McAfee detects strange movements

Luisillo (Madrid)

Hello.

I found that my AV McAfee with the latest DAT detected some strange modifications to the registry when installing WinSCP 4.2.1

C:\DOCUME~1\luis\CONFIG~1\Temp\is-TPN7O.tmp\winscp423setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection BLOCKED
C:\DOCUME~1\luis\CONFIG~1\Temp\is-TPN7O.tmp\winscp423setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray BLOCKED
C:\DOCUME~1\luis\CONFIG~1\Temp\is-TPN7O.tmp\winscp423setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore BLOCKED

I'm not sure why the installer is touching that area of the registry, but it looks like it is trying to modify some keys related to the antivirus, and the AV blocked it to protect itself...
I have not noticed this behaviour in previous versions :/

Can we know what is happening?
Thank you!

martin, Site Admin (Prague, Czechia)

Re: McAfee detects strange movements

I'm sorry, but I do not understand what the log you've posted says. The file path on the left side is a temporary file used by the installer. I do not know the registry path on the right, nor do I see how this is related. No one else has reported a similar concern before.

Luisillo (Madrid)

I truncated the log to make it clearer (too much truncation, I think :o)

The log has 3 columns.
1. File which is executing and provoked the alert
2. Target. The process in 1 is modifying/adding/deleting something in that key
3. Result. Blocked. It could be just a warning, but the AV detects this as an attempt to modify McAfee files and registry keys, and it blocks it.

The thing is, I don't know why the installer has to write multiple keys in the registry area reserved for McAfee.
I mean, most viruses try to stop the antivirus by disabling antivirus keys in the registry, and this looks just like that!

martin, Site Admin

As nobody else has reported the problem, I'm tempted to consider this either a false positive of your anti-virus, or that your local copy of the WinSCP installer got infected.

Luisillo (Madrid)

I've got 4 managed machines reporting that problem.
Every time I try the installer I get those alerts about trying to write to antivirus keys. I cannot say what it is doing. I can only confirm that it is writing something in an area which is not related at all to SCP communications, or anything else.

I was wondering whether WinSCP tries to disable or configure the McAfee firewall to permit connections to SSH and others. But this alert shows when I double-click on the installer, not while the installer is installing data, configuring ports, etc.

martin, Site Admin

WinSCP (neither the application nor the installer) does not try to change the configuration of any antivirus.

Did you download the installer separately on each of the 4 machines? What SourceForge mirror did you use (or rather, which mirror was selected for your location)? Can you try another one?

Guest

I had this same issue...

4/30/2010 10:43:07 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
4/30/2010 10:43:08 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write
4/30/2010 10:43:08 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
4/30/2010 10:43:08 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write
4/30/2010 10:43:09 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
4/30/2010 10:43:09 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write
4/30/2010 10:43:10 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
4/30/2010 10:43:10 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write
4/30/2010 10:43:10 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
4/30/2010 10:43:11 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write
4/30/2010 10:43:11 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
4/30/2010 10:43:11 AM Blocked by Access Protection rule MY_USERNAME C:\Temp\is-QMA5J.tmp\winscp427setup.tmp \REGISTRY\MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write

I have no idea which mirror was used. However, this is a serious issue that should be acted upon immediately.

martin, Site Admin

My statement is still the same as above. I do not see anything wrong about the installer writing to the temp directory.

pwilson (Guest)

More troubling McAfee activity

I just installed the latest stable version (at the time of this post, 4.2.9) and during the install, McAfee alerted me to some blocked actions. I checked the log, and if I read this correctly, it would appear that the installer was trying to modify McAfee's registry keys. Am I reading this correctly? If so, this is highly suspect. What's more troubling is the fact that when I received the notification to upgrade a few weeks ago, I went to the download page, and the download page had apparently been hacked. I created a ticket and it was quickly resolved (https://winscp.net/forum/viewtopic.php?t=9215&highlight=hacked). I'm seriously concerned that WinSCP, the website, software, or both, have been compromised as both are highly desirable targets. I hope I'm just being paranoid, but I think it's worth looking into.

12/30/2010   9:24:13 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:14 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\Alerts   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:15 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\DefaultTask   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:15 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:15 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray   Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings   Action blocked : Write
12/30/2010   9:24:15 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray\Plugins   Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings   Action blocked : Write
12/30/2010   9:24:15 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:15 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\Alert Client   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:16 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\Detect   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:16 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\Email Scanner   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:16 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\McPAL   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:16 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\MCVSSNMP   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:16 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\NVP   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:16 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:16 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\Script Scanner   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:16 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator   Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings   Action blocked : Write
12/30/2010   9:24:17 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:17 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\Alerts   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:17 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\DefaultTask   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:17 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:17 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray   Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings   Action blocked : Write
12/30/2010   9:24:17 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray\Plugins   Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings   Action blocked : Write
12/30/2010   9:24:18 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:18 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\Alert Client   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:18 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\Detect   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:18 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\Email Scanner   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:18 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\McPAL   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:18 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\MCVSSNMP   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:18 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\NVP   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:18 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:19 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\Script Scanner   Common Standard Protection:Prevent modification of McAfee files and settings   Action blocked : Write
12/30/2010   9:24:19 AM   Blocked by Access Protection rule    <machine name redacted>   C:\Users\<user name redacted>\AppData\Local\Temp\is-F70UF.tmp\winscp429setup.tmp   \REGISTRY\MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator   Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings   Action blocked : Write

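The Access Protection log lines quoted in the two posts above share one layout: timestamp, the literal "Blocked by Access Protection rule", the user, the process image, the target object, the rule (category:name) and the action. Parsing them and grouping the blocked writes by process image answers the question Martin keeps asking (one bad local download, or the same image on every machine?) faster than reading the list by eye. The script below is an added example for this page, not code from WinSCP or McAfee. It assumes the log columns are tab-separated (the forum rendering shows the tabs as runs of spaces), and its sample lines are constructed after the ones posted above: the user names, the path under C:\Users\bob, and the last two lines are made up.

```python
"""Parse McAfee VirusScan Access Protection log lines and group the blocked
writes by process image, so "one bad download" can be told apart from "the
same installer image on every machine".

Added illustration for this thread; not WinSCP's or McAfee's code.
Assumption: columns are tab-separated (pasted copies show them as runs of
spaces), so fields are split on a tab or on two or more spaces, never on a
single space: registry keys ("VSCore\\On Access Scanner") and rule names
contain single spaces.
"""
import ntpath
import re
from collections import defaultdict

MARKER = "Blocked by Access Protection rule"
FIELD_SPLIT = re.compile(r"\t| {2,}")
# Inno Setup unpacks its bootstrap into %TEMP%\is-XXXXX.tmp\<name>setup.tmp;
# the five-character token changes on every run, so collapse it when grouping.
INNO_TMP = re.compile(r"is-[A-Za-z0-9]{5}\.tmp", re.IGNORECASE)
# Registry areas guarded by McAfee's self-protection rules (compared case-insensitively).
AV_HIVES = tuple(h.lower() for h in (
    r"\REGISTRY\MACHINE\SOFTWARE\McAfee",
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee",
    r"\REGISTRY\MACHINE\SOFTWARE\Network Associates",
    r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Network Associates",
))


def parse_ap_line(line):
    """Return the fields of one 'Blocked by Access Protection rule' line, or None."""
    fields = [f for f in FIELD_SPLIT.split(line.strip()) if f]
    if MARKER not in fields:
        return None
    i = fields.index(MARKER)
    try:
        user, process, target, rule, action = fields[i + 1:i + 6]
    except ValueError:  # truncated line
        return None
    category, _, rule_name = rule.partition(":")
    return {
        "timestamp": " ".join(fields[:i]),  # date and time may sit in two columns
        "user": user,
        "process": process,
        "target": target,
        "category": category,
        "rule": rule_name,
        "action": action.rsplit(":", 1)[-1].strip(),  # "Action blocked : Write" -> "Write"
    }


def normalise_process(path):
    """Lower-case the path and replace the random Inno Setup temp directory."""
    return INNO_TMP.sub("is-*.tmp", path).lower()


def touches_av_hive(target):
    """True when the target is one of the guarded McAfee/ePO keys or a subkey of one."""
    t = target.lower()
    return any(t == h or t.startswith(h + "\\") for h in AV_HIVES)


def summarise(lines):
    """Group events by process image name. Each Inno temp directory is one
    execution of the installer, so 'runs' counts distinct executions."""
    groups = defaultdict(lambda: {"events": 0, "users": set(), "runs": set(),
                                  "images": set(), "av_targets": set(), "other_targets": set()})
    for line in lines:
        ev = parse_ap_line(line)
        if ev is None:
            continue
        g = groups[ntpath.basename(ev["process"]).lower()]
        g["events"] += 1
        g["users"].add(ev["user"])
        g["runs"].add(ev["process"].lower())
        g["images"].add(normalise_process(ev["process"]))
        g["av_targets" if touches_av_hive(ev["target"]) else "other_targets"].add(ev["target"])
    return {name: {"events": g["events"], "runs": len(g["runs"]),
                   "users": sorted(g["users"]), "images": sorted(g["images"]),
                   "av_targets": sorted(g["av_targets"]),
                   "other_targets": sorted(g["other_targets"])}
            for name, g in groups.items()}


def suspicious(summary):
    """Process images that were blocked from writing inside the AV's own hive."""
    return sorted(name for name, g in summary.items() if g["av_targets"])


def _ap(when, user, process, target, rule, action="Write"):
    """Build one log line in the tab-separated layout assumed above."""
    return "\t".join([when, MARKER, user, process, target, rule, f"Action blocked : {action}"])


SELF_PROT = "Common Standard Protection:Prevent modification of McAfee files and settings"
CMA_PROT = "Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings"
TEMP_EXEC = "Common Standard Protection:Prevent common programs from running files from the Temp folder"

# Constructed sample modelled on the thread's lines; users and the last two lines are invented.
SAMPLE_LOG = [
    _ap("4/30/2010 10:43:07 AM", r"LAB\alice", r"C:\Temp\is-QMA5J.tmp\winscp427setup.tmp",
        r"\REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection", SELF_PROT),
    _ap("4/30/2010 10:43:08 AM", r"LAB\alice", r"C:\Temp\is-QMA5J.tmp\winscp427setup.tmp",
        r"\REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner", SELF_PROT),
    _ap("4/30/2010 10:43:08 AM", r"LAB\alice", r"C:\Temp\is-QMA5J.tmp\winscp427setup.tmp",
        r"\REGISTRY\MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator", CMA_PROT),
    _ap("12/30/2010   9:24:15 AM", r"LAB\bob", r"C:\Users\bob\AppData\Local\Temp\is-F70UF.tmp\winscp427setup.tmp",
        r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\McTray\Plugins", CMA_PROT),
    _ap("12/30/2010   9:31:02 AM", r"LAB\bob", r"C:\Windows\Temp\vendorupdate.exe",
        r"C:\Windows\Temp\helper.dll", TEMP_EXEC, "Execute"),
    "12/30/2010   9:31:03 AM   On-Access scan started",  # unrelated line, ignored
]

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for name in suspicious(report):
        g = report[name]
        print(f"{name}: {g['events']} blocked writes, {g['runs']} run(s) by {len(g['users'])} user(s)")
        for t in g["av_targets"]:
            print("   ", t)
```

Feed `summarise()` the lines of the exported Access Protection log instead of `SAMPLE_LOG` to use it on real data. A process image that shows up with several runs, several users and a non-empty `av_targets` list, as the WinSCP entry does in the sample, is the pattern the thread describes and points at the shipped image rather than one corrupted copy; a single run on a single host is the "bad local download" case Martin suggests checking first.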

martin, Site Admin (Prague, Czechia)

Re: More troubling McAfee activity

pwilson wrote:

I just installed the latest stable version (at the time of this post, 4.2.9) and during the install, McAfee alerted me to some blocked actions. I checked the log, and if I read this correctly, it would appear that the installer was trying to modify McAfee's registry keys. Am I reading this correctly? If so, this is highly suspect. What's more troubling is the fact that when I received the notification to upgrade a few weeks ago, I went to the download page, and the download page had apparently been hacked. I created a ticket and it was quickly resolved (https://winscp.net/forum/viewtopic.php?t=9215&highlight=hacked). I'm seriously concerned that WinSCP, the website, software, or both, have been compromised as both are highly desirable targets. I hope I'm just being paranoid, but I think it's worth looking into.
4.2.9 has been out for a few weeks already and I do not have any other such report. Where did you download the WinSCP installer from?

Regarding the alleged hacking of the winscp.net site: it was the version history page (not the download page), which is part of the wiki-based documentation of WinSCP. As with any wiki, such as Wikipedia, some people find it funny to post nonsense there. This can hardly be called hacking.

Guest

4.2.9 installer writing to McAfee registry entries

I've also had this problem, just today. I downloaded the installer two days ago, from the iWeb sourceforge mirror. When I ran the installer today, McAfee logged a number of attempts to write to VirusScan registry entries. Here's a list of the registry entries the installer attempted to write to:

    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\Alerts
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\DefaultTask
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\TaskLastData
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\Tasks
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\McTray
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\McTray\Plugins
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore\Alert Client
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore\Detect
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore\Email Scanner
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore\McPAL
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore\MCVSSNMP
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore\NVP
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore\On Access Scanner
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\VSCore\Script Scanner
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator

Why might this be happening?

martin, Site Admin

Re: 4.2.9 installer writing to McAfee registry entries

So can you try to download the installer again, from another mirror, and try to reinstall it, to see if the problem repeats?

pwilson (Guest)

Re: More troubling McAfee activity

My apologies regarding the "hacking" of the history page. I obviously didn't look deeply enough and didn't realize that this page was in a Wiki. I agree, this isn't hacking, just spamming.

Regardless, it seems like more people than just me are experiencing this weird registry issue. Would it be possible for you to test and try to confirm, or would you need a copy of McAfee? I don't really have any reason to believe that WinSCP's source code itself is compromised, but if you're still using OpenCandy in the installer, might there not be a possible connection there? I'm not too familiar with OpenCandy - do they give you a binary library, or do you have access to their source code so you can truly verify that their software contains no malware - aside, of course, from the junk they're openly hawking in your installer ;)

martin, Site Admin (Prague, Czechia)

Re: More troubling McAfee activity

pwilson wrote:

Regardless, it seems like more people than just me are experiencing this weird registry issue. Would it be possible for you to test and try to confirm, or would you need a copy of McAfee? I don't really have any reason to believe that WinSCP's source code itself is compromised, but if you're still using OpenCandy in the installer, might there not be possible connection there? I'm not too familiar with OpenCandy - do they give you a binary library or do you have access to their source code so you can truly verify that their software contains no malware - aside, of course, from the junk they're openly hocking in your installer ;)
Can you send me an email, so I can send you back a custom build of the WinSCP installer to track the problem? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.

You will find my address (if you log in) in my forum profile.

Guest

Re: 4.2.9 installer writing to McAfee registry entries

martin wrote:

So can you try to download the installer again, from another mirror, and try to reinstall it, to see if the problem repeats?

I just downloaded the installer from a different mirror (superb-sea2) and ran it. I'm getting the same behavior as before -- it writes to VirusScan (and Firefox) registry entries. Also, I just noticed that it's doing this as soon as the installer runs, before the first installer screen ("Welcome to the WinSCP Setup Wizard") is shown.

For what it's worth, I'm also seeing this behavior from IZarc 4.1.2, which also uses OpenCandy.

pwilson (USA)

Re: Email sent

pwilson wrote:

I've sent prikryl an email and I'll document what we find, if anything, in this thread.

Update: Martin has had me test various builds of the installer and we have found the following things:

  • Up until about two weeks ago, I was able to reproduce this issue; however, since about a week ago, McAfee has had no more complaints regarding the installer. I used the same installer on both occasions.
  • When the issue was reproducible, McAfee reported the attempted registry changes consistently at the same time when loading the installer.

I think it's a bit too early to definitively call this one way or the other, however I think the following options are possible:

  • McAfee registered a false positive
  • OpenCandy "phones home" and changes its installation routine dynamically (pure speculation on my part - would need to be tested with a close eye to open network connections)
  • Gremlins

Ultimately, I think this requires more testing and waiting to see if we can identify a pattern of behavior.

Whatever the outcome, however, I would like to acknowledge Martin's patience and willingness to respond to his users' questions and concerns. His efforts help to make the open source software community a successful and thriving one. I personally rely on WinSCP on a daily basis and would encourage everyone who feels the same way that I do to donate and help continue the development of this software.

Patrick
