security warning re: flashgot.exe


Post by coastsider »

Hi - I get a warning from my security agent software when I start up Firefox:
7/25/2009 8:02:48 PM: The process 'C:\Documents and Settings\USERXXX\Application Data\Mozilla\Firefox\Profiles\xxxxxx.default\FlashGot.exe' (as user XXXXX) attempted to access 'C:\DOCUMENTS AND SETTINGS\USERXXX\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.OST'. The attempted access was a read (operation = OPEN/READ). The operation was denied.

Why would Flashgot try to access my offline outlook file? This is strange behavior for a download manager.

Thanks for any input on why this might be happening.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: security warning re: flashgot.exe

Post by Giorgio Maone »

This is strange, indeed.
What external download manager are you using?
Is the FlashGot.exe you've got digitally signed by "InformAction Soc. Coop." as it should be?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
proft

Re: security warning re: flashgot.exe

Post by proft »

This happened to me as of v1.2.0.4, upgraded today from addons.mozilla.org.

9/9/2009 9:23:28 PM: The process 'C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\2il5q3gh.default\FlashGot.exe' (as user MYDOMAIN\username) attempted to access 'C:\DOCUMENTS AND SETTINGS\username\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.OST'. The attempted access was a read (operation = OPEN/READ). The operation was denied. [2435]

Luckily my security agent prohibited the action. So are you saying that you did not recently change your software to behave this way?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Re: security warning re: flashgot.exe

Post by Giorgio Maone »

No, I did not.
Again, what download manager are you using?
FlashGot.exe (whose source code is included in the FlashGot XPI) instantiates the COM automation objects of installed download managers for auto-detection purposes, so the most likely cause is one of them (or one of its dependencies) attempting to read that file as part of its initialization routine.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Anonymous User

Re: security warning re: flashgot.exe

Post by Anonymous User »

Hi, I got the same warning/issue as those above today when I launched Firefox.

12/4/2009 9:05:48 AM: The process 'C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\ptqkq3o6.Firefox_Profile\FlashGot.exe' (as user <DOMAIN\username>) attempted to access 'C:\DOCUMENTS AND SETTINGS\<USERNAME>\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.OST'. The attempted access was a read (operation = OPEN/READ). The operation was denied. [2435]

12/4/2009 9:05:48 AM: The process 'C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\ptqkq3o6.Firefox_Profile\FlashGot.exe' (as user <DOMAIN\username>) attempted to access 'C:\DOCUMENTS AND SETTINGS\<USERNAME>\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\INTERNET CALENDAR SUBSCRIPTIONS.PST'. The attempted access was a read (operation = OPEN/READ). The operation was denied. [2435]

I am not sure what you mean by "download manager", since the only download manager 'type' plugin I have is flashgot. Other than the built in Firefox download manager itself, I am not understanding your explanation above, in WHY flashgot.exe would be attempting to open outlook files. BTW, I did in fact check the exe file and verified that it contained a valid and signed certificate.

Issuer:
CN = UTN-USERFirst-Object
OU = http://www.usertrust.com
O = The USERTRUST Network
L = Salt Lake City
S = UT
C = US
Valid To: Friday, July 23, 2010 3:59:59 PM
Subject:
CN = InformAction
O = InformAction
STREET = via Emilia 33
L = Palermo
S = Palermo
PostalCode = 90144
C = IT
Serial Number: 00 d0 31 6b bf 54 b9 d3 10 ea e4 64 f1 e0 76 01 6f
Thumbprint: 6c 71 71 ec d6 64 a6 83 22 bb c7 ed f3 ff 42 08 e0 3e e9 3e

Are you suggesting that some other plugin within Firefox is using flashgot.exe to attempt to access Outlook files?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)

Re: security warning re: flashgot.exe

Post by Giorgio Maone »

Anonymous User wrote:I am not sure what you mean by "download manager", since the only download manager 'type' plugin I have is flashgot.
Download managers are those listed here.
As I said, upon initialization FlashGot.exe tries to instantiate the Internet Explorer COM integration objects provided by any of them if installed.
Anonymous User wrote: I am not understanding your explanation above, in WHY flashgot.exe would be attempting to open outlook files.
In fact, there is no reason for FlashGot.exe doing that and no code in it (the full source files, FlashGot.h, FlashGot.cpp and DAP.cpp, are provided inside the XPI) is actually doing that.

Therefore, the only thing I can think of doing that is one of the aforementioned COM integration objects.
Are you sure you never installed any download manager?

Oh and, BTW, what's this "security agent" reporting this issue?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Anonymous User

Re: security warning re: flashgot.exe

Post by Anonymous User »

Hi Giorgio,
Thank you for your quick reply.
Giorgio Maone wrote:Download managers are those listed here.
In looking at the link to sample download managers, that confirms what I mentioned earlier in that I do not have ANY download managers installed (not those listed nor any others), neither for IE or Firefox or anything else.
Giorgio Maone wrote:As I said, upon initialization FlashGot.exe tries to instantiate the Internet Explorer COM integration objects provided by any of them if installed.
Thus, it seems that this info may not be applicable?
Giorgio Maone wrote:In fact, there is no reason for FlashGot.exe doing that and no code in it (the full source files, FlashGot.h, FlashGot.cpp and DAP.cpp, are provided inside the XPI) is actually doing that.

Therefore, the only thing I can think of doing that is one of the aforementioned COM integration objects.
Understand your thought process here, but trying to understand what's going on since I do not have any download managers installed at all.
Giorgio Maone wrote:Are you sure you never installed any download manager?
Yes. Unless you consider the Firefox built in "download manager" a type which could be initiating this. E.g. if another plugin installed in Firefox itself (non-download manager type plugins are all I have installed) would attempt to access/use Outlook files, and for some reason Firefox would use flashgot.exe to fulfill the request. FYI - I only have Flashgot installed in Firefox.

The example I mentioned above is what I am suspecting, so would like to know if that is truly a possibility. I do have one addin in Firefox (and IE) that would need to communicate with Outlook: Webex OneClick / Productivity Tools

This addin provides ability to start or schedule a Webex meeting, which can integrate with either Outlook or Lotus Notes to create calendar invites. Thought it strange however that flashgot.exe would somehow be used by that addin in Firefox to open/read those Outlook files. Is this possible? BTW, am using Firefox 3.0.15.
Giorgio Maone wrote:Oh and, BTW, what's this "security agent" reporting this issue?
Cisco Security Agent 6.0.0.220

Thank you for your help :D
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)

Re: security warning re: flashgot.exe

Post by Giorgio Maone »

OK, I'd like you to try the following:
  1. Extract FlashGot.exe from the XPI and run it alone. Does it trigger the warning?
  2. Try to uninstall the WebEx plugin from both IE and Firefox, checking if anything changes
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Anonymous User

Re: security warning re: flashgot.exe

Post by Anonymous User »

The mystery deepens...
Giorgio Maone wrote:OK, I'd like you to try the following:

1. Extract FlashGot.exe from the XPI and run it alone. Does it trigger the warning?
Took me a while to figure this out as I am not a developer, but found and downloaded the xpi file, renamed the extension to a .zip, extracted the flashgot.jar file and used winrar to extract the flashgot.exe.

When running the extracted flashgot.exe that I downloaded, in an empty temporary directory, the Security Agent did not detect any issues (i.e. did not attempt to open an Outlook file).

When running the flashgot.exe that was located in the Firefox profile directory (Firefox and IE not running), it DID attempt to open the Outlook files.

In running FC /B (MS file compare command doing a binary comparison) for the two flashgot.exe files, they are identical. Executing the file with no parameters, within the Firefox profile directory, seems to trigger the event. Also, I omitted earlier that this message also gets triggered along with the report about flashgot.exe:

12/4/2009 9:05:50 AM: The process 'C:\Program Files\Java\jre6\bin\jqsnotify.exe' (as user <DOMAIN\username>) attempted to access 'C:\DOCUMENTS AND SETTINGS\<USERNAME>\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\INTERNET CALENDAR SUBSCRIPTIONS.PST'. The attempted access was a read (operation = OPEN/READ). The operation was denied. [2435]

I apologize for forgetting to include that earlier. So, each time I launch Firefox, the two messages (in my original post) plus the one above occur (3 total). I am assuming that since Flashgot uses Java scripting, that it may somehow be related.
Giorgio Maone wrote: 2. Try to uninstall the WebEx plugin from both IE and Firefox, checking if anything changes
Before trying to uninstall the software, I wanted to try simply disabling the plugins. I disabled both in IE as well as in Firefox.
  1. Closed and re-launched Firefox, and the event did NOT occur.
  2. Tried running the flashgot.exe directly from the Firefox profile directory, and again the issue did NOT occur.
  3. (Now this is where it gets "fun".) I re-enabled the Webex plugin in Firefox, relaunched Firefox, and now it is no longer trying to access Outlook files.
  4. Tried the Webex plugin features, and it appears to be working just fine.
  5. Tried running the flashgot.exe directly from the profile directory, and still NO issue.
  6. I then re-enabled the plugin in IE, relaunched Firefox and also tried running the .exe from the profile directly, and again, still no attempt to access Outlook file.
So now, the "issue" has "gone away". Would be nice to know why it occurred in the first place though, since the old adage that "problems that go away by themselves, come back by themselves" could be true in this case. Hopefully something in my testing results above may be helpful in understanding WHY simply running the flashgot.exe in the Firefox profile directory, when no browsers are running and no download managers installed, could have triggered this event. In any case, if you need any more info from me, or for me to test anything else, please let me know. Also, if this ever DOES start re-occurring, I will definitely post here again.

Thanks again for your help Giorgio.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)
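As an added example (not part of the thread, and not FlashGot or Cisco code), the sketch below parses the Cisco Security Agent event lines quoted in this thread and reports Outlook data files that more than one process was denied access to within a few seconds of each other, which is worth chasing as a component loaded into both processes rather than code in either executable. The regular expression is inferred from the quoted lines only, and the 5-second window is an assumption.

```python
import ntpath
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Event lines copied from the posts above; user names are the posters' own placeholders.
SAMPLE_LOG = r"""
12/4/2009 9:05:48 AM: The process 'C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\ptqkq3o6.Firefox_Profile\FlashGot.exe' (as user <DOMAIN\username>) attempted to access 'C:\DOCUMENTS AND SETTINGS\<USERNAME>\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.OST'. The attempted access was a read (operation = OPEN/READ). The operation was denied. [2435]
12/4/2009 9:05:48 AM: The process 'C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\ptqkq3o6.Firefox_Profile\FlashGot.exe' (as user <DOMAIN\username>) attempted to access 'C:\DOCUMENTS AND SETTINGS\<USERNAME>\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\INTERNET CALENDAR SUBSCRIPTIONS.PST'. The attempted access was a read (operation = OPEN/READ). The operation was denied. [2435]
12/4/2009 9:05:50 AM: The process 'C:\Program Files\Java\jre6\bin\jqsnotify.exe' (as user <DOMAIN\username>) attempted to access 'C:\DOCUMENTS AND SETTINGS\<USERNAME>\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\INTERNET CALENDAR SUBSCRIPTIONS.PST'. The attempted access was a read (operation = OPEN/READ). The operation was denied. [2435]
"""

Event = namedtuple("Event", "when proc user target op verdict")

# Pattern inferred from the quoted lines only (an assumption, not a vendor specification).
EVENT_RE = re.compile(
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M): "
    r"The process '(?P<proc>[^']+)' \(as user (?P<user>.+?)\) "
    r"attempted to access '(?P<target>[^']+)'\. "
    r"The attempted access was an? \w+ \(operation = (?P<op>[^)]+)\)\. "
    r"The operation was (?P<verdict>\w+)\."
)

def parse_events(text):
    """Return an Event for every line in the quoted format; anything else is skipped."""
    return [Event(datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"), m["proc"],
                  m["user"], m["target"], m["op"], m["verdict"])
            for m in EVENT_RE.finditer(text)]

def is_mail_store(path):
    return ntpath.splitext(path)[1].lower() in {".ost", ".pst"}  # Outlook data files

def denied_by_process(events):
    """Count denied mail-store accesses per process image name."""
    return Counter(ntpath.basename(e.proc).lower() for e in events
                   if e.verdict == "denied" and is_mail_store(e.target))

def shared_targets(events, window=timedelta(seconds=5)):
    """Map each mail store to the distinct processes denied on it within `window`."""
    by_target = defaultdict(list)
    for e in events:
        if e.verdict == "denied" and is_mail_store(e.target):
            by_target[e.target.lower()].append(e)
    shared = {}
    for target, evs in by_target.items():
        procs = {ntpath.basename(a.proc).lower() for a in evs for b in evs
                 if a.proc.lower() != b.proc.lower() and abs(a.when - b.when) <= window}
        if procs:
            shared[ntpath.basename(target)] = sorted(procs)
    return shared

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(dict(denied_by_process(events)), shared_targets(events))
```

On the three quoted events this flags the calendar-subscriptions PST as touched by both FlashGot.exe and jqsnotify.exe two seconds apart, while OUTLOOK.OST is touched by FlashGot.exe only.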

Re: security warning re: flashgot.exe

Post by Giorgio Maone »

Did you try to enable back the IE version of the plugin?
My suspicion is that it mimics one of the download manager integration COM interfaces (shouldn't happen, since GUID should be... well Global Unique IDentifiers, but sometimes people copy & paste too much), gets instantiated and accesses those files.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: security warning re: flashgot.exe

Post by therube »

So this "jqsnotify" (Java Quick Starter) is a plugin in FF, that can be disabled?
(Probably wouldn't hurt to disable that .NET plugin too.)

And through your last testing, it is enabled or disabled (I'm not clear on that) in FF.
(Noted that you did re-enable it in IE.)

Another possibility that I would consider would be (Java?) malware related. Not an end-all, but download & run a Quick Scan with Malwarebytes' Anti-Malware. A visual search for something out of the ordinary in your FF (install) /components/ directory. A search in your %TEMP% directory for misplaced install.rdf, overlay.xul or the like.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6pre) Gecko/20091128 SeaMonkey/2.0.1pre
Anonymous User

Re: security warning re: flashgot.exe

Post by Anonymous User »

Giorgio Maone wrote:Did you try to enable back the IE version of the plugin?
Yes. Please see step 6 from my most recent post. I basically backed out all changes I made in disabling plugins for both IE and Firefox. So as far as I can tell, I should be in the same state that I was before, but now the problem has gone away.
Giorgio Maone wrote:My suspicion is that it mimics one of the download manager integration COM interfaces (shouldn't happen, since GUID should be... well Global Unique IDentifiers, but sometimes people copy & paste too much), gets instantiated and accesses those files.
Not too sure about this one. No way for me to know, but in theory it could happen I suppose.

Any suggestions about anything else to check? I think it's particularly interesting that the exact same flashgot.exe file would act differently depending on which directory it was executed from (see notes from my previous post).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)

Re: security warning re: flashgot.exe

Post by Giorgio Maone »

Anonymous User wrote:I think it's particularly interesting that the exact same flashgot.exe file would act differently depending on which directory it was executed from (see notes from my previous post).
It's a mystery, actually. Especially since FlashGot.exe knows absolutely nothing about the path where it's executed from...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Anonymous User

Re: security warning re: flashgot.exe

Post by Anonymous User »

Giorgio Maone wrote:
Anonymous User wrote:I think it's particularly interesting that the exact same flashgot.exe file would act differently depending on which directory it was executed from (see notes from my previous post).
It's a mystery, actually. Especially since FlashGot.exe knows absolutely nothing about the path where it's executed from...
Well, thanks for your consideration on this Giorgio. My assumption is that there was some sort of glitch in the interaction with the WebEx tools, Sun Java, and Flashgot. If it ever does re-occur, I'll re-post in here.

In response to therube..
therube wrote:So this "jqsnotify" (Java Quick Starter) is a plugin in FF, that can be disabled?
(Probably wouldn't hurt to disable that .NET plugin too.)
Yes, it can be, though it seems that in my case it wasn't necessary since disabling and re-enabling the WebEx extension/plugin seems to have cleared the "glitch".
therube wrote:And through your last testing, it is enabled or disabled (I'm not clear on that) in FF.
(Noted that you did re-enable it in IE.)
It has been re-enabled (again, I only disabled and re-enabled the WebEX plugin in both IE and FF).
therube wrote:Another possibility that I would consider would be (Java?) malware related. Not an end-all, but download & run a Quick Scan with Malwarebytes' Anti-Malware. A visual search for something out of the ordinary in your FF (install) /components/ directory. A search in your %TEMP% directory for misplaced install.rdf, overlay.xul or the like.
One can never rule this out (and I did consider this a possibility), though considering I am running McAfee Enterprise anti-virus and Antispyware, Cisco Security Agent, and, because my usage/browsing habits never (intentionally) bring me to any questionable sites, etc., the likelihood is low. Nonetheless, I did download and run Malwarebytes anti-malware and it came back clean on a complete scan.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)
Guest

Re: security warning re: flashgot.exe

Post by Guest »

I just upgraded to the latest FireFox and I am sure this is related.

Whenever I open firefox, my security software blocks flashgot.exe because it says it is trying to modify my Windows Systems files. I have the option to tell my software to unblock the program, but I'm not sure if I should.

I don't like unknown software changing my windows systems files without my permission and without explaining why.

What gives here?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)