Nmap Development mailing list archives

Re: Latest dist v5.2


From: Ron <ron () skullsecurity net>
Date: Thu, 21 Jan 2010 09:19:51 -0600

So, this problem is going to need some comment/discussion.

The file that's causing the issue is nselib/data/psexec/nmap_service.exe. That file is uploaded by the smb-psexec script, and executes the psexec services remotely. It's required for psexec to work, and is the same thing done by Sysinternals' psexec (as well as metasploit's, winexe's, etc).

What it does is run the programs given to it as arguments and write their output to a text file. That's it. The text file is downloaded/deleted by smb-psexec and displayed to the user. It doesn't do any network traffic or anything like that.

Although this doesn't really behave like malware, it doesn't surprise me that some over-zealous a/v software would pick it up. I had avoided submitting the .exe file to virustotal for exactly that reason.

So my question is, what do we do? The best bet might be to include nmap_service.exe separately. When somebody runs the script the first time, it checks if the file exists (and maybe checks the hash of the file, too, to make sure it wasn't tampered/deleted/etc), and then does the upload/etc. If the file doesn't exist, the user is told to download it from somewhere else.

The other option is to tell the a/v vendor to cut it out, but I can't see that working. :)

Opinions?
Ron
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
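
The check proposed in the message above (does the separately distributed helper exist, and does its hash match, before anything is uploaded) could look like the following. This is an added example, not code from the original message or from the Nmap project; the function names, the status values and the idea of a pinned SHA-256 shipped with the script are assumptions.

```python
import hashlib
import hmac
import os
import tempfile
from enum import Enum


class Status(Enum):
    OK = "ok"
    MISSING = "missing"
    MISMATCH = "mismatch"


def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so the binary is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_helper(path, pinned_sha256):
    """Decide whether the separately installed helper may be uploaded."""
    if not os.path.isfile(path):
        return Status.MISSING, "helper not found at %s; download it separately" % path
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        return Status.MISMATCH, "hash mismatch (got %s); refusing to upload" % actual
    return Status.OK, "helper verified"


def demo():
    """Run the three cases against a constructed stand-in file, not the real binary."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nmap_service.exe")
        missing = check_helper(path, "0" * 64)[0]          # file absent
        with open(path, "wb") as fh:
            fh.write(b"constructed stand-in bytes")
        pinned = sha256_file(path)                          # hypothetical pinned value
        ok = check_helper(path, pinned)[0]                  # untouched file
        with open(path, "ab") as fh:
            fh.write(b"\x00")                               # simulate tampering
        mismatch = check_helper(path, pinned)[0]
    return missing, ok, mismatch


if __name__ == "__main__":
    print(demo())
```

A file that antivirus software has quarantined shows up as the missing case, while one it has modified shows up as a mismatch, so the two get different messages.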

