When installing Prometheus (and I assume other apps), Trellix (McAfee) blocks the detection script from running due to a suspicious double filename extension.
Looking at the NSI script, the temp name generated includes a .tmp extension, then when the script adds a .bat to the end of this, it ends up being [tempname].tmp.bat, which my antivirus doesn't seem to like.
Version
(Dev) 2021.12.03
What version of Windows are you seeing the problem on?
Windows 10 64-bit
Relevant log output
McAfee/Trellix Log:
2023-06-22 17:24:06.110Z |Activity|ApBl |mfeesp | 9084| 27224|BOPAP |XModuleEvents.cpp(851) | [DOMAINUSER] ran C:\Users\[DOMAINUSER]\Prometheus_2021.12.03.exe, which tried to access the file C:\Users\[DOMAINUSER]\AppData\Local\Temp\nsrA95F.tmp.bat, violating the rule "Suspicious Double File Extension Execution", and was blocked. For information about how to respond to this event, see KB85494.
Contact Details
No response
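An added example, not part of the original report or the project's code: a Python triage helper that parses the Access Protection event quoted in the log above and exposes the extension chain that matched the rule. The message layout is inferred from that single log line, and `parse_event` and `single_extension_name` are hypothetical names.

```python
import re
from pathlib import PureWindowsPath

# Event copied from the log in the report above (placeholders kept as posted).
SAMPLE = (
    r'2023-06-22 17:24:06.110Z |Activity|ApBl |mfeesp | 9084| 27224|BOPAP '
    r'|XModuleEvents.cpp(851) | [DOMAINUSER] ran '
    r'C:\Users\[DOMAINUSER]\Prometheus_2021.12.03.exe, which tried to access the file '
    r'C:\Users\[DOMAINUSER]\AppData\Local\Temp\nsrA95F.tmp.bat, violating the rule '
    r'"Suspicious Double File Extension Execution", and was blocked. '
    r'For information about how to respond to this event, see KB85494.'
)

# Assumption: the message wording is fixed as in the sample line.
EVENT = re.compile(
    r'^(?P<user>.+?) ran (?P<actor>.+?), which tried to access the file '
    r'(?P<target>.+?), violating the rule "(?P<rule>[^"]+)", and was (?P<action>\w+)\.'
)

def parse_event(line):
    """Return actor, target, rule, action and the target's extension chain, or None."""
    parts = line.split('|', 8)          # eight header columns, then the message
    if len(parts) < 9:
        return None
    match = EVENT.match(parts[8].strip())
    if match is None:
        return None
    event = match.groupdict()
    event['timestamp'] = parts[0].strip()
    event['suffixes'] = PureWindowsPath(event['target']).suffixes
    return event

def single_extension_name(path):
    """File name with intermediate extensions dropped, keeping only the last one."""
    p = PureWindowsPath(path)
    if len(p.suffixes) < 2:
        return p.name
    base = p.name[:-len(''.join(p.suffixes))]
    return base + p.suffixes[-1]

if __name__ == '__main__':
    ev = parse_event(SAMPLE)
    print(ev['rule'], '->', ev['target'], ev['suffixes'])
    print('single-extension form:', single_extension_name(ev['target']))
```

Whether a single-extension temp name avoids the rule is an assumption based on the rule's title; the report does not document the rule's matching logic.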