I'm using the one posted earlier. I've tried creating c:\capture,
c:\capture\log and c:\capture\tmp, and copying capture.exe to c:\capture, as
suggested may be necessary in this file.

I attach a copy of the file...

Steve

On Wed, 25 Jul 2007 12:33:59 -0700
"Christian Seifert" <[EMAIL PROTECTED]> wrote:

> seems like your file monitor is not starting up correctly.
> 
> to get it to start correctly. To solve this issue, start the Capture client,
> wait for the client to be fully started and then press 'q' and enter. This
> will cause the filter driver to unload. Take a new snapshot of your VM.
> 
> Now, this is not likely to solve your issue that you were having regards the
> classification of the server. Could you send me your exclusion lists that
> you are using as well.
> 
> thanks-
> christian
> 
> On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > Sorry for the delay - clam av has been causing errors on my mail server ):
> >
> > As requested.
> > On Tue, 24 Jul 2007 15:01:54 -0700
> > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > Steve, can you just run Capture.exe from the command line and send us the
> > > output.
> > > Christian
> > >
> > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > As I thought... all files are in c:\ as per the install instructions.
> > > >
> > > > What now?
> > > >
> > > > On Tue, 24 Jul 2007 15:54:39 +1200
> > > > Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > I'm not at my desk at the moment, but everything's installed in c:\, as
> > > > > per the instructions. I'll check everything tomorrow...
> > > > >
> > > > > Steve
> > > > >
> > > > > On Tue, 24 Jul 2007 14:19:12 +1200
> > > > > "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > OK now it looks like we are getting somewhere. From what the log says
> > > > > > it looks like the exclusion lists aren't loading up ... there should
> > > > > > not be any read events if you used the exclusion lists I provided.
> > > > > > What directory have you put the client in on the VM? The 1.1 version
> > > > > > has a restriction in that you have to have Capture in c:\. The server
> > > > > > runs the file C:\Capture.bat which in turn runs the client which is
> > > > > > located at C:\Capture.exe
> > > > > >
> > > > > > Cheers,
> > > > > > Ramon.
> > > > > >
> > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > OK, I've reverted to IE 6 now, and it still tells me that google is
> > > > > > > a malicious site. I still get warnings about popups - are there other
> > > > > > > things that I should have installed, or configured?
> > > > > > >
> > > > > > > Here's my config.xml
> > > > > > >
> > > > > > > <?xml version="1.0"?>
> > > > > > > <config>
> > > > > > >
> > > > > > > <server address="192.168.1.190" port="902" username="root" password="xxxxxxxx">
> > > > > > >         <vm path="/home/vmware/Windows XP Professional/Windows XP Professional.vmx" username="chris" password="chris" />
> > > > > > > </server>
> > > > > > >
> > > > > > > </config>
> > > > > > >
> > > > > > >
> > > > > > > The XP Pro client is patched up to date, with the exception of IE7.
> > > > > > > The .exl files are as posted on this list yesterday. The attached log
> > > > > > > expands to just under 1mb, and apparently shows that google is
> > > > > > > malicious. I have *never* managed to mark a site as safe.
> > > > > > >
> > > > > > > Server is RHEL4. Client is happily being controlled/reset as
> > > > > > > expected.
> > > > > > >
> > > > > > > I've got about 250,000 sites to check if I can ever get it to work
> > > > > > > properly. What is wrong?
> > > > > > >
> > > > > > > Steve
> > > > > > >
> > > > > > > On Mon, 23 Jul 2007 16:21:00 -0700
> > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > so IE just doesn't accept your settings...I really haven't
> > > > > > > > encountered this before.
> > > > > > > > What if you turn on the phishing filter. Does it continue to
> > > > > > > > prompt you then?
> > > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > >
> > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > On Mon, 23 Jul 2007 15:40:48 -0700
> > > > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > > Steve,
> > > > > > > > > >
> > > > > > > > > > I misread your initial email. It seems like the problem is
> > > > > > > > > > not that capture reports a site as malicious although it is
> > > > > > > > > > not (in that case one would have to edit the exclusion list),
> > > > > > > > > > but rather you are just being prompted to enable the phishing
> > > > > > > > > > filter each time IE7 is opened.
> > > > > > > > > Correct - although just most of the time, not always.
> > > > > > > > > >
> > > > > > > > > > Did you take a snapshot of the VM after you disabled the
> > > > > > > > > > phishing filter?
> > > > > > > > > > Once you disabled the phishing filter and restart IE, does it
> > > > > > > > > > prompt you again?
> > > > > > > > > >
> > > > > > > > > Yes.
> > > > > > > > > > Christian
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Mon, 23 Jul 2007 14:56:23 -0700
> > > > > > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Steve,
> > > > > > > > > > > >
> > > > > > > > > > > > let's check one thing. When you state that you "disabled
> > > > > > > > > > > > it", what user were you when you did so?  One thing to
> > > > > > > > > > > > watch out for is that the configuration options in IE need
> > > > > > > > > > > > to be undertaken with the same user as in the config.xml
> > > > > > > > > > > > file. If that is administrator, you explicitly need to
> > > > > > > > > > > > login as Administrator before making config adjustments in
> > > > > > > > > > > > IE.
> > > > > > > > > > > I was the same user that the server uses. I've told IE not
> > > > > > > > > > > to use it, and done through the internet security options,
> > > > > > > > > > > and disabled it there as well. I don't know of anywhere else
> > > > > > > > > > > to disable it... not that that's saying much as I look after
> > > > > > > > > > > linux servers for a living!
> > > > > > > > > > > >
> > > > > > > > > > > > If that wasn't the problem, I would recommend adding this
> > > > > > > > > > > > option to your exclusion list, so it is being ignored by
> > > > > > > > > > > > Capture in its assessment to the malicious nature of the
> > > > > > > > > > > > site.
> > > > > > > > > > > How? I'd normally read the relevant documentation, but I
> > > > > > > > > > > can't seem to find any. I'd also expect this to be a part of
> > > > > > > > > > > a default install!
> > > > > > > > > > > >
> > > > > > > > > > > > Hope this helps -
> > > > > > > > > > > > Christian
> > > > > > > > > > > Cheers,
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Steve
> > > > > > > > > > > _______________________________________________
> > > > > > > > > > > Capture-HPC mailing list
> > > > > > > > > > > Capture-HPC@public.honeynet.org
> > > > > > > > > > > https://public.honeynet.org/mailman/listinfo/capture-hpc
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > ----
> > > > > > > > > > Web: http://www.mcs.vuw.ac.nz/~cseifert
> > > > > > > > > >
> > > > > > > > > > PGP key
> > > > > > > > > > http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
> > > > > > > > > > Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
> > > > > > > > > >

Attachment: FileMonitor.exl
Description: Binary data
