On Jun 5, 9:03 am, Ron Lopshire <not...@ovbl.org> wrote:
> Nick Skrepetos wrote:
> > On Jun 4, 10:58 am, Dale <d...@nowhere.not> wrote:
>
> >>Nick Skrepetos wrote:
>
> >>>On Jun 2, 1:43 pm, d...@nowhere.not wrote:
>
> >>>>I have the professional version of SuperAntiSpyware. I also use
> >>>>Kaspersky Internet Security. The KIS firewall opens a popup whenever
> >>>>SAS checks for updates and says "Executable file has changed".
>
> >>>>For some reason, SSUPDATE.EXE does not run from its installed folder,
> >>>>but is copied to a temp folder each time it is used, then run from the
> >>>>temp folder. KIS firewall thinks a "new" version is being run and
> >>>>wants to prevent it.
>
> >>>>Why is this method used for SAS update? I can't find a setting for
> >>>>KIS, short of disabling it, to prevent the KIS popup.
>
> >>>You should be able to set KIS to "trust/allow" the SSUPDATE.EXE. The
> >>>updater would only be run once every 8 hours.
>
> >>That doesn't help, Nick. I have tried every way to "trust/allow"
> >>SSUPDATE.EXE, in both the SAS directory and the Temp directory, and
> >>nothing prevents it being flagged. The fact that you always copy it to
> >>the Temp directory sets off KIS 7.0 alarm.
>
> >>Kaspersky still says the flag is normal because the .exe is being
> >>changed. This KIS v7.0 is still in Beta, but will be final-released
> >>later this month.
>
> > KIS should recognize the EXE is not changing, it's the same file each
> > time, with same MD (fingerprint).
>
> What exactly is going on with the EXE, Nick? Even though the file is the
> same, does the EXE get moved to a temporary location, and then back again?
>
> KL's response is that the EXE changes, therefore you get a popup. This
> is how KIS/KAV works with all other executables. If I move any other EXE
> file to a temporary folder, and then back again, the EXE gets flagged
> even though the file itself has not changed.
>
> Is KL the only security suite flagging SAS?
>
> Ron


The SSUPDATE.EXE file is copied to the temp folder and run from there
so the updater can update itself without requiring a reboot - most
firewalls and active protections will check the MD5/Fingerprint and if
the file is not "new" and was previously trusted/allowed, they won't
touch it - I am not sure why KIS is not doing that properly.

-Nick
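
The difference between the two behaviours discussed in this thread, as an added example that is not part of the original posts and is not the code of either product: one policy trusts a binary at a specific path, the other trusts its content fingerprint wherever it runs from. Both policy classes, the directory layout and the file contents are constructed assumptions, and SHA-256 is swapped in for the MD5 fingerprint mentioned above.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> str:
    """Content hash of a file (SHA-256 here; the thread mentions MD5)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


class PathKeyedPolicy:
    """Hypothetical rule store: trust is bound to (path, hash) pairs."""
    def __init__(self):
        self.trusted = {}
    def allow(self, path: Path) -> None:
        self.trusted[str(path.resolve())] = fingerprint(path)
    def check(self, path: Path) -> bool:
        # A known binary at an unknown path has no entry, so it looks "new".
        return self.trusted.get(str(path.resolve())) == fingerprint(path)


class HashKeyedPolicy:
    """Hypothetical rule store: trust is bound to the content hash only."""
    def __init__(self):
        self.trusted = set()
    def allow(self, path: Path) -> None:
        self.trusted.add(fingerprint(path))
    def check(self, path: Path) -> bool:
        return fingerprint(path) in self.trusted


def simulate_update_run() -> dict:
    """Constructed scenario: updater is trusted in place, then copied to temp and run."""
    with tempfile.TemporaryDirectory() as root:
        install, temp = Path(root, "install"), Path(root, "temp")
        install.mkdir()
        temp.mkdir()
        updater = install / "SSUPDATE.EXE"
        updater.write_bytes(b"MZ constructed stand-in for the updater binary")
        by_path, by_hash = PathKeyedPolicy(), HashKeyedPolicy()
        by_path.allow(updater)
        by_hash.allow(updater)
        staged = Path(shutil.copy2(updater, temp / "SSUPDATE.EXE"))
        results = {"path_keyed_unchanged_copy": by_path.check(staged),
                   "hash_keyed_unchanged_copy": by_hash.check(staged)}
        # A copy whose bytes really changed must fail the hash-keyed check too.
        staged.write_bytes(staged.read_bytes() + b"\x00patched")
        results["hash_keyed_modified_copy"] = by_hash.check(staged)
        return results
```
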