Old 14th November 2006, 17:20   #1
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
Notice: NOD32 disables nsprocess plugin

As a matter of fact the known antivirus-software NOD32
from ESET www.eset.com will treat "nsprocess"
as "potential malware" from now on. (def 1.1858)

http://nsis.sourceforge.net/NsProcess_plugin
http://nsis.sourceforge.net/mediawik.../NsProcess.zip

Quote:
.... it's intended for killing processes so it must
be detected as a Potentially unsafe app:

Description

Features:
Find a process by name
Kill a process by name
Kill all processes with specified name (not only one)
The process name is case-insensitive
Win95/98/ME/NT/2000/XP support
Small plugin size (4 Kb)
To disable this warning disable the option for "Adware/Spyware/Riskware"

From my point of view - no advantage in disabling this option.
Examples can be downloaded here: http://www.themexp.org/
themesxp.org distributes their content in a package with
lots of adware/spyware. NOD32 prevents the download.

Cheers

Greets, Brummelchen
Old 14th November 2006, 22:51   #2
kichik
M.I.A.
[NSIS Dev, Mod]
 
Join Date: Oct 2001
Location: Israel
Posts: 11,343
If you have experienced this problem and it interrupts your installer, please let NOD32 know that it's unacceptable to you. I'll also have a little chat with them about the consequences of such a false detection, "not a virus" or not.

NSIS FAQ | NSIS Home Page | Donate $
"I hear and I forget. I see and I remember. I do and I understand." -- Confucius
Old 15th November 2006, 15:43   #3
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
I did - and above you got the answer!

Greets, Brummelchen
Old 16th November 2006, 19:13   #4
kichik
M.I.A.
[NSIS Dev, Mod]
 
Join Date: Oct 2001
Location: Israel
Posts: 11,343
I was actually talking to everyone who has this problem. In your case, you should continue and explain how unreasonable it is. You have a very valid installer which is absurdly disturbed because it uses a valid Windows API. If they wish to warn of process termination, they should hook TerminateProcess, warn about its usage only when it's used, and not just block any application that mentions it.

Old 17th November 2006, 00:51   #5
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
omg kichik - it is no longer my problem (i never used nsprocess).

it belongs to those who use it - i just got messages while updating nsis.
the rest is between you and eset - and they don't change their mind.

so i asked you to put a notice on the wiki page.

but instead you like to discuss what can not be discussed - got it?

Greets, Brummelchen
Old 24th January 2007, 20:20   #6
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
Update - nsprocess.dll is no longer a bad file.

Greets, Brummelchen
Old 26th January 2007, 12:38   #7
rxs2k5
Member
 
Join Date: Apr 2006
Posts: 66
Hi Brummelchen,

Hmm, I am currently a NOD32 user and got attracted by this.... I wish to know more about your last post, which says:

Quote:
Update - nsprocess.dll is no longer a bad file.
Hmm, let's see if I can identify what you mean.

1. NOD32 updated their virus signatures so that nsprocess.dll is no longer detected by it as bad? And it is safe to use. It will not affect other NOD32 users anymore from now on, right?

2. Or is it that I have to redownload the nsprocess plugin from the NSIS wiki development center and patch over the current one I am using, which worked before this error caused by NOD32?
Old 26th January 2007, 13:00   #8
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
till november i had nsprocess laid in my nsis directory which
is regularly scanned by nod. after that i removed it.
But i have a folder to collect new or updated files from nsis
in which the plugin is stored. the latest (full) scan has
found nothing. so i assume that eset has refreshed or refined
the signatures.

nevertheless the potential damage of this file within nsis
is existent. The best way is FindWindow and to inform the user
to close the application

Greets, Brummelchen
Brummelchen is offline   Reply With Quote
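The approach suggested in post #8 (detect the application's window with FindWindow and ask the user to close it, rather than terminating the process), sketched as an added example that is not part of the original thread or of any NSIS plugin. The window class `ExampleAppMainWindow`, the product name and the output file name are hypothetical placeholders.

```nsis
; Added example: refuse to continue while the target application is open,
; and let the user close it instead of killing the process.
; All names below are hypothetical placeholders.
Name "Example App"
OutFile "example-setup.exe"

!define APP_WINDOW_CLASS "ExampleAppMainWindow" ; assumed window class of the app

Function .onInit
  check_running:
    ; FindWindow stores the window handle in $0, or 0 if no such window exists
    FindWindow $0 "${APP_WINDOW_CLASS}"
    IntCmp $0 0 not_running

    ; Window found: ask the user to close the application and re-check
    MessageBox MB_RETRYCANCEL|MB_ICONEXCLAMATION \
      "Example App is still running.$\r$\nPlease close it, then click Retry." \
      IDRETRY check_running

    ; User chose Cancel: quit the installer without touching the process
    Abort

  not_running:
FunctionEnd

Section
  ; installation steps go here
SectionEnd
```

This only detects applications that own a top-level window of the given class; a process without a window is not found this way.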
Old 29th January 2007, 16:32   #9
onad
Senior Member
 
Join Date: Dec 2004
Location: Turkey
Posts: 447
IMHO the best way is to recompile the Process Plugin yourself and add some extra code and version data, so the checksum will not be the same. Maybe even use UPX or something else.

BTW always tell Symantec that they are crippling great open source software where they can check themselves if the code is malicious.

"Just do it"
Old 30th January 2007, 13:55   #10
Brummelchen
Major Dude
 
Join Date: May 2003
Posts: 681
afterward packed files (eg with upx) are scanned and detected.

Greets, Brummelchen
Old 7th February 2007, 13:14   #11
Backland
Senior Member
 
Join Date: Sep 2006
Posts: 150
As of now, nsProcess.dll is still listed by more than 10 of the major anti-virus/spyware applications.

Bottom line is, if you want to avoid problems with users due to the false positives, your best bet is to implement the plugin's functionality directly into your installer with the System plugin.

Naturally, a DLL consisting of only functions used to kill processes is going to look suspicious.
Old 7th February 2007, 20:15   #12
Red Wine
Forum King
 
Join Date: Mar 2006
Location: Ath. GR
Posts: 2,078
Quote:
Originally posted by Backland
As of now, nsProcess.dll is still listed by more than 10 of the major anti-virus/spyware applications.

Bottom line is, if you want to avoid problems with users due to the false positives, your best bet is to implement the plugin's functionality directly into your installer with the System plugin.

Naturally, a DLL consisting of only functions used to kill processes is going to look suspicious.
I used to use the nsProcess plugin and I was desperate with all these annoying AV politics against the plugin instead of hooking TerminateProcess as kichik mentioned above.
So, Backland please, post an example here or better at wiki on how to accomplish the bottom line you mentioned above!

Quick AVI Creator - Quick and easy convert from DVD/MPEG/AVI/MKV to AVI/MP4/MKV
Quick AVI Creator entirely edited with NSIS and entirely upgraded to Unicode NSIS
Old 7th February 2007, 20:49   #13
Backland
Senior Member
 
Join Date: Sep 2006
Posts: 150
I have so far settled to use the TerminateProcess macro posted in the wiki by Takhir.

I have looked over the code required to correctly terminate a process given its module name (on Win 9x-XP), and the code is fairly large... implementing it using the System plugin is certainly going to be a big job.

Another option is to call the tskill utility, although I'm not sure if it ships/works with Windows 9x.

HTH
Old 7th February 2007, 20:55   #14
Red Wine
Forum King
 
Join Date: Mar 2006
Location: Ath. GR
Posts: 2,078
Just an example please... I'm not such an advanced user as to understand without an example!

Old 8th February 2007, 09:21   #15
Backland
Senior Member
 
Join Date: Sep 2006
Posts: 150
http://nsis.sourceforge.net/Find_and_Close_or_Terminate
Old 8th February 2007, 09:39   #16
Red Wine
Forum King
 
Join Date: Mar 2006
Location: Ath. GR
Posts: 2,078
You're pointing me to Takhir's function, already know this, unfortunately it can't terminate processes without window class/name so it can't replace the functionality of nsProcess plugin.

Probably I misunderstood because I thought you have a way to replace the nsProcess functionality with system plugin and a code example on how to do this, would be very nice and helpful for me.

Apologies...

Old 8th February 2007, 11:15   #17
Backland
Senior Member
 
Join Date: Sep 2006
Posts: 150
You can take a look at that code here:
http://www.codeproject.com/threads/killprocess.asp

However, implementing that solution using the System plugin is not an easy task on any given day (and inserting it into a plugin will probably meet the same fate as nsProcess)
Old 8th February 2007, 11:41   #18
Red Wine
Forum King
 
Join Date: Mar 2006
Location: Ath. GR
Posts: 2,078
I repeat, I thought you have some solution using system plugin, it's my mistake that I didn't realize that you were just talking

I have a painful issue with a process that I'm able to terminate only with nsProcess, however, the plugin is blocked in several systems from AVs. That's all, I thought you might have the solution.


Last edited by Red Wine; 8th February 2007 at 12:12.
Old 8th February 2007, 12:33   #19
Backland
Senior Member
 
Join Date: Sep 2006
Posts: 150
I'm working on the solution as I have a similar problem

Will post any updates here...
Old 8th February 2007, 12:36   #20
Backland
Senior Member
 
Join Date: Sep 2006
Posts: 150
See here:

http://www.microsoft.com/technet/sys...es/pskill.mspx


Works well, however it displays an EULA, it's 183KB and I haven't looked into redistribution rights either...