I developed a macro that has been compiled in Macro Scheduler Pro and deployed to workstations. This macro has been in use for over 2 years.
Recently the new version of Antivirus software became more 'aggressive' in stopping various programs from executing. Antivirus log shows messages like this:
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE C:\Documents and Settings\\Local Settings\Temp\GetWordNT.dll Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked : Execute
Marcus - could you please clarify if this DLL is legitimately executed in Temp folder?
Best regards,
Tomek
GetWordNT.dll blocked by Antivirus
Moderators: Dorian (MJT support), JRL
-
Marcus Tettmar
- Site Admin
- Posts: 7391
- Joined: Thu Sep 19, 2002 3:00 pm
- Location: Dorset, UK
- Contact:
Yes, it is legitimate. If you're using the text capture functions then the EXE needs it, so it extracts it from itself and temporarily stores it in the temp folder (the only place it can guarantee it is able to do so). The compiler will stuff the EXE with the text capture DLLs if the script requires them.
Marcus Tettmar
http://mjtnet.com/blog/ | http://twitter.com/marcustettmar
Did you know we are now offering affordable monthly subscriptions for Macro Scheduler Standard?
http://mjtnet.com/blog/ | http://twitter.com/marcustettmar
Did you know we are now offering affordable monthly subscriptions for Macro Scheduler Standard?
I have one follow-up comment and a question: the message captured by Antivirus shows that Outlook.exe is trying to run this DLL and this is confusing. The macro that I developed has nothing to do with Outlook or sending/receiving emails. Would there be any possibility of exploiting this DLL from Outlook because it is avaliable in Temp folder?
There are no messages about the actual macro trying to run this DLL. I am leaning towards keeping these attempts blocked and checking with the users who get this message if they see any problems with the macro (probably not: it is heavily used every day and I would hear about the problems right away)
Tomek
There are no messages about the actual macro trying to run this DLL. I am leaning towards keeping these attempts blocked and checking with the users who get this message if they see any problems with the macro (probably not: it is heavily used every day and I would hear about the problems right away)
Tomek
-
Marcus Tettmar
- Site Admin
- Posts: 7391
- Joined: Thu Sep 19, 2002 3:00 pm
- Location: Dorset, UK
- Contact:
There is nothing to worry about.
The way the text capture DLLs work - the ONLY way they can work - is by creating very low level system hooks which hook into Windows text output functions. Therefore they end up in the hook chain and listen to EVERY process in the system. That includes Outlook. Also, if you have DLL caching enabled the DLL will stay in memory after the macro has finished. So it will appear as if Outlook is "using" the DLL. In fact all of Windows is using it and any process that outputs text will show the DLL in it's module list.
Your Antivirus product is wrong. There is no threat from this file. All it does is monitor the text output functions so that Macro Scheduler can "see" text that apps write to the screen.
The way the text capture DLLs work - the ONLY way they can work - is by creating very low level system hooks which hook into Windows text output functions. Therefore they end up in the hook chain and listen to EVERY process in the system. That includes Outlook. Also, if you have DLL caching enabled the DLL will stay in memory after the macro has finished. So it will appear as if Outlook is "using" the DLL. In fact all of Windows is using it and any process that outputs text will show the DLL in it's module list.
Your Antivirus product is wrong. There is no threat from this file. All it does is monitor the text output functions so that Macro Scheduler can "see" text that apps write to the screen.
Marcus Tettmar
http://mjtnet.com/blog/ | http://twitter.com/marcustettmar
Did you know we are now offering affordable monthly subscriptions for Macro Scheduler Standard?
http://mjtnet.com/blog/ | http://twitter.com/marcustettmar
Did you know we are now offering affordable monthly subscriptions for Macro Scheduler Standard?
