WG & New Lavasoft Refupdate2.0

Discussion in 'WormGuard' started by Bouch, May 3, 2002.

Thread Status:
Not open for further replies.
  1. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    Greetings all! This is just FYI to any that may be interested. I downloaded and installed Lavasoft's new RefUpdate 2.0 for use with Adaware 5.8 from here: http://www.jamcomputerservices.com/fantom/download.htm (hope I did that right.), which is not a usual source for Adaware downloads to the best of my knowledge. When I ran the program in the usual way: Start/Programs/Lavasoft Refupdate/Ref Update 2.0, up came the Wormguard warning screen to indicate that the file had been temporarily blocked from executing. The shortcut is: "C:\Program Files\Lavasoft RefUpdate\UNWISE.EXE" /W1 "C:\Program Files\Lavasoft RefUpdate\INSTALL.LOG"
    and WG identifies this as a "Suspicious File Name - Multiple File Extensions". I would attach a jpeg of the screen shot (I made one), but I don't know how. In any event, I gave permission for the file to run anyway, and everything worked just fine. Trust that my experience won't be the exception. (Don't you just hate it when something only happens in your case, nobody else's?) Regards.

    Bob
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hmmm, the way you display the names here, they seem just ordinary install and uninstall files, but I wonder if you were able to copy and paste that part from the window
    where it says what the real file names are. (highlight/clipboard, etc)
    If it was something like install.5.8.exe or something like that it would be clear, but now I'm puzzling too!
     
  3. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    Hi Jooske. Yeh, it's weird isn't it. If you right click on RefUpdate 2.0 in the Programs menu and then Properties, the target is identified as specified in my original post. I simply copied it to Notepad for inclusion in my post. Never seen anything quite like it. When I first saw it, I thought that it was going to do an uninstall.

    If you go to the Lavasoft Ref Update folder and launch RefUpdate2.0.exe, you get the same warning from Wormguard temporarily blocking execution based on two file extensions.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    RefUpdate2.0.exe: this one has a multi extension.
    If you right-click scan the files or the whole Lavasoft directory, does any of your scanners come up with any other warning?
    I have difficulty thinking a file like install.log in a zip RefUpdate2.0.exe and the unwise.exe would show up themselves as suspicious. Are there more files included in that RefUpdate or just those two?
    Are you sure the program exe to run Lavasoft itself is called RefUpdate.2.0.exe or only the update program?
     
  5. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    Risk Assessment: Re: WG & New Lavasoft Refupdate2.0

    RefUpdate 2.0 is a separate program from Adaware 5.8. Each is downloaded, installed and launched separately, and the user cannot access one from the other. Actually, I always thought that it would be nice to be able to update the database from inside Adaware itself, but that ability is not provided.

    Anyway, whether you launch RefUpdate 2.0 from the programs menu or by opening RefUpdate 2.0.exe in the folder C:\Program Files\Lavasoft RefUpdate, Wormguard issues the warning:

    Risk Assessment: Uncertain

    *> Suspicious Filename - Multiple File Extensions.
      This filename appears to have 2 file extensions.
      The REAL file extension is: .EXE

    which I don't understand. There is a total of 8 files in the C:\Program Files\Lavasoft RefUpdate folder as follows: reffile.awr; reflist.bak; reflist.sig; example.bat; Install.log; Read me.txt; RefUpdate 2.0.exe; and Unwise.exe.

    Are you an Adaware user Jooske? If so, give it a try yourself and see what happens. I have done a file scan with NAV2002, TDS-3 and TrojanHunter, and none of the three report any suspicious files. Regards.

    Bob
     
  6. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    Very interesting.  Within the space of about 3 days, Lavasoft replaced Ad-aware release 5.80 with release 5.81 and changed the executable in their RefUpdate software which, of course, changed all of the above.  I can only wonder what they were thinking (or smoking?) with their original releases.  Certainly moved to replace them very quickly.
     
  7. Raygun

    Raygun Registered Member

    Joined:
    Apr 24, 2002
    Posts:
    31
    Location:
    The Beach!
    Do you think wormguard was seeing the RefUpdate2.0.exe as a double or possible fake extension due to the (2.0) just before the (.exe)  o_O?
     
  8. Bouch

    Bouch Registered Member

    Joined:
    Apr 14, 2002
    Posts:
    26
    Location:
    Toronto Canada
    Yeh, that's exactly what was happening.  What I also find interesting is that the new RefUpdate folder contains both the original executable RefUpdate 2.0.exe (which WG blocked because it saw two extensions) and the new RefUpdate.exe. Why it would contain both, I have no idea.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    More WormGuard users complaining?
    Maybe other programs block that too.
    For me it is strange if I have an UpdateProgram2.0.exe as a self extractor, the working executable of the extracted program would have the same name, that would be UpdateProgram.exe or UP20.exe would be acceptable, but not the same as the extracting thing.
    Think this is what they corrected. (hope).
     
  10. controler

    controler Guest

    Me thinks WG warns of any more than one file extension and yes, 2.0.exe is what WG is thinking is a double extension. It is pretty tough to make any program that doesn't require some user input.

    Over?
     
  11. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Bob:
    I had EXACTLY the same problem. Because I had Adaware 5.81 I had to get new Refupdate and WG blocked it as multiple file extensions.

    It is reading the 2.0.exe [. being the extra] as multiple.

    Now I TRIED to resolve this by adding Refupdate2.0.exe to the 'allowed' list, but NO go. Still blocks.
    I even tried copying the Refupdate file then changing its name, but WG still grabbed it.

    I tried several ways of listing that file in the 'allowed' list but no go.

    Soooooooooooooooo, I just open it, then allow WG to run it. Not the best, but still works.
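
The false positive discussed in this thread, as an added example that is not part of any post and is not WormGuard's actual logic: a naive "two dots" check flags `RefUpdate 2.0.exe`, while a refined check separates a dotted version number from a decoy extension placed in front of an executable one. The extension lists, function names and the two masquerading file names are assumptions constructed for illustration.

```python
import re

# Assumed lists for illustration only; WormGuard's real lists are not on the page.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "lnk"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "zip", "mp3", "htm", "xls"}
VERSION_TAIL = re.compile(r"\d+\.\d+$")  # e.g. the "2.0" in "RefUpdate 2.0"


def naive_flag(filename):
    """The behaviour reported in the thread: two or more dots means 'multiple extensions'."""
    return filename.count(".") >= 2


def classify(filename):
    """Return 'ok', 'version-like' or 'suspicious' for a bare file name."""
    base, dot, real = filename.strip().rpartition(".")
    if not dot or "." not in base:
        return "ok"  # zero or one extension
    real = real.strip().lower()
    # Padding spaces before the real extension hide it in narrow displays, so strip them.
    inner = base.rpartition(".")[2].strip().lower()
    if real not in EXECUTABLE_EXTS:
        return "ok"
    if inner in DECOY_EXTS:
        return "suspicious"  # document/media extension in front of an executable one
    if VERSION_TAIL.search(base.strip()):
        return "version-like"  # dotted version number, not a second extension
    return "ok"  # other dotted names: no decoy extension present


# File names listed in the thread, plus two constructed masquerading names.
THREAD_FILES = ["reffile.awr", "reflist.bak", "reflist.sig", "example.bat", "Install.log",
                "Read me.txt", "RefUpdate 2.0.exe", "Unwise.exe", "RefUpdate.exe"]
CONSTRUCTED = ["invoice.pdf.exe", "photo.jpg      .scr"]


def compare(names):
    """Map each name to (naive verdict, refined verdict)."""
    return {n: (naive_flag(n), classify(n)) for n in names}


if __name__ == "__main__":
    for name, (naive, refined) in compare(THREAD_FILES + CONSTRUCTED).items():
        print(f"{name!r:24} naive={naive!s:5} refined={refined}")
```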
     