Caveat- Microsoft Press web site

Discussion in 'other software & services' started by Howard Kaikow, Sep 19, 2009.

Thread Status:
Not open for further replies.
  1. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Using Firefox, I went to the MSFT Press web site to see what they had for Windows 7.

    One of the links was

    http://www.microsoft.com/learning/en/us/Book.aspx?ID=13487&locale=en-us

    When I clicked on the link, I got gibberish, i.e., Firefox did not process the HTML.

    So I copied the link into IE 6 and found that in addition to the usual ActiveX controls messages, according to Kaspersky Auntie Virus, the web site was trying to install/use new DLLs.

    So beware when trying to use that web site unless you are willing to have DLLs added just to peruse the web site.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Other than that particular link, how does the rest of the site work with your browsers?
     
    Last edited: Sep 20, 2009
  3. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I have no time to investigate the site.

    I'll wait until the Windows 7 books are published, likely within the next 3 weeks, and go back to check for particular books.

    I just wanted to warn folks that DLLs might get installed if your AV software does not have the proper options set.

    I can see the need for running Javascript or PHP, but not installing a DLL to just peruse a web page.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Which dll files try to install?
     
  5. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I did not make a list.

    Kaspersky AV pops up a warning on each one.
    To detect this, you would need to use an AV that provides such warnings.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Interesting. Anyone else seeing this using IE6?
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,940
    Location:
    U.S.A.
    Howard Kaikow, do you have the IE Tab add-on for FF? Switching to IE mode, the page renders as it should in Firefox, without any downloads.

    In my IE6, the page renders without any ActiveX warnings, but I do have Microsoft set in the Trusted Zone and my AVG Anti-virus does not indicate any downloads. Just FYI.
     
  8. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I will not install an IE tab in FF. If needed, I can use Opera in IE mode. Hmmm, I should try the link in Opera, but first I'll post this.

    I have IE 6 options set to ask me each time an attempt is made to use ActiveX. Most folks likely have that warning disabled. I only use IE when forced to by the web site, e.g., for Windows/Office updates. There are very few other web sites that I MUST deal with that require use of IE.

    In order to see the messages about the downloads, your AV has to have the ability to detect such download attempts.

    Do not know what AVG detects.
    Check the options.

    I can disable the checks in Kaspersky, but why would I do so?
     
  9. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Opera does not have these issues.

    I just tried in IE 6 again.

    I still get the pop ups from Kaspersky, but Kaspersky is now automatically blocking the change to the DLLs.

    The message for the first one is:

    9/20/2009 00:26:02 J:\Program Files\Internet Explorer\iexplore.exe Attempt to load a new or modified module J:\Winnt\system32\PNGFILT.DLL into process.

    The file is the IE PNG plugin image decoder.
    Created on 29 Aug 2002, last modified on 26 June 2009.

    Maybe these are updated DLLs that do not get updated by Windows update, and IE 6 wants to install an update.

    In any case, as long as the AV complains, I'll not allow the DLL to be updated/installed.

    I could try IE 8 on another computer with KIS 2009, instead of KAV 7.0.1.325.
     
  10. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The problem does not occur on a Vista system with IE 8 and KIS 2009 (8.0.0.506) with latest KIS updates.

    The problem occurs on a Windows 2000 system with IE 6 and KAV 7.0.1.325 with latest KAV updates. An AV needs options to detect such cases, I expect that not all AVs will do so, especially the free AVs.

    However, on both systems, Firefox cannot render the page.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    My IE6 on Win2K is configured to permit everything. Here is one of the cache directories:

    cache1.gif

    The second item is not a true dll (binary executable), rather, a text file:

    cache-ads.gif

    A search for that filename brings up lots of links about ADS (Ad Delivery Service) which Microsoft seems to have used for many years.

    ----
    rich
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I didn't see any attempt to update that dll on my Win2K system with IE6.

    ----
    rich
     
  13. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The issue is not what IE 6 permits.

    The issue is whether the AV program is flagging an attempt to install a new/modified version of a DLL. If one uses Opera or Firefox, those DLLs would not be used.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm using IE6 and I got no alert about installing an updated DLL.

    ----
    rich
     
  15. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The issue is lack of understanding on part of the user. As Rmus has shown, that "DLL" is a text file instead of a binary.
     
  16. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    That's a function of the AV program you use and the options that you have selected in the AV.

    Kaspersky includes an option called Proactive Defense.
    Within KAV 7.0.1.325, Proactive Defense includes options that I can disable/enable:

    Application Activity Analyzer (I believe that this is the one that flags attempts to change DLLs)

    Application Integrity Control

    Registry Guard

    I've been using Kaspersky for about 4 years. When I investigated using Kaspersky, my recollection is that not many AVs had such extensive checking, the free AVs even less so.
     
  17. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    PNGFILT.DLL is NOT a text file, it is a real DLL.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, I don't use an AV but I checked and nothing has been updated:

    cache-dlls.gif

    Anyway, no new executable, DLL or otherwise, can install without my permission. I tested by attempting to download the updated version of this DLL:

    cache-ae2.gif

    ----
    rich
     
  19. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,940
    Location:
    U.S.A.
    My AVG Resident Shield does detect download attempts and I have it set to scan files with the following extensions: ;386; ASP; BAT; BIN; BMP; BOO; CHM; CLA; CLAS*; CMD; CNM; COM; CPL; DEV; DLL; DO*; DRV; EML; EXE; GIF; HLP; HT*; INI; JPEG*; JPG; JS*; LNK; MD*; MSG; NWS; OCX; OV*; PCX; PDF; PGM; PHP*; PIF; PL*; PNG; POT; PP*; SCR; SHS; SMM; SYS; TIF; VBE; VBS; VBX; VXD; WMF; XL*; XML; ZL* and will even scan files without any extension.

    Also, I have set Windows Defender, with SpyNet membership, to alert me on any system changes as well. No contemporaneous updates on DLLs when looking at that page.

    FYI. I run WinXP and have 2 pngfilt.dll (C:\WINDOWS\system32 - modified 06/26/09 and C:\WINDOWS\ServicePackFiles\i386 - modified 08/04/04).
     
  20. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    That's not true.

    Unless prevented by the OS, or an AV program, or ..., there are ways to replace DLLs programmatically. A standard download cannot, but there are ways to do this programmatically.
     
  21. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The AV has to do more than detect downloads.

    It has to determine whether the download is attempting to add a new/modified DLL.

    It is also possible that this is a Windows 2000 and IE 6 specific issue with KAV 7.0.1.325.
     
  22. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,940
    Location:
    U.S.A.
    Perhaps that could be the case and that's why I don't see it. If any Wilders member has this OS, Browser & AV configuration, please respond.
     
  23. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    If a tree falls, will you not believe it, unless you see the tree fall?

    It is KAV 7.0.1.325 that issues the warning.
    I cannot install IE 7 or 8 on a Windows 2000 system, so I cannot check whether the issue is related to Win 2000.

    I would expect that the PNGFILT.DLL is used by IE 6 in Win 2000 and other OS as well.

    However, each AV will work differently, and may work differently in each OS.
    Each AV may, or may not, flag attempts to add new/modified DLLs.

    In Vista, with IE 8, there may be no need to modify the DLLs, so they are not flagged by KIS 2009. Perhaps, that is also true of IE 6 in XP.

    The real points of this thread are that one should NOT disable prompts/warnings in AV programs, and that, sigh!, MSFT continues to not verify that their web pages work in Firefox.

    When I first started using Kaspersky several years ago, I quickly found that it did a much more exhaustive scan than the other AV I had previously used (NAV up until, and including, 2006, McAfee versions 10 and 11). I also temporarily used NIS 2008, but never did any scans, it's a looong story.

    As of now, I have enough KAV licenses to last until early 2016, should I live that long. And enough KIS licenses to last until 2014, should I live that long.
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Download the dll file and then use the "file" command from the gnutils port for Windows and see what comes up. You'll then know the exact filetype ...
    Mrk
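
The file-type check suggested in this post, and the "true dll versus text file" distinction drawn earlier in the thread, can be made by reading the file's headers rather than trusting its extension. The sketch below is an added example, not code from any poster; the function names `classify` and `build_pe_stub` are hypothetical and the sample bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header


def classify(data: bytes) -> str:
    """Return 'pe-dll', 'pe-exe', 'text' or 'unknown' for raw file bytes."""
    # A PE image starts with a DOS header: 'MZ', with e_lfanew at offset 0x3C
    # pointing to the 'PE\0\0' signature and the 20-byte COFF header after it.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # Characteristics is the last 2 bytes of the COFF header.
            (flags,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
            return "pe-dll" if flags & IMAGE_FILE_DLL else "pe-exe"
    # Not a PE image: call it text if it is almost entirely printable ASCII.
    sample = data[:4096]
    printable = sum(b in (9, 10, 13) or 32 <= b <= 126 for b in sample)
    if sample and printable / len(sample) >= 0.95:
        return "text"
    return "unknown"


def classify_file(path: str) -> str:
    """Classify a file on disk from its first 64 KiB."""
    with open(path, "rb") as fh:
        return classify(fh.read(65536))


def build_pe_stub(characteristics: int) -> bytes:
    """Constructed sample: the smallest header layout classify() accepts."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(classify(build_pe_stub(0x2002)))           # header marked as a DLL
    print(classify(b"var slot = 'banner';\r\n"))     # text saved as *.dll
```
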
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That is not what you stated earlier - you referred to "install":

    AV is not the only way to block installations of new executables.

    Do you really believe that Microsoft updates DLLs programmatically? That would take some rather creative programming to accomplish just by visiting a web site.

    Anyway, according to my screen shot above, my DLL was not modified, Win2K + IE6, so something particular to your system has caused the results you observe.

    It seems to me that you should ask for verification of what you observed before assuming it applies to everyone with Win2K + IE6!

    ----
    rich
     