Sumatra PDF - suspicious activity?

When I went to update it the other day I noticed suspicious activity. My Comodo D+ starting throwing up all kinds of shady looking alerts. Sumatra was trying to take all sorts of liberties that I wouldn't allow anything on my computer to take... accessing the memory of things like (i.e. lsass, csrss, winlogon, svchost, etc...) basically asking to take free reign over my system.

I was shocked, and naturally declined it all. I thought maybe upon trying to update I had somehow been redirected to a rouge site and got a bad install, so I made sure I was at the right site and tried it again... same results.

I uninstalled it, and am looking for a new PDF Reader.

Has anyone else noticed such activity?

 

could it not have been because of sumatra wanting to install shell extensions and take over as the default PDF reader and to automatically check for updates? or maybe it needs access to those modules to enable touch gestures support which sumatra has?

 

Can't say I ever have. 0_o weird

 

I'm not saying that is impossible but Sumatra PDF is OPEN SOURCE. You can download the source code and check it yourself to see if it hides something.

 

It's hard to examine sources for trojan code. There have been cases where open source projects have been compromised by malicious third parties - it's not that common, but it has happened.

Maybe it would be worthwhile to notify the program's author?

 

I find it very hard to believe that the author of this software would include anything nefarious. I've been using this for years and he is very responsive to any concerns or problems:

http://forums.fofou.org/sumatrapdf/

 

Perhaps the site was hacked and installers replaced with malware, this happened not too long ago to uTorrent.

 

This is precisely why I use a HIPS (and outbound FW). A perfectly legit app one day can become rogue the next. And not in all cases purposely (i.e. UTorrent). I also do not believe the author of Sumatra would do it willingly.

I trust everything I have on my computer, and in cases like mine HIPS have very little value. Situations like this remind me of exactly why I still have it in my arsenal. That thing you trust could become compromised. And without flags like that going up, how would you know? Not all malware cripples your system. Some just sit back, collect some data, then cling to another (trusted) app to send it back to some lair.

It addition to the Windows processes I listed, it was also trying to gain access to the memory of several other programs: namely Comodo FW itself. It all looked very shady. I've never seen anything request the types of privileges it was seeking. It was basically saying: "Will you allow this program to have free reign over your system?"

But until more people start chiming in saying they notice the same thing, I don't wanna raise too big a stink over it. But then again I'm not sure many use it. And of those that do, who has HIPS set very sensitively? And of those, who tried to update Sumatra PDF lately? And of those, who would take the time to post about it in here to warn others? When you weed through all that criteria... I may be the only one.

 

It would be more helpful if you could provide details: screenshots, logs etc. of comodo before here anyone gets panic. Without that, all is speculation without sense.
I just installed Sumatra 2.1.1. and there was no suspicious activity:

Files were extracted to install dir, registry entries for shell extension were created. And that was all.
http://www.abload.de/img/20120624153541xz261.jpg

(I did't choose the advanced options to make sumatra the default pdf reader or do integrate it into windows search)

 

At the time it didn't really occur to me to take screenshots of it. I imagine this applies to most people. That hardly invalidates their experiences. I'm not trying to create any panic here, just warn (and potentially help) people. Is that not what this place is about? And I even stated in my post (if you got that far) that I didn't want to into a big issue until more people could reproduce it.

But sadly when you do so, there are always fan boys that will attack you for it, deem it "baseless" or whatnot because you don't have a polaroid. I'm not saying this applies to you. If the shoe fits, wear it... just saying in general.

Anyone that's familiar with my posts in here knows this isn't something I'd conjure out of thin air to hate on something. In fact, I'm as anti-hater/fanboy as they come. Crap like that is a pet peeve to me.

And FWIW, I did click on the advanced options. Not sure why that would set off that chain of events though?...

 

Do you realize this post of yours is number 666!

Best regards,

 

@luciddream
It wasn't to attack you, sorry if you felt so.

I was only trying to say that without any details of comodo's messages nobody can really give you answers. So you will only get some speculation f.e. "perhaps the site was hacked..."

But it seems nobody (until I jumped in) in this thread has made the effort to retest it and log what sumatra does. For me (used the installer from official site) there was nothing suspiciuous, even with advanced options enabled. (no access to sass, csrss, winlogon, svchost...).

Maybe you run it again and give us some log of comodos messages?

€: and btw. - what have the fanboys to do with all that

 

It's a normal reaction not to take screenshots. First you need to solve the problem, and screenshots are not the first thing that comes to mind when you have a potential malware issue.
However, if you want to investigate the issue, you can start by trying to reproduce it in a controlled environment (VM for instance) and see if you can find out about it. And then you can take screenshots too, if you find something suspicious.