Forum Thread: misdetection?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Sophos
And, this specific program:
Sophos Anti-Virus 7.x

This thread has been marked as locked.
lindzog misdetection?
Member 2nd Jan, 2009 13:13
Ranking: 0
Posts: 53
User Since: 2nd Jan, 2009
System Score: N/A
Location: UK
Secunia said my Sophos was out of date and identified it as version 6.x. However, it is not. I have version 7.6.3. Any idea why this might happen?

--
Lindzog

Franadora1 RE: misdetection?
Member 2nd Jan, 2009 16:10
Score: 5
Posts: 13
User Since: 20th Jul 2008
System Score: N/A
Location: Raleigh NC, US
Check the Installation Path (as shown in the Advanced mode).
lindzog RE: misdetection?
Member 2nd Jan, 2009 18:27
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Hi. Tks for the reply. I don't see how looking at the file path helps. I only have one version of Sophos on my laptop and it is up to date. I've contacted Sophos about this and they advise me it is likely to be a problem with the Secunia software. Apparently there have been issues in the past with Secunia not having the up to date IDEs from Sophos, therefore Secunia does not know how to identify the up to date version.

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 3rd Jan, 2009 11:35
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
It is possible there are remnants of an old programme on your laptop. To confirm:
To locate the exact file that the Secunia PSI has detected, please follow these guidelines using the ADVANCED interface:
* Click on the entry of the programme to "expand" it.
* Click on Technical details to see the installation path of the detected file.
* Remember the installation path and close down the menu.
* Click Open Folder and locate the detected file.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 3rd Jan, 2009 13:04
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Yes, done all that already. Got Advanced. Took myself to the file. It's some folder in Sophos called Retargetable Folder. But don't see how that helps me.

--
Lindzog
wolfenbuttel01@hetnet.nl RE: misdetection?
Member 3rd Jan, 2009 14:21
Score: 0
Posts: 28
User Since: 10th Dec 2008
System Score: N/A
Location: N/A
Lindzog,
Not important you can see - your machine must see. Maurice asked to check for remnants of older versions. Did you find? Now you should look for a way to delete these remnants. Are you using XP or Vista - home or professional?
Philip
lindzog RE: misdetection?
Member 3rd Jan, 2009 22:12
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
XP Pro. There's nothing there that would tell me whether these are part of some outdated Sophos file or not. For all I know they could be critical current files. As I said before, they said there were issues previously with Secunia not having access to their up to date IDEs and so mis-identifying program versions. It seems to be a problem not unique to Sophos, as I've seen several threads here where Secunia is misidentifying versions. Secunia is just an experiment for me and I may end up just removing it. I'll see how it goes.

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 3rd Jan, 2009 23:56
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I prefer to use forums rather than asking programme support helplines for answers. In my considerable dealing with support teams they always defend their own programme.

When time allows you can prove one way or the other who is correct and confirm your PC is totally secure at the same time.

* Redownload Sophos & save to desktop.
* Uninstall current installed Sophos as recommended by them & reboot
* Run PSI - if any files are found delete them ( a side issue is why any are there if you uninstalled as per the Sophos instructions)
* Rerun PSI - if U get the all clear
* Reinstall Sophos from desktop
* Reboot
* Run PSI
A bit of a haul but in my view well worth the effort to be absolutely sure your system is secure and to prove which of the two programmes was in error.







--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 4th Jan, 2009 00:44
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Tks. I guess that would work but it's a considerable hassle. I'm inclined to trust what Sophos has said to me. Or to be more precise, if I had to choose between trusting what Sophos says or what Secunia reports, I will go with Sophos. They say I have the latest version and it is completely secure. Secunia, from reading the Forums, is responsible for all manner of false reports, so, as I say, I think I'll just stick with what Sophos says, and, if necessary, uninstall the untrustworthy Secunia.
Anyway I really appreciate your advice so tks for taking the trouble to answer and share your thoughts. If there are any other developments I shall post them here. Tks again. L

--
Lindzog
Tarq57 RE: misdetection?
Member 4th Jan, 2009 10:08
Score: 16
Posts: 106
User Since: 20th Dec 2007
System Score: N/A
Location: NZ
In my experience of the Secunia PSI it will identify out of date file versions on the computer. Sometimes rescanning removes these detections. Where the detection has remained, I have researched, and always found a remnant. Sometimes in documents and settings, sometimes an old version of a program file.
I recommend the action suggested above to reinstall Sophos. (If you want to be assured it is completely uninstalled, try Revo uninstaller.)
The presence of an out of date Sophos file is unlikely to represent a vulnerability - I don't know because I don't know what the report indicates, only you can determine that from the info presented, and the linked advisory - but you might find it a worthwhile exercise.

Of course your Sophos program will be reporting itself as up to date; you will almost certainly be determining this by clicking on the "check for updates" button (or its equivalent) from within the current installed operating program. Doesn't mean there aren't old remnants somewhere.

--
Windows XP Home 32, SP3- patched as they are released, AMD 3500+, 2G RAM, avast 8.0, Autorun Eater, Secunia PSI.
lindzog RE: misdetection?
Member 4th Jan, 2009 12:50
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Yes, it's perfectly possible that an old version of Sophos is being reported, but I don't think that is worth the hassle of an uninstall/reinstall. I have checked and my version and virus database is fully up to date so I have no concerns about Sophos at all. The concerns, if any, are to the merits of retaining Secunia. As I say, if anything goes, it will be this program. I think I could find it a pain if it continues making false identifications. I don't see any option to remove it from the start up program/system tray either. This is one of my benchmarks for judging the quality of a product - whether it attaches itself to the start up menu etc. I don't like programs that help themselves to my computer without my permission.

--
Lindzog
wolfenbuttel01@hetnet.nl RE: misdetection?
Member 4th Jan, 2009 13:49
Score: 0
Posts: 28
User Since: 10th Dec 2008
System Score: N/A
Location: N/A
Lindzog,
Could you try something else? Because you are using XP-pro you might have another possibility. Screen you have for deleting software might have an underlined link. Click on this help-info (if available) and you could find more ways in repairing, changing and/or deleting files.
Moreover you can try to find a program like InstallShield or System Wise Installer. I think all is about small remnants. Can be very annoying if you cannot grow accustomed to. You had better try to get rid of it, but not if this is a problem to achieve.
Philip
Maurice Joyce RE: misdetection?
Handling Contributor 4th Jan, 2009 17:05
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 4th Jan, 2009 17:12
You can stop Secunia from using the start menu. Open the programme > settings tab > remove ticks from "Start The Secunia PSI On Boot" & "Enable Program Monitoring".

I think your last thread was a little unfair. Secunia are no different to Sophos & many other programmes that hijack the start up menu. I believe they do it with the good intention of allowing novice users to get protection/usage "out of the box".

Experienced users tend to prefer the Opt In as opposed to the Opt Out approach to all things PC. That said, an experienced user will also know that the first thing to do after any new programme installation is to modify the Options/Preferences/Set up to make it work to individual taste as opposed to the programme default settings. In this instance you do not appear to have done that before passing judgement.

The great thing about Secunia is that it is programmable and unlike many other expensive so called "fixers" scans a system and reports back to the user. The user is in total control and has the opportunity to make a balanced judgement on what action to take to clear up the insecurities.

In your case you have elected to ignore the potential flaw on your system. That is how it should be but that does not prove, as others have pointed out in this thread, that Secunia has given you a false positive as you suggest.





--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 4th Jan, 2009 18:42
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Wolf, tks for that. I didn't fully understand your reply. But I do have InstallShield on my notebook.
Maurice, I hadn't discovered that there was an option to disable Secunia from Start Up, so yes I was probably a little unfair. The feature raises my opinion of Secunia, as I do hate the way programs routinely attach themselves to the startup. Yes many routinely do this and it's unacceptable. The fact that Secunia gives this opt-out is a definite plus. I can't see any option to remove it from the System Tray though. I realise that if not booted up, it won't display there, or shouldn't. However, some programs, good ones in my view, allow you to disable the program icon from appearing in the System Tray, even when running. Secunia would go up in my estimation even further if it did this.
I agree the false positive may just be something I choose to live with. All I am saying is that if I had to choose whether the fault lies with Secunia software rather than Sophos, I would tend to trust Sophos.
I've already reported that Sophos told me that there have been past problems with Secunia not having their up to date IDEs and it may be that this is still what causes false readings. The most useful thing Secunia has done for me to date is make me aware that all the previous, outdated Sun Java updates can be deleted from Add Remove programs. I didn't know this until now. Apart from that I have found it that useful, it is early days.

--
Lindzog
lindzog RE: misdetection?
Member 5th Jan, 2009 13:00
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
I should have perhaps mentioned here too, in case it is of interest, that Secunia also identified as insecure 2 versions of Microsoft XML Core Services (MSXML) 4.x. I followed the Download steps but it makes no difference. It just takes me to the Windows Update site and all my updates are up to date anyway. I guess these are just further detections to ignore?
There is also Sun Java JRE 1.4. I've uninstalled all my other Java updates but left this one as I'm not sure whether it was just an old update that can be removed or something that is still required.

L

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 5th Jan, 2009 13:20
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 5th Jan, 2009 13:27
There are numerous threads on XML - it does seem troublesome for one reason or another.

To completely purge your system of all old & useless Java remnants go to
http://raproducts.org/
Download the binary zip file to desktop and use it from there.

I tick & use all the cleaning tools offered (there are 2 tabs). You should end up with only Java (TM)6 Update 11 in add/remove.

I do this every time I update Java to get rid of the old dross - never failed me yet.
Worth rerunning PSI - I think you will find the problem is solved unless U have the insecurity on a drive other than C.

Just had a look at my installed MSXML in add remove. I have got
MSXML 4.0 SP2 (KB9361281) & MSXML SP2 (KB954430) - does that tally with U?



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 5th Jan, 2009 19:08
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
I appear to have MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
and MSXML 6.0 Parser (KB936181)

Tks for the other prog. I'll investigate that.
Sophos want me to send them my "Retargetable" file

L

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 5th Jan, 2009 21:11
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 5th Jan, 2009 23:19
Nice to see that Sophos are interested in the issue. Are U going to post the result?

We appear to differ on MSXML 6 Parser. Mine is KB933579.
Your KB number appears to be the same for MSXML 4 & 6.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 5th Jan, 2009 23:26
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Glad to. Sophos said the following:

"The file location that you are seeing is the original installer. This is not what is currently running your AV but rather what installed it in the first place. The files in it are old but they are also irrelevant because they are only used during the install process."

This would suggest if I deleted these set up files, the false detection might disappear. But I don't think I will.

Still not clear what to do about those MSXML things.
Not clear how to use Raproducts either. What do you do with it when you get to the website?

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 5th Jan, 2009 23:43
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 5th Jan, 2009 23:50
I would put an ignore on Sophos - clearly has an exe file in that secunia noted was out of date - not sure it can be exploited if in a setup folder.

Java Removal.

Use the link I gave U
Once in the website click the Windows Binary (zip) file
That will take U to the Sourceforge.net site & it will commence to download once U give it normal permission.
Save to desktop.
Click desktop icon & the zip should open for U to see the RA exe file
Click that and the cleaner appears on desktop

MSXML - I am lucky - mine is OK but looking at other threads it looks like a minefield. Let us hope someone picks up the thread to advise - I would certainly be interested.

Java use JAVA & JRE - it can be confusing but they are the same thing.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 5th Jan, 2009 23:47
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Yes, I downloaded and extracted it. I think it's all done now. I just had a bit of a glitch because I wasn't clear whether the JRE file I had was different from the normal Java update. So when I tried to download the latest version, I had several failed downloads. Anyway I cleaned/removed the old JRE using the tool and it says I have the latest version so guess all is well. Tks for that.

--
Lindzog
-B-K- RE: misdetection?
Member 6th Jan, 2009 12:12
Score: 0
Posts: 13
User Since: 19th Dec 2008
System Score: N/A
Location: N/A
Last edited on 6th Jan, 2009 12:15
If I should choose between Sophos AntiVirus and PSI I would without a doubt choose PSI.

The reason? It's quite simple: There is simply no better program for finding and patching vulnerabilities on your PC than the PSI! (trust me, I've tried about everything on the internet in this category).

What goes for Sophos AntiVirus, it is "just" an antivirus. It's a good idea to have one, but there is a lot to choose from, and Sophos is not the only good one.

Just my humble opinion.
lindzog RE: misdetection?
Member 17th Jan, 2009 18:15
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
My opinion is even more humble, but I would never choose Secunia over my AV. It may well be a great product. I have no idea. But I would be more concerned about picking up Viruses and Trojans than the prospect of some hacker being able to exploit some allegedly unpatched porthole buried in an obscure program on my system. I wouldn't argue for a moment that Sophos is the best AV. Indeed AVG free, which I use on another application, seems very good to me. I once made the mistake of reinstalling an OS, and going online before I had activated my AV and Firewall. (This was before the advent of the Windows Firewall). I had infections and pop-ups before I could say Boo. Ok, a Secunia program, had it existed then, might have plugged the holes that allowed this to happen, but I probably would have got the infections before I could even download it. I can't quite remember how I got round the problem at the time. I think I probably reinstalled the OS, activated the trial AV/Firewall until such times as I had installed my Free ones and then uninstalled the trial. It may not be the same problem now with the Windows firewall etc, but it's still an issue I think when you do an OS reinstall - how not to get infected in the time it takes you to download your protection. I've digressed a bit here. Sorry. Humbly sorry.

--
Lindzog
kennethp RE: misdetection?
Member 1st Dec, 2009 15:45
Score: 0
Posts: 1
User Since: 9th Dec 2008
System Score: N/A
Location: N/A
This system has Sophos version 7.6.14 on a company network. Secunia flags the auto-update function of Sophos as insecure every time it checks for downloads. Our network checks for updates hourly. At every update attempt Secunia flags the process as insecure and when the updater closes it reports the program as "patched". I grew tired of watching the updater listed as insecure so I added it to the ignore list.

C:\WINDOWS\Temp\sophos_autoupdate1.dir\1259599448\ System\msxml4.dll
C:\WINDOWS\Temp\sophos_autoupdate1.dir\1259599448\ SXS\msxml4.dll
C:\WINDOWS\Temp\sophos_autoupdate1.dir\1259606915\ System/msxml4.dll
C:\WINDOWS\Temp\sophos_autoupdate1.dir\1259606915\ SXS\msxml4.dll
C:\WINDOWS\Temp\sophos_autoupdate1.dir\1259618312\ System\msxml4.dir
C:\WINDOWS\Temp\sophos_autoupdate1.dir\1259618312\ SXS\msxml4.dir
lindzog RE: misdetection?
Member 1st Dec, 2009 18:23
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
I just ignore it too. I have to ignore a couple of Secunia's reports. I haven't added them to the ignore list but I do ignore them. If it comes to a choice between Secunia and Sophos, Sophos wins.

--
Lindzog
E.Jeppesen RE: misdetection?
Secunia Official 2nd Dec, 2009 09:10
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
kennethp; I have just updated the detection rule for Microsoft XML Core Services (MSXML) 4.x. Please perform a full system scan with the PSI and let us know if that has solved the issue.
lindzog RE: misdetection?
Member 2nd Dec, 2009 11:51
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
For what it's worth, two of my "insecure programs" are Microsoft XML Core Services (MSXML) 4.x. I've just done another Secunia scan and there was no change in their detection. Curiously when I hit the solution option, I now get a message saying "The Link you are trying to open requires Internet Explorer to function correctly and therefore will not use your default browser. Press Ok to continue." When I press Ok it takes me to Windows Update, just as previously, where nothing is offered. I am currently still using IE6, as I didn't like IE7 when it came out. I guess I'll have to install IE8 soon, as IE6 becomes less supported. I'm sure someone will advise me to use Firefox but I will politely decline that for now too.
Anyway, MSXML detection problems still seem to exist. Rgds L

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 2nd Dec, 2009 12:25
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
This may help with MSXML.


UPDATING MSXML 4
================

1. MSXML 4 is a standalone version that supports legacy 3rd party installs.
2. Microsoft have released the final SP prior to it becoming obsolete on 13 April 2010.

Your problem should be resolved if you uninstall all versions of MSXML 4 SP2 - reboot - and then install MSXML 4 SP3 which is a complete replacement for SP2 & the various hot fixes.

As for any new install read the Release Notes here:
http://download.microsoft.com/download/A/2/D/A2D85...

The download link is here:
http://www.microsoft.com/downloads/details.aspx?Fa...
The download file to select is MSXML.MSI 2.3MB

Secunia picks it up as secure with version 4.30.2100.0



11:24 02/12/2009




--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 2nd Dec, 2009 13:05
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Hmm.. I don't like uninstalling such stuff, but I've done it and uninstalled 3 such SP2 files. I've also downloaded the update you recommended, but on the MS download page you pointed me at there is a third file which is a Cab file. It asks for the location where I want to extract it and I don't know the answer to that.

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 2nd Dec, 2009 14:16
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
As stated in my post U only require the MSI file. Many on this forum have been successful by using the post as published.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 2nd Dec, 2009 14:37
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Apologies, but I didn't see anything in your post where you said to "only" download that file (of the three on offer.)

Anyway, I've done it now, just done a scan and Secunia still twice detects Microsoft XML Core Services (MSXML) 4.x - even though these no longer exist in my Add/Remove programs.

Back to the drawing board...

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 2nd Dec, 2009 14:52
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
What path is the insecurity showing?

FINDING A VULNERABILITY FILE PATH
=================================

To locate the exact file that the Secunia PSI has detected, use or switch to the ADVANCED interface, then:

1 Click on the + sign of the programme to "expand" it.
2 Click on Technical Details in the Toolbox to see the installation path of the detected file. (Copy (CTRL+C) & paste (CTRL+V) the Installation Path of the file back to the Forum if U are unsure what to do next.)



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 2nd Dec, 2009 15:16
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Version Detected:
4.20.9818.0

They are both below and appear identical



Installation Path:
C:\savxpsa\savxp\SXS\msxml4.dll

Last Inspection of Program:
2nd Dec. 2009, 14:07 CET

Version Detected:
4.20.9818.0

Installation Path:
C:\savxpsa\savxp\SXS\msxml4.dll

Last Inspection of Program:
2nd Dec. 2009, 14:07 CET





--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 2nd Dec, 2009 15:39
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Microsoft updates MSXML to:

C:\Windows\WinSxS

The path U have given C:\savxpsa\savxp\SXS\msxml4.dll

belongs to Sophos.

There are issues with this Sophos folder:

http://www.sophos.com/search/search-results/?searc...

I would personally right click & delete them but U may wish to contact Sophos Support & ask for advice.


14:38 02/12/2009




--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 2nd Dec, 2009 15:54
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
That's interesting as the third detection is also a Sophos file, referred to above. I went through all this with Sophos and you at the time but didn't reach any solution. I'm reluctant to start deleting things on the Sophos tree.
Does this mean I needn't have done the download you suggested and should I now use System Restore to put my machine back to where it was previously? It was a bit slow for a while after the download and locked up eventually but it does seem to be settling down again now. It has an underlying problem about being slow at power-on (before the Windows screen appears) and it's difficult to be sure what is the cause of what sometimes. (In case you mention Start up programs and the like, I suspect it's a hardware issue, because it seems to be worse when the notebook is cold. Once warm, and having been used for a while, it reverts to proper speed and is quite fast.) Anyway, I digress from the issue, but justifiably I think. If the download you recommended earlier is a Microsoft Solution why is it not offered by Windows Update?


--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 2nd Dec, 2009 16:12
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Before we go any further let us establish that MSXML is secure & is being reported by PSI.

Navigate to:

C:\savxpsa\savxp\SXS\msxml4.dll

C:\savxpsa\savxp\SXS\msxml4.dll

Rename them both:

C:\savxpsa\savxp\SXS\msxml4.dll_old

Complete a full rescan with PSI.

1. Is MSXML4 showing under the patched tab as

Microsoft XML Core Services (MSXML)4 version 4.30.2107.0?

2. Has the vulnerability reported by PSI been removed?


15:10 02/12/2009


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 2nd Dec, 2009 16:40
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
I'm a bit out of my comfort zone now. I could only find one of those files at the location. I changed it to what you suggested and the file immediately became an unrecognisable file type.
Secunia then reported only one MSXML insecure instead of 2 - this is before I did a scan, which is currently running.
Under the Patched Tab it says "Microsoft XML Core Services (MSXML)4.x 4.30.2100.0" (not the number you quote)

When the scan finishes - which is taking a while - I plan to change the re-named file back to what it was.

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 2nd Dec, 2009 18:21
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 2nd Dec, 2009 18:22
Up to U but it has proved the point.

Your MSXML4 is now up to date to version 4.30 (SP3) which proved your install was OK by updating C:\Windows\SxS (system32)

What U are left with is Sophos dross.

If U rename it back to its original then that element of Sophos is vulnerable & will remain so until:
1. U rename it to prevent exposure.
2. U delete the files.

This is not a misdetection by PSI as described. MSXML is secure - a programme (Sophos) which has old MSXML files is the problem.

I suspect that C:\SAVXPSA is an old Sophos installation folder.

It looks to me like MSXML has never been vulnerable hence no offer of an update from Microsoft. The vulnerability is & always has been MSXML files embedded in Sophos as your paths proved.





--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
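The distinction reached in the posts above (an outdated msxml4.dll sitting in another program's folder versus the copy Windows itself maintains), as an added example that is not part of any post in this thread: it triages findings pasted in the "Version Detected / Installation Path" layout quoted earlier. The sample report, the list of system directories and the verdict names are assumptions made for illustration.

```python
from ntpath import normcase, normpath  # Windows path rules, usable on any OS

# Version the thread reports PSI accepting as secure for MSXML 4 (SP3).
SECURE_MSXML4 = (4, 30, 2100, 0)

# Assumed locations of the OS-managed copy; adjust for the machine in question.
SYSTEM_ROOTS = (r"C:\Windows\System32", r"C:\Windows\WinSxS")

# Constructed sample: the first two entries repeat the path and version posted
# in the thread, the third (system32, SP3) is made up for contrast.
SAMPLE_REPORT = r"""Version Detected:
4.20.9818.0

Installation Path:
C:\savxpsa\savxp\SXS\msxml4.dll

Last Inspection of Program:
2nd Dec. 2009, 14:07 CET

Version Detected:
4.20.9818.0

Installation Path:
C:\savxpsa\savxp\SXS\msxml4.dll

Version Detected:
4.30.2100.0

Installation Path:
C:\WINDOWS\system32\msxml4.dll
"""


def parse_report(text):
    """Return (version, path) pairs from pasted Technical Details text."""
    entries, pending, version = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in ("Version Detected:", "Installation Path:"):
            pending = line                      # the next non-blank line is its value
        elif pending == "Version Detected:":
            version, pending = line, None
        elif pending == "Installation Path:":
            if version is not None:
                entries.append((version, line))
            version, pending = None, None
        # any other line (e.g. the inspection timestamp) is ignored
    return entries


def version_tuple(text):
    """Parse 'a.b.c.d' into integers; comparing strings would rank 4.9 above 4.30."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part file version: %r" % text)
    return tuple(int(p) for p in parts)


def is_system_copy(path):
    """True when the file sits under one of the assumed OS-managed directories."""
    norm = normcase(normpath(path))
    return any(norm.startswith(normcase(root) + "\\") for root in SYSTEM_ROOTS)


def triage(report_text):
    """One verdict per distinct file; repeated entries for the same path collapse."""
    findings = {}
    for version, path in parse_report(report_text):
        key = normcase(normpath(path))
        if key in findings:
            continue
        if version_tuple(version) >= SECURE_MSXML4:
            verdict = "ok"
        elif is_system_copy(path):
            verdict = "update-msxml"            # the OS copy itself is behind
        else:
            verdict = "stale-bundled-copy"      # leftover inside another program's folder
        findings[key] = {"path": path, "version": version, "verdict": verdict}
    return list(findings.values())


if __name__ == "__main__":
    for item in triage(SAMPLE_REPORT):
        print(item["verdict"], item["version"], item["path"])
```

A "stale-bundled-copy" verdict points at the owning program's files, which is why installing the MSXML service pack alone left the detection in place.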
lindzog RE: misdetection?
Member 2nd Dec, 2009 19:15
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
I would agree with that. I think we established some time ago that an old Sophos installation file was being found by Secunia. Now it's been established that the other detected files are part of the Sophos "dross." But I don't know how to safely get rid of the old Sophos, other than just deleting it from the Windows Explorer tree - and even then I am not 100 percent sure there would be no consequences for the rest of the Sophos system.

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 2nd Dec, 2009 19:32
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I do not think any real harm will be done.

As U rightly say Sophos is an excellent product.

I can only advise what I would do.

1. Track down both files again & delete them.

Rerun PSI to confirm the problem is over.

If Sophos starts misbehaving (highly unlikely).

1. Download a brand new copy of Sophos & save it to desktop.
2. Uninstall Sophos via their own programme uninstaller or via add/remove
3. Install the new copy from desktop.
4. Delete the desktop installation folder.

Run PSI.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 7th Dec, 2009 12:20
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Sophos said I could delete the savx install file (dross) from the C/folder. So I did.
I now have no detections. :-)
tks.

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 7th Dec, 2009 18:05
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Very good news. I note early on this thread U said
"I just ignore it too. I have to ignore a couple of Secunia's reports. I haven't added them to the ignore list but I do ignore them. If it comes to a choice between Secunia and Sophos, Sophos wins".

I think we have now proved there is no competition.

Sophos is an anti viral programme and very good at it.

Secunia looks for vulnerabilities in programmes & found one in Sophos in that the Sophos install procedure does not include removing installation files once they have finished. In this instance the vulnerability was minor.

I would use them side by side & trust both for their different roles in keeping a PC secure.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 10th Dec, 2009 09:56
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
That's true to some extent. And this process revealed another Sophos weakness. I discovered that my v 7 is not the latest. It should be v 9. However, Sophos did not automatically update the software, only the definitions file. I've now downloaded v 9 and will have to run another Secunia scan to see there are no further remnants from this process. Even so, if it came to a choice between Secunia or Sophos (or any AV) I would choose Sophos. You can manage without Secunia but I would never want to be without AV protection. That said, I'm pleased with Secunia. It's a good product. Rgds L

--
Lindzog
lindzog RE: misdetection?
Member 28th Dec, 2009 22:04
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Er, I have the dreaded msxml4 detection back again.

It's located here: C:\escw_9_sa\scf\System\msxml4.dll which seems to be a System file. (You'll remember last time it was in the Sophos install.)
I don't know how this got created. I have enabled the Sophos Firewall since, but I've done some other things too, such as install IE 8 then promptly uninstall it because it was so slow and unwieldy.
Back to the drawing board then?

L

--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 28th Dec, 2009 22:13
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 28th Dec, 2009 22:14
This is a Sophos install as well!

I believe it is Sophos Endpoint Security & Control V9 - it should be located in C:\Program Files\Sophos

Good Luck

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
lindzog RE: misdetection?
Member 29th Dec, 2009 22:30
Score: 0
Posts: 53
User Since: 2nd Jan 2009
System Score: N/A
Location: UK
Sophos have responded to me saying the following:

"The C:\escw_9_sa folder is where the installer extracts the installation files. Therefore you can delete this folder.

For your reference the MSXML4.dll file is a Microsoft file. This update provides a number of security and bug fixes to XML core services. It is a pre-requisite to installing Sophos AV."

I pointed out that this was the second such installation that had appeared to create a Secunia-identified vulnerability. They've since said they are aware of the issue and are working on packaging a later version of the MSXML into the installer in the near future.

I don't actually understand what the MSXML file does, nor do I ever hope to. But hopefully this info means something to somebody.


--
Lindzog
Maurice Joyce RE: misdetection?
Handling Contributor 29th Dec, 2009 22:56
Score: 11295
Posts: 8,718
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Pleased everything is back to normal - Sophos are a good Company so I have no doubt they will include a fix at some stage.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
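The finding in this thread, an old msxml4.dll left behind in installer extraction folders such as C:\SAVXPSA and C:\escw_9_sa, can be checked by listing every copy of the file on disk together with its version. The following is an added example, not part of the original thread: the function name `Find-StaleLibraryCopy` is hypothetical, and the 4.30 threshold is the version figure quoted earlier in the thread.

```powershell
# Added example: inventory every copy of a DLL under a root folder and flag
# copies older than a minimum version. Names and defaults are assumptions.
function Find-StaleLibraryCopy {
    param(
        [string]  $Root           = 'C:\',
        [string]  $FileName       = 'msxml4.dll',
        [version] $MinimumVersion = '4.30'   # figure quoted in the thread; adjust as needed
    )

    # -Force includes hidden folders; access-denied folders are skipped quietly.
    Get-ChildItem -Path $Root -Filter $FileName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Use the numeric parts of the version resource rather than the
            # FileVersion string, which can carry trailing text.
            $vi    = $_.VersionInfo
            $found = New-Object System.Version -ArgumentList @(
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            )

            [pscustomobject]@{
                Path          = $_.FullName
                FileVersion   = $found   # 0.0.0.0 means the file has no version resource
                Stale         = $found -lt $MinimumVersion
                # Copies outside the Windows folder are not serviced by Windows Update.
                UnderWindows  = $_.FullName.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
                LastWriteTime = $_.LastWriteTime
            }
        }
}

# List only the copies that fall below the threshold.
Find-StaleLibraryCopy | Where-Object { $_.Stale } | Format-Table -AutoSize
```

A stale copy reported outside the Windows folder points to a leftover like the ones found here, which is why updating the system copy did not clear the detection.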

This thread has been marked as locked.


© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144