False positive with 5737: system.dll and dialer.dll from NSIS (Nullsoft Scriptable Install System)

Jason McKinnon

All was good for a while, but after updating to the latest signatures
(5737), it appears that system.dll is now being detected as
CoolWebSearch.Cameup (Browser Modifier) and dialer.dll is coming up as
AntivirusGold (potentially Unwanted) - I'll also post to the false positive
form at http://www.microsoft.com/athome/sec...isv/fpform.aspx, and I've
already posted to the NSIS forum thread tracking these incidents at
http://forums.winamp.com/showthread.php?s=&threadid=209232

I just wanted to mention it here in case someone else is wondering whether
anyone has reported this yet.

Thanks,
Jason
 
Robin Walker [MVP]

Jason McKinnon said:
All was good for a while, but after updating to the latest signatures
(5737), it appears that system.dll is now being detected as
CoolWebSearch.Cameup (Browser Modifier) and dialer.dll is coming up as
AntivirusGold (potentially Unwanted) - I'll also post to the false
positive form at
http://www.microsoft.com/athome/sec...isv/fpform.aspx, and I've
already posted to the NSIS forum thread tracking these incidents at
http://forums.winamp.com/showthread.php?s=&threadid=209232

Why do you consider these to be false positives?
What is the full directory path to each of the suspect files?

My Windows does not have a "dialler.dll", so that is suspect.
The only legitimate "system.dll" that I can find is part of the .NET
framework. If yours is elsewhere, it is highly suspect.
 
Jason McKinnon

Robin,

I'm going to try to respond nicely to your ignorance of a product that you
are *clearly* not familiar with. I'm also going to spell it out nice and
clearly for anyone else who doesn't know what NSIS is or what it does.

NSIS is the Nullsoft Scriptable Install System (long ago known colloquially
as the "llama installer"). It's the installer that was written by the guys
that brought the world such nifty software as WinAMP, long before there were
any other decent media players out there. One thing that was really nice
about it was that they decided that the world would be a better place if
InstallShield didn't have a monopoly on the Installer market, so they made
it free and open source.

This software has been around for a very long time, and it is certainly not
spyware. It has pretty much the same functionality as InstallShield,
and if you consider NSIS to be spyware, then by the same logic
InstallShield, and even Microsoft's Windows Installer must also be spyware.
The biggest problem here is that being free and open source, a number of
cash-strapped Spyware developers choose to use the freely available NSIS
platform to install their products. They could just as easily use one of
the others, but that would cost them money. So because some of the NSIS
installer plugins get bundled with the setup program of spyware, every now
and again, the anti-spyware vendors forget about what they spent hours doing
just a few weeks before, and they declare the dll to be part of the
spyware's code, which it isn't - it is merely part of the installer's code.

Please feel free to visit the web site at http://nsis.sourceforge.net -
please also feel free to read through each and every line of code there and
then proclaim to the rest of the readers of this group exactly which line of
code you find to be "suspect". Just because you can't find a file called
"dialer.dll" on your machine does *not* count.

As for the full path to the files, on *my* machine, and those of thousands
of developers out there that actually use NSIS to create installers, the
files are in C:\Program Files\NSIS\Plugins, right where they should be...

On anyone else's machine, they could be in any of a number of places,
including one's temp folder, for example, if you installed a piece of
software that happened to make use of one of the affected plugins in order
to install the software you were installing.

For completeness, the reason I didn't go into a lot of detail was because I
saved that detail for the official false positive submission for the
technical people that know what they are talking about (Bill and André - you
guys are saints to put up with this sort of thing in the newsgroups every
single day). Also, if you *bothered* to search the newsgroups for NSIS and
false positive, you will see the previously targeted DLLs were math.dll and
nsisdl.dll (actually, nsisdl.dll got picked on two separate occasions, and
has also been picked on a few times by anti-virus vendors, all of whom have
noted the false positives and made the appropriate changes to their
signatures, never questioning them for being suspect, just because they
didn't have a copy of that file on *their* machine - that's why the false
positives reporting page has a space to fill in the download location so
that they can look into it further).

I hope that this clarifies things just a little bit.

Thank you all for taking the time to read this - I am sure you all have work
to do, as do I - I apologize for the lengthy diatribe.

P.S. Robin, next time, please take the time to actually read the subject
line before responding in haste regarding something you are not familiar
with. Better yet, if you have never heard of the product, please do us all
a favor and just skip to the next thread.
 
Robin Walker [MVP]

Jason McKinnon said:
the files are in C:\Program Files\NSIS\Plugins, right
where they should be...

OK, that was the info that was needed.
next time, please take the time to actually read the
subject line before responding in haste regarding something you are
not familiar with.

There was nothing in the body of your original post that mentioned that
these files were specific to a particular product, and the subject line was
too long for the reference to NSIS to be visible on my newsreader.

If you or the vendors wish to report the false positive, please use the
forms available at:
http://www.microsoft.com/athome/security/spyware/software/isv/forms.mspx
 
Jason McKinnon

Robin Walker [MVP] wrote (in part):
If you or the vendors wish to report the false positive, please use the
forms available at:
http://www.microsoft.com/athome/security/spyware/software/isv/forms.mspx

...which is precisely what I said I did...

but anyway, that aside, onto today's dilemma (bug?):

For some reason, this morning's scan did *not* pick up the two "suspect"
files (C:\Program Files\NSIS\Plugins\system.dll and C:\Program
Files\NSIS\Plugins\dialer.dll), even though they have not been moved,
quarantined, or deleted, and have been repeatedly detected 3 days in a row
since the installation of signatures 5737. I also checked to make sure that
a newer version of the signatures had not been installed (completely shut
down MSAS and started it up again, with no change in the date or the
version).

Looking through various logs on my system, I see the following (in
chronological order):

7/20/2005 2:00:20 AM: Spyware detected: 0
7/20/2005 4:42:26 PM: Software updated from 1.0.614 to 1.0.615
7/21/2005 2:00:22 AM: Spyware detected: 0
7/22/2005 2:00:02 AM: Spyware detected: 0
7/22/2005 4:26:18 PM: Definitions updated to 5737
7/23/2005 2:00:13 AM: Spyware detected: 2, removed: 0, quarantined: 0
7/24/2005 2:00:23 AM: Spyware detected: 2, removed: 0, quarantined: 0
7/26/2005 2:00:06 AM: Spyware detected: 2, removed: 0, quarantined: 0
7/27/2005 2:00:07 AM: Spyware detected: 0

This behavior is a little disturbing, so if there is any further information
I can provide to help troubleshoot what happened here, I would be only too
happy to help.

Thanks,
Jason
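The scan log Jason posted lends itself to a mechanical check. As an added example that is not part of the thread, this Python parses log lines of the shape shown above (the sample is constructed to match them) and flags any scan whose detection count dropped to zero with no definitions or software update in between and nothing removed or quarantined by the preceding scan, which is exactly the gap Jason noticed.

```python
import re
from datetime import datetime
# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
7/20/2005 2:00:20 AM: Spyware detected: 0
7/20/2005 4:42:26 PM: Software updated from 1.0.614 to 1.0.615
7/21/2005 2:00:22 AM: Spyware detected: 0
7/22/2005 2:00:02 AM: Spyware detected: 0
7/22/2005 4:26:18 PM: Definitions updated to 5737
7/23/2005 2:00:13 AM: Spyware detected: 2, removed: 0, quarantined: 0
7/24/2005 2:00:23 AM: Spyware detected: 2, removed: 0, quarantined: 0
7/26/2005 2:00:06 AM: Spyware detected: 2, removed: 0, quarantined: 0
7/27/2005 2:00:07 AM: Spyware detected: 0
"""

LINE_RE = re.compile(r"^(\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M): (.*)$")
SCAN_RE = re.compile(r"Spyware detected: (\d+)(?:, removed: (\d+), quarantined: (\d+))?")
CHANGE_RE = re.compile(r"(Definitions|Software) updated")

def parse_log(text):
    """Return (timestamp, kind, payload) events in file order; kind is 'scan'
    (payload: detected, removed, quarantined) or 'change' (an update)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamped entry
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        s = SCAN_RE.match(m.group(2))
        if s:  # missing removed/quarantined fields count as 0
            events.append((ts, "scan", tuple(int(g or 0) for g in s.groups())))
        elif CHANGE_RE.match(m.group(2)):
            events.append((ts, "change", m.group(2)))
    return events

def unexplained_drops(events):
    """Scans whose detection count fell to zero with no reason in the log: no
    update since the previous scan, and that scan removed/quarantined nothing.
    Returns a list of (timestamp, previous_count)."""
    findings, prev, changed = [], None, False
    for ts, kind, payload in events:
        if kind == "change":
            changed = True
        elif kind == "scan":
            if (prev and prev[0] > 0 and payload[0] == 0
                    and not changed and prev[1] + prev[2] == 0):
                findings.append((ts, prev[0]))
            prev, changed = payload, False
    return findings
```

Run against the sample it reports the 7/27 scan as unexplained; a drop that follows a definitions update or a scan that removed the items is not reported.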
 
Bill Sanderson

Check the location where ignored stuff lives? Options, Settings, Spyware
Scan....