RealPlayer - Blocked by MSAS?

Chuck

I run RealPlayer periodically - there are some online presentations like the monthly SANS webcast that use it - and yes,
I set all possible privacy options on.

Each time I start RP, MSAS pops up twice for Unknown Process - once that it has blocked an Unknown Process from
starting, and a second time that it has blocked an Unknown Process from adding itself to be started automatically. Give
it two pats on the back, OK.

Thank you, Microsoft. If there's anything I hate worse than the Microsoft treatment of its customers, it's RealPlayer
insisting repeatedly on running the RealNetworks Scheduler, and restarting that piece of crapware every time I run
RealPlayer.

But wait a minute. You lie! Every time I close RealPlayer, I check Process Explorer, and have to kill realsched. Then
I check AutoRuns, and delete TkBellExe from HKLM\Run. WTF?
 
Bill Sanderson

Interesting. You don't see any green dialogs for "known process" allowed?

I see the green dialog when I run QuickTime. I've told Microsoft
AntiSpyware to permanently block the QuickTime system tray task, and that
works until the next time you run QT, and then it comes right back again,
because it is a "known" spyware-free app. I don't object too strongly to
this--it isn't Microsoft's job to change the behavior of an app I keep
installed part of whose behavior I disagree with--but the "permanently
block" language really isn't true.
 
Chuck

> Interesting. You don't see any green dialogs for "known process" allowed?
>
> I see the green dialog when I run QuickTime. I've told Microsoft
> AntiSpyware to permanently block the QuickTime system tray task, and that
> works until the next time you run QT, and then it comes right back again,
> because it is a "known" spyware-free app. I don't object too strongly to
> this--it isn't Microsoft's job to change the behavior of an app I keep
> installed part of whose behavior I disagree with--but the "permanently
> block" language really isn't true.

Nope, it's orange now, it mentions RealNetworks specifically as an application
change blocked from installing itself in the registry, and it lies. I have to
look real quick 'cause the notice pops up and goes away in a second or so.
Nothing in Event Viewer either.

There's realsched.exe running now, and in HKLM\...\Run, there's another
TkBellExe entry.

If I kill realsched.exe with RP running, when I end RP, it starts another copy,
and it re-adds TkBellExe to HKLM\...\Run. Typical spyware behaviour.

I just went carefully thru my Security Agents, and I see no mention of any Real
events, blocked or not. How do you add an item to block it?
 
Andre Da Costa

Here's a tip: when it pops up, quickly press Print Screen on your keyboard
and paste into an image program such as Microsoft Paint, then read the message.
 
Chuck

> Here's a tip: when it pops up, quickly press Print Screen on your keyboard
> and paste into an image program such as Microsoft Paint, then read the message.

Andre,

Good call. I now have 3 .gif files - 2 pop-up windows, and a Blocked Entrys
list, for a souvenir.

The pop-up:
Orange: "Microsoft AntiSpyware Notice" "An Application Change has been blocked"
"Microsoft AntiSpyware has blocked the startup program RealPlayer (32-bit) by
RealNetworks Inc from being installed in your startup registry."
"Name: RealPlayer (32-bit)"
"File path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

I hit "Manage blocked Startup Registry Entrys" and get a list of blocked entries,
in which realsched.exe is listed. I could remove it, but I don't.

I hit Close, and the list window, and the orange pop-up, both disappear.

I refresh my Autoruns window, and a new TkBellExe entry is there. And in my
Process Explorer, a new realsched.exe.

I kill realsched.exe, delete the TkBellExe entry in Autoruns, and I'm back to
normal.

I repeat the above procedure, but Remove the realsched.exe entry from the
Blocked Entrys list. I again kill realsched.exe, and remove the new TkBellExe
entry from HKLM\...\Run.

I repeat the above procedure yet again, now I get a blue pop-up "An Unknown
Startup Program RealPlayer (32-bit) Requires Approval". I select Block again.

Again I kill realsched.exe. This time, no HKLM\...\Run entry for TkBellExe.

Some progress. Right.

One more time. An orange pop-up again. And after closing the Blocked Entrys
list, and watching the pop-up close again, I again kill realsched.exe, and again
remove TkBellExe.

Anybody for WhackAMole?
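The manual loop Chuck describes above (check Process Explorer for realsched.exe, check Autoruns for the TkBellExe value under the HKLM Run key, kill one and delete the other) can be scripted so the check is repeatable and the findings are logged. The following is an added example, not code from the thread or from RealNetworks or Microsoft. It assumes the standard per-machine Run key, `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, which is the full form of the `HKLM\...\Run` path the thread abbreviates; the entry and process names come from the thread, and the `-Remove` switch is this script's own. Run it from an elevated PowerShell prompt, and, as Chuck observed, only after RealPlayer itself has exited, since RealPlayer restarts the scheduler on exit.

```powershell
# Added example: report (and optionally remove) a startup-registry entry and its
# matching process. Default names are the ones discussed in the thread.
param(
    [string]$EntryName   = 'TkBellExe',   # value name under the Run key (from the thread)
    [string]$ProcessName = 'realsched',   # process to look for (from the thread)
    [switch]$Remove                       # hypothetical switch: actually delete/stop
)

# Standard per-machine autorun key; the thread writes it as HKLM\...\Run.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# 1. Is the startup entry present? Read only the named value so other
#    autoruns are left untouched.
$entry = Get-ItemProperty -Path $runKey -Name $EntryName -ErrorAction SilentlyContinue
if ($entry) {
    Write-Host ("Startup entry present: {0} = {1}" -f $EntryName, $entry.$EntryName)
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $EntryName
        Write-Host "Removed $EntryName from $runKey"
    }
} else {
    Write-Host "No $EntryName value under $runKey"
}

# 2. Is the scheduler process running? Record the image path so it can be
#    compared with the command stored in the registry value above.
$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    Write-Host ("Process running: {0} (PID {1}) {2}" -f $p.ProcessName, $p.Id, $p.Path)
    if ($Remove) {
        Stop-Process -Id $p.Id -Force
        Write-Host "Stopped PID $($p.Id)"
    }
}
if ($procs.Count -eq 0) { Write-Host "No $ProcessName process running" }
```

Without `-Remove` the script only reports, which is the useful mode for confirming whether a "blocked" notice actually prevented anything: run it before and after the pop-up and compare. Comparing the registry value's command line with the running image path also shows whether the autorun and the live process point at the same binary.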
 
Bill Sanderson

You can block an item in place, or "permanently remove" it - via Tools,
Advanced Tools, System Explorers.

However--permanently remove just means that instance at that moment--it
isn't going to block it from coming back.

You'd have to get Realplayer defined as an app to be removed by Microsoft
Antispyware, and that isn't likely, I believe--it has to transgress the set
of guidelines linked to here:

http://support.microsoft.com/kb/892340 Microsoft Windows AntiSpyware (Beta)
identifies a program as a spyware threat (Listing criteria and Dispute
process)
 
Chuck

> You can block an item in place, or "permanently remove" it - via Tools,
> Advanced Tools, System Explorers.
>
> However--permanently remove just means that instance at that moment--it
> isn't going to block it from coming back.
>
> You'd have to get Realplayer defined as an app to be removed by Microsoft
> Antispyware, and that isn't likely, I believe--it has to transgress the set
> of guidelines linked to here:
>
> http://support.microsoft.com/kb/892340 Microsoft Windows AntiSpyware (Beta)
> identifies a program as a spyware threat (Listing criteria and Dispute
> process)

Bill,

Thanks for the final piece of the puzzle. You're right - it isn't going to keep
it from coming back.

I just looked at the .gif of the blue pop-up. There's a check box below the
Allow / Block buttons. But the check box isn't "Remember this decision", but
"Send to SpyNet". DOHH.

I guess "Send To SpyNet" is a globally aggregated "Remember this decision" (if
it ever happens).

I'm so used to learning firewalls like Zone Alarm that actually Remember MY
Decisions. :(

BTW, thanks so much for putting "plugh" in your address munge. I so needed to
start playing Adventure again.
 
Bill Sanderson

I like revisiting Adventure periodically myself. There's a real domain at
the end of that munge, but one with no mailserver. I'm very pleased to have
permission to use the munge. I s'pose I should check periodically to see
that the circumstances are still valid--such things change over time.

You're right about Spynet being a globally aggregated set of such decisions,
and we aren't going to find many users turning Realplayer down, I suspect.
Even if we do, the app doesn't transgress the guidelines, I suspect.
 
Chuck

> I like revisiting Adventure periodically myself. There's a real domain at
> the end of that munge, but one with no mailserver. I'm very pleased to have
> permission to use the munge. I s'pose I should check periodically to see
> that the circumstances are still valid--such things change over time.
>
> You're right about Spynet being a globally aggregated set of such decisions,
> and we aren't going to find many users turning Realplayer down, I suspect.
> Even if we do, the app doesn't transgress the guidelines, I suspect.

Bill,

The last time I visited Adventure with any regularity was when my computer was
shared with a dozen other workers - a time shared PDP-15 - with me and coworkers
alternating between playing, and looking over our shoulders for the boss to come
by.

Now with the kick in the butt performance of a dedicated 2G desktop system, and
no interference by the boss...

I'm not against RealPlayer, but I do oppose RealSched, and I'm not the only one.
Post a HijackThis log in any experts forum, with realsched.exe listed, and
you'll get told to remove that crapware.

And I know this is a Beta product, but shouldn't the message "has blocked (this
program) from being installed" be worded a bit differently, if nothing is
actually prevented? Should we trust MSAS to protect us against real malware?
 
Bill Sanderson

Some of the messages have contradictory wording at this point--my impression
is that they are generated from a database of phrases, and that there are
some pointer confusions resulting in messages which don't make much sense.
When I've intentionally installed, say, BearShare, on a VPC, I've gotten
appropriate messages - it bundles a mixture of stuff you would want blocked,
and things you might choose not to block. In my case I allowed it all,
'cause I was trying to test removal. I'll do another test eventually where
I choose block on everything and see whether it does the job--there's been
some concern that some of the block messages come so late that the damage
may already be done. The blocking actions I've checked have been effective,
but they have been rather simple--hosts file additions and the like.
 