Nmap Development mailing list archives
Re: Latest dist v5.2
From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Thu, 21 Jan 2010 09:59:51 -0600
On Thu, Jan 21, 2010 at 9:19 AM, Ron <> wrote:
> So, this problem is going to need some comment/discussion.
>
> The file that's causing the issue is nselib/data/psexec/nmap_service.exe. That file is uploaded by the smb-psexec script, and executes the psexec services remotely. It's required for psexec to work, and is the same thing done by Sysinternals' psexec (as well as metasploit's, winexe's, etc). What it does is run the programs given to it as arguments and write their output to a text file. That's it. The text file is downloaded/deleted by smb-psexec and displayed to the user. It doesn't do any network traffic or anything like that.
>
> Although this doesn't really behave like malware, it doesn't surprise me that some over-zealous a/v software would pick it up. I had avoided submitting the .exe file to virustotal for exactly that reason.
>
> So my question is, what do we do?
>
> The best bet might be to include nmap_service.exe separately. When somebody runs the script the first time, it checks if the file exists (and maybe checks the hash of the file, too, to make sure it wasn't tampered/deleted/etc), and then does the upload/etc. If the file doesn't exist, the user is told to download it from somewhere else.
>
> The other option is to tell the a/v vendor to cut it out, but I can't see that working. :)

Actually, this is pretty much the only option. Sysinternals' psexec occasionally gets flagged as a virus along with other legit things like upx-compressed executables because malware also uses them. That's free / open source for you, right? You have to let the vendors know they are triggering false positives. It's up to them if they care or not.

> Opinions?
> Ron

-Jason
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
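The existence-and-hash check proposed in the quoted text, sketched as an added example (not part of the original message and not Nmap's code). It assumes a pinned SHA-256 distributed with the script; the function names and the sample bytes are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash the file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_service_binary(path, expected_sha256):
    """Return (status, message); status is 'ok', 'missing' or 'mismatch'."""
    if not os.path.isfile(path):
        # Covers both "never installed" and "removed or quarantined by a/v".
        return "missing", f"{path} not found; download it separately and place it here"
    actual = sha256_file(path)
    if actual != expected_sha256.lower():
        # Covers tampering, truncation and partial downloads: refuse to upload.
        return "mismatch", f"{path} has SHA-256 {actual}, expected {expected_sha256}"
    return "ok", f"{path} verified"


def demo():
    """Run the three outcomes against a constructed stand-in file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "nmap_service.exe")
        statuses = [check_service_binary(path, "0" * 64)[0]]      # file absent

        content = b"constructed stand-in, not the real service binary"
        pinned = hashlib.sha256(content).hexdigest()              # assumed pinned value
        with open(path, "wb") as f:
            f.write(content)
        statuses.append(check_service_binary(path, pinned)[0])    # intact file

        with open(path, "ab") as f:
            f.write(b"\x00")                                      # simulate modification
        statuses.append(check_service_binary(path, pinned)[0])
        return statuses


if __name__ == "__main__":
    print(demo())
```
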
Current thread:
- Latest dist v5.2 Antonín Sprinzl (Jan 21)
- Re: Latest dist v5.2 Jonathan R (Jan 21)
- Re: Latest dist v5.2 Ron (Jan 21)
- Re: Latest dist v5.2 Ron (Jan 21)
- Re: Latest dist v5.2 DePriest, Jason R. (Jan 21)
- Re: Latest dist v5.2 Ron (Jan 21)
- Re: Latest dist v5.2 DePriest, Jason R. (Jan 21)
- Re: Latest dist v5.2 Ron (Jan 21)
- Re: Latest dist v5.2 Ron (Jan 21)
- Re: Latest dist v5.2 Michael Pattrick (Jan 21)
- Re: Latest dist v5.2 Michael Pattrick (Jan 21)
- Re: Latest dist v5.2 Ron (Jan 21)
- AW: Latest dist v5.2 Wissmann, Dirk (Jan 21)
- Re: Latest dist v5.2 Fyodor (Jan 21)
- Re: Latest dist v5.2 Tom Sellers (Jan 21)