QGIS application installer is packaged with Nirsoft components #32247
Comments
What OS are you using? |
The OS I'm using is Windows. The installers are QGIS-OSGeo4W-2.14.5-1-Setup-x86_64.exe or OSGeo4W-3.4.12-1-Setup-x86_64.exe. Both of them are packaged with Nirsoft components. |
@jef-n is responsible for windows packaging and installers for windows. He's the one that can tell what those components are for, and if it's possible/desirable to avoid them. |
No - but there have been a couple of false positives once in a while - often about GRASS binaries, but IIRC none about nircmd so far. |
I'd hazard that you should pester your AV solution about the false positive rather than target QGIS/nirsoft for a tool that is pretty much universally considered very safe. In fact, 0 of 50+ common antivirus engines flagged any of the nirsoft files included in OSGeo4w64 as malicious. Files taken from OSGeo4w64 release of 3.8.3: VirusTotal for nircmd.exe, VirusTotal for nircmdc.exe, VirusTotal for NirCmd.chm. What AV are you using that is flagging them as PUP/PUA? |
TrendMicro is now flagging (and removing) nircmd as HackTool.Win64.NirCMD.SM with low risk and the apparently erroneous assessment that it is dropped by other malware or unintentionally downloaded. This part makes me wonder if it's used in some malware and thus flagged: "It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine." |
I am getting the same virus alerts. See this |
Hello there, I and all my colleagues who have QGIS installed got the same issue on 14 May. Trend Micro reported and removed both nircmd.exe and nircmdc.exe as well as several Windows shortcut files. Since QGIS is one of the great GIS tools and we would like to keep using it and promoting it to our GIS users, I'd be grateful if anyone from QGIS, such as the developers, could confirm that both exe files are essential files/components supporting QGIS. Could we whitelist the two exe files in Trend Micro? Many thanks in advance. |
You can whitelist them. They seem to be essential, as they're used to set environment variables/etc under Windows. If it makes you feel any better, Sophos routinely removes portions of ArcGIS 10.7 on my work computer, so QGIS is in good company at least 🤣 |
Jürgen, do we still need this tool now that QGIS handles its own variables
in the main exe to bootstrap the rest of the process?
|
Other stuff in OSGeo4W also uses it to create shortcuts. And what do we do about this other more versatile hacking tool named python? |
The problem is Python doesn't usually get flagged by AV software, whereas the NirSoft components regularly get flagged. This has been happening on and off for ten years. Yes, we can blame the AV company and dismiss it as a false positive, but many corporate environments have zero tolerance to AV detections. For example where I work this caused QGIS to be uninstalled from all devices and is now treated with suspicion. Overall this has the effect of lowering the reputation of QGIS by association. Could QGIS and OSGeo4W be packaged without NirSoft? |
Probably because python is too widely used and false positives on that would cause actual harm on trendmicro's reputation. nircmd on the other hand is a defenseless innocent victim.
Yes, but the tool didn't change, just trendmicro's results - and they apparently even ignore the reports they get after some time and flag it again.
But you probably agree, that that is not a smart move. nircmd is not the problem, trendmicro is - and is notorious to be and should not be blindly trusted.
Of course. |
There are some interesting observations and explanations why it is not so easy to solve the issue from either nircmd or QGIS - and I tend to agree: Citation from http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/ Some people ask me, “Why don’t you simply contact the Antivirus companies to resolve the false alerts issues ?”
|
I think the problem is nirsoft itself: I would appreciate it if you could replace that tool with something more secure. Thanks! |
FWIW, Sophos also complains about NirCmd |
FWIW, osgeo4w testing doesn't have nircmd |
Sophos hasn't removed anything from the new OSGeo4W-NG installs, so that's been pleasant |
I just had the same remark from Sophos, about nircmdc.exe... |
The OSGeo4W-NG install no longer uses nircmd, it uses bgspawn, which Sophos no longer removes. |
I have the same problem with Sophos. |
https://qgis.org/en/site/forusers/download.html and scroll down to "QGIS in OSGeo4W testing" |
Thanks, jef-n! |
Dear jef-n, I experience the same problems with nircmdc.exe. Do I have to use the OSGeo4W Network Installer, from the testing area, to get a nircmdc.exe-free installation? I've tried with the Standalone installers from OSGeo4W testing packages but this didn't work. Thanks. |
I recently found this to be the issue in a government office installation of QGIS, (on Windows 10 using the standalone 64-bit installer for 3.18) though to my knowledge no antivirus issues popped up during the installation. Instead, the final installation steps to create shortcuts failed without any overt notification. The postinstall.log just ends with this error: |
Probably. At least here, Sophos randomly decides to nuke various components of both QGIS and ArcGIS whenever the fancy strikes it. The OSGeo4W-NG installer linked above by jef-n skirts this nicely. |
Feature description.
I noticed that the QGIS application installer is packaged with Nirsoft components. Were you aware of this as my antivirus solution is detecting the installer as a PUP/PUA. As a feature request, can you package the QGIS application installer with a reputable source besides Nirsoft? This would be beneficial for users like myself who may have experienced a similar situation when their antivirus solution is detecting the executable as being possibly malicious.
Additional context