SuperAntiSpyware Update Issue

[Ron Lopshire]

Nick Skrepetos wrote:
> On Jun 5, 9:03 am, Ron Lopshire <not...@ovbl.org> wrote:
>
>>Nick Skrepetos wrote:
>>
>>>On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
>>
>>>>That doesn't help, Nick. I have tried every way to "trust/allow"
>>>>SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
>>>>nothing prevents it being flagged. The fact that you always copy it to
>>>>the Temp directory sets off KIS 7.0 alarm.
>>
>>>>Kaspersky still says the flag is normal because the .exe is being
>>>>changed. This KIS v7.0 is still in Beta, but will be final-released
>>>>later this month.
>>
>>>KIS should recognize the EXE is not changing, it's the same file each
>>>time, with same MD (fingerprint).
>>
>>What exactly is going on with the EXE, Nick? Even though the file is the
>>same, does the EXE get moved to a temporary location, and then back again?
>>
>>KL's response is that the EXE changes, therefore you get a popup. This
>>is how KIS/KAV works with all other executables. If I move any other EXE
>>file to a temporary folder, and then back again, the EXE gets flagged
>>even though the file itself has not changed.
>
> The SSUPDATE.EXE file is copied to the temp folder and run from there
> so the updater can update itself without requiring a reboot - most
> firewalls and active protections will check the MD5/Fingerprint and if
> the file is not "new" and was previously trusted/allowed, they won't
> touch it - I am not sure why KIS is not doing that properly.

Thanks, Nick. I will see what KL says about it.

Ron

[Ron Lopshire]

John Allen wrote:

> Nick Skrepetos wrote:
>
>>On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
>>
>>>That doesn't help, Nick. I have tried every way to "trust/allow"
>>>SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
>>>nothing prevents it being flagged. The fact that you always copy
>>>it to the Temp directory sets off KIS 7.0 alarm.
>>>
>>>Kaspersky still says the flag is normal because the .exe is being
>>>changed. This KIS v7.0 is still in Beta, but will be final-released
>>>later this month.
>>
>>KIS should recognize the EXE is not changing, it's the same file each
>>time, with same MD (fingerprint).
>
> I use KAV and Superantispyware Pro with real time enabled and have no
> conflicts.

John, which OS (PDM is not fully functional in Vista yet)? And are you
using the PDM with KAV? I don't have any conflicts with KIS and SAS
Pro, but with default KAV/KIS settings, every 8 hours I get an AIC popup
that says the SSUPDATE.EXE has been changed.

Ron

[John Allen]

Ron

Windows XP SP2 and XP native firewall.

I am using Proactive Defense in KAV - Application Activity Analyser and
Registry Guard, but not Application Integrity Control.

I have the following in KAV trusted Apps

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (all boxes
ticked)

John

Ron Lopshire wrote:

> John Allen wrote:
>
> > Nick Skrepetos wrote:
> >
> >>On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
> > >
> > > > That doesn't help, Nick. I have tried every way to "trust/allow"
> > > > SSUPDATE.EXE, in both the SAS directory and the Temp directory,
> > > > and nothing prevents it being flagged. The fact that you
> > > > always copy it to the Temp directory sets off KIS 7.0 alarm.
> > > >
> > > > Kaspersky still says the flag is normal because the .exe is
> > > > being changed. This KIS v7.0 is still in Beta, but will be
> > > > final-released later this month.
> > >
> > > KIS should recognize the EXE is not changing, it's the same file
> > > each time, with same MD (fingerprint).
> >
> > I use KAV and Superantispyware Pro with real time enabled and have
> > no conflicts.
>
> John, which OS (PDM is not fully functional in Vista yet)? And are you
> using the PDM with KAV? I don't have any conflicts with KIS and SAS
> Pro, but with default KAV/KIS settings, every 8 hours I get an AIC
> popup that says the SSUPDATE.EXE has been changed.
>
> Ron



--

[Ron Lopshire]

John Allen wrote:

>>John Allen wrote:
>>
>>>Nick Skrepetos wrote:
>>>>
>>>>KIS should recognize the EXE is not changing, it's the same file
>>>>each time, with same MD (fingerprint).
>>>
>>>I use KAV and Superantispyware Pro with real time enabled and have
>>>no conflicts.
>>
>>John, which OS (PDM is not fully functional in Vista yet)? And are you
>>using the PDM with KAV? I don't have any conflicts with KIS and SAS
>>Pro, but with default KAV/KIS settings, every 8 hours I get an AIC
>>popup that says the SSUPDATE.EXE has been changed.
>
> I am using Proactive Defense in KAV - Application Activity Analyser and
> Registry Guard, but not Application Integrity Control.
>
> I have the following in KAV trusted Apps
>
> C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (all boxes
> ticked)

That's it, John. It is the AIC that doesn't like the behavior of
SSUPDATE.EXE.

Ron

[John Allen]

Ron, then you could put an exclusion mask in KAV to allow SSUPDATE.EXE
unrestricted application activity.

John
..
Ron Lopshire wrote:

> John Allen wrote:
>
> > > John Allen wrote:
> > >
> > > > Nick Skrepetos wrote:
> > > > >
> > > > > KIS should recognize the EXE is not changing, it's the same
> > > > > file each time, with same MD (fingerprint).
> > > >
> > > > I use KAV and Superantispyware Pro with real time enabled and
> > > > have no conflicts.
> > >
> > > John, which OS (PDM is not fully functional in Vista yet)? And
> > > are you using the PDM with KAV? I don't have any conflicts with
> > > KIS and SAS Pro, but with default KAV/KIS settings, every 8 hours
> > > I get an AIC popup that says the SSUPDATE.EXE has been changed.
> >
> > I am using Proactive Defense in KAV - Application Activity Analyser
> > and Registry Guard, but not Application Integrity Control.
> >
> > I have the following in KAV trusted Apps
> >
> > C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (all boxes
> > ticked)
>
> That's it, John. It is the AIC that doesn't like the behavior of
> SSUPDATE.EXE.
>
> Ron



--

[Ron Lopshire]

John Allen wrote:

> Ron Lopshire wrote:
>
>>>>>Nick Skrepetos wrote:
>>>>>
>>>>>>KIS should recognize the EXE is not changing, it's the same
>>>>>>file each time, with same MD (fingerprint).
>>>>>
>>>>>I use KAV and Superantispyware Pro with real time enabled and
>>>>>have no conflicts.
>>>>
>>>>John, which OS (PDM is not fully functional in Vista yet)? And
>>>>are you using the PDM with KAV? I don't have any conflicts with
>>>>KIS and SAS Pro, but with default KAV/KIS settings, every 8 hours
>>>>I get an AIC popup that says the SSUPDATE.EXE has been changed.
>>>
>>>I am using Proactive Defense in KAV - Application Activity Analyser
>>>and Registry Guard, but not Application Integrity Control.
>>>
>>>I have the following in KAV trusted Apps
>>>
>>>C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (all boxes
>>>ticked)
>>
>>That's it, John. It is the AIC that doesn't like the behavior of
>>SSUPDATE.EXE.
>
> Ron, then you could put an exclusion mask in KAV to allow SSUPDATE.EXE
> unrestricted application activity.

That doesn't work, John. You cannot exclude such behavior (using a
temporary file). IOW you cannot specify an *.exe file that does not
exist. Check out the KL Users Forum. This has been discussed ad nauseum.

http://forum.kaspersky.com/index.php?showforum=4

Those who are using AIC just put up with it. At least for the time being.

Ron

[Dale]

Ron Lopshire wrote:
> John Allen wrote:
>
>>> John Allen wrote:
>>>
>>>> Nick Skrepetos wrote:
>>>>> KIS should recognize the EXE is not changing, it's the same file
>>>>> each time, with same MD (fingerprint).
>>>> I use KAV and Superantispyware Pro with real time enabled and have
>>>> no conflicts.
>>> John, which OS (PDM is not fully functional in Vista yet)? And are you
>>> using the PDM with KAV? I don't have any conflicts with KIS and SAS
>>> Pro, but with default KAV/KIS settings, every 8 hours I get an AIC
>>> popup that says the SSUPDATE.EXE has been changed.
>> I am using Proactive Defense in KAV - Application Activity Analyser and
>> Registry Guard, but not Application Integrity Control.
>>
>> I have the following in KAV trusted Apps
>>
>> C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (all boxes
>> ticked)
>
> That's it, John. It is the AIC that doesn't like the behavior of
> SSUPDATE.EXE.
>
> Ron

Ron,

It is the Firewall in KIS 7.0 that flags SSUPDATE.EXE. In fact, I don't
see any AIC function in KIS 7.0. Short of disabling the firewall, I
still have not found a way to stop flagging SSUPDATE overwrite.

Dale

[John Allen]

OK Thanks

Ron Lopshire wrote:

> John Allen wrote:
>
> > Ron Lopshire wrote:
> >
> > > > > > Nick Skrepetos wrote:
> > > > > >
> > > > > > > KIS should recognize the EXE is not changing, it's the
> > > > > > > same file each time, with same MD (fingerprint).
> > > > > >
> > > > > > I use KAV and Superantispyware Pro with real time enabled
> > > > > > and have no conflicts.
> > > > >
> > > > > John, which OS (PDM is not fully functional in Vista yet)? And
> > > > > are you using the PDM with KAV? I don't have any conflicts
> > > > > with KIS and SAS Pro, but with default KAV/KIS settings,
> > > > > every 8 hours I get an AIC popup that says the SSUPDATE.EXE
> > > > > has been changed.
> > > >
> > > > I am using Proactive Defense in KAV - Application Activity
> > > > Analyser and Registry Guard, but not Application Integrity
> > > > Control.
> > > >
> > > > I have the following in KAV trusted Apps
> > > >
> > > > C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (all
> > > > boxes ticked)
> > >
> > > That's it, John. It is the AIC that doesn't like the behavior of
> > > SSUPDATE.EXE.
> >
> > Ron, then you could put an exclusion mask in KAV to allow
> > SSUPDATE.EXE unrestricted application activity.
>
> That doesn't work, John. You cannot exclude such behavior (using a
> temporary file). IOW you cannot specify an *.exe file that does not
> exist. Check out the KL Users Forum. This has been discussed ad
> nauseum.
>
> http://forum.kaspersky.com/index.php?showforum=4
>
> Those who are using AIC just put up with it. At least for the time
> being.
>
> Ron



--

[Ron Lopshire]

Dale wrote:
> Ron Lopshire wrote:
>
>>John Allen wrote:
>>>
>>>I am using Proactive Defense in KAV - Application Activity Analyser and
>>>Registry Guard, but not Application Integrity Control.
>>>
>>>I have the following in KAV trusted Apps
>>>
>>>C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (all boxes
>>>ticked)
>>
>>That's it, John. It is the AIC that doesn't like the behavior of
>>SSUPDATE.EXE.
>
> It is the Firewall in KIS 7.0 that flags SSUPDATE.EXE. In fact, I don't
> see any AIC function in KIS 7.0. Short of disabling the firewall, I
> still have not found a way to stop flagging SSUPDATE overwrite.

I will have to check it out, Dale. I am still using KIS 6 MP2. I usually
don't use outbound filtering with a PFW, but I currently have AH set to
training mode. I will pay attention to the flags to see which component
doesn't like it.

I don't think the flags do anything, anyway. If I don't do anything, SAS
updates anyway. Makes me wonder what is going on. I am leery of putting
too much effort into it, though, as the entire PDM has been redone with
KIS 7.

My KL license was purchased prior to the release of KIS 6, and as such,
I got a license key file. I am not sure that it works, yet, with KIS 7.
And to my knowledge, the KIS 7 installer on the Beta Server is still
corrupted. Otherwise, I would probably update now.

Ron

[Ron Lopshire]

Dale wrote:

> Ron Lopshire wrote:
>
>>John Allen wrote:
>>
>>>I am using Proactive Defense in KAV - Application Activity Analyser and
>>>Registry Guard, but not Application Integrity Control.
>>>
>>>I have the following in KAV trusted Apps
>>>
>>>C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (all boxes
>>>ticked)
>>
>>That's it, John. It is the AIC that doesn't like the behavior of
>>SSUPDATE.EXE.
>
> It is the Firewall in KIS 7.0 that flags SSUPDATE.EXE. In fact, I don't
> see any AIC function in KIS 7.0. Short of disabling the firewall, I
> still have not found a way to stop flagging SSUPDATE overwrite.

You are correct, Dale. It is the AH module in KIS 6 (FW in KIS 7) that
is flagging SSUPDATE.EXE. I will have to investigate whether it actually
blocks the update or not. On the surface, it only appears to be an
annoyance.

Ron