Problems with KeePass and KeeForm

I have been using KeePass together with KeeForm for over a year now. Until yesterday I did not have an issue clicking an http link within KeePass to open IE, which launches the URL, enters the user id and password. It is an automation that I have gotten used to over time. For some strange reason it has stopped working. I’m not sure whether it is the Firewall or CAVS or BOClean that is causing this. For the first time in months I have had a strange message about BOClean asking me to send a report to Microsoft, but I answered NO.

Does anyone out here know about this and have a way to resolve this? I hate to remove COMODO security products just because of this one small issue.

There is a work-around … I can still type the URL into the browser and drag/drop the user and password data. I really would like to have the automation back.

Help me, please!

KeePass 1.07
KeeForm 1.06
CFP 2.4.18.184
BOClean {latest update/version}
CAVS 2.0.14.50 w/Vi Db 2.0.0.197 w/Sl Db 2.0.11.43
Win XP w/SP2
IE 7

PROBLEM SOLVED!!!

I found that the KeeForm.exe file was not to be found on my drive. I don’t know how it went missing. I’m suspecting that there is a “cybertruder”. At any rate it is now back to normal.

Problem has not been solved … in fact just got bigger. (:AGY)

It is now confirmed that BOClean, after many weeks of co-existing with KeePass and KeeForm, has suddenly started to flag KeeForm as having a trojan. It also flags ‘Autoit’ as a worm. KeeForm has been coded using ‘Autoit’. But why is this being flagged only now? Could this be a false positive?

Another interesting thing happened at the same time BOClean flagged this worm: when I clicked on a link in KeePass, the process BOC432 ended and the following was displayed. I had to restart BOClean and I was able to use KeePass and KeeForm as normal again.

Experts please confirm if I have been infected or if this is a false alarm.

Thanks.

POST SCRIPT:
I forgot to paste the BOClean report …


06/18/2007 10:19:44: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
à contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: xxxxxxxxxxxxxxxxxxx


06/18/2007 12:42:26: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
i contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: xxxxxxxxxxxxxxxxxxx


06/19/2007 13:22:40: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
¯! contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: xxxxxxxxxxxxx


06/19/2007 13:22:44: WORM-AUTOIT MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
…\PROGRAM FILES\KEEPASS\KEEFORM.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: xxxxxxxxxxxxxxx


06/19/2007 17:57:08: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
‘ contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: xxxxxxxxxxxxxxxx


06/19/2007 20:53:47: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
­ contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: xxxxxxxxxxxxxxxx


06/19/2007 20:56:59: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
;
contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: xxxxxxxxxxxxxxx

[attachment deleted by admin]

I wasn’t sure which product was causing the problem, so I posted it under firewall help. I have finally nailed the problem down. It is BOClean 4.23; I just learned that the newer version was released today. I have since downloaded and installed it. At least BOC crashing has been resolved but it still is suggesting that KeeForm is a trojan and Autoit is a worm, see below. It has removed the ‘exe’ file. Is it really a threat? I have been using KeeForm and KeePrg for a while now and it has gone undetected until now. Please advise. Thanks.

BOreport

06/19/2007 22:40:34: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
Ù contained the trojan.
Active trojan horse WAS shut down. System safe.

06/19/2007 22:40:37: WORM-AUTOIT MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\PROGRAM FILES\KEEPASS\KEEFORM.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
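
Added example, not part of the original posts and not Comodo's tooling: a small parser for the report format pasted above that separates entries naming a real file (which can be reviewed, excluded or submitted as a false positive) from entries whose name is unreadable. The regular expressions and function names are assumptions based only on the entries shown in this thread.

```python
import re
from datetime import datetime

# Sample in the report format pasted in the thread (assembled for this example).
SAMPLE_REPORT = """\
06/19/2007 20:56:59: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
;
contained the trojan.
Active trojan horse WAS shut down. System safe.

06/19/2007 22:40:34: WORM-AUTOIT VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
\u00d9 contained the trojan.
Active trojan horse WAS shut down. System safe.

06/19/2007 22:40:37: WORM-AUTOIT MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\\PROGRAM FILES\\KEEPASS\\KEEFORM.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
"""

# Header line, fixed second line, then whatever precedes "contained the trojan."
ENTRY = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}): (?P<name>[^\n]+?) STOPPED BY BOCLEAN!\s*\n"
    r"Trojan horse was found in memory\.\s*\n"
    r"(?P<subject>.*?)\s*contained the trojan\.",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)
# A subject counts as a file only if it looks like a Windows path with an extension.
PATH = re.compile(r"^(?:[A-Za-z]:|\u2026)\\.+\.[A-Za-z0-9]{1,4}$")

def parse_report(text):
    """Return one dict per detection entry found in the report text."""
    return [
        {"time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
         "detection": m["name"].upper(),
         "subject": m["subject"].strip(),
         "is_path": bool(PATH.match(m["subject"].strip()))}
        for m in ENTRY.finditer(text)
    ]

def triage(entries):
    """Split entries into reviewable file paths and hits with no usable name."""
    files = sorted({e["subject"] for e in entries if e["is_path"]})
    unnamed = [e for e in entries if not e["is_path"]]
    return files, unnamed
```

Calling `triage(parse_report(SAMPLE_REPORT))` returns the list of distinct flagged file paths and the list of entries that name no file.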

Hi snyder,
I’ve merged your topics to keep it together in the right forum.
Have you looked at the FAQ on submitting false positives?
False Positives…where to send?

Thanks for merging the two posts and pointing me in the right direction. I do have a question though, what do I need to send? Is it the evidence.boc file or do I have to send the file that was identified as a trojan or both?

In addition to KeeForm, there is another script written by the same author, KeePrg2, that is used for automating username and password for non web based logins. Although that was written by the same author and using AutoIt, it has not been flagged as a trojan. I’m not saying it is or otherwise. I just want a thorough assessment.

Here are the web links to KeePass (an excellent free alternative to RoboForm)

AutoIT is an extremely troublesome little witch. AutoIT is a program that compiles a batch file into an executable, sort of an “I don’t know anything about writing programs, but I can write a script and this will make it into a program.” It’s VERY difficult to find where the script part of the code it generates is versus its own bits of code and therefore very hard to pin down as a generic “zero day” kind of detect.

The big problem with AUTOIT is that it’s also used by some very nasty nasties to do things such as deleting an entire system in a flash, or getting into the registry and numerous other malicious acts. There are a lot of nasties built using it. So while this program may be harmless, AutoIT itself is used frequently for some mighty serious bad stuff.

So in a situation like this, much like a number of other “harmless” things which have been turned malicious, we’d very much like to keep that detection in there on this basis. Therefore, the solution here is to drag that program into BOClean’s “excluder” so that BOClean will ignore it for you and we can continue to detect zero-day threats built with AutoIT for when it’s really needed.

Thanks a lot Kevin (:CLP).

I think you have put things in the right perspective. I’ll mark the file, KeeForm.exe for exclusion, and I really hope it is safe as the author claims it to be.

Is it possible to get you to have a look under the hood of KeeForm and KeePrg2 that was written by Dave_Keepass (May not be his real name) using AutoIt? The zip is available for download and includes the source that a knowledgeable user can review and compile (which clearly eliminates me).

(S) (L)

You’re MOST welcome … already went and looked it over before posting since the last thing I’d want to do is recommend excluding an actual nasty. :slight_smile:

There’s quite a few things put into an AutoIT wrapper … wish folks would learn to write their own code tho’ … but yeah, those are harmless …

Yeah right … me and my computer skills; maybe in my next life. Sometimes I really wish I could write my own code. Thanks a bunch. It is really late now and I have to get to work early in the morning.

PS … PS:

Pardon my ignorance, but I don’t quite understand why neither KeeRun nor KeePrg2 (Version 1.05) was identified as Trojan/Worm, despite the fact that all these have been compiled using AutoIt. Why?

I use KeePass 1.07. I’m running CBOClean 4.24 so yesterday I downloaded and tried KeeForm w/KeeRun plugin by double-clicking the url in the bottom of KeePass and did not have any problem with BOClean terminating or deleting it. But KeeForm only works with IE and since I refuse to use IE I won’t continue to use the KeeForm plugin. :wink:

The problem is not with KeePass. It is with “AutoIt”, a scripting tool with which KeeForm, KeePrg and KeeRun were written. Unfortunately AutoIt can be used for other malicious intents.

Yes, you are correct that KeeForm will not work on browsers like Firefox; it works only with IE. Hence a non-issue for users like you.

I wish KeePass developer Dominik would create something like RoboForm. RoboForm automates password management like no other I have seen. The only thing I don’t like is the price tag.

LOTS of anti-crapware has problems with AutoIt and also with exes packed with “exotic” packers like FSG. The problem is that they can’t decompress the exe properly and therefore flag them as a “threat” or “worm” or something else instead of telling the truth: Unable to scan file-content … Why this is AutoIt’s or FSG’s etc. problem I don’t understand. They are not the ones making software that is supposed to be able to scan a file for “nastiness”.

Yep, and I just recently switched from Roboform (that I used for a few years) to KeePass in preparation to switch from a WinPC to a Mac so I can easily migrate from KeePass to KeePassX. :slight_smile:

I have been using KeePass latest release and portable for a good while now and haven’t had any prompts from Comodo BOClean.

Strange that you got alerts.