From: Mr. Taco on 4 Oct 2009 22:15

I wrote a fairly simple windows service that checks a website and returns the status, emails me if the site is down. Works fine in XP (of course), but windows defender in vista labels it as "Alert Type: Unclassified software" and "takes action against it".

I've modified the app manifest to require admin, highest avail and invoker, but it's not helping anything. In my travels, I glossed over some idea where I would have to start the service with a "runas" - I have no idea what that is or where to begin with that.

I've been using the VS command line and the installutil to install the service for testing.

Anyway, if someone could tell me what the best practice is to deploy a windows service on vista, I would appreciate it.

Thanks,
taco

Event Viewer:

Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {6B2DCXXX-5E56-4577-869F-CXXXXXXXXXXX}
User: XXXXX-XXXXX\XXXXX
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: process:pid:2592;service:WWWCheck;file:C:\Users\XXXXXXX\Desktop\serviceApp\WWWCheck\bin\Debug\WWWCheck.exe
Alert Type: Unclassified software
Detection Type:
From: Mr. Arnold on 5 Oct 2009 01:03

"Mr. Taco" <mrtaco(a)nospam.nospam> wrote in message news:%23BlZxGWRKHA.4028(a)TK2MSFTNGP05.phx.gbl...
> I wrote a fairly simple windows service that checks a website and
> returns the status, emails me if the site is down. Works fine in XP (of
> course), but windows defender in vista labels it as "Alert Type:
> Unclassified software" and "takes action against it".

Yes, it works on XP as it's an open by default O/S for the most part wide open to attack. Vista is not XP and is not open by default or wide open to attack so easily.

I suspect you're going to have to configure Windows Defender and tell it that your program is safe to run and not notify upon system start-up. You can use Bing or Google and look-up the information on how to configure WD on Vista.
From: Mr. Taco on 5 Oct 2009 07:45

That is an unacceptable solution. Developers don't release applications with instructions for end users to modify Windows Defender so their application will run. Rubbish.

And thank you for the suggestion to "GOOGLE" the issue, like I'm a fool and didn't already google the situation.

Anyone have a real answer?

-T

Mr. Arnold wrote:
> "Mr. Taco" <mrtaco(a)nospam.nospam> wrote in message
> news:%23BlZxGWRKHA.4028(a)TK2MSFTNGP05.phx.gbl...
>> I wrote a fairly simple windows service that checks a website and
>> returns the status, emails me if the site is down. Works fine in XP (of
>> course), but windows defender in vista labels it as "Alert Type:
>> Unclassified software" and "takes action against it".
>
> Yes, it works on XP as it's an open by default O/S for the most part
> wide open to attack. Vista is not XP and is not open by default or wide
> open to attack so easily.
>
> I suspect you're going to have to configure Windows Defender and tell it
> that your program is safe to run and not notify upon system start-up.
> You can use Bing or Google and look-up the information on how to
> configure WD on Vista.
From: Nobody on 5 Oct 2009 10:08

"Mr. Taco" <mrtaco(a)nospam.nospam> wrote in message news:%23BlZxGWRKHA.4028(a)TK2MSFTNGP05.phx.gbl...
> I wrote a fairly simple windows service that checks a website and
> returns the status, emails me if the site is down. Works fine in XP (of
> course), but windows defender in vista labels it as "Alert Type:
> Unclassified software" and "takes action against it".
>
> I've modified the app manifest to require admin, highest avail and
> invoker, but it's not helping anything. In my travels, I glossed over
> some idea where I would have to start the service with a "runas" - I
> have no idea what that is or where to begin with that.
>
> I've been using the VS command line and the installutil to install the
> service for testing.
>
> Anyway, if someone could tell me what the best practice is to deploy a
> windows service on vista, I would appreciate it.

I don't use VB.Net, but made services in VC6. It's possible that you are running it as a regular application (some services have command line options for debugging or testing). Instead of running the service directly using Explorer, use the Services applet in Control Panel to start it. Also, in the "Log On" tab, check which account that the service is using, you can change it if you want to. Installation tools internally use CreateService() API function and the last two parameters specify the account to use. You can decide what account to use at install time, or change it later using the Services applet.

Finally, one of the changes in Vista and after is that services run in their own session for security reasons, called session 0, which is non-interactive, so you can't use things like FindWindow/EnumWindows/SendMessage/PostMessage to talk to the service from a GUI app. If you need to make a software that configures the service, you have to make a second EXE and communicate with the service using some mechanism, such as named pipes, winsock, or the registry.

See this article:

Application Compatibility: Session 0 Isolation
http://msdn.microsoft.com/en-us/library/bb756986.aspx

This is what Session 0 Isolation is trying to prevent (look for "WM_TIMER" and "Session 0"):

http://en.wikipedia.org/wiki/Shatter_attack
From: Mr. Arnold on 5 Oct 2009 14:16
Mr. Taco wrote:
> That is an unacceptable solution. Developers don't release applications
> with instructions for end users to modify Windows Defender so their
> application will run. Rubbish.
>
> And thank you for the suggestion to "GOOGLE" the issue, like I'm a fool
> and didn't already google the situation.
>
> Anyone have a real answer?

It's not my fault that you don't know how to look things up and get the correct answer. Because if you did look it up, you would know to write a Windows NT service that uses the Least Privilege on Vista.

<http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Vista_Services.doc>

<copied>

Windows services commonly run in the LocalSystem account, the most powerful account on the system. This makes such services attractive targets for virus writers. Ideally, services should limit their damage potential by running in a lower-privilege account such as LocalService or NetworkService. However, many services require at least some privileges that only LocalSystem supports. The all-or-nothing model that was used earlier than Windows Vista meant that a service that required any LocalSystem privileges had to also include all other LocalSystem privileges. This often meant including privileges that the service did not require, creating an unnecessarily high damage potential.

Windows Vista addresses this issue by allowing services to run with least privilege. Services are no longer restricted to the default set of privileges that are supported by a standard account. Instead, services can select an account that has the privileges that they require and then remove all other unnecessary privileges. This feature can be used for any type of service account: LocalService, NetworkService, LocalSystem, a domain, or a local account.

<end copy>

The very fact that you told Vista that the program needed admin rights at system startup invoked Windows Vista and Windows Defender to take action, which I suspect is your real problem.

asInvoker -- The standard user token is used to start the process.

http://www.devx.com/VistaSpecialReport/Article/33856/1954
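
The log-on account and the least-privilege model discussed in the two replies above can be applied to an installed service from an elevated command prompt with sc.exe. The script below is an added example, not code from any poster in the thread or from the linked Microsoft document; the service name WWWCheck comes from the Defender event in the first post, and LocalService with SeChangeNotifyPrivilege as the only retained privilege is an assumption for a service that only makes outbound HTTP and SMTP connections.

```batch
@echo off
rem Added example: run an already-installed service under LocalService with a
rem reduced privilege set (Windows Vista and later). Run from an elevated prompt.
rem Assumptions: WWWCheck is the service name shown in the thread's Defender
rem event; SeChangeNotifyPrivilege as the only required privilege is a guess
rem for a service that only makes outbound HTTP and SMTP connections.
setlocal
set "SVC=%~1"
if "%SVC%"=="" set "SVC=WWWCheck"

rem Stop the service so the new account and token settings apply on next start.
rem A "not started" error is expected and ignored here.
sc stop "%SVC%" >nul 2>&1

rem 1. Log-on account: the same setting as the "Log On" tab in the Services
rem    applet and the account parameters of CreateService().
sc config "%SVC%" obj= "NT AUTHORITY\LocalService" password= ""
if errorlevel 1 goto :fail

rem 2. Required privileges: for a service in its own process, privileges not
rem    listed here are removed from its token. Separate several with "/".
sc privs "%SVC%" SeChangeNotifyPrivilege
if errorlevel 1 goto :fail

rem 3. Per-service SID, so files and registry keys can be ACLed to this
rem    service alone rather than to every process running as LocalService.
sc sidtype "%SVC%" unrestricted
if errorlevel 1 goto :fail

rem 4. Read the configuration back for review before starting the service.
sc qc "%SVC%"
sc qprivs "%SVC%"
sc qsidtype "%SVC%"

sc start "%SVC%"
exit /b 0

:fail
echo Failed to reconfigure %SVC%; the service was left stopped. 1>&2
exit /b 1
```

Under LocalService the service can no longer write to most of the file system, so any log or state file it uses needs an ACL entry for the service SID (NT SERVICE\WWWCheck in this example).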