
Forum Thread: Psires.dll changes all the time, independent of PSI updates - leg...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
elations Psires.dll changes all the time, independent of PSI updates - legit or breach? Reflection on security implications.
Member 8th Jul, 2009 16:59
Ranking: 1
Posts: 8
User Since: 7th Jul, 2009
System Score: N/A
Location: N/A
Last edited on 8th Jul, 2009 17:57

Some security applications I use are set to warn me if components of installed programs change (namely Kaspersky AV and Outpost Firewall). The rationale behind alerts of this type is, if I understood it right, to allow users to decide if any given change is desired/safe (for example because of an update or recovery/system restore) or not. If the reason why a component changes isn't known, there is a certain chance it might be caused by a security breach/malware of some kind and blocking it would avert something that's unwanted/potentially harmful. I'm not an expert, but my observation so far was that previously verified program components only change due to user input like updates, restorations from backups, etc. Without user input only auto-updates come to mind as a possible cause, though I'm sure there are other potential reasons I'm not aware of. Anyway, the advice given by security applications like the ones I use is to block the changed program if it isn't known what the cause for the change is.

Now I've found that I'm getting frequent alerts regarding psires.dll, which seems to change with a frequency previously unseen elsewhere. So far, whenever this happened, because I couldn't explain it, I decided to reinstall rather than permit. Funnily enough, these warnings have frequently served as a kind of update alert because I found that, just around that time, a new version was out. My assumption therefore had been, till yesterday, that, like certain other security applications, PSI has an auto-update function, though, unfortunately, one where, it appears, the user isn't clearly informed or given a choice in the matter.

However, this time, when installing v1.5.0.0, I decided to take a little closer look. Lacking more than basic computer skills, the best method I could easily think of was to use QuickPar, a checksum verifier and file recovery tool, to check the file immediately after installation and then after some time, and, in particular, each time a warning pops up. Generally used file verification formats like md5, sha-1, etc, only test if files are identical or not. Par2, developed for verifying multi-part binary usenet posts, treats the file as consisting of a certain, configurable number of separate blocks and deals with each block individually. Unfortunately, while this works perfectly in a usenet scenario with predefined block sizes, in a general situation where the size and location of alterations is random, the system only works up to the location where the first modification occurs.

Anyway, I'm just mentioning this because it seems to indicate that the original psires.dll remains, in part or even completely, intact. However, immediately after installation, once PSI is started, psires.dll goes through a series of changes, becoming larger as this happens. This is the first time I've seen a DLL behave like that. If it doesn't mean my system has been compromised, which I really hope it doesn't, then the only explanation I can think of would be that these changes are by design, perhaps as a way to take account of installed programs or to incorporate user settings or other, system-specific information. No use speculating. I'm a computer idiot and probably make a fool of myself. I'm, admittedly, completely lost when trying to explain this.

But, whatever the exact reasons why psires.dll behaves this way are, the first thing I urgently want to know is: are they legit? If they are, at least I can sigh a sigh of relief, reassured that those regular changes probably aren't a sign of a sophisticated invasion of my systems. Once my nerves have calmed down a bit, I'd, however, also like to know where I can find documentation about this behavior. My knowledge is very limited, of course, but from what I've observed so far, DLLs seemed to be static till updated. And is it not that, if all DLLs changed all the time like that, tightly set security programs would throw up dialog boxes demanding tough decisions without end? Mind you, these wouldn't be simple decisions of the type Vista asks users to make all the time but, in cases like psires.dll, where a program component changes for no apparent reason, for the average user, they would tend to be nuts too tough to crack.

Also, in case these automatic changes are legit, shouldn't there be clear, easily accessible information about it, ideally given to the user as part of the installation routine? At least, perhaps, in cases where application control type security software is installed. In systems where it is, depending on how tightly it is configured, these warnings are bound to pop up. At least the less computer savvy users like me are bound to get confused whenever that happens. If in doubt, in opposition to all my lethargic tendencies, I tend to go with "better safe than sorry" and end up reinstalling PSI in response to such pop-ups more often than not. Other users, with as little understanding as me may decide differently and just block the PSI, thereby reducing the security of their system. (Or, I hate to think of it, they allow it... but their psires.dll has been really hacked ;)). What I mean to say is that without clear information and guidelines, accidents are bound to happen.


Thanks for reading this and sorry if it is a really stupid query. But this has been bugging me for quite a while and, left to my own devices, I wasn't able to resolve the issue. Also, please take into account that English isn't my mother tongue (though I've been speaking it for a while); please be forgiving if something doesn't seem to make sense or isn't clear - that's probably because I didn't manage to express it properly. Please ask if anything needs clarification.

Thank you in advance for any input.


--
elations

Anthony Wells RE: Psires.dll changes all the time, independent of PSI updates - legit or breach? Reflection on security implications.
Expert Contributor 8th Jul, 2009 17:31
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 8th Jul, 2009 17:39
Superb English and clearly explained to a "non-techie" like me.

It sums up a lot of the problems in setting up and responding to firewall and other signature/behavior blocker alerts - many not simply - or in some cases too simply - explained and to let by or refuse, that is the question; security risk versus ease and speed of use.

I too would be very interested to learn as to whether Secunia can provide us with some clarification - obviously without giving aid to the bad guys.

Love the question, hope I understand the answer (no chance if it comes in Danish :))

--


It always seems impossible until it's done.
Nelson Mandela
Maurice Joyce RE: Psires.dll changes all the time, independent of PSI updates - legit or breach? Reflection on security implications.
Handling Contributor 8th Jul, 2009 21:44
Score: 11619
Posts: 8,908
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 8th Jul, 2009 21:46
This file is part of Secunia and is not a threat. It is an application extension dated 24/3/2009.

http://www.threatexpert.com/files/psires.dll.html

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
elations RE: Psires.dll changes all the time, independent of PSI updates - legit or breach? Reflection on security implications.
Member 9th Jul, 2009 03:55
Score: 1
Posts: 8
User Since: 7th Jul 2009
System Score: N/A
Location: N/A
on 8th Jul, 2009 21:44, Maurice Joyce wrote:
This file is part of Secunia and is not a threat. It is an application extension dated 24/3/2009.

http://www.threatexpert.com/files/psires.dll.html[...

That's great, or, at least, was - till 24th March... as far as the analyzed cases are concerned. But once the checksum changes, even if the name remains the same, who's to say the file is still doing the same things it used to do when it was considered safe? Presently, on my system, at least, psires.dll seems to change every other day. I've seen it in sizes ranging from ~2kb up to 2MB and in between. If it behaves like this, how am I, the average user, or anyone, to be sure it hasn't been compromised? The first note on the ThreatExpert link says exactly that:

"Please note that the name of the file should NOT be used to define if it is legitimate or not. Such determination can only be made by observing its dynamic behaviour."

If the checksum remained the same it would be easy but, unlike in other programs on my system, it doesn't. Once the checksum changes, nothing short of behavioral analysis could determine safety, as noted by ThreatExpert. And how to be sure that a hacker could not exploit this uncertainty regarding the file's identity?

(That'd admittedly be weird: PSI in need of a Secunia advisory ;))
M.Hansen RE: Psires.dll changes all the time, independent of PSI updates - legit or breach? Reflection on security implications.
Secunia Official 9th Jul, 2009 11:15
Score: 188
Posts: 410
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi

The psires.dll serves as a library for all the icons for the programs detected in the PSI. Rather than getting all the icons from each program's folder, the PSI will load them from the psires.dll.

New programs detected will add new icons to the psires.dll.

I hope this answered your question.


--
Kind regards,

Morten Hansen
Secunia PSI Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
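The append-only growth Morten describes (icons being added to the resource library) is something a checksum comparison can recognise on its own, which is what the block-wise par2 check in the opening post was reaching for. The following Python is an added example, not code from Secunia or from anyone in this thread; it compares two snapshots of a file and reports whether every original byte is still in place (the file only grew) or whether existing content was altered, using constructed sample bytes in place of psires.dll.

```python
import hashlib
import random

BLOCK_SIZE = 4096  # fixed block size in the spirit of a par2 block set (constructed choice)


def block_hashes(data, block_size=BLOCK_SIZE):
    """SHA-256 of each fixed-size block; the final block may be shorter."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def classify_change(old, new, block_size=BLOCK_SIZE):
    """Compare two snapshots of one file and say how it changed.

    verdict is one of:
      'identical'   - same bytes
      'append_only' - every byte of the old snapshot is still in place and the
                      file only grew (what a resource library gaining icons looks like)
      'modified'    - the file shrank or a byte inside the old range changed
    """
    if old == new:
        verdict = "identical"
    elif len(new) > len(old) and new[:len(old)] == old:
        verdict = "append_only"
    else:
        verdict = "modified"

    intact = 0  # leading blocks whose hash is unchanged
    for a, b in zip(block_hashes(old, block_size), block_hashes(new, block_size)):
        if a != b:
            break
        intact += 1
    # A trailing partial block differs even for a pure append, because its length
    # changed; block-wise verification therefore only vouches for the file up to
    # the first differing block, as the opening post observed with QuickPar.
    return {
        "old_sha256": hashlib.sha256(old).hexdigest(),
        "new_sha256": hashlib.sha256(new).hexdigest(),
        "old_size": len(old),
        "new_size": len(new),
        "intact_leading_blocks": intact,
        "verdict": verdict,
    }


def demo():
    """Constructed snapshots standing in for psires.dll; not real file contents."""
    rng = random.Random(7)
    original = bytes(rng.getrandbits(8) for _ in range(10000))
    grown = original + bytes(rng.getrandbits(8) for _ in range(3000))  # icons appended
    patched = bytearray(grown)
    patched[5000] ^= 0xFF  # one byte inside the existing content flipped
    return classify_change(original, grown), classify_change(grown, bytes(patched))
```

An "append_only" verdict matches the behaviour explained above; a "modified" verdict on a file that is only supposed to gain icons is the case worth investigating.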
elations RE: Psires.dll changes all the time, independent of PSI updates - legit or breach? Reflection on security implications.
Member 9th Jul, 2009 19:41
Score: 1
Posts: 8
User Since: 7th Jul 2009
System Score: N/A
Location: N/A
Last edited on 9th Jul, 2009 19:58
Good to know. I suspected something along those lines because file size changes seemed to go hand in hand with changes in installed/monitored programs.

So now, knowing this as a result of starting this thread, I personally feel reassured (wasn't seriously worried in the first place, but rather bewildered). But I still wonder if it wouldn't be more appropriate to store those icons in a file with a different extension. The main reason is, as already mentioned, that many security applications with application/component control functions don't monitor just EXEs but register changes in DLLs (plus registry writes and certain other changes) and whenever there's such a change, give a warning and ask for user confirmation. If accepted, the confirmation lasts as long as the checksum of the file remains the same, but should it change at any point, the user is presented with a new warning and asked to confirm again.

So I personally now know why psires.dll changes all the time, but other users of this type of application control type security don't. As such, a certain number of users is bound to get confused by this behaviour on a regular basis. Many programs have databases of installed programs, including checksums, version info, etc, but manage this information differently, in particular without causing regular security alerts. Considering PSI itself is in the business of security, it is even more bewildering that it would be designed in such a way as to regularly cause such alerts by other apps designed to keep the user safe.

Anyway, that's just my personal view on the issue. I'm technically not well versed and, in particular, not faced with the task of programming PSI and don't have the least idea of other issues involved that PSI developers need to take into consideration. So I accept whatever design the people responsible think is best. The only thing I'm trying to do is express how it looks from a user's perspective, in case this aspect might have been overlooked.
