JWC

Why does EAM blocklist block nirsoft.net?


I use a number of their apps, including smartsniff.exe, which EAM claims contains a trojan.

I have reported this as a false-positive.

Does Emsi have conclusive and irrefutable evidence that NirSoft produces software with built-in malicious trojans?

Because an app may appear to exhibit trojan-like behaviour, it isn't necessarily malicious.

J


Most of Nirsoft's tools are categorized as "Riskware" (like the tools to extract serial numbers, password crackers, sniffers etc.). You may want to read up on Riskware here:

http://www.emsisoft....cles/tec060926/

OK, I've edited the rule to "Don't block". Some of their tools are very handy to have and I've never had a problem getting infected.


I've never had a problem getting infected.

Riskware is not whether or not you get infected. Riskware simply poses a security threat depending on who uses the tool. A tool that writes all registration codes of all installed applications to a text file can be handy (if the original owner of the computer lost a serial but still has the application installed for example) or it may be dangerous (if malware bundles the tool, executes it without the user's knowledge and sends off the resulting text file to the attacker). Riskware is essentially a grey zone of software that is often abused by malware, but is technically not malware itself. Another term you may want to search for for further information is "PUP" (Possibly Unwanted Program).


Riskware simply poses a security threat depending on who uses the tool.

That would be me... ;) Fabian,

no one else touches my system :angry:

Jim


Isn't that a bit harsh?

I guess Emsi wants to play-it-safe. A user has to take deliberate action to unblock the site.

The Admin can limit the actions of other non-admin users to prevent them from changing rules, etc. if there's any doubt about what the n-a user might download. It would just mean extra steps for the Admin to unblock nirsoft, download something and then reblock.

Not a big deal, I was just surprised when I saw it blocked and wanted to know if Emsi had knowledge that nirsoft had suddenly become dangerous.

I use their sniffer on occasion and EAM believes that has a Trojan, so I exclude it from EAM's attempts to quarantine it.

J


Nirsoft's tools are just tools. It is the same as giving a gun to a wise or bad man; in some countries guns are forbidden to civilians, so most AV vendors prefer to declare these tools as "malicious" even if it may result in more false positives.

Thanks :D

EAM even blocks the nirsoft.net website.

Isn't that a bit harsh?

This was not intentional and has been fixed in the latest update.


As far as I can see only one scanner reported it as "malware site", which really is not the case. The site is legit/safe, see also Fabian's explanation in post #4 of this topic.

In other words, the site is perfectly safe, there is no chance of your computer getting infected when you visit it. The fact that EAM blocked it last week was unintentional and that detection has been fixed already.

