DragDropConfirm icon indicating copy to clipboard operation
DragDropConfirm copied to clipboard
verified publisher icon broken-e

Installer flagged as low risk malicious indicators

Open dave80586 opened this issue 1 year ago • 3 comments

Because of this I am not allowed to install it-

https://www.virustotal.com/gui/file/59b28f8bc0967f78c3c1e7f997825c79887bf42339f1c72ebd859e82a9e28786/detection

https://www.hybrid-analysis.com/sample/59b28f8bc0967f78c3c1e7f997825c79887bf42339f1c72ebd859e82a9e28786 What does the installer do - do I need the installer?

dave80586 avatar Apr 11 '24 17:04 dave80586

Most likely a wrong positive by the antivirus software. If DragDropConfirm were a threat all antivirus-engines would flag it as virus after so many years.

I use this software since May 2017 (see my comments in issue #11 and #27) and had never any problems regarding unwanted behavior with it! In fact it has saved my ass in uncounted situations! A HUGE thank you to bduffek for this gadget!

As I understand it, the installer has the task to install the .DLL that handles the interception of the right-click context menu to the 'Move here' execution. I do not know (but i doubt it), if it is possible to do a manual install. If your antivirus really prevents the installer from running it might be an idea to disable it during the installation - and to re-enable it immediately after the installation. I assume the installed .DLL will not interfere with the antivirus.

TerraD avatar Apr 12 '24 09:04 TerraD

Most likely a wrong positive by the antivirus software. If DragDropConfirm were a threat all antivirus-engines would flag it as virus after so many years.

I use this software since May 2017 (see my comments in issue #11 and #27) and had never any problems regarding unwanted behavior with it! In fact it has saved my ass in uncounted situations! A HUGE thank you to bduffek for this gadget!

As I understand it, the installer has the task to install the .DLL that handles the interception of the right-click context menu to the 'Move here' execution. I do not know (but i doubt it), if it is possible to do a manual install. If your antivirus really prevents the installer from running it might be an idea to disable it during the installation - and to re-enable it immediately after the installation. I assume the installed .DLL will not interfere with the antivirus.

I have used it in a previous environment - I KNOW it is safe. I have been testing with my current environment for months and have installed it on both Win10 and Win11 systems. I just have a very heave handed cyber security department which I have or my direct mgmt have very little say in getting something "approved". I'm not a VB coder so I have not an idea what it is doing - but does look like it is copying some cpp files (where?) and registering the dll (with regsrv?) is it doing anything else? Can I hack something together with powershell and push it out? Cybersec doesn't have an issue with the code or files - JUST the installer.

dave80586 avatar Apr 12 '24 16:04 dave80586

Sorry, I have no idea. I did not even realize that the installer is written in VB... I had a quick look inside the code (dragdropconfirm.nsi and I think it is in fact not VB but a script for the 'Nullsoft Scriptable Install System'.

I think all needed for make DragDropConfirm install is this part of dragdropconfirm.nsi:

!define LIBRARY_SHELL_EXTENSION
${If} ${RunningX64}	
	!define LIBRARY_X64
	!insertmacro InstallLib REGDLL       NOTSHARED REBOOT_PROTECTED      DragDropConfirm_64.dll $INSTDIR\DragDropConfirm_64.dll $INSTDIR
${EndIf}  
!insertmacro InstallLib REGDLL       NOTSHARED REBOOT_PROTECTED      DragDropConfirm_32.dll $INSTDIR\DragDropConfirm_32.dll $INSTDIR

I have no idea what LIBRARY_SHELL_EXTENSION does, after this it seems to register both .dll for x64 systems and only the 32-bit-dll for x32. I do not think any .cpp needs to be copied - that stuff is only used to create the .dll. Maybe someone of the Nullsoft user community may be able to help you:

NSIS: Nullsoft Scriptable Install System says the best way to get help with its software is by visiting http://forums.winamp.com/forumdisplay.php?forumid=65. and you may consult https://nsis.sourceforge.io/Docs/AppendixB.html

MAYBE it is a simple as to only register the .dll: https://www.wikihow.com/Register-a-DLL . However I would never dare to test that in a running environment - use a Virtual-PC (Virtualbox?) instead. After the installation there should be a configuration in [HKL\SOFTWARE\DragDropConfirm] - if you do not find it, it must be some code elsewhere that adds it...

I think that is all I can do for you - maybe @bduffek will be on sometime and can give you more information. And please: do post your findings here!

TerraD avatar Apr 13 '24 08:04 TerraD