Now it is time to appreciate Dr. Web anti-virus software for its obscure settings.
This thing has a module inside it called "netmon" or something like that. And guess what: if you DON'T configure it to work and monitor specific network ports, it'll nonetheless monitor ALL of your traffic and decide which is 'bad' and which is 'good'.

I stumbled across this stuff today while troubleshooting DFS Sysvol replication in one of our Active Directory domains. It was just broken. It's not a DNS issue (I've checked it twice), it's not an NTFS rights assignment issue, not an SMB issue. Heck, I even sniffed network traffic to see what's going on.

No clues.

And then I decided - time for the tool of last resort - ProcMon. I pulled up Procmon, grabbed some info and watched. And then my eye picked up a clue - Dr.Web, writing into some .log file.
I looked inside, and there were [DEBUG] lines that clearly stated that my traffic on TCP port 389 was blocked!
My colleague said that "we don't use this module, but let's look at it".
A tiny question mark in the admin panel with the hint "Monitoring and blocking all traffic unless configured otherwise" left me in shock.
Who is making software like this? Why? No answers.
But as soon as we checked one box to monitor only specific ports, everything came back to life.

Fuck Dr.Web. For real.