I am working on a project that contains nearly identical clients (same basic featuresets, different UI) in very different environments (Winforms, Mobile, and Web). The biggest difference is that the web sites (one client-equiv site, one admin site, and a set of web services) contains some additional functionality. I’ve architected this to maximize the amount of code we can reuse in all of these environments. The data tiers all implement common interfaces or abstract classes. The business tiers all extend classes in a shared DLL. And the presentation tiers are all independent but all go through the same basic API to call into the business tier. If I get interest in it, I can go more into this.

Because there is so much common functionality, the databases are all very similar (and in some cases, large parts are 100% identical). The winforms and web systems all use SQL Server for their databases (Express on the clients but we don’t hit any of those limitations). However, with our Compact Framework project, it’s quite a bit different since we have to use SQL Server Compact Edition (or whatever they’re calling it this month). We have yet to find an easy automated way to take a desktop database and convert it into a compact edition database, so we wrote a little utility. It only took a couple of days, so it wasn’t that bad. We essentially call the sp_tables proc in SQL Server in our development database, iterate through the results, and generate CREATE TABLE scripts based on it. Easy enough. And for the data, we simply use Command Builders and DataAdapters (we use a SqlCeCommandBuilders and SqlCeDataAdapter for the Compact Edition interface but it works just fine for us) and the WriteXml and ReadXml methods that go with it.

During development of our utility, we used the IgnoreSchema option with WriteXml when trying to fix a bug and forgot to turn it back off. This just came back to bite us in the ass! One of our tables in the final database that we’re converting is called “MessageType” and is a simple lookup table (2 ints and a varchar(50) is all). Well, when we were trying to import the data for it, we were getting an exception on the DataAdapter.Update call: “There was an error parsing the query.” We spent 2-3 hours trying to figure it out and we finally figured out the problem and it came back to that IgnoreSchema option that we had set and erroneously left!

So we have our “MessageType” table and we also had an “AuditLog” table. A column in the AuditLog table was called “MessageType” and was completely unrelated to our MessageType table. Yeah, bad naming here – we need to fix that obviously but it shouldn’t be enough to confuse .NET, right? Wrong! Since our XML files were generated without schemas, .NET must make some assumptions about the XML coming in. In this case, I think it decides that any XML node that comes up as <MessageType> is an entry for our MessageType table, when it comes time to populate our MessageType table. But when it goes into the XML we pass it, it sees the <MessageType> nodes from our AuditLog table and because the tag matches, it tries to start parsing it as though it belongs to our MessageType table, which will obviously fail! So now you see the source of our problem.

Switching IgnoreSchema back to WriteSchema was a simple fix to the problem. Other things can be done that could have resolved this specific problem but this was the most wrong thing we had done and needed to fix. Now, time to go play with a freshly generated set of SQL Server Compact Edition databases on our PDAs!

-Shane

This is a follow-up to this post.

I believe I have finally found a fix to the issue with KB944533 that breaks IE for some people running Kaspersky Internet Security (KIS).

The Problem:
So what I believe to be the scenario that triggers the problem is if you have KIS (perhaps limited to version 7 but this I do not know) installed but disable the firewall, you will run into the problems reported in this post. It is important to note the part about the firewall as that appears to be the problem.

An MS MVP said here:

Given other related threads here, I would not recommend attempting to disable the firewall in Kaspersky Internet Security in favor of using the Windows Firewall unless you can figure out how to completely disable the former. If you manage to do it, please let us know how.

I can now vouch for this – disabling KIS’s firewall causes problems!

The Fix:
The fix is simply to re-enable the firewall while you install the patch AND keep it enabled until at least the next time you run IE. When you do, KIS Firewall will open a prompt mentioning that the IE executable has been modified. Once you allow this, then voila – you’re done and you have this patch installed correctly and working. At this point you MIGHT be free to disable the KIS firewall again. Since installing the patch, I have yet to turn it off because I have been prompted 2-3 times with the dialog stating that the executable has been changed and I keep clicking on the allow option. I don’t plan to turn the firewall off again until after a few reboots of no prompts.

My Rant:
Bad Kaspersky! Obviously when I disable the firewall, it only disables parts of it. Bad! Bad! Bad! And I think it gets worse too, but I’ll wait a bit for that part.

What appears to me is going on here is that some portion of KIS is realizing that the executable has been modified. Because of this modification, I assume Kaspersky is intercepting DNS requests for whatever reason. Obviously the prompt to allow these sorts of DNS requests is isolated in the firewall, but also obvious is that the engine’s check for these DNS requests is NOT isolated to just the firewall. So this means that in order to allow these sorts of exceptions (i.e. make your system less secure in a sense), you must ENABLE the firewall! That makes absolutely no sense at all!

Now all of this has been a headache for me and many other people, but I think it gets worse. Reconsider everything that has gone on here and ignore the annoyance. Let me recap:

1. IE’s executable gets modified.
2. IE attempts to connect to the internet via domains and is blocked but when attempting by IP is not blocked
3. KIS Firewall does the blocking because it realizes the executable has been changed

Now reconsider #2 and #3 together – the firewall blocks internet access to protect you, right? Nope! It only kinda partly blocks internet access. If the program is connecting via IP address, then the firewally lets it do anything it wants! So if somebody finds an exploit in IE to modify the executable so it sends all of your personal data to the internet, Kaspersky firewall does NOTHING to block that data transmission if it is sending it to an IP address, it only blocks it if it needs to resolve a domain name.

My Conclusion:
Bad Kaspersky! Go to your room and fix it!

I have three workstations on my desk at work that I use on a daily basis. One runs Vista Ultimate, one runs Vista Business, and the other is Vista Home Premium. Since yesterday was Patch Tuesday, I had a dozen or so Windows Updates to install. All installations on all 3 systems seemed to go just fine.

However, my Home Premium box’s IE started acting funny! It could not load web pages by domain but could load them by IP. Obviously a DNS-related issue, right? Think again! I could open up Visual Studio and browse sites just fine in it! Pings worked, Firefox worked, everything worked except for IE by domain name! And all of this was working before patching, so that’s the obvious culprit. After uninstalling patches one-at-a-time, I finally got to KB 944533 (1/4 MB source so it may take a bit to load and render!) and after uninstalling that patch and rebooting, IE ran fine again!

Reading through the KB article, it mentions KB 942818 as a known issue with the patch. I’m running a combination of Kaspersky AV, Kaspersky Proactive Defense, Windows Firewall, and Windows Defender, so if KB 942818 applies to me, then it is Kaspersky AV or Proactive Defense that has issues with it. When installing updates I get into the habit of, upon the first prompt by Kaspersky Proactive Defense, disabling it for 5 minutes, so that is indeed what I did, so I suspect this is the culprit, IF KB 942818 is correct.

While it is not a conclusive test, I’m going to try reinstalling it with Kaspersky completely disabled from before beginning installation. If it is still broken, then I will try again with it all completely enabled the entire time, manually allowing exceptions as prompted. I will post back here the results.

Update #1 (Feb 13, 2008): Apparently having Kaspersky completely disabled the entire time does not fix this. I am now back in a broken state. Next I will uninstall the patch and re-install it with Kaspersky completely enabled the entire time.

Update #2 (Feb 13, 2008): While I’m waiting for it to install yet again, I wanted to mention another behavior that I thought was peculiar that I noticed. If, while browing things in Visual Studio 2005, I immediately went to the same URL in IE as I was viewing in Visual Studio (such as www.cnn.com), then IE would pull the page up although it was obviously being loaded from cache (some dynamic images were dead, some bad javascript and styles, etc. and all links were dead). So it seems that IE’s domain-to-cache linking was working correctly, IP address-to-internet was working correctly, just not domain-to-internet.

Update #3 (Feb 13, 2008): Well, installing it with everything turned on and being aware of the changes made no difference either. I’m giving up for the day and will try again later. As of this point, I have no way to have this patch installed and IE working on this machine, but since it’s a cumulative security patch, I WANT to have it installed!

Update #4 (Feb 14, 2008): As mentioned here, it is appearing as though Kaspersky Internet Security v7.0.0.125d may be the culprit here. I have began a post in Kaspersky’s forums discussing this here. So far, no luck with anything else.

Update #5 (Feb 20, 2008): I have located a post here by A.BORD that pointed out that pausing KIS via the icon in the tray doesn’t really disable things (who knows what it does). If you open up the KIS control panel and individually disable everything in KIS, then the update should install without problems and once you reboot, you can re-enable everything again and be fine and happy. I am trying this right now to see if I can install the patch via this method. If it works, I’ll outline it in more detail.

Update #6 (Feb 20, 2008): I got my hopes up for nothing. This made no difference. I guess I’m going to completely uninstall Kaspersky, install the patch, and then reinstall Kaspersky. I REALLY hope this fixes the problem. I think Microsoft and Kaspersky need to cooperate a bit more than they have on this patch. It’s ludicrous to have to uninstall my security software just to install a Microsoft security patch.

Update #7 (Feb 20, 2008): I’ve fixed it. See my post here with more details.

-Shane