Archive: Microsoft Antispyware "detects" NSIS


Microsoft Antispyware "detects" NSIS
This morning, Microsoft Antispyware reported to me that NSISDl.dll was spyware of a "High Threat Level".
Anyone else see this?


Another reason not to have the M$ AntiSpyware.... I was also aware that it put Firefox in the same problem... spyware lol

I think it is the beta state of the product


I tested MS Antispyware (beta1) in my VM (Windows XP SP2, first start) and I didn't get this message (NSIS 2.05 installed). If you google for "nsisdl.dll", the first hits are all about viruses, maybe there's a connection.

btw: that firefox screenshot was a fake (also see slashdot) :)


Originally posted by Yathosho
btw: that firefox screenshot was a fake (also see slashdot) :)
and apparently was done by one of the members who frequent our GD forums ;)

-daz

nsisdl.dll was apparently used in some trojan horse. We've had lots of reports about this a couple of months ago. As far as I know, all anti-virus companies have already updated their definition files to make a better distinction. It seems like Microsoft is simply lagging behind. If the beta has a report feature of some kind, send them a note. If it doesn't have one and the latest version still detects nsisdl.dll, I'll have a word with them.


This morning Microsoft's beta spyware scanner reported "high" threat level spyware in NSIS/plugins/Math.dll.


You should report it at:

http://www.spynet.com/falsepositive.aspx


FYI, MS AntiSpyware beta1 just "found" plugins\math.dll.

Windows 2000, SP4.


see the two posts above ;)


and

Originally posted by Yathosho
see the two posts above ;)
from mine on what to do :)

-daz

FYI, my Microsoft AntiSpyware (Beta 1), v 1.0.501, Def v 5707, just detected plugins\math.dll as spyware too, as above. I was going to fill out the false positive form at www.spynet.com/falsepositive.aspx but it clearly states that, "The submitter should be the vendor of the program."

Just thought I would pass this along, thanks.


I too confirm math.dll as being found as a threat...


The submitter should be the vendor, but that's just a suggestion. The first question is whether you're the vendor or not. I can not keep filling these submission forms for every little company that decided the anti-spyware business is the next big thing and accidentally mistook NSIS or part of it for spyware just because some spyware was using it. Feel free to fill in my e-mail in case they need more details, but please fill it yourself where possible. My e-mail address is kichik at users dot sourceforge dot net.


Will do, thanks for your help kichik.:up:


Got the following from Microsoft:

Thank you for your recent inquiry about NSISdl plug-in and the issue you reported. Today, we updated the signature library for Microsoft Windows AntiSpyware to version 5713. We believe this new signature library contains the updates necessary to address the issue that you raised. This new signature library is now available for users who subscribe to the automatic signature update mechanism, as well as users who choose to manually update their signature library.
Please let me know if it's still giving false positives on NSISdl.dll so I can report it to them.

My MSSW came back clean yesterday... Finally.


Still showing a positive
I have just installed NSIS 2.0.6 and guess what, MS Antispyware is now showing nsisdl.dll as spyware. Has this dll been updated for v2.0.6?


nsisdl.dll wasn't changed since version 2.01. If you're using the latest definition files for your anti-spyware software, see my above posts for instructions on reporting this to Microsoft.


Latest definitions of antispyware (20th May) still show up this dll as being a trojan downloader. I have logged a report to Microsoft.

For info the link to the false positive form is now:
http://www.microsoft.com/athome/secu...sv/fpform.aspx


I have version 5719 of the signature library and MS Antispyware is still detecting nsisdl.dll as spyware. I'm running XP Pro SP2. I submitted a report to Microsoft stating that this is a false positive.

Is there any other action we can take? Is there a plan of action to address this with Microsoft aside from the false positive reporting that I and other users/NSIS devs have done?

Our product is installed using NSIS and (like many other products) it goes out to 100s of thousands of users so this is quite alarming for my company. Fortunately we found the problem before our customers have but it's only a matter of time.

Any information on your plan of action here would be greatly appreciated because we can use that to keep the fires under control while this gets worked out.

Thanks for your help and support. We are big fans of NSIS and are confident that you'll work this out quickly.

Regards,

--Tim
_____________________
Timothy S. Mitrovich
Consultant
Motive, Inc.
http://www.motive.com


There is no other solution but to keep notifying the anti-spyware companies.


I have had this problem for a while and I keep telling the program that it is a false virus.

I worry that users of this installer will think the installed files are viruses. I searched around the net and found many complaining about it worrying where it came from. Some don't know that it is a plug-in used to download in installers from NSIS.

The most I can say is if any others are too worried they could use InetLoad.

Attached is a Photo Taken Today from the MS AntiSpyWare Program Scan !!!


I have reported the issue to Microsoft again.


I'm beginning to think this is MS's way of saying why aren't you using the MS installation toolkit? Oh, you don't want to use it, then your other kits have trojans, etc...

I wonder how many people actually stopped using NSIS because of this. I am willing to bet this made an impact at some point. Sad to be honest :(


The reason behind the problem is that a malicious piece of software has abused code from NSISdl (NSIS plug-in that supports HTTP downloads). That's why some virus-scanners and anti-spyware tools reported it as a virus.

Only installers that use the NSISdl plug-in can be affected by this false positive. However, all these problems have been solved except this single issue with the MS tool. I'm sure this will also be fixed soon.


The issue should be fixed in the new definitions file, please let me know the results.


All was good for a while, but after updating to the latest signatures (5737), it appears that system.dll is now being detected as CoolWebSearch.Cameup (Browser Modifier) and dialer.dll is coming up as AntivirusGold (potentially Unwanted) - I'll also post to the false positive form at http://www.microsoft.com/athome/secu...sv/fpform.aspx and the newsgroup microsoft.private.security.spyware.signatures, and hopefully these will be corrected quicker than the previous incidents with math.dll and nsisdl.dll


... and all is now good again after 5739 was released ...


Back to the same deal with the 5743 signatures --> system.dll is detected as CoolWebSearch.Cameup and dialer.dll is detected as AntivirusGold.

I already submitted the false positive form at microsoft.com.


If you want to get rid of it you could recompile the plugin DLL you use and add some extra resource file, e.g. an icon, change some version info, UPX it, etc. The signature would not be of spyware anymore.

Yes, I know it is a very stupid situation, but at least you could solve your problem and have no worrying users anymore.


Does using LZMA compression resolve the problem?