Flashgot.exe keeps re-appearing in pending files

Hello folks,

I use Firefox with the Flashgot extension which places flashgot.exe in the \documents and settings<user>\application data\mozilla\profile<profile> directory… Every time I start Firefox this is listed as a modified pending file in Defense+ and I have to keep moving it to my safe files. I have verified that the file is not changing by taking the md5 sum for the exe. Is there a way to stop this particular file being repeatedly flagged?



It is likely that the file is being created for each download and is removed after use. The Pending files list shows newly created files on your HD. To check, open the Pending Files page and click Purge. If flashgot.exe appears on the purge list, it is no longer on your HD. If it is not there, moving it to the Safe files list or submitting it etc. will not work - nothing to work with. Just ignore it and use the Purge button. There are a number of programs that use temporary files for some reason or another. I used to worry about these files, but I’ve grown accustomed to seeing randomly named files created in my Temp directory.

Unfortunately that is not the case, as it is a permanent file that gets detected as modified but, as I said, maintains the same md5 checksum, which would indicate that it hasn’t physically changed. Looking more closely, the modified date does seem to be updated on the executable (as well as the last access time, which one would expect), which might explain why it is being detected as modified, although I would hope more sophisticated methods than simply checking the file modification date, such as a checksum, are in use to determine if files have been modified within the Defense+ module.

Is there an exclusions list that I am missing that I can place this file in?


Sorry, you are right: it is being recreated over the version from its previous invocation; it just never deletes the old one, hence it being modified, and the creation date is statically set as what was probably the installation date/release date of this version.

However, the question about an exclusion list still stands.



The only thing that would help would be if the file were digitally signed. If it were, you could put it on the Trusted Vendors list. Since most files are not signed (making life more difficult for virus tracking) this is a slim hope. You can check by right-clicking the file and looking at Properties. If it is signed, there will be a Signatures tab on the Properties dialog.

It is not removed after use. Also, I just launched Firefox and closed it (I had sent flashgot.exe to the safe file list before). I didn’t download anything (just a flashgot.exe.test is generated in the temp folder every time Firefox is launched), I checked the modified and access dates, nothing has changed, and Flashgot.exe appears again in the pending file list, as modified. Oh, the file is not signed so nothing to expect from that.

And Sandman:
As for checksum verification, Def+ just doesn’t do that; it is supposed to be implemented through Image Execution Control Setting, but some users of the forum have proved by modifying an executable with a hex editor that nothing was detected by Def+. It doesn’t even verify a signature change after a software update, for instance, which CFP 2.4 was able to do without a so-called “HIPS”.


I believe that the Pending Files list only records newly written files. This includes files that have been moved or copied from another location. I was just wondering if the file is being copied from a master copy elsewhere for some reason. I don’t think that a checksum is done, because it is only recording new disk writes and most of those would be files that are not recorded anywhere.
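
The distinction the thread keeps circling, a file that is rewritten with identical bytes versus one whose content really changed, can be checked independently of the HIPS. The following is an added example, not part of the original thread and not a description of how Defense+ works internally; the function names, the file name `helper.exe` and the sample bytes are constructed for illustration, and SHA-256 is used where the posters used md5.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record the content hash and modification time of a file."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mtime_ns": os.stat(path).st_mtime_ns}

def classify(baseline, current):
    """Compare two snapshots of the same path."""
    if current["sha256"] != baseline["sha256"]:
        return "content-changed"        # bytes differ: a real modification
    if current["mtime_ns"] != baseline["mtime_ns"]:
        return "rewritten-identical"    # a disk write happened, same bytes
    return "untouched"

def demo():
    """Reproduce the three cases on a constructed stand-in file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "helper.exe")       # hypothetical file name
        payload = b"MZ constructed sample bytes"   # not a real executable
        with open(path, "wb") as f:
            f.write(payload)
        # Pin an old modification time so the later rewrite is visible
        # even on filesystems with coarse timestamps.
        os.utime(path, ns=(1_000_000_000, 1_000_000_000))
        baseline = snapshot(path)

        results["no_write"] = classify(baseline, snapshot(path))

        with open(path, "wb") as f:                # re-extract the same bytes
            f.write(payload)
        results["same_bytes"] = classify(baseline, snapshot(path))

        with open(path, "wb") as f:                # one byte appended
            f.write(payload + b"\x90")
        results["patched"] = classify(baseline, snapshot(path))
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A monitor that records disk writes alone cannot tell the second case from the third; only the stored hash separates them.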