yipes--indexing spawns malware

Postby jreyes1958 » Fri Mar 19, 2010 9:11 am

First -- I've been an X1 user since its initial launch. Just a great product. After moving to Windows 7 I tried the default Windows desktop search but decided I needed my X1 back, so I just downloaded a new version to put on my new Windows 7 laptop.

Running Windows 7 -- Outlook 2007
X1 version 6.57

When I launched X1, it started indexing in the background -- saw the emails start coming up in the panel.

A few seconds later Norton NIS 2009 went on full alert -- multiple blocks of malware: Bredolab, Zbot, Antivirus2010, Trojan.Downloader etc. etc. Luckily NIS 2009 said it blocked everything.

Once I stopped X1 from indexing, the alerts stopped, so I believe the indexing spawned the problem. Luckily nothing got infected as Norton seemed to have blocked everything, but you never know.

I think I know what is going on, but can someone please verify before I reinstall X1 and go through this nightmare again.

I believe the following may be happening:

1) Either the X1 download is infected or, more likely...

2) When X1 is indexing -- it indexes Outlook deleted files by default,

In indexing the deleted folder it is opening up attachments/extracting in those deleted emails -- many of the deleted items in Outlook are probably phishing attacks for launching malware, as that's a common vector for malware launches -- while I never open those emails and send them right to the deleted folder, X1 isn't so smart -- it opens up and extracts what it finds anywhere, including the Outlook deleted folder trash file. -- Luckily Norton NIS went shields up -- so I think I got lucky.


This is really dangerous -- for X1 to open up those attachments and somehow "execute" the zipped file sitting in deleted folders -- or I guess to open up any zipped attachments anywhere -- guess I don't know why indexing would then actually execute what is sitting in those attachments -- that seems weird behavior -- would think it would simply find the name of the file without actually firing off the zipped executable.

Anyway,
can anyone confirm that this is likely behavior: X1 unzipping attachments and then "executing" the deliverable somehow -- considering that when I launched X1 for the first time it started indexing automatically -- a computer that was less protected would have been inadvertently infected through X1 indexing of the attachments in the deleted Outlook folder.

I have emptied the deleted folder but am now afraid of relaunching X1.

I will not use this product (and I love this product) and will ask for a refund if I can't find a way to keep X1 from inadvertently spawning this type of attack -- would mean that any incoming email that sits in your inbox or spam folder or deleted folder that has an attachment that might be dangerous would be launched upon indexing -- if I turn off the indexing of attachments (assume that's possible -- that probably solves part of the problem, but I don't know that) -- kinda defeats the purpose.

I think the default installation will be to not index deleted files or not open zip files in email attachments -- or something like that, or warn the user to empty deleted files -- or find a way for X1 to index without executing what it finds.

I know this is a lot to digest -- and hate to lay the blame on X1 -- but believe X1 is at fault here -- nothing else was running except X1 indexing -- once I stopped indexing, the alerts stopped. --

I think I dodged a bullet that X1 inadvertently set off.

Help.

I have also posted this to customer service.
jreyes1958
Posts: 5
Joined: Mon Apr 19, 2004 11:31 am

Re: yipes--indexing spawns malware

Postby Kenward » Fri Mar 19, 2010 12:42 pm

This is the first time I have seen a report like this here.

My first thought is to wonder how on earth anyone allows dangerous stuff like that to get on to their PC, let alone in a place where it might get indexed.

Have you got Outlook's spam security turned off?

On the messages, I can't see that X1 would execute stuff unless you tried to view the suspect messages, but I will leave it to an expert to go into that. X1 will look inside zipped files to index them. That's one of its roles in life.

In the meantime, you can tell X1 not to index folders that might contain dangerous messages. I always have it set so that X1 does not index deleted items, and certainly not "Junk".

As a long-time user, you don't need me to tell you how to exclude those folders from your indexes.

In your shoes I would take a serious look at my email practices. In my case I have at least three levels of protection.

    I filter all incoming messages with Mailwasher
    I allow Outlook to trap anything that gets through
    For really polluted mailboxes I use GMail to intercept, filter out rubbish, then forward what's left
    Like you, I also have anti-virus stuff running

At least you have now confirmed that your anti-virus software works, although most of the people I know gave up on Norton quite some time ago. Perhaps they have got their act back together. It seems to work for you.
MK
X1 Search 8.5.2 - Build 6001si (64-bit)
Windows 10 Pro 64-bit | Windows 10 Home 32-bit
No, I have nothing to do with X1, just a user since 2004.
Kenward
X1 Guru
Posts: 4107
Joined: Tue Apr 20, 2004 2:35 am
Location: UK

Re: yipes--indexing spawns malware

Postby tjh » Fri Mar 19, 2010 12:58 pm

What a lot of drama!

Any time a file is scanned (not executed!!) a virus scanner will look at what's being scanned and, if it sees a pattern it recognises, will flag it as a virus.

What's happening here is perfectly normal behaviour. X1 is scanning your email to index it; the virus scanner is seeing a pattern of bytes it recognises as X1 scans and is flagging the email/content in the email as a virus.

Now, where you've got this idea that X1 is trying to _execute_ the code from, I have no idea. But it's not trying to do that and to suggest it is shows a lack of understanding of how file scanning/virus scanning works.

If you had a zip file on your desktop with supernasty.exe in it, when your virus scanner scanned that it'd show as a virus. Doesn't mean your virus scanner is trying to execute the supernasty.exe!

Looking at the content in a zip file (what X1 is doing) isn't dangerous! Even if that zip file is full of malware and nastiness.
Trying to *execute* what's in a zip file (what X1 certainly isn't doing) is very dangerous.

You're confusing the two. Don't.
TiM
X1 Search v8.5.1 - 6001se (64 Bit)
tjh
X1 Super User
Posts: 400
Joined: Sat Apr 12, 2008 4:12 am
Location: Napier, New Zealand

Re: yipes--indexing spawns malware

Postby jreyes1958 » Fri Mar 19, 2010 2:46 pm

Dear TJH and Kenward,
thanks for the reply.

I got an answer from customer support and X1 is doing what I thought it might be doing (will explain what they told me in a sec) -- they say it is doing what I suspected -- see the link they sent me:
http://tinyurl.com/x1-kb-false-positive-alert.

1) How does this stuff get on a computer (I have a NIS 2009/Malwarebytes/SuperAntiSpyware installation)? Even with a patched-up, virus-protected machine, your inbox will have phishing attempts -- usually Facebook/email phishing attempts trying to get you to download some email attachment or some other nasty to ruin your day by pretending to be from a Facebook administrator, family member, email administrator, etc. -- they hope you click and open the attachment and there you go, "have a nice day". You hope your virus scanner will recognize the attachments and kill them -- so all those nasty emails get shoved by your antivirus to your spam/quarantine folder or deleted folder or recycle bin -- so they are safely quarantined -- all part of a normal security protection scheme.

2) So here is what customer support told me. As I suspected, X1 will A) index your email and by default will 1) index all folders, including spam/quarantine and deleted folder items. Then 2) to index the files it makes a COPY of the live virus attachment to your hard drive temp directory -- to index the file -- and then deletes it after it indexes it, supposedly never actually executing the file itself. So this is normal X1 behavior -- any attachment it finds it copies and then indexes -- BUT this copying to the hard disk then sets off the anti-virus alarm -- so supposedly, while it's made a harmless copy (in X1's mind at least), for a few seconds that live virus file sits on your hard disk and the antivirus thinks the file is an attack and goes into full alert mode. -- You can imagine that when X1 is indexing a full spam/quarantine folder or deleted file repository and doing this copying by the dozens, your antivirus will go into overtime thinking there is a full-blown attack. --



3) The solution is to exclude the spam/quarantine/deleted items folders from X1 scanning, or, as they also suggested (but I think it is not optimal), to exclude the X1 temporary folder where it makes copies from antivirus scanning. I did the first and the alerts went away during re-indexing.

4) As far as drama -- seeing Norton ping and ping and ping over and over again with every kind of nasty just will make your hair stand up on end -- when I realized that it might be X1 indexing a quarantine repository I shut off the indexing and the alerts stopped.


So it is a well documented problem -- just scary to see it firsthand. But as you say -- looks like it all worked as it was supposed to, but the warnings were pretty nerve-wracking.

So, bottom line: it is expected behavior for X1 to make copies of these nasties lurking in email quarantine to your hard drive, thus triggering the alert. They claim, however, that it's safe and the file itself is never executed. That I can't verify but have to take a leap of faith.

Now it does mean that if a suspect email doesn't get caught by the antivirus -- it will sit in your inbox waiting for you to open the attachment -- I won't open it of course, but X1 will blindly open it, copy it, index it and thus trigger a false positive on a real virus file -- since you can't exclude the inbox from scanning -- this is bound to happen. -- So hopefully through all this -- no harm done (fingers crossed).

What I would wish is that by default, out of the box, it wouldn't index deleted/spam/quarantine folders and would give you a chance to configure it to avoid this scary false alarm.

BTW, I did give up on Norton some time ago, but the new 2009 version made me a reconvert -- redone from the ground up, I believe -- small footprint, small impact on performance -- actually works now, and since using it I have been protected 100%, and can't say that before the 2009 version with Norton or others I tried.

It is definitely worth a re-look if you gave up, as I did, on its prior bloatware versions.

I realize antivirus/antimalware are like religions -- priests, acolytes, faithful and anti-crusaders -- so don't want to start a flame war -- but the new version is working for me better than my forays to other vendors over the last few years -- tried both mainstream and esoteric, but my current NIS 2009/Malwarebytes and SuperAntiSpyware has worked and been unobtrusive.


Thanks again for the response --

kind regards,
JR
jreyes1958
Posts: 5
Joined: Mon Apr 19, 2004 11:31 am
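Added example (not X1's code or anything posted in this thread) that simulates the two points made above: tjh's point that indexing only reads bytes and never executes them, and the support explanation that X1 copies each attachment to a temp directory, which is the write an on-access scanner reacts to, and that excluding the spam/quarantine/deleted folders makes the alerts go away. The mailbox, folder names, marker byte string and all function and class names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile
# Constructed stand-in for an AV signature: an arbitrary marker, not real malware.
FAKE_SIGNATURE = b"CONSTRUCTED-SIGNATURE-NOT-REAL-MALWARE"
def make_zip_attachment(member_name, payload):
    """Build an in-memory zip attachment with one member (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

# Constructed mailbox: Outlook-style folder name -> zipped attachment blobs.
MAILBOX = {
    "Inbox": [make_zip_attachment("report.txt", b"revenue up 3%")],
    "Deleted Items": [make_zip_attachment("invoice.exe", FAKE_SIGNATURE)],
    "Junk E-mail": [make_zip_attachment("photo.exe", FAKE_SIGNATURE)],
}

class OnWriteScanner:
    """Stand-in for an on-access AV: inspects every temp file the indexer writes."""
    def __init__(self):
        self.alerts = []
    def scan(self, path):
        with open(path, "rb") as f:
            if FAKE_SIGNATURE in f.read():
                self.alerts.append(os.path.basename(path))
def index_attachment(blob, tmpdir, scanner):
    """Copy attachment to a temp file, read member names, delete it: never executed."""
    path = os.path.join(tmpdir, "attachment.zip")
    with open(path, "wb") as f:
        f.write(blob)  # this write is what the on-access scanner reacts to
    scanner.scan(path)
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
    os.remove(path)  # temp copy is gone once indexing is done
    return names

def run_indexer(mailbox, excluded_folders, scanner):
    """Index every folder not excluded; return {folder: [member names]}."""
    index = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        for folder, blobs in mailbox.items():
            if folder in excluded_folders:
                continue  # the fix from the thread: skip spam/quarantine/deleted
            for blob in blobs:
                index.setdefault(folder, []).extend(index_attachment(blob, tmpdir, scanner))
    return index
```

With no exclusions the scanner fires once per quarantined attachment even though nothing was executed; with the deleted and junk folders excluded the inbox is still indexed and no alert is raised.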

Re: yipes--indexing spawns malware

Postby Kenward » Fri Mar 19, 2010 2:59 pm

jreyes1958 wrote: 1) how does this stuff get on a computer -- even with a patched up virus protected machine -- your inbox will have phishing attempts --


Not here it doesn't. See my earlier suggestions on safe email.

I practice this. I also run regular scans. They have never found anything of a slightly dangerous variety on my PC.

In any case, phishing attempts will not deliver nasties. It sends email links that have other ways of causing damage.

You clearly worry about these things, so this link to MailWasher might be useful. Another one for the paranoid is the Microsoft Security Essentials.
MK
X1 Search 8.5.2 - Build 6001si (64-bit)
Windows 10 Pro 64-bit | Windows 10 Home 32-bit
No, I have nothing to do with X1, just a user since 2004.
Kenward
X1 Guru
Posts: 4107
Joined: Tue Apr 20, 2004 2:35 am
Location: UK

Re: yipes--indexing spawns malware

Postby jreyes1958 » Sat Mar 20, 2010 12:53 am

Kenward,

many thanks for the suggestion on MailWasher. Looked at it some time ago. At that time it was a CPU monster -- tried a lot of things to tweak but never could break the CPU cycles.

But am willing to revisit it again to see if it makes a difference.

It's help like this that makes forums so useful.

Thanks for the great feedback, Kenward.


JR
jreyes1958
Posts: 5
Joined: Mon Apr 19, 2004 11:31 am
