Updates & Changes to ICEWatch

 

As of 10/22/2005, ICEWatch moved to a new web hosting site along with the rest of DAdler.net. We're now living at BlueHost.com, and ICEWatch has its own subdomain: http://icewatch.dadler.net. Please update your links!

Version 3.12 – 29 June 2006

  1. Fixed an uninitialized loop variable case that occurred when a new attack list file was opened (i.e. new to ICEWatch). Could lead to anything from silent failure on shutdown to an app crash. Many thanks to Ian for reporting and helping me debug this.
  2. Changed the URL for automatic update checks to use icewatch.dadler.net.

Version 3.11 – 22 October 2005

  1. A word of special thanks to my small cadre of dedicated beta testers. Thanks Jac, Jon, Jonathan, Kevin, Peter and Rob -- I could not ship these updates without your help!!
  2. Fixed a long-standing, intermittent (but very difficult to reproduce & track down) bug; this one has been around since Version 2.0! It would lead to corrupted data display or, more commonly, Page Faults right after a new attack record came in. On average, it would only occur every 100 or so attacks, and it would not recur when you restarted ICEWatch. With the perseverance of Kevin I was able to track this one down; fixing it required significant changes to the interactions between the UI and monitoring threads. Thanks for the assist, Kevin!
  3. Added direct support for suspend & resume states. While no bugs were reported, since the behavior of objects ICEWatch depends on (e.g. file handles, change events, normal events) is not clearly defined for all suspend states (sleep, hibernate, low-battery suspend), these changes ensure that ICEWatch will work properly when the system resumes operation. Special thanks to Rob for help in figuring out how Windows handles suspend and resume.
  4. As part of the Page Fault / corruption bug fix, the order in which attack actions (e.g. playing a sound, flashing the window, launching a program) are executed has been changed.
  5. Reading and management of the Extra IP Data has been sped up tremendously. Previously this data was read (and reread) for each record that needed it when MAC Address or DNS Name were displayed. Because each record required a file read, scrolling could be jerky; sorting on these columns in previous versions could be very slow. This data is now read once per IP address and kept in memory. This makes scrolling, display and sorting with these columns just as fast as other columns. It also makes cleaning up the Hosts directory faster. However, it can also make ICEWatch startup noticeably slower if you have thousands of Extra IP Data files that are read in. If startup is too slow, you can speed things up if you: (a) delete older attack list records and (b) clean up the Hosts directory once that is completed. Special thanks to Kevin and Rob for sending me the contents of their entire Hosts directories for test cases.
  6. Fixed a bug in sorting by DNS Name and MAC Address that would lead to random sort results; guess nobody (myself included) was sorting by these columns very often.
  7. Fixed a memory leak that would leak one process handle each time the Copy to E-mail command was used.
  8. Fixed a bug in the Issue/Severity remapping logic that would go into an infinite loop if there was even one ill-formed line in that ini file section.
  9. Fixed a bug introduced into the Delete Attack Records code in version 3.10.05; it had no ill effect if you were deleting all attack records. However for deletion from the current selection, it would ignore the selection and delete the 6th record displayed along with all older attack records. Ouch!
  10. Fixed a bug that would not properly send Quit requests (e.g. you try to close ICEWatch) to the Watcher Thread when that thread was busy processing attack information. This could lead to the UI seeming non-responsive and shutdowns of ICEWatch that were not entirely clean.
  11. Fixed a bug that would sometimes not display an attack record until you either changed display modes (e.g. turn Show All on and then off) or restarted ICEWatch. Thanks go to Kevin for helping me track this down with a solid repro case!
  12. Fixed a long-standing bug (of sorts) in how the Run program was saved to the INI file. If you surrounded the entire string with double quotes, Windows would happily strip those off for you as unnecessary. ICEWatch will now ensure that the double quotes are kept in place in these cases. Thanks to Kevin for reporting this one.
  13. Lots of misc. code cleanup while fixing all these bugs!
  14. Version 3.11.01 fixed a bug introduced in v3.11.00 where deleting attack data could fall into an infinite loop. I am embarrassed that the release went out with this bug, and thanks go to Jac for reporting this one.
  15. Added code to make the startup time of ICEWatch as fast as possible when you have a large Hosts directory.
  16. Increased the time between checks for a different Outside IP Address, and now also do a better job noting when the address was last checked versus when it last changed.
  17. Improved the handling of isolated errors on specific URL's used to check the Outside IP Address.
  18. Fixed a long-standing bug in the code that parses the Attack List file; specifically, how incomplete or erroneous attack list entries are handled. Thanks go to Kevin for helping me track this tricky bug down!
  19. When your attack list file is first read, ICEWatch will now pop up a warning dialog if you have too many bad records in your attack list file (which really slows down startup or re-initialization). Too many is defined as more than 40% or so of the records for smaller attack list files, or more than 200 total for larger files.
  20. Version 3.11.03 is the first release built with Visual Studio.Net / VC++ 2003. However this had the undesirable side-effect of requiring people to install the .NET runtime v1.1 to get MSVCR71.dll. To avoid this, v3.11.04 was released with the library statically linked. While this increased the size of ICEWatch.exe, it's worth it to simplify installation and avoid our own little DLL hell.
  21. Fixed version 3.11.05 to look for new versions of the software at ICEWatch's new home: http://icewatch.dadler.net.

Version 3.10 – 2 November 2003

  1. Fixed a bug in the recently-added Cleanup Hosts Dir command. This bug could potentially delete Host information for attacks that came in between the time you invoked the Cleanup Hosts Dir command and the time that the cleanup was completed. The most common side effect of this bug, however, is that old Host information was not deleted when it should've been deleted. There was also a bug fixed in the comparison code that could have deleted data from the Hosts Dir that was still useful to ICEWatch. Thanks go to Jac for helping me track this one down!
  2. Fixed a bug in the Delete From Selection and Delete All Records commands where archiving records to a new backup file resulted in no records backed up in that file (archiving to a non-empty backup file worked fine). As part of this fix, the default backup file for archival was changed (it is now the current attack file with ".bak" appended) and a test was added to ensure the backup file and current attack file are not one and the same. Thanks again go to Jac for helping me track down another bug.
  3. Added validation for numeric values read out of the ICEWatch.ini file; this will prevent errors in cases where a user manually edits the file and uses invalid or out-of-range values.
  4. Added support for the Reference command that appeared in BlackICE version 3.6.cbd; as part of this addition, the Advice shortcut was changed to Ctrl-Z, freeing up Ctrl-E as the shortcut for Reference.
  5. Added initial support for polling the attack list file; this is a fundamental change to the monitoring code in ICEWatch, and may be removed if it proves too destabilizing. In any case, thanks go to Jon for suggesting this feature.
  6. Fixed a subtle bug that would prevent Run from working if ICEWatch created the attack list file for you. It would not crash, but you could not Run against that attack file until you either selected a different file then re-selected the new one or exited and restarted ICEWatch. Thanks to Jon for helping me track this one down.
  7. Made a subtle change to the Delete Records code so that it never opens the active attack list file in R/W mode (but does open it for exclusive R/O access).
  8. Now treats records deleted from the BlackICE GUI as "dead records."
  9. Fixed a bug that could lead ICEWatch to be invisible unless maximized if two or more instances of ICEWatch were started in quick succession. Related to this bug, added validation to the reading of [Window] values from ICEWatch.ini; this code ensures that at least part of the ICEWatch window is visible when the window size and position values are applied.
  10. Added a warning to this help file's introduction noting that BlackICE needs to be configured to allow ICEWatch to access the Internet. Thanks go to Rob for raising this issue.
  11. Improved the time/date checking of the Cleanup Hosts Dir command. Previously, ICEWatch would not delete any HOSTS dir records if they had been accessed at or after the time that the last attack was recorded. If you intercept attacks with BlackICE infrequently, you would not be able to delete HOSTS dir records if you had viewed the corresponding attack list record when deleting the attack list records (got that?). Net result was if you had infrequent attacks, you could have unneeded HOSTS dir records hanging around for quite a while. ICEWatch is now much better at cleaning those up.
  12. Fixed a long-standing bug in the Outside IP Address logic. If your ICEWatch.ini file's [URLS] section contained any entries where the last two numbers before the URL are 0,3 and you did not start ICEWatch with the /O0 switch, then you've probably seen this error sporadically. It shows up as a Divide by Zero fault that crashes ICEWatch either during startup or immediately after an attack comes in. Thanks go to Rob, who first reported this problem and to Kevin, for some awesome bare-metal debugging to help me track this one down.
  13. Decreased the overall file size by 2 - 3k by eliminating diagnostic strings when diagnostic messages are disabled.
  14. Updated additional broken links. If you find any broken links in this Help File, please drop us a line and let us know. Thanks!!
  15. Now allows users to access the Preferences Dialog, even when ICEWatch is "running."
  16. Added code to explicitly close the Attack File when monitoring is stopped (which could keep you from clearing your attack list from BlackICE), and cleaned up the logic that allows you to stop/quit monitoring while updating Outside IP Address information in response to an attack.
  17. Added a reminder dialog to the Download Update process; this should help remind people to update BlackICE's Application List with the new version information from ICEWatch!
  18. The SpamCop Host Tracker (also see the Host Track command) recently changed the format of its HTML data. As a result, all Copy to E-mail commands would use bait-42728e1b-3f9de3bd@good.julianhaight.com as the e-mail address for abuse reports. If you send mail to this address, SpamCop may blacklist your e-mail address or domain (ouch)!! With this fix, ICEWatch is once again able to parse abuse e-mail addresses from SpamCop's Host Tracker. Thanks go out to Rob for reporting this bug!
  19. Added more context-sensitive help topics and added support for the F1 key in all dialogs/cases where help is available. This does not mean F1 will always bring up Help, but it does mean F1 should bring up relevant Help information when it is available. If you find cases where Help isn't working and you think it should, please drop us a line and let us know.
  20. Updated the index in this help file.

Version 3.09 – 7 February 2003

  1. Added automated retries to automated update checking for cases where ICEWatch cannot read the update information from the Web. Also cleaned up the "remind me in one hour" case so that it no longer redefines the time that updates were last checked successfully.
  2. Added version information to Internet calls so sites accessed by ICEWatch are able to determine the version number being used. Some sites which have been particularly hard hit by older (3.07.05 or earlier) versions of ICEWatch may choose to start blocking requests from these older versions (see below for more information on the bug fix in v3.07.06).
  3. Fine-tuned automatic updating; now fewer error dialogs are able to show up if there are problems checking for an update (ICEWatch will just retry in less than two hours).
  4. Changed the way ICEWatch asks Windows to flash the window when an attack is detected. As a result, ICEWatch should once again load and run properly under NT 4.
  5. Fixed a bug introduced in v3.01 where viewing older attack records could result in garbage being displayed for Intruder Port, Victim Port, or Packet Flags.
  6. The documentation for substitution variables states that %rec_index% = Index into the Attack-List.csv file, when it was actually the record number in the internal ICEWatch list of attack records. This has been changed so that %rec_index% returns its documented result.
  7. Added Delete From Selection and Delete All Records commands to the Edit menu (in v3.09.03). Also added the ability to archive the records before deleting them (in v3.09.04, with thanks to Bill for suggesting the archive feature).
  8. Added the Cleanup Hosts Dir command.

Version 3.08 – 22 November 2002

  1. ICEWatch distribution moved to dadler.net. Many thanks to Robin Keir (author of the original ICEWatch program) for hosting ICEWatch v2+ on his website for the past couple of years!
  2. Added manual and automated update checking; this is available from the Help Menu item Update Options... command.
  3. Tweaked the code that decides which URL's to use for Outside IP address checking, including a bug that incorrectly ruled out new URL's after 3 tries if there was even 1 failure.
  4. Added a button to the Preferences Dialog.
  5. Fixed a bug in timestamp conversion that would cause time values in the ICEWatch.ini file where the hour was 12 AM to be treated as 12 PM.
  6. Found a bug in the C-runtime library routine sscanf that led to problems interpreting version number strings (e.g. "3.08.00"), so converted version interpretation and IP string interpretation to use a custom-coded routine instead. Please let me know if you notice any problems with IP addresses (e.g. incorrect by IP address).
  7. Improved the documentation for Run Program on File Change entry; thanks go to Peter for pointing out the need for this.
  8. Added Variable Substitution to the Run Program on File Change option. Thanks (again) to Peter for the suggestion.
  9. Made the flashing of the window + icon when an attack comes in optional (flashing was added as a non-optional feature in v3.06).
  10. Readjusted the Minimum Severity spin control placement using code to compensate for how Windows XP was placing everything (finishing what was started in v3.06). The upper-limit for using the up/down buttons for this spin control is once again 100.
  11. The Status / Monitor .Ini Section menu command now sets and unsets its checkmark properly.

Version 3.07 – 7 November 2002

  1. Fixed a bug in command line processing that left double quotes on arguments (the leading/trailing double quotes should be stripped off).
  2. Reformatted the Packet Flags column to always display as a full 3 byte value (6 hexadecimal digits). This makes it easier to reconcile what ICEWatch displays with what BlackICE displays.
  3. Updated the Copy to Clipboard code to fix how errors are handled; the previous code could, in some error-handling cases, result in ICEWatch grabbing and not freeing the clipboard. Also repaired a bug introduced by a "fix" made in v3.05 where ICEWatch "beeped" on occasion when you try to copy information (meaning the copy failed); if you retried the copy it would always succeed.
  4. Added the option to toggle between 12-hour and 24-hour time formats.
  5. Added Help to the tray icon menu.
  6. Added "i of n records shown" to the title bar.
  7. Fixed a bug in the Outside IP address code that led to rapid, repeated and unnecessary re-checks of the Outside IP address (which in turn hammered those web sites ICEWatch uses to discover the Outside IP address). Please pick this fix up (v3.07.06 or later) and begin using immediately (to stop hammering all those websites needlessly). This release also contains an updated list of websites to use for Outside IP address information. Thanks to Syd for reporting this problem!

Version 3.06 – 21 July 2002

  1. Cleaned up the Copy to E-mail feature substantially; it can now handle large numbers of records at one time, and a bug found in 3.05.03 was fixed in the registry-reading code. It also adds abuse e-mail addresses as returned by SPAMCop (or else displays the SPAMCop web page so people can see why we could not find an address). Many thanks to Jac for both suggesting the feature and helping with the testing.
  2. Finally added mouse cursor management, which means the hourglass cursor will now be displayed when we are busy doing something (like looking up outside IP addresses or reading attack files across a slow network link).
  3. Adjusted some of the text field sizes and alignment in the Preferences dialog to improve how it appears on 800 x 600 screens. Also narrowed the range for the Minimum Severity to 0 - 99 (instead of 0 - 100), because using 100 is the same as -1, and the edit control was not wide enough to clearly show three digits.
  4. Added support for the ICEWatch.ini [E-mail] and [Severity] sections.
  5. Added the /S command line option.
  6. Made the dialog that warns you when an abuse address cannot be found (during Copy to E-mail) top-most; this keeps the dialog from disappearing behind the browser window we open.
  7. Added timers to code that reads outside IP Addresses. Testing on XP shows that this makes ICEWatch less likely to hang on an unresponsive HTTP call.
  8. Added the /W switch.
  9. Cause the window and taskbar button to flash when an alert is issued by ICEWatch. This is an experimental feature that may be removed or enhanced in the future.
  10. Added real small icons (instead of letting the system create them for the tray), and now make them flash if there is an unacknowledged attack. Of course, this is only meaningful if a tray icon is displayed.
  11. Fixed a bug that would not let users see any records the first time they opened an attack list file. Now, once the file is first opened by ICEWatch, all records which meet the minimum severity test will be shown as new attacks waiting to be acknowledged.
  12. Updated Index in this help file.

Version 3.05 – 2 June 2002

  1. Changed the Advice URL to http://www.iss.net/security_center/advice/Intrusions/ because the old NetworkICE URL stopped working.
  2. Updated a number of links in this help file to their new ISS URL's, and a broken SpamCop URL in the Edit Menu help text.
  3. Added "Protocol" as one of the data columns we turn on by default.
  4. Added "Intruder's port #" to the information copied to the clipboard by the Copy command, because some ISP's have asked that this information be included (along with the newly-added Protocol data). Also added a good reference on decoding information in the data pasted to the clipboard under this same help file topic.
  5. Added the Copy to E-mail command.
  6. Started minor-minor version numbering (e.g. 3.05.01) to simplify this update log while keeping version numbers meaningful/accurate for updating purposes. This change log will always have the date of the most recent version. Help/About will show all digits of the version number.

Version 3.04 – 25 April 2002

  1. Minor tweaks and fixes to the new threading model code and improved on some start-up error messages.

Version 3.03 – 20 April 2002

  1. Updated Outside IP Address code to pay attention to quit requests from the user.
  2. Added title bar notification for some data read events that can take awhile across the network.
  3. Sped up loading large Attack-List files; should be really noticeable as the file approaches 1,000 records or more.
  4. No longer exit the background thread (which terminates ICEWatch) if we're not able to monitor a specific file or directory (for attack lists or INI monitoring), but do notify the user of this problem. Also, if Minimize on Run is set, do not minimize if we are not able to monitor the specified attack list file.
  5. Updated index and topics in the help file.

Version 3.02 – 6 April 2002

  1. Updated the SpamCop host tracker URL for use with the Host Track menu command.
  2. Changed attack result code shown by ICEWatch for blank Attack-List.csv codes to be "n/a" instead of "?unknown?". The "?unknown?" code will still be used in cases other than blank.
  3. Added the Monitor .Ini Section command to the Status menu. This allows you not only to turn use of the [Maintain] section on and off, but also allows you to alter the [Maintain] information in ICEWatch.ini and start using those changes simply by turning Monitoring off and back on again.

Version 3.01 – 1 April 2002

  1. Added support for displaying "dead" records. These are records that BlackICE v2.9 and later comments out from Attack-List.csv by replacing the Severity value with a number sign (#). Accordingly, when dead records are displayed, their Severity is shown as "#".
  2. Added support for three new data columns added in v2.9 of BlackICE: Intruder Port, Victim Port, and Packet Flags.
  3. Fixed an old bug that prevented reasonable default field widths from being calculated for display columns. Since this is only meaningful when values are not stored in ICEWatch.INI, it was hard to notice, but it was noted and repaired as part of the dead record work.
  4. Updated the list of servers queried for Outside IP Address information; four of them were no longer operational.
  5. Increased the maximum size of the [Maintain] section in icewatch.ini from 4k to 32k.
  6. Updated help topics tangentially affected by changes in v3.00 and v3.01.

Version 3.00 – 23 March 2002

  1. Fixed edge condition where monitoring both an Attack-List.csv and Firewall.ini file (using the [Maintain] section in icewatch.ini) in the same directory occasionally missed a change to one or the other. As a result of this rewrite, only one background monitoring thread is started, and it is always started as part of initializing ICEWatch and should not exit until you exit ICEWatch. This was a total rewrite of the background thread code, hence the jump to version 3.00.

Version 2.23 – 11 September 2001

  1. Added the Show Selection command.

Version 2.22 – 29 June 2001

  1. Write the outside IP address list to file after every update; this keeps crashes of any sort from causing the loss of outside IP address history.
  2. Added support for the [Maintain] section to the icewatch.ini file. This section is used to ensure specific FireWall.ini entries for BlackICE are always present.

Version 2.21 – 28 May 2001

  1. Added outside IP address tracking when records are copied to the clipboard for reporting purposes. If you do not use a NAT or other address translation device, this should not have any impact on you. Also added the /O command line option. Thanks to Jac for putting me on the trail of a deadlock bug!

Version 2.20 – 21 April 2001

  1. Revamped the feature where running a second instance of ICEWatch causes the initial instance to pop up and play a sound. Playing the sound is now subject to the Silent Time setting in the Preferences dialog box.
  2. Added Ctrl-N as an accelerator key for Edit / Preferences.

Version 2.19 – 12 February 2001

  1. Fixed a bug in the drop-down list code introduced in version 2.17. This bug could corrupt the local memory arena if the list of files grew close to the limit. Also fixed a bug where opening an unavailable file could lead to a crash.

Version 2.18 – 26 November 2000

  1. If an exit/close program operation is canceled (using the confirmation dialog added in version 2.16), then ICEWatch is instead minimized as per its minimize settings in the Preferences dialog.

Version 2.17 – 11 November 2000

  1. Added drop-down combo box list to the Preferences Dialog for the file to monitor. This tracks the last n attack files you have monitored (where n is set by the /M command line switch). It is very useful for monitoring the attack lists on several machines (each running BlackICE) across the network.
  2. Reorganized help file's Table of Contents.

Version 2.16 – 28 October 2000

  1. Added a confirmation dialog to the exit procedure to prevent accidental closure of ICEWatch. Also added /N switch (no confirm) to override this. For those who really want to know, sending WM_CLOSE with wParam = 0x7D00 will bypass the confirmation dialog (sending WM_ENDSESSION with wParam != 0 has the same net effect). By default, WM_CLOSE is sent with wParam = 0.
  2. Fixed a bug in WriteListViewColInfo() that allowed the sort indicator to be written out with the column name. Net result was order and width information on sort columns was lost. Please note: you may lose your existing column order and width information the first time you run this new version of ICEWatch; this will only happen the first time you run v2.16.

Version 2.15 – 12 October 2000

  1. Added command line switch processing. While "start" will still be accepted for Autostarting (if it is the only non-switch token on the command line), we now support: /A (autostart), /T (always show the tray icon). Please change your calls to ICEWatch to use /A on the command line in lieu of "start".
  2. Fixed some broken links in the help file index.
  3. Previous assertions in the FAQ notwithstanding, in previous versions of ICEWatch, you had to exit ICEWatch before you could clear the BlackICE attack list. Now you need only stop running / monitoring the attack list in order to clear it with BlackICE.

Version 2.14 – 11 September 2000

  1. Added Show Old/Severe to Edit menu. Shows older attacks that also pass the current minimum severity test.
  2. Made changes to the Minimum Severity Level in the Preferences Dialog take effect as soon as the dialog is closed, instead of waiting until monitoring is restarted (or some other "significant change" occurred).
  3. Cleaned up code in rarely (if ever) executed error handling sections. Also improved how dialogs are centered on the screen (only difference you will notice is if a dialog was larger than your display).

Version 2.13 – 8 September 2000

  1. Added Silent Times to the Preferences Dialog. This lets you choose a time span during which the alert sound will not play. Useful if you (or others) sleep near the monitored computer.
  2. Free the thread handle for the monitoring thread when the thread exits (wasn't freed previously, resulting in a small memory "leak" that was not cleaned up until ICEWatch was closed).

Version 2.12 – 2 September 2000

  1. Fixed a bug in how ICEWatch.ini files with no timestamps recorded are interpreted. Without this fix, attack records could not be seen (happened most often with a new or cleared attack-list.csv file). Thanks to Tony for this report.
  2. BlackICE v2.1cn seems more aggressive in its coalescing of attack records (or else I just never saw this sort of coalescing before). To catch these cases, added port info to the list of columns checked (also checks attacker IP address and issue number), and thanks again Tony.

Version 2.11 – 25 August 2000

  1. Fixed a bug that led the Preferences Dialog to ignore changes in the Run Program field. Thanks to Jac for the report.

Version 2.10 – 10 August 2000

  1. Initial public release on Robin Keir's website. Thanks to Robin for giving me access to the original ICEWatch source code and for helping test out this release!
