One of these days, I received a call stating that the Firewall service at one of the customers had gone down. The server is running on Windows 2003 SP2 with ISA 2006 SP1.
Also installed on the same server is SurfControl. How did it start? Well, one of the administrators restarted the service!
Event ID: 14057.
The source is Microsoft Firewall.
The firewall services stopped because an application filter module C:\windows\system32\alockout.dll generated an exception code c00000005 in address 710DBE2C when function complexAsyncIO was called. To remove recently installed application filters and restart the service.
Well, I was not so sure whether SurfControl needed to implement alockout.dll; I was pretty sure that it would not. So I asked the site admin to figure out whether any changes were made: none to his knowledge.
The administrator had restored from a backup, complete system state. No way to audit who had installed them, no forensic evidence there (not a good practice to be followed). Asked the administrator to rename it back to alockout.dll; once done, asked him to run regsvr32 /u alockout.dll; it said that the file failed to register. It was fine as long as we could find the registry entry.
Deleted the appinit and asked to delete the file. ISA seems to be working.