Author Topic: The OpenVPN Project (openvpn.exe) part of Avast's installation.  (Read 25214 times)

0 Members and 1 Guest are viewing this topic.

rusty07

  • Guest
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #15 on: April 18, 2014, 09:44:42 PM »
     

Update:
Someone already mentioned the "workaround" at Secunia -> http://secunia.com/community/forum/thread/show/14894/open_vpn2_x.


Maurice Joyce locked the thread for some reason.

That's a very poor showing of cooperation on their part.

Offline CaptainLeonidas

  • Jr. Member
  • **
  • Posts: 75
  • Security rests between the display and the chair.
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #16 on: April 18, 2014, 09:58:01 PM »
     

Update:
Someone already mentioned the "workaround" at Secunia -> http://secunia.com/community/forum/thread/show/14894/open_vpn2_x.


Maurice Joyce locked the thread for some reason.

That's a very poor showing of cooperation on their part.

That can be explained in many ways. I myself still see the issue to be resolved by Avast!.
The openvpn.exe seems to have been compiled by Avast!. It's up to them to correct issue's. Asking others (Secunia) to ignore it is just bad taste.
OS's used: Windows 10 Pro (x64) 1607 <-> Windows 7 Ult (x64) <-> Windows 8.1 Ult (x64) <-> Windows 2012 Essentials R2 (x64)
Avast Internet Security (sub for 10 PC's), HPM.Alert, Malwarebytes, Asus-x99 Deluxe/U3.1 (Intel Core i7 X980 EE - 64Gb Ram - NVidia Geforce x980 - Samsung PCI-e 950Pro 512 SSD), Microsoft Surface Pro 4 (6th Gen Intel Core i7 CPU - 16Gb Ram - 512 SSD)
When installing Avast! be sure to use the custom install... never the default!

Offline drake127

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #17 on: April 18, 2014, 10:12:28 PM »
Guys, I do not consider it a workaround. We fixed the security vulnerability in OpenSSL libraries (I personally did so) and now we have to talk it through with Secunia folks because this is clear false positive if I use AV term. Updating the OpenVPN executable to the latest version is completely another matter and we will do so when there is any advantage in doing so.

Now it seems to me that I am just adding fuel to the flames by any statement I make. I am sorry if I sound harsh but I kinda know what I am doing and to be honest, yes I am fairly confident there is no known security vulnerability in OpenVPN.exe 2.3.0 (do not confuse with OpenVPN software or OpenSSL libraries). OpenVPN.exe is just poorly chosen anchor to OpenVPN product and from my point of view it's a bug in Secunia PSI detection.
« Last Edit: April 18, 2014, 10:24:57 PM by drake127 »

Offline CaptainLeonidas

  • Jr. Member
  • **
  • Posts: 75
  • Security rests between the display and the chair.
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #18 on: April 18, 2014, 10:32:51 PM »
When I removed the unwanted SecureLine software I stopped getting flags
Works for me.. Besides if indeed SecureLine is not to be removed then pray tell why I can uncheck it in your Avast! Custom Installation?
« Last Edit: April 18, 2014, 10:48:16 PM by CaptainLeonidas »
OS's used: Windows 10 Pro (x64) 1607 <-> Windows 7 Ult (x64) <-> Windows 8.1 Ult (x64) <-> Windows 2012 Essentials R2 (x64)
Avast Internet Security (sub for 10 PC's), HPM.Alert, Malwarebytes, Asus-x99 Deluxe/U3.1 (Intel Core i7 X980 EE - 64Gb Ram - NVidia Geforce x980 - Samsung PCI-e 950Pro 512 SSD), Microsoft Surface Pro 4 (6th Gen Intel Core i7 CPU - 16Gb Ram - 512 SSD)
When installing Avast! be sure to use the custom install... never the default!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #19 on: April 18, 2014, 10:46:10 PM »
Of course you can remove the SecureLine feature if you don't [intend to] use it - it's the same as with many other optional avast! features. Then the related files are removed from avast! installation folder.
On the other hand, if you don't use SecureLine, then the openvpn.exe file is not used anyway (so even if it were vulnerable, the problem could never manifest, i.e. you'd be safe).

Offline CaptainLeonidas

  • Jr. Member
  • **
  • Posts: 75
  • Security rests between the display and the chair.
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #20 on: April 18, 2014, 10:51:56 PM »
Of course you can remove the SecureLine feature if you don't [intend to] use it - it's the same as with many other optional avast! features. Then the related files are removed from avast! installation folder.
On the other hand, if you don't use SecureLine, then the openvpn.exe file is not used anyway (so even if it were vulnerable, the problem could never manifest, i.e. you'd be safe).

The issue is being up-to-date and when you do use it having the most recent version without possible overlooked exploits.
Perhaps it is better to make all the "added" features an opt-in then by your own words?
If that's the case I am all for it.
OS's used: Windows 10 Pro (x64) 1607 <-> Windows 7 Ult (x64) <-> Windows 8.1 Ult (x64) <-> Windows 2012 Essentials R2 (x64)
Avast Internet Security (sub for 10 PC's), HPM.Alert, Malwarebytes, Asus-x99 Deluxe/U3.1 (Intel Core i7 X980 EE - 64Gb Ram - NVidia Geforce x980 - Samsung PCI-e 950Pro 512 SSD), Microsoft Surface Pro 4 (6th Gen Intel Core i7 CPU - 16Gb Ram - 512 SSD)
When installing Avast! be sure to use the custom install... never the default!

nigel mansel

  • Guest
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #21 on: April 18, 2014, 10:53:45 PM »
Thanks for the info guys,removed openvpn.exe as i will never use it and secunia warning now gone.  :)

rusty07

  • Guest
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #22 on: April 18, 2014, 10:54:34 PM »
When I removed the unwanted SecureLine software I stopped getting flags
Works for me.. Besides if indeed SecureLine is not to be removed then pray tell why I can uncheck it in your Avast! Custom Installation?

Thanks for the heads up.

I removed SecureLine from my installation, too, and the Secunia flags stopped.


rusty07

  • Guest
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #23 on: April 18, 2014, 10:57:08 PM »
Thanks for the info guys,removed openvpn.exe as i will never use it and secunia warning now gone.  :)


I tried that last night, and Windows 7 blocked me.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #24 on: April 18, 2014, 11:00:58 PM »
The issue is being up-to-date and when you do use it having the most recent version without possible overlooked exploits.
Perhaps it is better to make all the "added" features an opt-in then by your own words?
If that's the case I am all for it.

I didn't say that. As said before, we are not aware of any "overlooked exploit". Assuming that you know better just by reading the change log... well, I'm not gonna argue with that.

The funny thing is that there are tens of libraries compiled inside of the code (say ZLIB, BZIP2 and similar) - and nobody is worried about those being the latest versions, even though they are definitely riskier than this one (because they are processing the potentially evil scanned files) - because nobody knows about them (isn't notified by PSI, if you wish). And then one executable, detected probably by something as weak as the version info (here I'm guessing, I admit) suddenly becomes a problem.
[Disclaimer: of course we are keeping the important libraries up-to-date - I'm just trying to show the point.]

Offline CaptainLeonidas

  • Jr. Member
  • **
  • Posts: 75
  • Security rests between the display and the chair.
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #25 on: April 18, 2014, 11:15:03 PM »
When dealing with software, even unused, one still needs to be aware of alternative attack vectors.

This might be a poor example but lets put it out there anyway.
We all know Java runtimes are not allways that secure.
We allso know Java versions can be installed alongside.
Or when uninstalled poorly stay behind op a PC.

Somewhere along the line certain persons were clever enough to have their code look for outdated versions "left" on PC's and still be able to use those older versions when done proper.

Also just making a piont.

OS's used: Windows 10 Pro (x64) 1607 <-> Windows 7 Ult (x64) <-> Windows 8.1 Ult (x64) <-> Windows 2012 Essentials R2 (x64)
Avast Internet Security (sub for 10 PC's), HPM.Alert, Malwarebytes, Asus-x99 Deluxe/U3.1 (Intel Core i7 X980 EE - 64Gb Ram - NVidia Geforce x980 - Samsung PCI-e 950Pro 512 SSD), Microsoft Surface Pro 4 (6th Gen Intel Core i7 CPU - 16Gb Ram - 512 SSD)
When installing Avast! be sure to use the custom install... never the default!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #26 on: April 18, 2014, 11:50:30 PM »
While doable for Java, I don't really see the case here. I mean, if you have a program searching your disk for older versions of openvpn so that it can use it and exploit its vulnerabilities... then you already have a malicious piece of code running in the first place, so it doesn't have to look for vulnerabilities.

Look, I'm not saying that the library should never get updated. But you always need to consider the risks, such as
- the risk that the old library contains a vulnerability
- the risk that this vulnerability affects your particular usage of that library
- the risk that the new updated version contains a newly introduced vulnerability
- the risk that you break something during the integration of the new library, causing a completely different vulnerability or simply a malfunction.
...

The last point here is significant. You are concerned about the particular library not being the latest version - OK, I get that. But if we take a library update one day old (just an example) and put it into our release the next day - now that is something you should be concerned about, because that would be irresponsible (and likely to cause more harm than good).
The risks have been considered here - we fixed the real important issue by including a new version of OpenSSL library. We believe the other changes in that library are not important for us at the moment - i.e. that it would be more risky (less secure) to include them than not. Delaying the update release to thoroughly test all the other changes would also be more dangerous - and it would leave the users unprotected from the OpenSSL problem (and other unrelated issues the program update has fixed) longer.

Yes, maybe we should have changed the name/version of that executable to make it clear that it's not the virgin vulnerable copy PSI is reporting, but something else...

MikePerry

  • Guest
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #27 on: April 21, 2014, 05:07:24 PM »
I feel this thread has moved too far away from the original question and issue.  Avast installed OpenVPN for some reason and it is now out of date. 

Three questions (plus a supplimentary):
Why did Avast install third party software without the express permission of the user? (And they didn't tell us they were doing that either!)
Why did Avast install software that users do not need, use nor want if they never use a VPN?
Is it safe to simply delete the whole directory at C\:Programs\Avast Software\Avast\OpenVPN - it does not appear in the Windows 7 'Uninstall or change program' listing (why not?).  Would I then need to run a registry check (CCleaner?) to ensure all references to this have been removed?

I feel in this instance Avast have made an incorrect assumption that users of Avast want OpenVPN without considering those of us who do not use a VPN of any sort.

And please stick to the point of the question asked without going of at a 'techy' tangent that you may find interesting but doesn't help us users.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation.
« Reply #28 on: April 21, 2014, 08:07:37 PM »
It is not a "general" installation of OpenVPN that the user is supposed to use directly. It's simply a supporting module for one avast! feature - avast! SecureLine (i.e. part of avast! installation). So, it naturally doesn't appear in Add/Remove program itself (just as every single DLL in avast! installation folder doesn't show there).
You can go to Add/Remove programs, select avast! Antivirus, choose Change and Change - and then you can tell avast! to uninstall the feature(s) you don't want.

TCCTech

  • Guest
Re: The OpenVPN Project (openvpn.exe) part of Avast's installation. (FIX)
« Reply #29 on: April 21, 2014, 11:04:04 PM »
Hello all while I was messing around on my computer today I figured out a solution to this problem. My Secunia is all GREEN now after doing this so I hope it works for others.

First off I downloaded:

avast! cleaner:
http://files.avast.com/iavs9x/avastclear.exe

and then I downloaded: (grab whatever version you have)

Download locations
http://files.avast.com/iavs9x/avast_free_antivirus_setup.exe
http://files.avast.com/iavs9x/avast_pro_antivirus_setup.exe
http://files.avast.com/iavs9x/avast_internet_security_setup.exe
http://files.avast.com/iavs9x/avast_premier_antivirus_setup.exe


I then ran avastclear.exe as ADMIN (Right click on Avastclear.exe to select Run as Administrator), it suggested I restart in safe mode to do the removal so I clicked "YES" it restarted the computer in SAFE MODE for me
prompted me to remove avast so I did. Once that was done I rebooted back into NORMAL Windows.

DO NOT REBOOT UNTIL AVAST IS REINSTALLED

I then Ran Secunia and it showed  OpenVPN and OpenSSL needed to be updated, I then right clicked on OpenVPN and OpenSSL in Secunia and Selected SHOW Details, it gave me the path to the FILEs that were out dated so I navigated to the directory it said which in my case was C:\Windows\SysWOW64\

I made a Back Up directory called OPENSSL BU, I then moved the following three files (libeay32.dll, libssl32.dll, ssleay32.dll) out of my directory into the back up directory.

I rescanned with Secunia to make sure it was all GREEN now, which it was,

I then proceeded with the NEW Install of Avast and everything is working perfectly fine now, no more Secunia ALERTS

I hope this helps, do not attempt this is you are not somewhat computer Savvy.