Wireshark-users: Re: [Wireshark-users] Barracuda false positive?

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Thu, 19 Apr 2007 10:30:21 -0700
I received a response about the false positive issue.  According to
Barracuda, it shouldn't be possible.

Their response follows:
--------
Gerald,

We investigated your claim and found that our Web Filter could not be
blocking the dll as described.  Please see the attached explanation from
one of our Spyware engineers.

We appreciate your feedback and please feel free to contact me directly
if you have any additional questions.


Thanks,

Sean

--
Sean Heiney
Product Manager
Barracuda Networks, Inc.
www.barracuda.com
Office: +x.xxx.xxx.xxxx
xxxxxxx (at) barracuda.com

-----Original Message-----
From: Dave Michmerhuizen
Sent: Wednesday, April 18, 2007 4:03 PM

Subject: RE: wireshark

wireshark is the successor to ethereal.

We don't have an sbus.dll in our spyware database.

In any case, we don't match on file names - we match on MD5 hashes of
files.

Our definition for Adware.Toolbar.ILookup.Sbus has no associated files.
It only triggers on outbound traffic to toolbar.searchbus.com.

If the customer is seeing a block message (ie, a message in their
browser) with Adware.Toolbar.ILookup.Sbus on it, that would be... odd,
unless they were navigating to that url.

If the customer is seeing infection activity in their WebFilter UI -
that is not file related.  The WebFilter only cares about traffic.  An
entry on the infection activity tab that reads
Adware.Toolbar.ILookup.Sbus should be the result of outbound traffic to
toolbar.searchbus.com.   If there is doubt about that I can usually
verify it by looking at the WebFilter through the support tunnel.  It's
best to coordinate something like that with someone on the WebFilter
support team.


-----Original Message-----
From: gerald@xxxxxxxxxxxxx [mailto:gerald@xxxxxxxxxxxxx]
Sent: Tuesday, April 17, 2007 4:45 PM

The message has been included below.

Username of poster: Gerald Combs
----------------------------
Message Subject: Wireshark sbus.dll false positive?

I've received a couple of reports from users that the Barracuda Web
Filter has been triggering a false positive for each release of
Wireshark (http://www.wireshark.org/).  Wireshark's S-Bus
plugin is named "sbus.dll", and the Web Filter apparently thinks this is
the ILookup.Sbus worm.  One such report can be found here:
http://www.wireshark.org/lists/wireshark-users/200704/msg00112.html

Can someone at Barracuda confirm and fix this?


----------------------------------
Barracuda Networks makes the best spam firewalls and web filters.
www.barracuda.com