Nmap Development mailing list archives

Re: Latest dist v5.2


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Thu, 21 Jan 2010 09:59:51 -0600

On Thu, Jan 21, 2010 at 9:19 AM, Ron <> wrote:
> So, this problem is going to need some comment/discussion.
>
> The file that's causing the issue is nselib/data/psexec/nmap_service.exe.
> That file is uploaded by the smb-psexec script, and executes the psexec
> services remotely. It's required for psexec to work, and is the same thing
> done by Sysinternals' psexec (as well as metasploit's, winexe's, etc).
>
> What it does is run the programs given to it as arguments and write their
> output to a text file. That's it. The text file is downloaded/deleted by
> smb-psexec and displayed to the user. It doesn't do any network traffic or
> anything like that.
>
> Although this doesn't really behave like malware, it doesn't surprise me
> that some over-zealous a/v software would pick it up. I had avoided
> submitting the .exe file to virustotal for exactly that reason.
>
> So my question is, what do we do? The best bet might be to include
> nmap_service.exe separately. When somebody runs the script the first time,
> it checks if the file exists (and maybe checks the hash of the file, too, to
> make sure it wasn't tampered/deleted/etc), and then does the upload/etc. If
> the file doesn't exist, the user is told to download it from somewhere else.
>
> The other option is to tell the a/v vendor to cut it out, but I can't see
> that working. :)

Actually, this is pretty much the only option. Sysinternals' psexec
occasionally gets flagged as a virus along with other legit things
like upx-compressed executables because malware also uses them.

That's free / open source for you, right?

You have to let the vendors know they are triggering false positives.

It's up to them if they care or not.


> Opinions?
> Ron

-Jason
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
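Ron's proposal above (ship nmap_service.exe separately, check that it exists and that its hash matches before uploading it, and tell the user to fetch it if it is missing) is a small integrity check. The following is an added illustration written for this page, not code from nmap or from either poster; the file name, the "pinned digest" idea, and the sample bytes are assumptions made for the example, and it deliberately does not invent a download URL.

```python
"""Added example (not nmap's own code): the pre-upload integrity check
Ron sketches for a separately distributed nmap_service.exe.

Assumptions: the script tree carries only the expected SHA-256 of the
binary (so the a/v-flagged .exe itself never has to be in the
distribution), and the user is responsible for placing the binary at
the expected path.
"""
import hashlib
import hmac
import os
import tempfile

MISSING = "missing"    # tell the user to download the binary separately
TAMPERED = "tampered"  # digest mismatch: refuse to upload it to the target
OK = "ok"              # safe to proceed with the SMB upload


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so a large binary is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_service_binary(path, expected_sha256):
    """Return MISSING, TAMPERED or OK for the helper binary at `path`.

    `expected_sha256` is the hex digest pinned when the binary was built;
    it is the only trust anchor this check relies on.  A wrong digest is
    treated exactly like a deleted file: the upload does not happen.
    """
    if not os.path.isfile(path):
        return MISSING
    actual = sha256_file(path)
    # compare_digest: constant-time, and tolerant of an upper-case pinned digest
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return TAMPERED
    return OK


def user_message(status, path):
    """Human-readable outcome, in the spirit of the script telling the user what to do."""
    if status == MISSING:
        return ("%s not found; download nmap_service.exe from the location "
                "given in the script documentation and place it there" % path)
    if status == TAMPERED:
        return "%s does not match the expected SHA-256; refusing to upload it" % path
    return "%s verified; proceeding with upload" % path


def demo():
    """Exercise the three outcomes on constructed files (not the real nmap_service.exe)."""
    good = b"MZ\x90\x00" + b"constructed stand-in for nmap_service.exe"
    pinned = hashlib.sha256(good).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "nmap_service.exe")
        results["absent"] = check_service_binary(path, pinned)
        with open(path, "wb") as f:
            f.write(good)
        results["intact"] = check_service_binary(path, pinned.upper())
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate tampering: one appended byte
        results["modified"] = check_service_binary(path, pinned)
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(case, "->", user_message(status, "nmap_service.exe"))
```

Pinning a digest inside the script means a replaced or trojaned helper on the scanning host is refused rather than pushed to every target; it does nothing about the a/v false positive itself, which is Jason's point about having to tell the vendors.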