Comodo warnings about Metageek Inssider

Discussion in 'other software & services' started by TheWindBringeth, Feb 22, 2013.

Thread Status:
Not open for further replies.
  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I needed an AP sniffer on someone's Windows 7 Pro x64 highly-likely-to-be-clean computer and decided to give Metageek Inssider a go after scanning the exe with local AV and also checking its hash at VT. I went with the latest, which IIRC was 2.1.6.1394. It installed without significant warnings but things got interesting when I ran it. The first Comodo 5.12 alert:

    Modify Key HKUS\XXXXX\Software\Microsoft\SystemCertificates\My

    suggested to me that it was attempting to modify certificates in the current user's personal certificate store so I disallowed that. The program didn't die and I continued to see numerous suspicious looking alerts until it finally terminated. Then I grabbed the Comodo log (there were 76 blocked actions) and quickly deduped the entries which also reordered them alphabetically, but here is that list of unique blocked inssider.exe actions:

    ATM I don't suspect other software, malware, was involved. However, I need to try to understand this and wanted to ping any of you that have installed and used this software (on a Windows 7 computer, ideally).

    Do you see any certificates that it installed? Have you seen similar alerts when installing/using it, or do you now if you temporarily delist it as trusted? I don't know why it would be trying to modify certificate related registry keys. Perhaps it is opening keys with greater than necessary permissions or Comodo is confused or whatever. Any input you might have would be appreciated. Thanks.
     
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I was able to give this another go; this time using procmon to capture and look at more activity, looking, for example, at the stacks when those registry keys were accessed. They looked similar enough to examples of .NET certificate checking for signed assemblies that I think that is what was going on. There is one signed assembly DLL that ships with Inssider. I eventually ran the program and allowed all Comodo-alerted actions while keeping it firewalled, as I didn't think Internet access would be necessary. I didn't see anything I think requires follow-up.

    A less than professional grade analysis, but good enough I hope.
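As an added example (not code from the thread, from Metageek or from Comodo), the two checks the first post asks about and the second post performed by hand can be scripted from a PowerShell prompt: snapshot the current user's personal certificate store before installing (Cert:\CurrentUser\My is the provider view of the HKCU\Software\Microsoft\SystemCertificates\My key Comodo alerted on), diff it afterwards, and list which files in the install folder carry an Authenticode signature and from which signer, together with a SHA-256 to compare against VirusTotal. The install path and snapshot file name are assumptions; the .NET hashing helper is used instead of Get-FileHash so the script also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example for this thread; not Metageek's, Comodo's or the poster's code.
# Assumed install location and snapshot file; change both to match your system.
$InstallDir = 'C:\Program Files (x86)\MetaGeek\inSSIDer'
$Snapshot   = Join-Path $env:TEMP 'currentuser-my-before.csv'

function Save-MyStoreSnapshot {
    # Run BEFORE installing or starting the program under test.
    param([string]$Path = $Snapshot)
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter |
        Export-Csv -Path $Path -NoTypeInformation
    "Saved $(@(Import-Csv -Path $Path).Count) certificate(s) to $Path"
}

function Compare-MyStoreSnapshot {
    # Run AFTER: lists certificates in the personal store that were not in the snapshot.
    param([string]$Path = $Snapshot)
    $before = @(Import-Csv -Path $Path | ForEach-Object { $_.Thumbprint })
    $added  = @(Get-ChildItem -Path Cert:\CurrentUser\My |
                Where-Object { $before -notcontains $_.Thumbprint })
    if ($added.Count -eq 0) {
        'No new certificates in Cert:\CurrentUser\My'
    } else {
        $added | Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter |
            Format-Table -AutoSize
    }
}

function Get-Sha256Hex {
    # Hex SHA-256 of a file via .NET (works on PowerShell 2.0, which lacks Get-FileHash).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-InstallDirSignatures {
    # Report the Authenticode status and signer of every EXE/DLL in the folder.
    # A validly signed .NET assembly is the benign explanation the second post
    # reached: the runtime evaluates the publisher's certificate chain on load,
    # which touches the user's certificate stores in the registry.
    param([string]$Dir = $InstallDir)
    Get-ChildItem -Path $Dir -Recurse -Include *.exe, *.dll | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        $thumb  = ''
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            $thumb  = $sig.SignerCertificate.Thumbprint
        }
        New-Object PSObject -Property @{
            File   = $_.Name
            Status = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
            Thumb  = $thumb
            SHA256 = Get-Sha256Hex -Path $_.FullName   # compare with the VT report
        }
    } | Format-Table File, Status, Signer, Thumb, SHA256 -AutoSize
}

# Usage (assumed sequence):
#   Save-MyStoreSnapshot        # before the install
#   ... install and run the program, answer the HIPS alerts ...
#   Compare-MyStoreSnapshot     # did anything land in the personal store?
#   Test-InstallDirSignatures   # which files are signed, by whom, and their hashes
```

A signed assembly showing Status Valid alongside an empty result from Compare-MyStoreSnapshot is consistent with the procmon finding above: certificate chain validation reads and may touch the user store keys without adding a certificate. A new entry in the diff, or a HashMismatch status on a shipped file, is the case that would warrant further follow-up.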
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Thanks for posting back your findings
     