[SOLVED] Dangerous operation blocked

ErinC
Registered user
Posts: 10
Joined: Mon, 25 Jun 2012, 15:08

[SOLVED] Dangerous operation blocked

Post by ErinC »

Hi all,

I'm currently testing the PCOP 6 client before allowing this update to go out to our customers and I appear to have an issue.

I occasionally see a Panda message onscreen that says:

"2 dangerous operations blocked"
5005 rule
c:\program files (x86)\internet explorer\iexplore.exe

The message unfortunately does not provide any further information. We only have the PCOP AV enabled, and not the firewall.

Browser functionality doesn't appear to be affected. When I got this message earlier on today I was actually browsing to the Panda PCOP console login.

Anyone else got this? This behaviour is different from v5 and I would like to clarify the situation before rolling v6 out.
Don't make me use uppercase...
Pandamonium
Official moderator
Posts: 107
Joined: Tue, 10 Apr 2012, 12:30
Location: Darkest place on the interwebz

Re: Dangerous operation blocked

Post by Pandamonium »

Hi Mate,

Just want to dbl check there is no Hijack on your IE.

Can you run the following and report back: http://support.pandasecurity.com/forum/ ... ?f=24&t=16

Thanks

Re: Dangerous operation blocked

Post by ErinC »

Thank you for your reply Pandamonium,

I have run the Panda ActiveScan Cleaner as advised and it's now just sitting there saying "Analyzing Cloud Report" ... it's been that way for 15 minutes now.
I am pretty sure the system is clean, I run HiJackThis and MBAM regularly and the PC has PCOP resident too of course.

Analyzer is still sitting doing nothing apparently and I need to leave and take this laptop with me. I'll run it again tomorrow and post back.
Don't make me use uppercase...

Re: Dangerous operation blocked

Post by ErinC »

I've run the scanner again and again it's just sitting there doing nothing whilst displaying "Analyzing offline ... The analysis results will appear in a few moments". I left it for 10 minutes or more. This is irrelevant though, the PC is clean I'm sure of it.

I have done some more testing and the pop-up is only displayed when I access the Kaseya SAAS9 console. The remote control functionality in Kaseya is now broken so Panda appears to be blocking some component (thus the pop-up). Anyone any idea how I resolve this? I rely on the Kaseya console.
Don't make me use uppercase...

Re: Dangerous operation blocked

Post by Pandamonium »

Hi,

Can you PM me your client number / username so I can check your detections in your console?

Re: Dangerous operation blocked

Post by Pandamonium »

Here is the explanation: http://blog.cloudantivirus.com/2010/06/ ... drule=5005

Does your Kaseya run through your browser?

Re: Dangerous operation blocked

Post by ErinC »

Rule 5005: During normal behaviour Web browsers shouldn’t need to execute files from downloaded programs directories. This rule prevents some IE vulnerabilities normally exploited by drive-by downloaders. If you receive an alert, some kind of vulnerability is being exploited.

Yes the Kaseya console is web based. I'm accessing it using a fully patched up installation of Internet Explorer 9.

Whilst it's nice to have an explanation of the error code, a workaround would be nicer ;)
Don't make me use uppercase...

Re: Dangerous operation blocked

Post by ErinC »

Update: I just received an email from corp tech support.
This is normal behaviour to block these actions as they mimic a browser exploit. Often malware gets executed using these command shell actions.

http://blog.cloudantivirus.com/2010/06/ ... drule=5005

The way to stop this is to log into the console, go to Installation and Settings, Profile, choose the affected profile, AntiVirus and untick "Block Malicious Actions".

This will stop Kaseya from being blocked.

So the workaround is to turn off this protection feature which isn't great but at least it will fix it in the short term. Methinks this "Block Malicious Actions" feature needs a URL whitelist.
Don't make me use uppercase...
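
Added example, not part of the thread and not Panda's implementation: a sketch of a rule shaped like the quoted rule 5005 with a per-origin exception, as an alternative to unticking "Block Malicious Actions" for a whole profile. The ActiveX cache path, the `page_url` event field, the allowlisted origin and all sample events are assumptions constructed for illustration.

```python
from ntpath import normpath
from urllib.parse import urlsplit

BROWSERS = {"iexplore.exe"}
# Assumption: the IE ActiveX cache stands in for "downloaded programs directories".
DOWNLOAD_DIRS = (r"c:\windows\downloaded program files",)
# Hypothetical exception list: exact scheme://host origins, never substrings.
ALLOWED_ORIGINS = {"https://console.example.invalid"}

def origin(url):
    parts = urlsplit(url or "")
    return f"{parts.scheme}://{parts.netloc}".lower()

def in_download_dir(path):
    # normpath collapses "..", so a traversal cannot fake or hide the location.
    p = normpath(path).lower()
    return any(p.startswith(d + "\\") for d in DOWNLOAD_DIRS)

def evaluate(event):
    """Return 'allow', 'block' or 'allow-exception' for one process-start event."""
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if parent not in BROWSERS or not in_download_dir(event["image"]):
        return "allow"
    if origin(event.get("page_url")) in ALLOWED_ORIGINS:
        return "allow-exception"
    return "block"

IE = r"c:\program files (x86)\internet explorer\iexplore.exe"
CACHE = r"C:\Windows\Downloaded Program Files"
# Constructed sample events; page_url is an assumed field.
SAMPLE_EVENTS = [
    {"parent_image": IE, "image": CACHE + r"\remote.exe",
     "page_url": "https://console.example.invalid/login"},
    {"parent_image": IE, "image": CACHE + r"\dropper.exe",
     "page_url": "https://console.example.invalid.attacker.example/"},
    {"parent_image": IE, "image": CACHE + r"\..\System32\notepad.exe",
     "page_url": "https://other.example/"},
    {"parent_image": r"c:\windows\explorer.exe", "image": CACHE + r"\remote.exe"},
]

def verdicts(events=SAMPLE_EVENTS):
    return [evaluate(e) for e in events]

if __name__ == "__main__":
    for e, v in zip(SAMPLE_EVENTS, verdicts()):
        print(f"{v:16} {e['image']}")
```

The second event shows why the exception compares whole origins: a look-alike host that merely begins with the allowlisted name is still blocked.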

Dangerous operation blocked

Post by Pandamonium »

agreed :)