Sorry Steve --- I am a bit puzzled myself.

Let's try one more thing.

When you start up Capture from the command line, open IE and go to
www.google.com. Do you see any events output on the command line window?
If not, that tells us that the exclusion lists are good and are being loaded
(as the attached file suggested).

Then, try again via the server. If Google is classified as malicious, then
try to start the server and interrupt it during the retrieval of the page
(that way the server won't reset the VM). This allows you to check out the
window Capture is running in. Maybe that will give us the pointers that we
need to solve this...

Christian


On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

I'm using the one posted earlier. I've tried creating c:\capture,
c:\capture\log and c:\capture\tmp , and copying capture.exe to c:\capture,
as suggested may be necessary in this file.

I attach a copy of the file...

Steve

On Wed, 25 Jul 2007 12:33:59 -0700
"Christian Seifert" <[EMAIL PROTECTED]> wrote:

> Seems like your file monitor is not starting up correctly.
>
> To get it to start correctly, start the Capture client, wait for the client
> to be fully started and then press 'q' and enter. This will cause the filter
> driver to unload. Take a new snapshot of your VM.
>
> Now, this is not likely to solve the issue that you were having regarding
> the classification of the server. Could you send me the exclusion lists
> that you are using as well?
>
> thanks-
> christian
>
> On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > Sorry for the delay - ClamAV has been causing errors on my mail server ):
> >
> > As requested.
> > On Tue, 24 Jul 2007 15:01:54 -0700
> > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > Steve, can you just run Capture.exe from the command line and send us
> > > the output.
> > > Christian
> > >
> > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > As I thought... all files are in c:\ as per the install instructions.
> > > >
> > > > What now?
> > > >
> > > > On Tue, 24 Jul 2007 15:54:39 +1200
> > > > Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > I'm not at my desk at the moment, but everything's installed in c:\,
> > > > > as per the instructions. I'll check everything tomorrow...
> > > > >
> > > > > Steve
> > > > >
> > > > > On Tue, 24 Jul 2007 14:19:12 +1200
> > > > > "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > OK now it looks like we are getting somewhere. From what the log
> > > > > > says it looks like the exclusion lists aren't loading up ... there
> > > > > > should not be any read events if you used the exclusion lists I
> > > > > > provided. What directory have you put the client in on the VM? The
> > > > > > 1.1 version has a restriction in that you have to have Capture in
> > > > > > c:\. The server runs the file C:\Capture.bat which in turn runs the
> > > > > > client which is located at C:\Capture.exe
> > > > > >
> > > > > > Cheers,
> > > > > > Ramon.
> > > > > >
> > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > OK, I've reverted to IE 6 now, and it still tells me that google
> > > > > > > is a malicious site. I still get warnings about popups - are
> > > > > > > there other things that I should have installed, or configured?
> > > > > > >
> > > > > > > Here's my config.xml
> > > > > > >
> > > > > > > <?xml version="1.0"?>
> > > > > > > <config>
> > > > > > >
> > > > > > > <server address="192.168.1.190" port="902" username="root"
> > > > > > >         password="xxxxxxxx">
> > > > > > >         <vm path="/home/vmware/Windows XP Professional/Windows XP Professional.vmx"
> > > > > > >             username="chris" password="chris" />
> > > > > > > </server>
> > > > > > >
> > > > > > > </config>
> > > > > > >
> > > > > > >
> > > > > > > The XP Pro client is patched up to date, with the exception of
> > > > > > > IE7. The .exl files are as posted on this list yesterday. The
> > > > > > > attached log expands to just under 1mb, and apparently shows that
> > > > > > > google is malicious. I have *never* managed to mark a site as safe.
> > > > > > >
> > > > > > > Server is RHEL4. Client is happily being controlled/reset as
> > > > > > > expected.
> > > > > > >
> > > > > > > I've got about 250,000 sites to check if I can ever get it to
> > > > > > > work properly. What is wrong?
> > > > > > >
> > > > > > > Steve
> > > > > > >
> > > > > > > On Mon, 23 Jul 2007 16:21:00 -0700
> > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > So IE just doesn't accept your settings... I really haven't
> > > > > > > > encountered this before.
> > > > > > > > What if you turn on the phishing filter. Does it continue to
> > > > > > > > prompt you then?
> > > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > >
> > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > On Mon, 23 Jul 2007 15:40:48 -0700
> > > > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > > Steve,
> > > > > > > > > >
> > > > > > > > > > I misread your initial email. It seems like the problem is
> > > > > > > > > > not that Capture reports a site as malicious although it is
> > > > > > > > > > not (in that case one would have to edit the exclusion
> > > > > > > > > > list), but rather you are just being prompted to enable the
> > > > > > > > > > phishing filter each time IE7 is opened.
> > > > > > > > > Correct - although just most of the time, not always.
> > > > > > > > > >
> > > > > > > > > > Did you take a snapshot of the VM after you disabled the
> > > > > > > > > > phishing filter? Once you disabled the phishing filter and
> > > > > > > > > > restart IE, does it prompt you again?
> > > > > > > > > >
> > > > > > > > > Yes.
> > > > > > > > > > Christian
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]>
wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Mon, 23 Jul 2007 14:56:23 -0700
> > > > > > > > > > > "Christian Seifert" <[EMAIL PROTECTED]>
wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Steve,
> > > > > > > > > > > >
> > > > > > > > > > > > Let's check one thing. When you state that you
> > > > > > > > > > > > "disabled it", what user were you when you did so?  One
> > > > > > > > > > > > thing to watch out for is that the configuration options
> > > > > > > > > > > > in IE need to be undertaken with the same user as in the
> > > > > > > > > > > > config.xml file. If that is administrator, you explicitly
> > > > > > > > > > > > need to login as Administrator before making config
> > > > > > > > > > > > adjustments in IE.
> > > > > > > > > > > I was the same user that the server uses. I've told IE
> > > > > > > > > > > not to use it, and done through the internet security
> > > > > > > > > > > options, and disabled it there as well. I don't know of
> > > > > > > > > > > anywhere else to disable it... not that that's saying
> > > > > > > > > > > much as I look after linux servers for a living!
> > > > > > > > > > > >
> > > > > > > > > > > > If that wasn't the problem, I would recommend adding
> > > > > > > > > > > > this option to your exclusion list, so it is being
> > > > > > > > > > > > ignored by Capture in its assessment of the malicious
> > > > > > > > > > > > nature of the site.
> > > > > > > > > > > How? I'd normally read the relevant documentation, but I
> > > > > > > > > > > can't seem to find any. I'd also expect this to be a part
> > > > > > > > > > > of a default install!
> > > > > > > > > > > >
> > > > > > > > > > > > Hope this helps -
> > > > > > > > > > > > Christian
> > > > > > > > > > > Cheers,
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Steve
> > > > > > > > > > > _______________________________________________
> > > > > > > > > > > Capture-HPC mailing list
> > > > > > > > > > > Capture-HPC@public.honeynet.org
> > > > > > > > > > > https://public.honeynet.org/mailman/listinfo/capture-hpc
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > ----
> > > > > > > > > > Web: http://www.mcs.vuw.ac.nz/~cseifert
> > > > > > > > > >
> > > > > > > > > > PGP key
> > > > > > > > > > http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
> > > > > > > > > > Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
> > > > > > > > > >
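The diagnostic Christian proposes at the top of the thread (run Capture from the command line, load www.google.com, and see whether any events are printed) rests on how Capture classifies a URL: every file, registry or process event that survives the exclusion lists counts as an unauthorised state change, and one such event is enough to mark the visit malicious. So a plain page load that still produces read events means the lists were not applied, not that Google is hostile. The script below is an added example, not Capture-HPC's own code. Its rule syntax ('+' rule excludes, '-' rule reports, tab-separated regexes for action, process and object) is an assumption loosely modelled on the .exl lists the thread mentions, and all event lines are constructed samples, not real Capture output. It replays a benign visit and a drive-by download against a list, shows the "nothing loaded" failure mode, and flags blanket '.*' exclusions that would hide malware activity as well.

```python
"""Replay Capture-style client events against an exclusion list.

Added illustration, not Capture-HPC's own code. The rule syntax is an
ASSUMPTION loosely modelled on the tab-separated exclusion lists the thread
refers to: '+' rules exclude (ignore) matching events, '-' rules force them
to be reported, and the action, process and object columns are regular
expressions matched against the whole field. All events below are
CONSTRUCTED samples, not lines from a real Capture log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    monitor: str   # "file", "registry" or "process"
    action: str    # e.g. "Read", "Write", "Created"
    process: str   # full path of the process that caused the event
    obj: str       # file path, registry key or child process path


@dataclass(frozen=True)
class Rule:
    exclude: bool
    action: re.Pattern
    process: re.Pattern
    obj: re.Pattern


def parse_exclusion_list(text: str) -> list[Rule]:
    """Parse '<+|->\\t<action re>\\t<process re>\\t<object re>' lines (assumed syntax)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 4 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected 4 tab-separated columns starting with + or -")
        sign, action, proc, obj = parts
        rules.append(Rule(sign == "+", *(re.compile(p, re.IGNORECASE) for p in (action, proc, obj))))
    return rules


def is_excluded(ev: Event, rules: list[Rule]) -> bool:
    """Last matching rule wins. With no rules loaded nothing is excluded, which is
    the 'every read event gets reported and Google is malicious' symptom."""
    verdict = False
    for r in rules:
        if (r.action.fullmatch(ev.action) and r.process.fullmatch(ev.process)
                and r.obj.fullmatch(ev.obj)):
            verdict = r.exclude
    return verdict


def unexcluded(events: list[Event], rules: list[Rule]) -> list[Event]:
    return [ev for ev in events if not is_excluded(ev, rules)]


def classify(events: list[Event], rules: list[Rule]) -> str:
    """Capture's principle: any state change that survives the exclusion lists
    marks the visited URL as malicious."""
    return "malicious" if unexcluded(events, rules) else "benign"


def blanket_rules(rules: list[Rule]) -> list[Rule]:
    """An excluding rule with '.*' for the process or object column whitelists
    malware activity as well; flag it before shipping the list."""
    return [r for r in rules if r.exclude and ".*" in (r.process.pattern, r.obj.pattern)]


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
PROFILE = r"C:\Documents and Settings\chris\Local Settings"

# Constructed: what a plain visit to www.google.com might produce
BENIGN_VISIT = [
    Event("file", "Read", IE, r"C:\WINDOWS\system32\wininet.dll"),
    Event("file", "Write", IE, PROFILE + r"\Temporary Internet Files\Content.IE5\ABCD1234\search[1].htm"),
    Event("registry", "SetValueKey", IE, r"HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement"),
]

# Constructed: the same visit plus a drive-by download that drops and runs a binary
DRIVE_BY = BENIGN_VISIT + [
    Event("file", "Write", IE, PROFILE + r"\Temp\update.exe"),
    Event("process", "Created", IE, PROFILE + r"\Temp\update.exe"),
]

_IE_RE = r"C:\\Program Files\\Internet Explorer\\iexplore\.exe"
EXCLUSION_LIST = "\n".join([
    "# assumed syntax: +/-, action re, process re, object re (tab separated)",
    "\t".join(["+", "Read", _IE_RE, r"C:\\WINDOWS\\.*"]),
    "\t".join(["+", "Write", _IE_RE, r"C:\\Documents and Settings\\.*\\Temporary Internet Files\\.*"]),
    "\t".join(["+", "SetValueKey", _IE_RE, r"HKCU\\Software\\Microsoft\\Internet Explorer\\.*"]),
])


if __name__ == "__main__":
    rules = parse_exclusion_list(EXCLUSION_LIST)
    for label, rs in (("list loaded", rules), ("list NOT loaded", [])):
        print(f"{label}: google visit -> {classify(BENIGN_VISIT, rs)}, "
              f"{len(unexcluded(BENIGN_VISIT, rs))} unexcluded event(s)")
    print(f"drive-by with list loaded -> {classify(DRIVE_BY, rules)}")
    for ev in unexcluded(DRIVE_BY, rules):
        print("  reported:", ev.monitor, ev.action, ev.obj)
```

With the list loaded the Google visit comes out benign and only the dropped binary's write and process creation are reported for the drive-by; with an empty rule set every event of the benign visit is reported, which is what a client that never found its exclusion lists looks like. The point of the blanket-rule check is the opposite mistake: silencing a false positive with a '+' rule whose process or object column is '.*' also hides the drive-by's file write, so fixes for a misclassified site must be as narrow as the event that caused them.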