From: T.H on
Perhaps slightly OT...

www nirsoft net

offers an IE password utility. It does get some hits on both VirusTotal
and Jotti. The hits seem to suggest a "risky" application. Certainly
that makes sense as it is intended to display hidden passwords in IE.
But I have had occasion to need an IE-only supported password I did not
write down.

Do any of you have any comments on this particular utility?

Thanks in advance.

T.H (same as other T.H posting from Windows PC - this one is an Ubuntu
PC - not intending to deceive anyone.) ;-))

From: Ant on
"T.H" wrote:

> www nirsoft net
>
> offers an IE password utility. It does get some hits on both VirusTotal
> and Jotti. The hits seem to suggest a "risky" application.

It and other utilities from Nirsoft are frequently used by malware to
steal information. So if you found it on your PC but hadn't put it
there, its presence would be suspicious. That's why it gets flagged.

The Nirsoft programs are ok and not dangerous.

(BTW, there's no alt.comp.spyware group so I removed it)


From: VanguardLH on
Ant wrote:

> "T.H" wrote:
>
>> www nirsoft net
>>
>> offers an IE password utility. It does get some hits on both VirusTotal
>> and Jotti. The hits seem to suggest a "risky" application.
>
> It and other utilities from Nirsoft are frequently used by malware to
> steal information.

Any program that goes beyond the simplistic GUI provided by the OS could be
classified as such. Claiming these utilities are incorporated into malware
would also mean SysInternals, TweakUI, X-Teq, Resplendence, Rekenwonder, or
any other utility that digs into, modifies, or augments the OS is also
employed by malware. They all give you a deeper level of access, control,
and monitoring than the simplistic GUI or included programs provided by the
OS. Hell, even many DOS-mode commands would also qualify because they can
be used by malware. Why did all my filetype associations disappear?
Because some malware used the 'assoc' command or code extracted from therein
to delete them. Even the system API for the OS would qualify since it
obviously gets used by malware code.

> So if you found it on your PC but hadn't put it there, its presence would
> be suspicious. That's why it gets flagged.

That would apply to ANY software that covertly appeared on your host. You
are saying that you wouldn't get suspicious if you found an FTP, telnet,
messenger, e-mail, or word processing program suddenly appeared in which you
never participated or authorized its installation?

> The Nirsoft programs are ok and not dangerous.

With that I agree.

From: VanguardLH on
T.H wrote:

> Perhaps slightly OT...
>
> www nirsoft net
>
> offers an IE password utility. It does get some hits on both VirusTotal
> and Jotti. The hits seem to suggest a "risky" application. Certainly
> that makes sense as it is intended to display hidden passwords in IE.
> But I have had occasion to need an IE-only supported password I did not
> write down.

Anti-virus programs that alert on Nirsoft are stuck with a decision that was
made a decade ago that hacker tools are bad and must be alerted upon
although they show up on the host through standard installers or by simple
extraction or copying that the *user* chose to put on their host. Hacker
tools are often denoted by anti-virus programs as "bad" despite garnering a
reputation over a decade of providing useful tools to the user. It also
seems quite arbitrary as to what AV programs class as hacker tools. I
haven't yet seen any of SysInternals get alerted upon (even before Microsoft
acquired the tool set) although it involves digging into the OS as deep or
deeper than Nirsoft.

This category of apps is often called PUPs (Probably Unwanted Programs) yet
every one that I've seen them alert on my hosts has been one that I
deliberately installed. The PUP is there because I *want* it there. You
could configure your AV program to eliminate it checking for PUPs or you
could get its alert and then have it add the wanted program to its exclusion
list.

You could always just go look for yourself at what are the Nirsoft utilities
(nirsoft.net) to judge for yourself. They have produced a respectable
collection of useful utilities but remain stigmatized with the old hacker
persona proliferated in movies and in television.

Are you saying that you never installed the Nirsoft utility and it just
appeared without your authorization?

From: David H. Lipman on
From: "T.H" <t1nf01l.h4t(a)notgoodemail.com>

| Perhaps slightly OT...

| www nirsoft net

| offers an IE password utility. It does get some hits on both VirusTotal
| and Jotti. The hits seem to suggest a "risky" application. Certainly
| that makes sense as it is intended to display hidden passwords in IE.
| But I have had occasion to need an IE-only supported password I did not
| write down.

| Do any of you have any comments on this particular utility?

| Thanks in advance.

| T.H (same as other T.H posting from Windows PC - this one is an Ubuntu
| PC - not intending to deceive anyone.) ;-))

It is a risk tool but not malware in the traditional sense.

It can be considered malware if used maliciously. However, it can also be used
legitimately.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp