Is nsExec.dll a self-mutating virus !!!
When I use PAM to launch WinMerge 2.8, my Comodo Security Firewall is very worried.
EVERY TIME it is worried.
When I use PAM to launch OpenOffice, Comodo never gives an alert.
It probably did give an alert last year when I first used it, but it honoured my request to REMEMBER and it has not troubled me since.
When I use PAM to launch WinMerge 2.8, my Comodo Security warns:
1. Red Alert
Defense+ malware heuristic analysis has detected possible malware behaviour in
C:\Documents and Settings\Dad\Local Settings\Temp\nsi2F.tmp\ns30.tmp
This is a new folder, with 5 off *.dll + 1 off splash.jpg
I click allow and all 7 files remain; then 1 second later
2. Amber Alert
ns30.tmp is new parent to reg.exe, cannot be recognised, and can take over execution.
I click allow and ns30.tmp is deleted as Winmerge is launched.
Two seconds after I close Winmerge, the entire folder ...\Temp\nsi2F.tmp\ is deleted.
Repeat test
3. Red Alert
Defense+ malware heuristic analysis has detected possible malware behaviour in
C:\Documents and Settings\Dad\Local Settings\Temp\nst33.tmp\ns34.tmp
This is a new folder, with 5 off *.dll + 1 off splash.jpg
I click allow and all 7 files remain; then 1 second later
4. Amber Alert
ns34.tmp is new parent to reg.exe, cannot be recognised, and can take over execution.
I click allow and ns34.tmp is deleted as Winmerge is launched.
Two seconds after I close Winmerge, the entire folder ...\Temp\nst33.tmp\ is deleted.
Upon each Red alert, before I "allow" I copy the new folder to another partition.
Subsequent analysis shows that in every case:
C:\Documents and Settings\Dad\Local Settings\Temp\ns???.tmp\nsExec.dll is always identical
C:\Documents and Settings\Dad\Local Settings\Temp\ns???.tmp\ns??.tmp is always identical.
C:\Documents and Settings\Dad\Local Settings\Temp\ns???.tmp\ns??.tmp is always identical to nsExec.dll, apart from 4 bytes.
Each time I tell Comodo to ALLOW, I have also authorised REMEMBER; unfortunately, you fool it by using a different random name in a different random folder, so the next new name catches us by surprise again and again.
I would appreciate it if you changed from random names to fixed constant names so I can have an instant launch without having to cancel two security alerts.
In principle I approve of "portability", but until this is fixed I intend to add a shortcut on my desktop to instantly start, in a NON-portable fashion,
H:\PortableApps\WinMergePortable\App\WinMerge\WinMergeU.exe
because that avoids any aggravation with Comodo Security; I have just tested it.
I do not know if this problem means that this application is not quite portable; it depends upon how you define portable. But regardless of compliance or otherwise, it could be distressing if the Corporate I.T. Security manager comes running with a P45 because of alarm bells being rung by his security systems when a "locked down" computer starts detecting the operation of multiple different executables that are masquerading as *.tmp files in a temp folder. It would be a kindness to users in such an environment if the name etc. was not only fixed, but also had a proper executable extension, and did not look like something evil that has secretly entered.
Apart from this feature, I like WinMerge 2.8.
Alan