SuperAntiSpyware Update Issue

[dale@nowhere.not]

I have the professional version of SuperAntiSpyware. I also use
Kaspersky Internet Security. The KIS firewall opens a popup whenever
SAS checks for updates and says " Executable file has changed".

For some reason, SSUPDATE.EXE does not run from its installed folder,
but is copied to a temp folder each time it is used, then run from the
temp folder. KIS firewall thinks a "new" version is bing run and
wants to prevent it.

Why is this method used for SAS update? I can't find a setting for
KIS, sort of disabling it, the prevent the KIS popup.

Dale

[Robin T Cox]

On Sat, 02 Jun 2007 14:43:11 -0600, dale wrote:

> I have the professional version of SuperAntiSpyware. I also use
> Kaspersky Internet Security. The KIS firewall opens a popup whenever
> SAS checks for updates and says " Executable file has changed".
>
> For some reason, SSUPDATE.EXE does not run from its installed folder,
> but is copied to a temp folder each time it is used, then run from the
> temp folder. KIS firewall thinks a "new" version is bing run and
> wants to prevent it.
>
> Why is this method used for SAS update? I can't find a setting for
> KIS, sort of disabling it, the prevent the KIS popup.
>
> Dale

Doesn't every software firewall do this? I now use a router with a
built-in firewall, but when I was using a modem I used a Kerio software
firewall. The Kerio firewall always checked after an upgrade in my spyware
(and some other) software, to see if the change was intended by me, or
whether it was the result of malware.

[dale@nowhere.not]

On Sat, 02 Jun 2007 20:53:54 GMT, Robin T Cox <nomail@nomail.net>
wrote:

>On Sat, 02 Jun 2007 14:43:11 -0600, dale wrote:
>
>> I have the professional version of SuperAntiSpyware. I also use
>> Kaspersky Internet Security. The KIS firewall opens a popup whenever
>> SAS checks for updates and says " Executable file has changed".
>>
>> For some reason, SSUPDATE.EXE does not run from its installed folder,
>> but is copied to a temp folder each time it is used, then run from the
>> temp folder. KIS firewall thinks a "new" version is bing run and
>> wants to prevent it.
>>
>> Why is this method used for SAS update? I can't find a setting for
>> KIS, sort of disabling it, the prevent the KIS popup.
>>
>> Dale
>
>Doesn't every software firewall do this? I now use a router with a
>built-in firewall, but when I was using a modem I used a Kerio software
>firewall. The Kerio firewall always checked after an upgrade in my spyware
>(and some other) software, to see if the change was intended by me, or
>whether it was the result of malware.

Most firewalls will check for critical SW executable changes. In this
case, SAS update isn't changed, it is just loaded into another
location, then executed. That is the sequence the firewall does not
like.

[Nick Skrepetos]

On Jun 2, 1:43 pm, d...@nowhere.not wrote:
> I have the professional version of SuperAntiSpyware. I also use
> Kaspersky Internet Security. The KIS firewall opens a popup whenever
> SAS checks for updates and says " Executable file has changed".
>
> For some reason, SSUPDATE.EXE does not run from its installed folder,
> but is copied to a temp folder each time it is used, then run from the
> temp folder. KIS firewall thinks a "new" version is bing run and
> wants to prevent it.
>
> Why is this method used for SAS update? I can't find a setting for
> KIS, sort of disabling it, the prevent the KIS popup.
>
> Dale

You should be able to set KIS to "trust/allow" the SSUPDATE.EXE. The
updater would only be run once every 8 hours.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

[Dale]

Nick Skrepetos wrote:
> On Jun 2, 1:43 pm, d...@nowhere.not wrote:
>> I have the professional version of SuperAntiSpyware. I also use
>> Kaspersky Internet Security. The KIS firewall opens a popup whenever
>> SAS checks for updates and says " Executable file has changed".
>>
>> For some reason, SSUPDATE.EXE does not run from its installed folder,
>> but is copied to a temp folder each time it is used, then run from the
>> temp folder. KIS firewall thinks a "new" version is bing run and
>> wants to prevent it.
>>
>> Why is this method used for SAS update? I can't find a setting for
>> KIS, sort of disabling it, the prevent the KIS popup.
>>
>> Dale
>
> You should be able to set KIS to "trust/allow" the SSUPDATE.EXE. The
> updater would only be run once every 8 hours.
>
> Nick Skrepetos
> SUPERAntiSpyware.com
> http://www.superantispyware.com
>

That doesn't help, Nick. I have tried every way to "trust/allow"
SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
nothing prevents it being flagged. The fact that you always copy it to
the Temp directory sets off KIS 7.0 alarm.

Kaspersky still says the flag is normal because the .exe is being
changed. This KIS v7.0 is still in Beta, but will be final-released
later this month.

Dale

[Nick Skrepetos]

On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
> Nick Skrepetos wrote:
> > On Jun 2, 1:43 pm, d...@nowhere.not wrote:
> >> I have the professional version of SuperAntiSpyware. I also use
> >> Kaspersky Internet Security. The KIS firewall opens a popup whenever
> >> SAS checks for updates and says " Executable file has changed".
>
> >> For some reason, SSUPDATE.EXE does not run from its installed folder,
> >> but is copied to a temp folder each time it is used, then run from the
> >> temp folder. KIS firewall thinks a "new" version is bing run and
> >> wants to prevent it.
>
> >> Why is this method used for SAS update? I can't find a setting for
> >> KIS, sort of disabling it, the prevent the KIS popup.
>
> >> Dale
>
> > You should be able to set KIS to "trust/allow" the SSUPDATE.EXE. The
> > updater would only be run once every 8 hours.
>
> > Nick Skrepetos
> > SUPERAntiSpyware.com
> >http://www.superantispyware.com
>
> That doesn't help, Nick. I have tried every way to "trust/allow"
> SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
> nothing prevents it being flagged. The fact that you always copy it to
> the Temp directory sets off KIS 7.0 alarm.
>
> Kaspersky still says the flag is normal because the .exe is being
> changed. This KIS v7.0 is still in Beta, but will be final-released
> later this month.
>
> Dale- Hide quoted text -
>
> - Show quoted text -

KIS should recognize the EXE is not changing, it's the same file each
time, with same MD (fingerprint).

-Nick

[Dale]

Nick Skrepetos wrote:
> On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
>> Nick Skrepetos wrote:
>>> On Jun 2, 1:43 pm, d...@nowhere.not wrote:
>>>> I have the professional version of SuperAntiSpyware. I also use
>>>> Kaspersky Internet Security. The KIS firewall opens a popup whenever
>>>> SAS checks for updates and says " Executable file has changed".
>>>> For some reason, SSUPDATE.EXE does not run from its installed folder,
>>>> but is copied to a temp folder each time it is used, then run from the
>>>> temp folder. KIS firewall thinks a "new" version is bing run and
>>>> wants to prevent it.
>>>> Why is this method used for SAS update? I can't find a setting for
>>>> KIS, sort of disabling it, the prevent the KIS popup.
>>>> Dale
>>> You should be able to set KIS to "trust/allow" the SSUPDATE.EXE. The
>>> updater would only be run once every 8 hours.
>>> Nick Skrepetos
>>> SUPERAntiSpyware.com
>>> http://www.superantispyware.com
>> That doesn't help, Nick. I have tried every way to "trust/allow"
>> SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
>> nothing prevents it being flagged. The fact that you always copy it to
>> the Temp directory sets off KIS 7.0 alarm.
>>
>> Kaspersky still says the flag is normal because the .exe is being
>> changed. This KIS v7.0 is still in Beta, but will be final-released
>> later this month.
>>
>> Dale- Hide quoted text -
>>
>> - Show quoted text -
>
> KIS should recognize the EXE is not changing, it's the same file each
> time, with same MD (fingerprint).
>
> -Nick


I'll try again to convince Kaspersky that it should not be flagged, but
I doubt I'll have any better luck this time.

Dale

[Ron Lopshire]

Nick Skrepetos wrote:

> On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
>
>>Nick Skrepetos wrote:
>>
>>>On Jun 2, 1:43 pm, d...@nowhere.not wrote:
>>>
>>>>I have the professional version of SuperAntiSpyware. I also use
>>>>Kaspersky Internet Security. The KIS firewall opens a popup whenever
>>>>SAS checks for updates and says " Executable file has changed".
>>
>>>>For some reason, SSUPDATE.EXE does not run from its installed folder,
>>>>but is copied to a temp folder each time it is used, then run from the
>>>>temp folder. KIS firewall thinks a "new" version is bing run and
>>>>wants to prevent it.
>>
>>>>Why is this method used for SAS update? I can't find a setting for
>>>>KIS, sort of disabling it, the prevent the KIS popup.
>>
>>>You should be able to set KIS to "trust/allow" the SSUPDATE.EXE. The
>>>updater would only be run once every 8 hours.
>>
>>That doesn't help, Nick. I have tried every way to "trust/allow"
>>SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
>>nothing prevents it being flagged. The fact that you always copy it to
>>the Temp directory sets off KIS 7.0 alarm.
>>
>>Kaspersky still says the flag is normal because the .exe is being
>>changed. This KIS v7.0 is still in Beta, but will be final-released
>>later this month.
>
> KIS should recognize the EXE is not changing, it's the same file each
> time, with same MD (fingerprint).

What exactly is going on with the EXE, Nick? Even though the file is the
same, does the EXE get moved to a temporary location, and then back again?

KL's response is that the EXE changes, therefore you get a popup. This
is how KIS/KAV works with all other executables. If I move any other EXE
file to a temporary folder, and then back again, the EXE gets flagged
even though the file itself has not changed.

Is KL the only security suite flagging SAS?

Ron

[Nick Skrepetos]

On Jun 5, 9:03 am, Ron Lopshire <not...@ovbl.org> wrote:
> Nick Skrepetos wrote:
> > On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
>
> >>Nick Skrepetos wrote:
>
> >>>On Jun 2, 1:43 pm, d...@nowhere.not wrote:
>
> >>>>I have the professional version of SuperAntiSpyware. I also use
> >>>>Kaspersky Internet Security. The KIS firewall opens a popup whenever
> >>>>SAS checks for updates and says " Executable file has changed".
>
> >>>>For some reason, SSUPDATE.EXE does not run from its installed folder,
> >>>>but is copied to a temp folder each time it is used, then run from the
> >>>>temp folder. KIS firewall thinks a "new" version is bing run and
> >>>>wants to prevent it.
>
> >>>>Why is this method used for SAS update? I can't find a setting for
> >>>>KIS, sort of disabling it, the prevent the KIS popup.
>
> >>>You should be able to set KIS to "trust/allow" the SSUPDATE.EXE. The
> >>>updater would only be run once every 8 hours.
>
> >>That doesn't help, Nick. I have tried every way to "trust/allow"
> >>SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
> >>nothing prevents it being flagged. The fact that you always copy it to
> >>the Temp directory sets off KIS 7.0 alarm.
>
> >>Kaspersky still says the flag is normal because the .exe is being
> >>changed. This KIS v7.0 is still in Beta, but will be final-released
> >>later this month.
>
> > KIS should recognize the EXE is not changing, it's the same file each
> > time, with same MD (fingerprint).
>
> What exactly is going on with the EXE, Nick? Even though the file is the
> same, does the EXE get moved to a temporary location, and then back again?
>
> KL's response is that the EXE changes, therefore you get a popup. This
> is how KIS/KAV works with all other executables. If I move any other EXE
> file to a temporary folder, and then back again, the EXE gets flagged
> even though the file itself has not changed.
>
> Is KL the only security suite flagging SAS?
>
> Ron - Hide quoted text -
>
> - Show quoted text -

The SSUPDATE.EXE file is copied to the temp folder and run from there
so the updater can update itself without requiring a reboot - most
firewalls and active protections will check the MD5/Fingerprint and if
the file is not "new" and was previously trusted/allowed, they won't
touch it - I am not sure why KIS is not doing that properly.

-Nick

[John Allen]

I use KAV and Superantispyware Pro with real time enabled and have no
conflicts.


Nick Skrepetos wrote:

> On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
> > Nick Skrepetos wrote:
> > > On Jun 2, 1:43 pm, d...@nowhere.not wrote:
> > >> I have the professional version of SuperAntiSpyware. I also use
> > >> Kaspersky Internet Security. The KIS firewall opens a popup
> > whenever >> SAS checks for updates and says " Executable file has
> > changed".
> >
> > >> For some reason, SSUPDATE.EXE does not run from its installed
> > folder, >> but is copied to a temp folder each time it is used,
> > then run from the >> temp folder. KIS firewall thinks a "new"
> > version is bing run and >> wants to prevent it.
> >
> > >> Why is this method used for SAS update? I can't find a setting
> > for >> KIS, sort of disabling it, the prevent the KIS popup.
> >
> > >> Dale
> >
> > > You should be able to set KIS to "trust/allow" the SSUPDATE.EXE.
> > > The updater would only be run once every 8 hours.
> >
> > > Nick Skrepetos
> > > SUPERAntiSpyware.com
> > > http://www.superantispyware.com
> >
> > That doesn't help, Nick. I have tried every way to "trust/allow"
> > SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
> > nothing prevents it being flagged. The fact that you always copy
> > it to the Temp directory sets off KIS 7.0 alarm.
> >
> > Kaspersky still says the flag is normal because the .exe is being
> > changed. This KIS v7.0 is still in Beta, but will be final-released
> > later this month.
> >
> > Dale- Hide quoted text -
> >
> > - Show quoted text -
>
> KIS should recognize the EXE is not changing, it's the same file each
> time, with same MD (fingerprint).
>
> -Nick



--