You are here

Security alert from WinMerge 2.8 Launcher

12 posts / 0 new
Last post
Alan_B
Offline
Last seen: 5 years 6 months ago
Joined: 2008-01-15 14:18
Security alert from WinMerge 2.8 Launcher

Is nsExec.dll a self-mutating virus !!!

When I use PAM to launch WinMerge 2.8, my Comodo Security Firewall is very worried.
EVERY TIME it is worried.

When I use PAM to launch OpenOffice, Comodo never gives an alert.
It probably did give an alert last year when I first used it, but it honoured my request to REMEMBER and it has not troubled me since.

When I use PAM to launch WinMerge 2.8, my Comodo Security warns :-

1. Red Alert
Defense+ malware heauristic analysis has detected possible malware behaviour in
C:\Documents and Settings\Dad\Local Settings\Temp\nsi2F.tmp\ns30.tmp

This is a new folder, with 5 off *.dll + 1 off splash.jpg
I click allow and all 7 files remain then 1 second later
2. Amber Alert
ns30.tmp is new parent to reg.exe, cannot be recognised, and can take over execution.

I click allow and ns30.tmp is deleted as Winmerge is launched.
Two Seconds after I close Winmerge, the entire folder ...\Temp\nsi2F.tmp\ is deleted.

Repeat test

3. Red Alert
Defense+ malware heauristic analysis has detected possible malware behaviour in
C:\Documents and Settings\Dad\Local Settings\Temp\nst33.tmp\ns34.tmp

This is a new folder, with 5 off *.dll + 1 off splash.jpg
I click allow and all 7 files remain then 1 second later
4. Amber Alert
ns34.tmp is new parent to reg.exe, cannot be recognised, and can take over execution.

I click allow and ns34.tmp is deleted as Winmerge is launched.
Two Seconds after I close Winmerge, the entire folder ...\Temp\nst33.tmp\ is deleted.

Upon each Red alert, before I "allow" I copy the new folder to another partition.
Subsequent analysis shows that in every case :-
C:\Documents and Settings\Dad\Local Settings\Temp\ns???.tmp\nsExec.dll is always identical
C:\Documents and Settings\Dad\Local Settings\Temp\ns???.tmp\ns??.tmp is always identical.
C:\Documents and Settings\Dad\Local Settings\Temp\ns???.tmp\ns??.tmp is always identical to nsExec.dll, apart from 4 bytes.

Each time I tell Comodo to ALLOW, I have also authorised REMEMBER, unfortunately you fool it by using a different random name in a different random folder, so the next new name catches us by surprise again and again.

I would appreciate it if you changed from random names to fixed constant names so I can have an instant launch without having to cancel two security alerts.
In principle I approve of "portability", but until this is fixed I intend to add a short cut on my desk-top to instantly start, in a NON-Portable fashion
H:\PortableApps\WinMergePortable\App\WinMerge\WinMergeU.exe
because that avoids any aggravation with Comodo Security - I have just tested it.

I do not know if this problem means that this application is not quite portable, it depends upon how you define portable, but regardless of compliance or otherwise, it could be distressing if the Corporate I.T. Security manager comes running with a P45 because of alarm bells being rung by his Security systems when a "locked down" computer starts detecting the operation of multiple different executables that are masquerading as *.tmp files in a temp folder. It would be a kindness to users in such an environment if the name etc was not only fixed, but if it had a proper executable extension, and did not look like something evil that has secretly entered.

Apart from this feature, I like WinMerge 2.8

Alan

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Can you allow

"Is nsExec.dll a self-mutating virus !!!"
No it is not. The rest of your message seems to indicate that you know that.

Can you tell your Comodo to allow use of the temp directory by WinMerge 2.8 portable launcher?

I had a similar problem with my McAfee not liking the use of the temp directory by TBP till I told McAfee to add it to it's exceptions list.

==== It Said: ====
3/22/2008 3:34:36 PM
Would be blocked by Access Protection rule
(rule is currently not enforced)
C:\path\ThunderbirdPortable\ThunderbirdPortable.exe
C:\Documents and Settings\Tim\Local Settings\Temp\nso11.tmp\FindProcDLL.dll
Common Standard Protection:
Prevent common programs from running files from the Temp folder Action blocked : Execute

My translation of the above:
"ThunderbirdPortable.exe is trying to run programs from your temp directory which is something that "I"[McAfee] have been told to keep an eye on"

===== So I Said: ====
Rule Name:
Prevent common programs from running files from the Temp folder

Processes to exclude:
ThunderbirdPortable.exe

======

Note that the changing subdirectory name:
\Temp\nso11.tmp\
becomes irrelevant as I have told McAfee to allow TBP to run files from the \Temp\ directory.

What you can try, if your situation is similar, is find out what "rule" WMP is "violating" and tell Comodo that it is something you want to allow WMP to do.

The question is what "rule" is WMP "violating"? That would depend on the setting of Comodo itself.

Tim

[edit: By the way, before someone jumps on it, Comodo is just doing its' job, just as McAfee was. It is warning you about actions it has been told to look out for because they can be dangerous. Hopefully it has settings that allow you to make an informed decision to override it.]

Things have got to get better, they can't get worse, or can they?

Alan_B
Offline
Last seen: 5 years 6 months ago
Joined: 2008-01-15 14:18
Tim First, I apologize for

Tim

First, I apologize for being a little cheeky with my attention seeking headline.

At first I very briefly toyed with the idea of permitting any sort of activity in
C:\Documents and Settings\Dad\Local Settings\Temp\
and immediately rejected the idea because :-
1) This is a "personal profile" temp folder that several good, decent, and honest applications make use of, what is known to them will also be known to hackers and virus writers who may want to try their luck; and
2) I have never seen any such option in Comodo.

Thank you for your suggestions. I have now scrutinised and adjusted the Comodo Defense+ settings and can now report that :-
Asserting that both
H:\PortableApps\WinMergePortable\WinMergePortable.exe and
H:\PortableApps\WinMergePortable\App\WinMerge\WinMergeU.exe
are trusted had no effect - still the same Red alert followed by an Amber alert;
Asserting that both are "Installer or Updater" removed the red alert, but the Amber alert remains.
The exact text is :-
"reg.exe was allowed to be executed previously. However a new parent application, ns28A.tmp, is detected and it could not be recognized. Once the application is executed, its parent will have the full control over its execution. If ns28A.tmp is one of your everyday applications, you can safely allow this request."
This ns???.tmp is different every time.
I believe the Red alert is removed because, although the warning did not state that there was a parent, Comodo seemed to know that ns???.tmp was spawned by an application that had been elevated to the status of "Installer or Updater".

No matter how pure and perfect Grand-dad may be, there is a limit to how far down the line one can trust his great great great grand-children, and I guess that Comodo does not trust anything beyond the child, i.e. the child ns???.tmp inherits certain permissions from its WinMergePortable.exe parent, but when ns???.tmp then tries to take over the world with reg.exe that is going to far, hence the Amber alert remains. (Also, I do not know if Comodo remembers that the grand-parent for reg.exe is an "Installer or Updater") n.b. I did not KNOW what reg.exe was, and thought it might be something to do with regedit. I have just Googled and found :-
"The command-line utility reg.exe is a powerful and versatile way to manage the Windows XP Registry."
and also
"If the reg.exe process is on your computer, your pc could be infected with a worm known as 'alcarys.g'."
Shivers up my spine !!!

Upon further investigation I found that whilst Comodo creates "remember" rules for specific files in specific folders, it was possible for me to modify one rule to
C:\Documents and Settings\Dad\Local Settings\Temp\*.*
and "Installer or Updater" for this is only just sufficient to avoid any alerts.
Unfortunately I cannot restrict this permission to descendants of Winmerge etc., so this gives Carte Blanche to all the legal stuff that till now has made safe use of this temporary folder, and will also permit tomorrow's Trojans to have a field day.

In conclusion :-
I trust PortableApps and Winmerge and am happy to elevate to "Installer or Updater" status;
I am not prepared to risk all and sundry existing applications, nor tomorrow's Trojans, to do whatever they like in ...\temp\*.*, therefore I can remove the Red alert, but am stuck with the Amber alert;
It is un-important to me whether I suffer the minor aggravation of a single Amber alert upon a "Portable" launch, or the minor irritation of knowing that a desk-top short cut is NON-Portable and may further bloat my registry (which grows a few more KByte every other day due to I know not what);

BUT if a PortableApps user has inadvertantly unleashed a storm of "Virus Alerts" from his company computer through the network to the company I.T. department, he may be faced with an angry I.T. manager shouting "If it looks like a duck, and quacks like a duck, it IS a duck", and if he is already on his final written warning that could be the end of a promising career. n.b. Whilst I can adjust my home security settings to avoid these alerts, this is not an option with a company computer that is locked down to prevent installation of anything.

This problem is a minor irritation to me, but could be a MAJOR problem for others, and it seems unnecessary because OpenOffice can be launched without this "feature".

Alan.

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Wow

Wow, big reply Blum

Also way beyond my skills to address Sad

I'm sorry my suggestion was not more helpful.

I really can't address the situation between OO and WMP
I do know that McAfee has problems with TBP but Not FFP.
I guess is has something to do with what the launcher needs to do.

As far as giving a consistent name to the temporary directory, that is something John would have to address. I sense it might not be as easy as we might think.

And yes, you should be careful, you don't want to lose your job.

Good Luck,
again, sorry I could not be more helpful.

Tim
-

Things have got to get better, they can't get worse, or can they?

Ryan McCue
Ryan McCue's picture
Offline
Last seen: 15 years 2 months ago
Joined: 2006-01-06 21:27
NSIS

It is simply a temporary file (generated by NSIS on runtime), most likely a plugin. It is most definitely not a virus, as I have scanned the package.

The reason it has a .tmp file extension is because that is what NSIS uses. There is no way to change this.

"If you're not part of the solution, you're part of the precipitate."

Tim Clark
Tim Clark's picture
Offline
Last seen: 13 years 7 months ago
Joined: 2006-06-18 13:55
Ryan

It's not the .tmp file extension he's concerned with,

it's the prefix:
nsi30.tmp
nst33.tmp
ns??.tmp etc, etc

His hope seems to be that if the prefix [actually the whole name of the directory] would stay the same so he could then allow it in Comodo.

But as I said, I'm sure it's not as easy as we might think Wink

He is sure at this time that it is not a virus and that is not really his concern.

Tim
-

Things have got to get better, they can't get worse, or can they?

Ryan McCue
Ryan McCue's picture
Offline
Last seen: 15 years 2 months ago
Joined: 2006-01-06 21:27
Ah.

Well, that is not possible either. NSIS automatically generates the names and we have no control over that.

"If you're not part of the solution, you're part of the precipitate."

Alan_B
Offline
Last seen: 5 years 6 months ago
Joined: 2008-01-15 14:18
1. I confirm Tim's

1. I confirm Tim's understanding that I do not believe it to be a virus.
I trusted this site and application sufficiently to reject the Comodo option to submit to them for analysis the "suspected malware".

2. These malware warnings do not occur when I launch these Portable Apps. :-
OpenOffice;
VLC;
Sumatra;
Thunderbird;
PeaZip.

I have just tested the launching of the above Portable Apps, and get no warnings;
I also tested 7-Zip, and was surprised to get the same malware warnings as are given to WinMerge, and referring to similar randomised ns???.tmp files.

Please forgive my ignorance, but I think of PeaZip and 7-Zip as being alternative applications that do the same sort of job as one-another, and that would use the same Windows services and facilities to do their work, and would work under the same constraints as one-another.
Obviously PeaZip is wrapped/packaged/launched in such a way that NSIS is not used, OR if NSIS is used it creates a *.tmp file that is well behaved and does not look like malware. If 7-Zip does the same sort of job as PeaZip, is it impossible to launch it in the same non-malware-threatening fashion, or is it just a major aggravation to re-write a requirements specification from scratch and to start all over again ? Been there, Done that, spent 30 years real time software engineering with embedded processors, but much less time writing software for DOS, and very little experience of getting Windows to do what I want !!!

I never experienced these malware warnings before using WinMerge 2.8, and I never noticed them after two brief launches of WinMerge 2.6.14, hence I assumed it could be easily fixed to be like the rest of the family. I do however accept the advice that it is not so easy.

These malware warnings are a minor inconvenience to me. I am now retired and have no I.T. manager complaining about what I am doing on his network. Others are in a less fortunate situation, and may get the I.T. department descending like a ton of bricks if they launch a Portable App and it unleashes a flood of virus alerts. Were I an I.T. manager I would be especially suspicious if I was warned that reg.exe or regedit.exe was being driven by an executable that pretended to be a *.tmp. So don't do it for me, but if possible please fix it for those whose careers could be terminated.

Alan.

Bruce Pascoe
Offline
Last seen: 12 years 11 months ago
Joined: 2006-01-15 16:14
...

The issue, I'm guessing, is that both WinMerge and 7-Zip use the registry and the launcher must handle this by copying the settings back and forth between the registry and the portable settings. So since reg.exe is used to modify the registry (something malware likes to do) instead of NSIS doing it itself, Comodo sees it as a security threat.

Believe me, if it could be fixed, we'd fix it. It's not up to us, though--it's up to the NSIS developers.

Alan_B
Offline
Last seen: 5 years 6 months ago
Joined: 2008-01-15 14:18
Thank you Bruce You pointed

Thank you Bruce

You pointed me in the right direction for understanding this issue.
If only it was fixable !!!

I have a total of 16 different applications in PortableApps.
I have just searched that entire folder for *.reg files and found only 3 matches :-
WinMerge;
WinDirStat;
7zip_portable.

PeaZip has no such *.reg , so this explains why 7Zip has the problem and PeaZip does not.

This problem exists only with the applications that include a *.reg file.
I wish the problem could be fixed,
but at least I now understand the cause, and know there is nothing I can do about it.

Thank you

Alan

Ryan McCue
Ryan McCue's picture
Offline
Last seen: 15 years 2 months ago
Joined: 2006-01-06 21:27
Correct.

I've had a look myself and the error seems to be from the nsExec plugin, which is used to import the .reg file back into the registry.

There is no way around this at the moment.

"If you're not part of the solution, you're part of the precipitate."

haustin
Offline
Last seen: 13 years 3 months ago
Joined: 2007-09-19 17:59
workaround = ExecDos.dll

I posted the fix here, but as usual, crickets...

I don't hold my breath, but I hope that developers actually notice the tips and suggestions posted by other developers. Perhaps there should be a forum specifically to collect such findings, or even a convention of starting thread subjects with "TIP: " within the existing Development forum.

Things considered generally helpful (or even all TIPs) could be linked from the Wiki.

Thoughts? -hea

Log in or register to post comments