Archive: Notice: NOD32 disables nsprocess plugin


As a matter of fact the known antivirus-software NOD32
from ESET www.eset.com will treat "nsprocess"
as "potential malware" from now on. (def 1.1858)

http://nsis.sourceforge.net/NsProcess_plugin
http://nsis.sourceforge.net/mediawik.../NsProcess.zip

.... it's intended for killing processes so it must
be detected as a Potentially unsafe app:

Description

Features:
Find a process by name
Kill a process by name
Kill all processes with specified name (not only one)
The process name is case-insensitive
Win95/98/ME/NT/2000/XP support
Small plugin size (4 Kb)

To disable this warning disable the option for "Adware/Spyware/Riskware"

From my point of view - no advantage in disabling this option.
Examples can be downloaded here: http://www.themexp.org/
themesxp.org distributes their content in a package with
lots of adware/spyware. NOD32 prevents the download.

Cheers

If you have experienced this problem and it interrupts your installer, please let NOD32 know that it's unacceptable to you. I'll also have a little chat with them about the consequences of such a false detection, "not a virus" or not.


I did - and above you got the answer!


I was actually talking to everyone who has this problem. In your case, you should continue and explain how unreasonable it is. You have a very valid installer which is absurdly disturbed because it uses a valid Windows API. If they wish to warn of process termination, they should hook TerminateProcess, warn about its usage only when it's used, and not just block any application that mentions it.


omg kichik - it is no longer my problem (i never used nsprocess).

it belongs to those who use it - i just got messages while updating nsis.
the rest is between you and eset - and they don't change their mind.

so i asked you to put a notice on the wiki page.

but instead you like to discuss what cannot be discussed - got it?


Update - nsprocess.dll is no longer a bad file.


Hi Brummelchen,

hmm I am currently a nod32 user and got attracted by this.... I wish to know more about your last post which says:

Update - nsprocess.dll is no longer a bad file.
Hmm let's see if I can identify what you mean

1. Nod32 updated their virus signatures so that nsprocess.dll is no longer detected by it as bad? And it is safe to use. It will not affect other nod32 users anymore from now on, right?

2. Or is it that I have to redownload the nsprocess plugin from the nsis wiki development center and patch over the current one I am using, which worked before this error caused by nod32?

till november i had nsprocess laid in my nsis directory which
is regularly scanned by nod. after that i removed it.
But i have a folder to collect new or updated files from nsis
in which the plugin is stored. the latest (full) scan has
found nothing. so i assume that eset has refreshed or refined
the signatures.

nevertheless the potential damage of this file within nsis
is existent. The best way is FindWindow and to inform the user
to close the application
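
The FindWindow-and-ask approach suggested in the post above, as an added NSIS example that is not part of the original thread. The window class `ExampleAppMainWindow`, the application name and the output file name are assumptions, and the check only covers applications that own a top-level window.

```nsis
; Added example: ask the user to close the running application
; instead of terminating its process from the installer.
Name "Example"
OutFile "example-setup.exe"
RequestExecutionLevel user

; Hypothetical window class of the application being upgraded (assumption).
!define APP_WNDCLASS "ExampleAppMainWindow"

Function EnsureAppClosed
  check:
    ; $0 receives the window handle, or 0 if no such window exists.
    FindWindow $0 "${APP_WNDCLASS}" ""
    IntCmp $0 0 done
    ; The window is still there: let the user close it and retry, or cancel.
    MessageBox MB_RETRYCANCEL|MB_ICONEXCLAMATION \
      "Example App is still running.$\nPlease close it, then click Retry." \
      IDRETRY check
    Abort "Installation cancelled: Example App is still running."
  done:
FunctionEnd

Section "Install"
  Call EnsureAppClosed
  ; File installation would follow here.
SectionEnd
```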


IMHO the best way is to recompile the Process Plugin yourself and add some extra code and version data, so checksum will not be the same. Maybe even use UPX or something else.

BTW always tell Symantec that they are crippling great open source software where they can check themselves if the code is malicious.


afterward packed files (eg with upx) are scanned and detected.


As of now, nsProcess.dll is still listed by more than 10 of the major anti-virus/spyware applications.

Bottom line is, if you want to avoid problems with users due to the false positives, your best bet is to implement the plugin's functionality directly into your installer with the System plugin.

Naturally, a DLL consisting of only functions used to kill processes is going to look suspicious.


Originally posted by Backland
As of now, nsProcess.dll is still listed by more than 10 of the major anti-virus/spyware applications.

Bottom line is, if you want to avoid problems with users due to the false positives, your best bet is to implement the plugin's functionality directly into your installer with the System plugin.

Naturally, a DLL consisting of only functions used to kill processes is going to look suspicious.

I used to use nsProcess plugin and I was desperate with all these annoying AV politics against the plugin instead of hook on TerminateProcess as kichik mentioned above.
So, Backland please, post an example here or better at wiki on how to accomplish the bottom line you mentioned above!

I have so far settled to use the TerminateProcess macro posted in the wiki by Takhir.

I have looked over the code required to correctly terminate a process given its module name (on Win 9x-XP), and the code is fairly large... implementing it using the System plugin is certainly going to be a big job.

Another option is to call the tskill utility, although I'm not sure if it ships/works with Windows 9x.

HTH :)


Just an example please... I'm not so advanced user to understand without an example!


http://nsis.sourceforge.net/Find_and_Close_or_Terminate
:)


You're pointing me to Takhir's function, already know this, unfortunately it can't terminate processes without window class/name so it can't replace the functionality of nsProcess plugin.

Probably I misunderstood because I thought you have a way to replace the nsProcess functionality with system plugin and a code example on how to do this, would be very nice and helpful for me.

Apologies...


You can take a look at that code here:
http://www.codeproject.com/threads/killprocess.asp

However, implementing that solution using the System plugin is not easy on any given day (and inserting it into a plugin will probably meet the same fate as nsProcess) :)


I repeat, I thought you have some solution using system plugin, it's my mistake that I didn't realize that you were just talking ;)

I have a painful issue with a process that I'm able to terminate only with nsProcess, however, the plugin is blocked in several systems from AVs. That's all, I thought you might have the solution.


I'm working on the solution as I have similar problem ;)

Will post any updates here...


See here:

http://www.microsoft.com/technet/sys...es/pskill.mspx


Works well, however it displays an EULA, it's 183KB and I haven't looked into redistribution rights either...