
SumatraPDF Reader Suspicious Behavior


3 replies to this topic

#1 Touchito


Posted 11 January 2013 - 06:44 PM

Hello Everyone!

The following should be addressed to the producer(s) of SumatraPDF Reader, but since they don’t seem to be interested in keeping in touch with the users of his/their product (the main con of whatever is free) I’ll really appreciate this forum members’ help. Thanks in advance.

Since I never have downloaded SumatraPDF (I didn’t even know it existed) when my Secunia 2.00 started showing it long, long time ago but I couldn’t find it anywhere in my computer, I worried because I didn’t know if it was a part of a program (so I shouldn’t uninstall it) or if it was some kind of malware disguised as a program.

According to Secunia 3.0 (the new version), it is always updating without (never) completing the process nor letting me do it manually, so it is a security weak point in my computer (permanently out of date/unpatched). One night I clicked my Windows Start and surprise! its icon was there! I clicked on “all programs” and yes! it was listed there! I went to “Program Files (x86)” and yes! it was there too! It didn’t seem to me to be tied somehow to another program as part of it, so I took my chances and used my Revo Uninstaller to kick it out (at last!). The next day it was there again! It wasn’t only a shortcut, it was in Program Files (x86) again and it was working! It (downloaded? and) re-installed by itself! The worst thing was that it wasn’t even the latest version but the same old one that I uninstalled the night before.

I was going to uninstall it again and install the newest version to see what happened, so I tried to download the latest version, first, directly from its own homepage, but I couldn’t; something went wrong (rarely, because it didn’t happen while downloading anything else before). Then I tried at MajorGeeks website and I got it, but when I tried to install it (after uninstalling the old one) my F-Secure Internet Security alerted me about it this way:

“DeepGuard has noticed that an application is trying to manipulate or terminate another process, which is potentially dangerous. This application is SumatraPDF. Rating: Suspicious. Target: C:\program files (x86)\f-secure\fshoster32.exe”
It was trying not only to manipulate or terminate another process, but targeting precisely my antivirus, which is typical to malware. Coincidence? I did what you or anybody else would: I blocked it. A little while later that out of date version was back in its place again! So it re-installed it by itself twice already!

I downloaded Kaspersky Security Scan to have a “second opinion scan” and installed Comodo Firewall (I turned F-Secure’s firewall off). Kaspersky detected SumatraPDF and listed it under “Vulnerabilities” as a part of my NovaBackup, and my Comodo detected it too and listed it as an unknown file (so, potentially dangerous). I asked NovaStor about it and they said “yes, it is a part of your NovaBACKUP software” (it is a PDF reader that works from Boot CD to Display Help File in Disaster Recovery Backup CD).

Now, at least, I know where it came from and, if it is part of a reputable, trusted program as it is to me NovaBACKUP, then it must be safe but, at the same time, now new questions have arisen. The very first: Is it really safe? (I probably should use another backup software)

1. Why that decidedly suspicious behavior?
2. Why it is now installed in my computer separately from NovaBACKUP too?
3. I understand why I can’t update the SumatraPDF that is part of NovaBACKUP (I don’t even know if it is out of date or not) but why I can’t update that SumatraPDF that is installed separately from NovaBACKUP? And
4. Why (and how) it re-installs by itself?

Thanks again for your time and help, and I hope it helps others.
Touchito



#2 Nanobyte


Posted 15 January 2013 - 08:27 AM

As far as I am aware there is nothing wrong with SumatraPDF. I have the portable version on a USB stick (mine installed with no security issues). It's Open Source software so nothing to hide. I'm guessing your other apps use it because there's no licensing fee as there would be with Adobe. If those apps use it, they should have built-in code to update Sumatra if necessary. If they don't, that's their problem, not Sumatra. I get warnings from my AV software on nearly everything I install (typically access to protected interfaces etc). If I heeded all, I would not have much on my PC.

Regarding the re-installing itself, your description was a bit too long to plough through. Perhaps your main apps are re-installing it because you are continually blocking the application?

#3 buddy215


Posted 15 January 2013 - 12:02 PM

I've used Sumatra on Windows for a few years....no problem.

Here is a report on the latest SumatraPDF reader 2.2.1 that was released just 3 days ago.
You can see that the Sumatra.exe was scanned with 46 different security programs and none reported anything suspicious.
If another program is installing it, possibly for reading help files, then that is another issue. Anyone can alter or add to the program as stated on its website....QUOTE: You can also download the sources and contribute your code to Sumatra PDF.

SHA256: ea5ec739d95f9a6a828ef602015377a7b94eb80b920a2fd283cf34da6090be24
File name: SumatraPDF-2.2.1-install.exe
Detection ratio: 0 / 46
Analysis date: 2013-01-15 11:20:47 UTC (5 hours, 30 minutes ago)
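One way to check the points raised so far, as an added example that is not part of any poster's reply: confirm that a downloaded installer is the same file as the one in the scan report, then inventory every installed copy of SumatraPDF to see which program's folder each sits in and whether the copies are byte-identical. The download path and the search roots are assumptions; the published hash is for the installer, so installed executables are compared with each other, not with it.

```powershell
# Added example. Paths below are assumptions; adjust to the machine being checked.
# SHA256 of SumatraPDF-2.2.1-install.exe as given in the scan report above.
$publishedInstallerHash = 'ea5ec739d95f9a6a828ef602015377a7b94eb80b920a2fd283cf34da6090be24'
$installerPath = Join-Path $env:USERPROFILE 'Downloads\SumatraPDF-2.2.1-install.exe'  # assumed location

# 1. Is the downloaded installer the same file that was scanned?
if (Test-Path -LiteralPath $installerPath) {
    $actual = (Get-FileHash -LiteralPath $installerPath -Algorithm SHA256).Hash
    if ($actual -ieq $publishedInstallerHash) {
        'Installer matches the scanned file.'
    } else {
        "Installer does NOT match the scanned file. Local SHA256: $actual"
    }
} else {
    "No installer found at $installerPath"
}

# 2. Inventory every installed copy, including ones bundled inside other programs.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$copies = Get-ChildItem -Path $roots -Filter 'SumatraPDF*.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName                      # parent folder shows which product ships it
            Version   = $_.VersionInfo.FileVersion       # tells an old build from a current one
            Modified  = $_.LastWriteTime                 # changes when something re-installs the file
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
$copies | Sort-Object SHA256 | Format-List

# 3. Copies that share a hash are byte-identical, i.e. the same build placed in two locations.
$copies | Group-Object SHA256 | Where-Object Count -gt 1 | ForEach-Object {
    "Identical copies ($($_.Count)):"
    $_.Group | ForEach-Object { "  $($_.Path)" }
}
```

Running it again after a copy reappears and comparing the `Modified` and `SHA256` values shows whether the same build was put back.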

#4 Touchito


Posted 03 February 2013 - 12:38 PM

Thanks Nanobyte and buddy215,
Your answers have been really helpful. Now I can leave SumatraPDF alone without worries.
Best Regards.
Touchito



