Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel

Premium Member

Why is this software dangerous?

I've posted this before but I never got a good answer, so if no one minds I'm going to try again hoping perhaps someone has a new perspective or something.

NirSoft's WirelessNetView.exe found here:
»www.nirsoft.net/utils/wi ··· iew.html

Keeps getting flagged by my anti-virus app as a PUP. Now I know I can turn off searching for PUPs and I know I can enter it in the list of exclusions. So thanks in advance for telling me that

But my question is ... why does it get flagged at all? From what I can see all it does is tell you what wireless networks there are in your area around you. This seems pretty harmless to me so I'm guessing that I must be missing something here.

So if someone could please tell me how this is malicious I would appreciate it. If it would threaten people's security and you would rather not post that kind of thing here then that's fine but please then just post "yes, if you know how, this software can be used maliciously if you know what you are doing but I am not going to post why here because that would be telling someone how to do something malicious and we don't want to do that". That would be enough for me. I'll understand.

Or is it that the software itself is infected with something separate and apart from its stated purpose? Does it spy on people that use it or something? Trojan?

Ken1943
join:2001-12-30
Brighton, CO

1 recommendation

Ken1943

Member

False positive. Put it in the antivirus ignore list.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird to Sentinel

Premium Member

to Sentinel
Nirsoft creates a number of "utility" or "tool" programs that can get flagged by AVs for various coding reasons. In all cases I've run across, it's because the tool does something in a certain way that looks suspicious to an AV program, and it flags it. Nirsoft and their software have been around for years, though it's always wise to ask in a forum like this about such things. Whether Nirsoft's programs could somehow be written in a different way that doesn't get flagged and still do the job, I'll leave for others to argue... but they do work, they are safe, and I do just what Ken1943 suggests: put them in the AV ignore list.
psloss
Premium Member
join:2002-02-24

psloss to Sentinel

Premium Member

to Sentinel
Didya read this already?
»blog.nirsoft.net/2012/10 ··· me-tool/

MumRAR
@sky.com

MumRAR to Blackbird

Anon

to Blackbird
said by Blackbird:

Nirsoft creates a number of "utility" or "tool" programs that can get flagged by AVs for various coding reasons.

They are not F/p's and are NOT detected by behavioural analysis.

This is such a fudged topic, not helped by Nirsoft's persistent claims that they are F/p's or power users that decry F/p also.

2 scenarios: you are network admin using these tool(s) for end means to enable your job then they are legitimate tools.

2nd scenario, the tools are used by hacker who has just compromised a computer to gain data from the newly compromised computer and/or network.

AV's are tasked with protecting end users who like databases to think for them as opposed to "informed" power users who know what the tools are and why they are using them.

Since end users without a clue outnumber power users hands down then all these detections should stay to protect them.

It beggars belief that Nirsoft can't figure that for themselves or maybe they want their tools abused without any checkpoints.

HA Nut
Premium Member
join:2004-05-13
USA

1 recommendation

HA Nut to Sentinel

Premium Member

to Sentinel
PUP = Potentially Unwanted Program. Glad to see your antivirus classified it that way and no worse.

I agree with the others. The "goodness" of a PUP is in the mind of the beholder.
dsilvers
join:2009-05-17
Canyon Lake, TX

1 edit

1 recommendation

dsilvers to Sentinel

Member

to Sentinel
NirSoft tools are generally considered safe. It is always best policy to check MD5's and ask questions if you are concerned. ComboFix, a tool used to clean infections, was actually infected recently.

VirusTotal gets seven hits for WirelessNetView with all but one indicating Pups, Tools, Riskware and one generic detection.

I just ran it. No malware, trojan, virus, spyware or anything malicious dropped. No calling home to the mother ship. All this does is reveal wireless connections near you. I suppose it could be used for sniffing unprotected wireless connections. Just paranoid AV's.

Edit: for clarity

sbconslt
join:2009-07-28
Los Angeles, CA

1 recommendation

sbconslt to Sentinel

Member

to Sentinel
MumRar had the first best answer. These are signature detections, not heuristics. They flag Nir's utilities because they can be used by attackers to case a network. They can also be used for completely innocent purposes. Dynamite can also be used for mining and digging.

ZZZZZZZ
Premium Member
join:2001-05-27
PARADISE

1 recommendation

ZZZZZZZ to MumRAR

Premium Member

to MumRAR
quote:

Since end users without a clue outnumber power users hands down then all these detections should stay to protect them.

And most users [at least on this board] have known for years about Nirsoft's apps being flagged.

I use about a dozen of his apps.

Sportsfan
join:2012-03-26

Sportsfan

Member

I've been using Nirsoft's apps for years, never had a problem except one alert with MSE, although when I updated the app to the latest version, MSE no longer flagged it.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

1 recommendation

sivran to sbconslt

Premium Member

to sbconslt
said by sbconslt:

MumRar had the first best answer. These are signature detections, not heuristics. They flag Nir's utilities because they can be used by attackers to case a network. They can also be used for completely innocent purposes. Dynamite can also be used for mining and digging.

If everything that can be used by attackers was flagged, there'd be nothing left unflagged.
OZO
Premium Member
join:2003-01-17

2 recommendations

OZO

Premium Member

I bet attackers use dir or ls (depending on OS) too. Following that (IMHO, dumb) logic - the shell providing that should be flagged as PUP too, right? Some called that paranoia... :-(
OZO

OZO to Sentinel

Premium Member

to Sentinel
The best way to find out is to ask the developers of that particular AV. Why do they think it's anyhow dangerous and should be flagged? Here you'll get only speculations and a bunch of guesses...

Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

Dustyn to Sentinel

Premium Member

to Sentinel
Which anti virus program is flagging it as PUP?

sbconslt
join:2009-07-28
Los Angeles, CA

sbconslt

Member

Here is the virustotal analysis for the most current version of Nirsoft WirelessNetView.exe:

»www.virustotal.com/file/ ··· nalysis/

OP's scanner is, I'm guessing, Avast, which flags it as Win32:PSWtool-AP [PUP].
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to Dustyn

Premium Member

to Dustyn
Avira flags it. Always has.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

2 recommendations

AVD to dsilvers

Premium Member

to dsilvers
said by dsilvers:

Just paranoid AV's.

I think there is an undercurrent in the AV market that the more it detects, the better product it is. PUPs is just one way of inflating results. (another place you see this is the flagging of tracking cookies as the end of the world)
dsilvers
join:2009-05-17
Canyon Lake, TX

1 recommendation

dsilvers

Member

said by AVD :
PUPs is just one way of inflating results.

Yea, I agree. At least Antivir and Avast will let you turn off the PUP detection.

Mr Anon
@sbcglobal.net

Mr Anon to Sentinel

Anon

to Sentinel
To answer the question directly: It's because of the program's function. It will decrypt your wireless keys as you know and if you were to come across this on your system without your knowledge... PUP

It's just to bring your attention that it is located on your computer.
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

said by Mr Anon :

It will decrypt your wireless keys as you know and if you were to come across this on your system without your knowledge... PUP

Wait a sec. Isn't that what I want? And if I run it on my system, doesn't that mean that it runs with my permission (or, as you said, knowledge)?
Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel to Mr Anon

Premium Member

to Mr Anon
Wait a sec. Decrypt my wireless keys? That doesn't sound good. What does that mean exactly?

I was under the impression that the only thing this program does is to search your area for wireless networks that are in your area and displays them to you.

This is pretty much exactly what the tool that comes with every wireless NIC does; it shows you wifi networks in your area that you can connect to.
The only reason that I like the one from NirSoft is that it is more thorough and shows more information such as channels.
MrFixit1
join:1999-11-26
Madison, WI

MrFixit1

Member

Your impression is correct.
NirSoft does have other utilities that do "decrypt" passwords, but this one does not.

Just to throw out another thought about why a lot of anti-virus companies flag his utilities, might it have anything to do with the fact that they make it easy to track just what the programs are doing?
Na that couldn't have anything to do with it, all anti-virus companies are completely honest and above board.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to Sentinel

Premium Member

to Sentinel
Perhaps my memory mis-serves me, but back in the mid-late 90's, I recall Norton AV (which I used back then) for a time flagging any product from NirSoft simply because NirSoft also made a couple of password-retrieval programs. At the time, I had a couple of different NirSoft file tools on my Win95 system that kept tossing Norton alerts, and in digging into it, I vaguely recall that being the explanation. In any case, for reasons like that and others, NirSoft has been at odds with AV houses since the dawn of time, because of the nature and capabilities of some of their tools. Those tools might under some kinds of circumstances allow deeper system exploitation by a hacker... just as obtaining admin access would allow a hacker to do things on a system he might not be able to otherwise.
Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel to MrFixit1

Premium Member

to MrFixit1
Yeah, I definitely see that some of the tools there I don't want, like or need. And I could see how having them on your system could be a danger if you are not aware and sufficiently knowledgeable.

But what was confusing to me was that this particular tool seems totally harmless. All it appears to do is what any built in wifi nic tool does, only better and more thorough. So I could not for the life of me see why this particular tool was being flagged as being even simply potentially unwanted. I just don't see how it can be used maliciously any more than your standard wifi searching tool that comes with your NIC.

So I thought that this tool must have some other use that I am unaware of or the tool itself must be infected with some other hidden software that does something else.
However it is becoming increasingly clear to me by what many have stated here, that it looks as though this tool is only being flagged because the manufacturer of this tool has other tools which could be harmful. That seems kind of inaccurate to me.