OpenDNS updater
When I start this program my antivirus system issues a HIPS warning that OpenDNSupdater is modifying the registry to auto-start terminal services. Is this normal behavior or has a trojan or malware commandeered OpenDNSupdater.exe?
I have analyzed the file with AV and antimalware scans... nothing indicated.
Surprisingly, even though it was downloaded from the Opendns.com site, it lacks a digital certificate.
Please see the attachment.
Opendnsupdater.exe HIPS WARNING.jpg
-
Thanks for your response mattwilson9090, but my question is why does opendnsupdater.exe attempt to autostart Terminal Services. OpendnsUpdater still loads and functions if I deny the attempt to autostart Terminal Services. The attempt seems to originate elsewhere and is being routed through opendnsupdater.exe.
-
That Avast window is actually very non-informative. Although it implicates the OpenDNS Updater specifically, it doesn't give a specific link to the resource, so I'm not certain what is trying to be started here. Also, I can't see the full path to the Target Object, making it uncertain what is going on. I'm not certain if a function within the OpenDNS software is being called, or if something else is being called, let alone Terminal Services (note the capitalized letters that you added, whereas the Avast message does not include those. That could be a significant difference.)
That said, if you think "The attempt seems to originate elsewhere and is being routed through opendnsupdater.exe." then you need to identify what that elsewhere is.
-
cobalt-phoenix
It is not a matter of trust, it is a matter of being educated.
You can find a good explanation of what the "hips thing" is:
http://www.techsupportalert.com/content/hips-explained.htm
...get busy...
-
This didn't give me new insights. It was my understanding that this tool does what it does. And it is nice and useful that the program reports if and when another program attempts to configure its auto-start with Windows, as already explained by mattwilson9090. And it provides the option to allow it. If you don't allow it, then the Updater doesn't start automatically, and you must start it manually each time. And in this case you will be confronted with the notification again. It's your choice. Do what you want. You do not need to use this Updater. You could also use another update client like the built-in one in your router, NAS, DVR, IP camera, etc. This would not be recognized by HIPS.
The only confusing point is this "(terminal services)" as part of the notification message. You could allow the Updater to do what it wants and then see if the terminal services are really actually started. I would think they are not started. So, this part of the message is a well known thing with such programs: a false positive. If you use such programs, you have to live also with false positives and misleading messages. You may want to report this bug to the author of HIPS or to the community feeding HIPS with data.
That would be all of it. Nuff said.
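
Added example, not part of the thread and not OpenDNS or Avast code: a read-only PowerShell triage that checks the three things the posts above leave open (whether the binary is signed, which programs are registered to auto-start, and whether Terminal Services is actually configured to run). The updater path is a placeholder, and the Run keys shown are the standard Windows auto-start locations, assumed here because the alert in the thread does not show the full target path.

```powershell
# Read-only checks; nothing here modifies the system.
param(
    # Placeholder path: the thread does not say where the updater is installed.
    [string]$UpdaterPath = 'C:\PLACEHOLDER\OpenDNSUpdater.exe'
)

# 1. Signature and hash of the binary (the original poster reports no digital certificate).
if (Test-Path -LiteralPath $UpdaterPath) {
    Get-AuthenticodeSignature -FilePath $UpdaterPath |
        Select-Object Status, StatusMessage,
            @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    # The hash can be compared against a fresh download from the vendor site.
    Get-FileHash -LiteralPath $UpdaterPath -Algorithm SHA256
} else {
    Write-Warning "Not found: $UpdaterPath (set -UpdaterPath to the real location)"
}

# 2. Standard auto-start (Run) keys. Assumption: the HIPS alert refers to one of these.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own metadata
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        }
}

# 3. Terminal Services (Windows service name: TermService).
#    Registry Start value: 2 = automatic, 3 = manual, 4 = disabled.
Get-Service -Name TermService -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService' `
    -Name Start, ImagePath -ErrorAction SilentlyContinue |
    Select-Object Start, ImagePath
```

Running it once before and once after allowing the HIPS prompt, then comparing the output, shows exactly which auto-start entry was written and whether the TermService configuration changed at all.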