
Wireshark-users: Re: [Wireshark-users] Barracuda false positive?

From: Ionreflex <ionreflex@xxxxxxxxx>
Date: Fri, 20 Apr 2007 13:41:18 -0400
So, the scan again pinpoints sbus.dll as an ILookup.Sbus threat; I already had the file scanned by the VirusTotal online solution, and the file is as clean as a surgeon before an operation!

Gerald, since you already have a case open with Barracuda Networks, I'm gonna personally post you everything I have regarding that issue; I don't think harassing them twice would be wise. I have double-checked everything, there shouldn't be any dark spot left...

Keep on sniffing :o)

2007/4/19, Ionreflex <ionreflex@xxxxxxxxx>:
Well, I printed the report (should've kept a digital one!) and the spyware scantool from the Web-Filter appliance is clearly stating otherwise! I'm gonna rescan my laptop tonight, and post a follow-up tomorrow...


2007/4/19, Gerald Combs <gerald@xxxxxxxxxxxxx>:
I received a response about the false positive issue.  According to
Barracuda, it shouldn't be possible.

Their response follows:

We investigated your claim and found that our Web Filter could not be
blocking the dll as described.  Please see the attached explanation from
one of our Spyware engineers.

We appreciate your feedback and please feel free to contact me directly
if you have any additional questions.



Sean Heiney
Product Manager
Barracuda Networks, Inc.
Office: +x.xxx.xxx.xxxx
xxxxxxx (at) barracuda.com

-----Original Message-----
From: Dave Michmerhuizen
Sent: Wednesday, April 18, 2007 4:03 PM

Subject: RE: wireshark

wireshark is the successor to ethereal.

We don't have an sbus.dll in our spyware database.

In any case, we don't match on file names - we match on MD5 hashes of

Our definition for Adware.Toolbar.ILookup.Sbus has no associated files.
It only triggers on outbound traffic to toolbar.searchbus.com.

If the customer is seeing a block message (ie, a message in their
browser) with Adware.Toolbar.ILookup.Sbus on it, that would be... odd,
unless they were navigating to that url.

If the customer is seeing infection activity in their WebFilter UI -
that is not file related.  The WebFilter only cares about traffic.  An
entry on the infection activity tab that reads
Adware.Toolbar.ILookup.Sbus should be the result of outbound traffic to
toolbar.searchbus.com.   If there is doubt about that I can usually
verify it by looking at the WebFilter through the support tunnel.  It's
best to coordinate something like that with someone on the WebFilter
support team.

-----Original Message-----
From: gerald@xxxxxxxxxxxxx [mailto: gerald@xxxxxxxxxxxxx]
Sent: Tuesday, April 17, 2007 4:45 PM

The message has been included below.

Username of poster: Gerald Combs
Message Subject: Wireshark sbus.dll false positive?

I've received a couple of reports from users that the Barracuda Web
Filter has been triggering a false positive for each release of
[url=http://www.wireshark.org/]Wireshark[/url].  Wireshark's S-Bus
plugin is named "sbus.dll", and the Web Filter apparently thinks this is
the ILookup.Sbus worm.  One such report can be found here:

Can someone at Barracuda confirm and fix this?

Barracuda Networks makes the best spam firewalls and web filters.
Wireshark-users mailing list
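
The distinction drawn in the Barracuda engineer's reply above (a traffic signature on toolbar.searchbus.com, not a file-name match on sbus.dll) can be checked against proxy logs by separating the two cases per client. This is an added example, not part of the original thread or any Barracuda tooling; the Squid-style log layout, the sample lines and the function names are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

SIGNATURE_HOST = "toolbar.searchbus.com"  # host named in the vendor's reply
PLUGIN_FILE = "sbus.dll"                  # Wireshark S-Bus plugin file name

# Constructed sample lines in Squid's native access.log layout (an assumption;
# the thread does not show the Web Filter's own log format).
SAMPLE_LOG = """\
1177000001.101 120 10.0.0.21 TCP_MISS/200 5120 GET http://www.wireshark.org/download/plugins/sbus.dll - DIRECT/192.0.2.10 application/octet-stream
1177000002.202 80 10.0.0.34 TCP_MISS/200 912 GET http://toolbar.searchbus.com/update?v=1 - DIRECT/192.0.2.77 text/html
1177000003.303 60 10.0.0.34 TCP_MISS/200 0 CONNECT toolbar.searchbus.com:443 - DIRECT/192.0.2.77 -
1177000004.404 45 10.0.0.21 TCP_MISS/200 300 GET http://example.org/?q=toolbar.searchbus.com - DIRECT/192.0.2.50 text/html
malformed line
"""

def request_host_and_path(url):
    """Return (lowercased host, path); CONNECT targets are bare host:port."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower().rstrip("."), parts.path

def classify(log_text):
    """Map client IP -> {'traffic': [...], 'filename_only': [...]}."""
    hits = defaultdict(lambda: {"traffic": [], "filename_only": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed entries
        client, url = fields[2], fields[6]
        host, path = request_host_and_path(url)
        if host == SIGNATURE_HOST:
            # Real outbound traffic to the signature host.
            hits[client]["traffic"].append(url)
        elif path.rsplit("/", 1)[-1].lower() == PLUGIN_FILE:
            # Only the file name resembles the signature name.
            hits[client]["filename_only"].append(url)
    return dict(hits)

if __name__ == "__main__":
    for client, found in sorted(classify(SAMPLE_LOG).items()):
        print(client, "traffic:", len(found["traffic"]),
              "filename-only:", len(found["filename_only"]))
```

A client that appears only under `filename_only` fetched a file named sbus.dll without ever contacting the signature host, which is the case the thread is trying to rule in or out.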