I received a response about the false positive issue. According to Barracuda, it shouldn't be possible.
Their response follows:

--------

Gerald,

We investigated your claim and found that our Web Filter could not be blocking the dll as described. Please see the attached explanation from one of our Spyware engineers.

We appreciate your feedback and please feel free to contact me directly if you have any additional questions.

Thanks,
Sean

--
Sean Heiney
Product Manager
Barracuda Networks, Inc.
www.barracuda.com
Office: +x.xxx.xxx.xxxx
xxxxxxx (at) barracuda.com

-----Original Message-----
From: Dave Michmerhuizen
Sent: Wednesday, April 18, 2007 4:03 PM
Subject: RE: wireshark

Wireshark is the successor to Ethereal. We don't have an sbus.dll in our spyware database. In any case, we don't match on file names - we match on MD5 hashes of files.

Our definition for Adware.Toolbar.ILookup.Sbus has no associated files. It only triggers on outbound traffic to toolbar.searchbus.com.

If the customer is seeing a block message (i.e., a message in their browser) with Adware.Toolbar.ILookup.Sbus on it, that would be... odd, unless they were navigating to that URL.

If the customer is seeing infection activity in their WebFilter UI - that is not file related. The WebFilter only cares about traffic. An entry on the infection activity tab that reads Adware.Toolbar.ILookup.Sbus should be the result of outbound traffic to toolbar.searchbus.com.

If there is doubt about that I can usually verify it by looking at the WebFilter through the support tunnel. It's best to coordinate something like that with someone on the WebFilter support team.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 17, 2007 4:45 PM

The message has been included below.

Username of poster: Gerald Combs
----------------------------
Message Subject: Wireshark sbus.dll false positive?

I've received a couple of reports from users that the Barracuda Web Filter has been triggering false positives for each release of [url=http://www.wireshark.org/]Wireshark[/url]. Wireshark's S-Bus plugin is named "sbus.dll", and the Web Filter apparently thinks this is the ILookup.Sbus worm. One such report can be found here:

[url]http://www.wireshark.org/lists/wireshark-users/200704/msg00112.html[/url]

Can someone at Barracuda confirm and fix this?
----------------------------------
Barracuda Networks makes the best spam firewalls and web filters.
www.barracuda.com

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users