Author Topic: Sandbox Avast 5.0 re Wordfast and Trados translators' software.  (Read 9923 times)


Offline HPY

  • hpy
  • Sr. Member
  • ****
  • Posts: 224
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #15 on: September 22, 2011, 09:46:07 PM »
Removed as irrelevant; see next Virus Total result.
« Last Edit: September 24, 2011, 01:54:32 PM by HPY »
windows 10 version 1809 (Build 17763.195) 64 bit home - ACER Aspire 17 SSD  Processor Pentium CPU N4200 @ 1.10 GHz. - HD graphics - 4GB RAM -
Avast free. Windows Defender. Malwarebytes free scan.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #16 on: September 22, 2011, 10:40:18 PM »
You can't run VirusTotal on drive C; you upload a 'specific' file for scanning, namely the pdftotext.exe file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline HPY

  • hpy
  • Sr. Member
  • ****
  • Posts: 224
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #17 on: September 22, 2011, 11:11:28 PM »
DavidR

The pdftotext.exe comes from Google Desktop. Virus Total flagged it 4 times as follows: see screenshot - which didn't load - do you recommend deleting it or perhaps quarantining it with SAS (which flagged it in the list below)?


File name: pdftotext.exe
Submission date: 2011-09-22 20:50:43 (UTC)
Current status: finished
Result: 4/44 (9.1%)
Antivirus    Version    Last Update    Result
AhnLab-V3   2011.09.22.02   2011.09.22   -
AntiVir   7.11.15.17   2011.09.22   -
Antiy-AVL   2.0.3.7   2011.09.22   -
Avast   4.8.1351.0   2011.09.22   -
Avast5   5.0.677.0   2011.09.22   -
AVG   10.0.0.1190   2011.09.22   -
BitDefender   7.2   2011.09.22   -
ByteHero   1.0.0.1   2011.09.13   -
CAT-QuickHeal   11.00   2011.09.22   -
ClamAV   0.97.0.0   2011.09.22   PUA.Packed.PECompact-1
Commtouch   5.3.2.6   2011.09.22   -
Comodo   10208   2011.09.22   -
DrWeb   5.0.2.03300   2011.09.22   -
Emsisoft   5.1.0.11   2011.09.22   -
eSafe   7.0.17.0   2011.09.20   Suspicious File
eTrust-Vet   36.1.8576   2011.09.22   -
F-Prot   4.6.2.117   2011.09.22   -
F-Secure   9.0.16440.0   2011.09.22   -
Fortinet   4.3.370.0   2011.09.22   -
GData   22   2011.09.22   -
Ikarus   T3.1.1.107.0   2011.09.22   -
Jiangmin   13.0.900   2011.09.22   -
K7AntiVirus   9.113.5179   2011.09.22   -
Kaspersky   9.0.0.837   2011.09.22   -
McAfee   5.400.0.1158   2011.09.22   -
McAfee-GW-Edition   2010.1D   2011.09.22   Heuristic.BehavesLike.Win32.Packed.A
Microsoft   1.7702   2011.09.22   -
NOD32   6486   2011.09.22   -
Norman   6.07.11   2011.09.22   -
nProtect   2011-09-22.01   2011.09.22   -
Panda   10.0.3.5   2011.09.22   -
PCTools   8.0.0.5   2011.09.22   -
Prevx   3.0   2011.09.22   -
Rising   23.76.03.01   2011.09.22   -
Sophos   4.69.0   2011.09.22   -
SUPERAntiSpyware   4.40.0.1006   2011.09.22   Trojan.Dropper/Gen
Symantec   20111.2.0.82   2011.09.22   -
TheHacker   6.7.0.1.307   2011.09.22   -
TrendMicro   9.500.0.1008   2011.09.22   -
TrendMicro-HouseCall   9.500.0.1008   2011.09.22   -
VBA32   3.12.16.4   2011.09.22   -
VIPRE   10549   2011.09.22   -
ViRobot   2011.9.22.4683   2011.09.22   -
VirusBuster   14.0.227.0   2011.09.22   -

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #18 on: September 23, 2011, 12:25:54 AM »
Whilst pdftotext.exe is detected 4 times, the detections in themselves aren't conclusive:
1. PUA.Packed.PECompact-1 - This one is having a moan about the fact that it is a packed file - which in itself is no indication it is malicious as not all PECompact files (many .exe files are packed in this way), though generally I would have thought it is used to install a program.

2. Suspicious and Heuristic detections are more prone to false positives, plus the heuristic detection is another concern about it being packed.

3. The Trojan.Dropper/Gen is a generic detection (the Gen bit at the end); these are also more prone to false positives.

So unfortunately nothing conclusive.

What I can't get my head round is, if pdftotext.exe is a part of the google desktop, how is it involved with Wordfast (my only knowledge of what that does comes from a google search http://en.wikipedia.org/wiki/Wordfast), if it is a part of the google desktop. What and why is it called in a translation service/application.

So can you take me through this step by step of what you are doing and at what point the pdftotext.exe is launched and intercepted by the autosandbox ?

If you have never used this program, then I would seriously consider uninstalling/removing it from the google desktop. The problem being if this file not being run as you have mentioned has an impact on the Wordfast software and that I really can't understand.

Offline HPY

  • hpy
  • Sr. Member
  • ****
  • Posts: 224
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #19 on: September 23, 2011, 08:13:59 AM »
DavidR

Thank you for the thoughtful reply.

In my panic to get Wordfast (central to doing the potential translation jobs) I am overlooking how I, as you suspect, jumped to a wild conclusion in thinking that pdftotext.exe had anything to do with the Wordfast to Word interface, or indeed with the downloading and unpacking of the ZIP files.

Now I step back - after following our thread - what happened was: these Sandbox alerts (winampa.exe was another - so I de-installed Winamp) drew my attention to Sandbox, therefore I disabled it to see if it had anything to do with the Wordfast/MSO 2010 interplay.

Hey presto, WF started offering phrases shaded in the appropriate colours that represent near or 100% matches to the translation of a given segment of the job (drawing from the lexicon in the TMs - this is how software Trados operates too).

At any rate it certainly seemed to me that WF started giving me its input as a result of disabling Sandbox (forget pdf.exe or winampa.exe).

The comment of a local IT man who has his own business "that Wordfast must be weird if it is compatible with MSO 2007 and not 2010". I agree, but the potential employer tells me that they only use 2007 for both WF and Trados for that reason.
« Last Edit: September 24, 2011, 02:22:27 PM by HPY »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #20 on: September 23, 2011, 03:04:08 PM »
That is why I suggested you look in the autosandbox.txt to see if there are any files from any program files in the log.

This is one reason why the default setting on the autosandbox is set to Ask, so that the user is aware of any interest in a file that they are using (or want to use) by the autosandbox. If it is set to automatic then the user doesn't see this interest by the autosandbox and that file may be run in the sandbox.

This could result in an essential file being in the sandbox, isolated from the live system and the application that requires it.

If you know which file that is, from the autosandbox.txt log file then you can check the measures mentioned before and if happy add it to the autosandbox, settings, files to be excluded from automatic sandboxing.

This retains the additional protection from the autosandbox, but you would first have to know about the file and that really only comes with the autosandbox set to Ask (default).

Offline HPY

  • hpy
  • Sr. Member
  • ****
  • Posts: 224
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #21 on: September 23, 2011, 03:24:41 PM »
DavidR

This still does not tell me why disabling the Sandbox enabled the Wordfast processes mentioned above.

This is all the Sandbox log was showing (plus the winampa.exe which I de-installed a few days ago):

21.09.2011 10:34:43   Autosandbox candidate: C:\Program Files\Google\Google Desktop Search\pdftotext.exe
   [Source: ]
   [Opened by: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe]
    --> Result: Sandboxing (because policy set to Auto).

21.09.2011 19:28:49   Autosandbox candidate: C:\Program Files\Google\Google Desktop Search\pdftotext.exe
   [Source: ]
   [Opened by: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe]
    --> Result: Sandboxing (because policy set to Auto).

21.09.2011 19:35:00   Autosandbox candidate: C:\Program Files\Google\Google Desktop Search\pdftotext.exe
   [Source: ]
   [Opened by: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe]
    --> Result: Sandboxing (because policy set to Auto).

22.09.2011 22:52:18   Autosandbox candidate: C:\Program Files\Google\Google Desktop Search\pdftotext.exe
   [Source: ]
   [Opened by: C:\Windows\Explorer.EXE]
    --> Result: Sandboxing (based on user's decision).
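Added example, not part of the thread or of avast: a small Python parser for the autosandbox.txt entry format shown in the post above, which groups entries by sandboxed file and answers the check suggested in Reply #20 (does anything in the log belong to a given program's install directory). The Wordfast directory used in the check is a hypothetical path; "silent" is a name introduced here for decisions made under the Auto policy.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two of the entries from the log excerpt in the post above, copied verbatim.
SAMPLE_LOG = r"""
21.09.2011 10:34:43   Autosandbox candidate: C:\Program Files\Google\Google Desktop Search\pdftotext.exe
   [Source: ]
   [Opened by: C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe]
    --> Result: Sandboxing (because policy set to Auto).

22.09.2011 22:52:18   Autosandbox candidate: C:\Program Files\Google\Google Desktop Search\pdftotext.exe
   [Source: ]
   [Opened by: C:\Windows\Explorer.EXE]
    --> Result: Sandboxing (based on user's decision).
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\s+Autosandbox candidate: (?P<candidate>.+?)\s*\n"
    r"\s*\[Source: (?P<source>.*?)\]\s*\n"
    r"\s*\[Opened by: (?P<opener>.*?)\]\s*\n"
    r"\s*--> Result: (?P<action>\w+) \((?P<reason>.*?)\)\.",
    re.MULTILINE,
)

def parse_autosandbox_log(text):
    """Return one dict per four-line entry; text that does not match is skipped."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d.%m.%Y %H:%M:%S")
        # Under the Auto policy the decision was made without asking the user.
        e["silent"] = "policy set to auto" in e["reason"].lower()
        entries.append(e)
    return entries

def summarize(entries):
    """Group by sandboxed file (case-insensitive, as Windows paths are)."""
    summary = defaultdict(lambda: {"count": 0, "silent": 0, "openers": set()})
    for e in entries:
        s = summary[e["candidate"].lower()]
        s["count"] += 1
        s["silent"] += e["silent"]
        s["openers"].add(e["opener"])
    return dict(summary)

def candidates_under(entries, directory):
    """Sandboxed files that live under an application's install directory."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return sorted({e["candidate"] for e in entries if e["candidate"].lower().startswith(prefix)})
```

Run over the full log, an empty result from candidates_under for the application's own directory means the autosandbox log records no file of that application being sandboxed.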

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #22 on: September 23, 2011, 03:38:59 PM »
To me that is obvious, autosandbox stopped, no interest in any possible file/program by the autosandbox, no file sandboxed or delayed from loading, the program doesn't have an isolated/delayed file and can run.

Setting it to Auto effectively keeps its decisions hidden, so you aren't aware of that interest.

But I don't see anything in the extract you have posted (or mentioned) about any files that may be related to the wordfast program, so I'm at a loss why wordfast has a problem.

Whilst the files and data listed here is effectively for files that were sent to the sandbox, I don't believe it lists files that were allowed to run normally when set to Auto. There is a possibility that in the time whilst a file is investigated, that a program might consider the file missing and report a failure.

These are my thoughts as an avast user, I'm not an avast developer so I don't know the intricacies of the autosandbox function.

Offline HPY

  • hpy
  • Sr. Member
  • ****
  • Posts: 224
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #23 on: September 23, 2011, 03:51:54 PM »
Then I can only conclude that pdftotext.exe is necessary for the functioning of Wordfast. I noticed the Wiki page said something about it being a "browser-based TM tool". Which by disabling sandbox was allowed to function instantly on downloading the .txt TM and TG files.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #24 on: September 23, 2011, 05:04:22 PM »
Sorry but that doesn't follow for me; given that it is part of the google desktop (in this case), I can't see how wordfast could rely on google desktop and pdftotext.exe being present on a system or it wouldn't work even without the presence of avast/autosandbox.

If the Wiki page is correct and I did notice the comment about it being "browser-based TM tool" then there would be more of a likelihood that the web shield would become involved as it would scan any browser-based activity. If it were that becoming involved then I wouldn't expect that to change when stopping the autosandbox.

Again if it were "browser-based" then there is the likelihood of it running scripts and the script shield being involved, so again I wouldn't expect that to change when stopping the autosandbox.

So this is more complex and beyond my user knowledge of how avast works.

Offline HPY

  • hpy
  • Sr. Member
  • ****
  • Posts: 224
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #25 on: September 23, 2011, 08:05:43 PM »
Thank you. I think we have exhausted the topic until there are other takers.

I deinstalled NoScript when Avast introduced its own shield - don't want to over-egg the omelette (must update my profile).

All I can say for sure is that WF started working the moment I disabled Sandbox (or if you like allowed pdftotext.exe to execute).

Any translators out there!!!?

Thank you very much DavidR - you should be paid!
« Last Edit: September 24, 2011, 02:24:02 PM by HPY »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #26 on: September 23, 2011, 08:13:21 PM »
NoScript in my opinion is a somewhat different beast as it doesn't actually scan scripts, just blocks them, so there is no cross over really.

Avast's script shield would scan the scripts on the page even if they aren't actually run. This could give you an indication of a malicious script on the site which NoScript doesn't do.

Offline HPY

  • hpy
  • Sr. Member
  • ****
  • Posts: 224
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #27 on: September 23, 2011, 08:31:26 PM »
I also neutralised ABP on the company's site page from which to download the trials.

I cannot remember how I set NoScript - as I say, I de-installed it some time ago.
« Last Edit: September 24, 2011, 06:13:03 PM by HPY »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: Sandbox Avast 5.0 re Wordfast and Trados translators' software.
« Reply #28 on: September 23, 2011, 08:48:58 PM »
You can allow the particular site in NoScript.