanks Fed but I was hoping there was something actually wrong here. I understand why the window popped-up, I was more concerned about the 15 minute time lag it took to do so and why the AV program was not suspended while I delayed choosing what to do.

    I thought this is what firewalls did at the minimum. Interesting thought: Will an AV program discover a virus in its own executable?

     8-)

    dl65

      Re: Sygate Firewall and AntiVir AV programs
      « Reply #3 on: May 08, 2006, 12:06:32 PM »
      Sidewinder... Is it possible that your AV was utilizing all of your machine's resources while it was scanning and that would possibly explain the delay...
      What are the specs on your machine? You didn't happen to check what was going on with the task manager, did you?

      dl65  ::)
      « Last Edit: May 08, 2006, 12:07:33 PM by dl65 »
      If you don't know the answer, it isn't a dumb question.

      Fed

        Re: Sygate Firewall and AntiVir AV programs
        « Reply #4 on: May 08, 2006, 01:49:13 PM »
        I'd think Sygate would only popup when avscan tried to access the net and that access would have been blocked until you decided what to do.
        Probably avscan checking for new virus sigs & nothing to do with the virus scan you were running.

        Sidewinder

        Re: Sygate Firewall and AntiVir AV programs
        « Reply #5 on: May 08, 2006, 04:25:06 PM »
        Thanks guys I appreciate the help. Let me try to explain more. All my maint programs including AV sig updates and AV scans run from a logon script. The script is crafted so each program runs sequentially with no execution overlap.

        Most maint programs are scheduled for Saturday at startup. AV sigs are checked for daily. The AV scan runs each Sunday. The actual .exe update took place Sat when the sigs were also updated. When the scan ran Sunday, the Sygate window popped-up and specifically mentioned the changes to the avscan.exe file which is the AV scanner program.

        I didn't check the task manager list, but considering a scan program would use lots of I/O, the Sygate program should have no problem grabbing an interrupt.

        The system is a Dell Inspiron 5150 Laptop 2.4 GHz, 512MB Ram, 40GB disk, XP SP2 fully updated and reasonably protected. Haven't actually found a virus, trojan, or other malware in over 14 months.

        Maybe I'm concerned about nothing, but that 15 minute lag and the non-suspension of the job in question seems out of character for a firewall.

         8-)


        Fed

          Re: Sygate Firewall and AntiVir AV programs
          « Reply #6 on: May 09, 2006, 12:39:32 AM »
          Here's my theory & I'm sticking to it. :D

          15 minutes into the scan your avscan.exe tried to access the internet but since it was 'changed' on the last update Sygate picked it up.
          Then the avscan.exe was blocked from accessing the internet until you gave it the OK.
          Needless to say the scan continued on throughout this time although internet access was blocked.
          My bet is that your avscan 'calls home' to either report info or get info or both.

          Sidewinder

          Re: Sygate Firewall and AntiVir AV programs
          « Reply #7 on: May 09, 2006, 12:20:51 PM »
          OK guys. I'll buy Fed's theory for now. Seems reasonable as anything else I've heard from my friends. Phones home, huh? Wonder where it calls? Sygate was discontinued after being sold to Symantec. Maybe it just calls that empty phone booth in dataland.

          [Sigh]

           8-)

          Fed

            Re: Sygate Firewall and AntiVir AV programs
            « Reply #8 on: May 09, 2006, 03:32:14 PM »
            Not Sygate, Avscan accessing the internet.
            I'm currently trialing (playing with) Prevx1, I think it does the same.