GetWordNT.dll blocked by Antivirus

Technical support and scripting issues

Moderators: Dorian (MJT support), JRL

Post Reply
twardega
Newbie
Posts: 15
Joined: Fri Oct 12, 2007 5:54 pm

GetWordNT.dll blocked by Antivirus

Post by twardega » Mon Jul 13, 2009 6:45 pm

I developed a macro that has been compiled in Macro Scheduler Pro and deployed to workstations. This macro has been in use for over 2 years.

Recently the new version of Antivirus software became more 'aggressive' in stopping various programs from executing. Antivirus log shows messages like this:

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE C:\Documents and Settings\\Local Settings\Temp\GetWordNT.dll Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked : Execute

Marcus - could you please clarify if this DLL is legitimately executed in Temp folder?

Best regards,

Tomek

User avatar
Marcus Tettmar
Site Admin
Posts: 7395
Joined: Thu Sep 19, 2002 3:00 pm
Location: Dorset, UK
Contact:

Post by Marcus Tettmar » Mon Jul 13, 2009 6:56 pm

Yes, it is legitimate. If you're using the text capture functions then the EXE needs it, so it extracts it from itself and temporarily stores it in the temp folder (the only place it can guarantee it is able to do so). The compiler will stuff the EXE with the text capture DLLs if the script requires them.
Marcus Tettmar
http://mjtnet.com/blog/ | http://twitter.com/marcustettmar

Did you know we are now offering affordable monthly subscriptions for Macro Scheduler Standard?

twardega
Newbie
Posts: 15
Joined: Fri Oct 12, 2007 5:54 pm

Post by twardega » Mon Jul 13, 2009 7:08 pm

Thanks! I will forward your reply to our security staff.

Tomek

twardega
Newbie
Posts: 15
Joined: Fri Oct 12, 2007 5:54 pm

Post by twardega » Mon Jul 13, 2009 7:55 pm

I have one follow-up comment and a question: the message captured by Antivirus shows that Outlook.exe is trying to run this DLL and this is confusing. The macro that I developed has nothing to do with Outlook or sending/receiving emails. Would there be any possibility of exploiting this DLL from Outlook because it is avaliable in Temp folder?

There are no messages about the actual macro trying to run this DLL. I am leaning towards keeping these attempts blocked and checking with the users who get this message if they see any problems with the macro (probably not: it is heavily used every day and I would hear about the problems right away)

Tomek

User avatar
Marcus Tettmar
Site Admin
Posts: 7395
Joined: Thu Sep 19, 2002 3:00 pm
Location: Dorset, UK
Contact:

Post by Marcus Tettmar » Mon Jul 13, 2009 8:33 pm

There is nothing to worry about.

The way the text capture DLLs work - the ONLY way they can work - is by creating very low level system hooks which hook into Windows text output functions. Therefore they end up in the hook chain and listen to EVERY process in the system. That includes Outlook. Also, if you have DLL caching enabled the DLL will stay in memory after the macro has finished. So it will appear as if Outlook is "using" the DLL. In fact all of Windows is using it and any process that outputs text will show the DLL in it's module list.

Your Antivirus product is wrong. There is no threat from this file. All it does is monitor the text output functions so that Macro Scheduler can "see" text that apps write to the screen.
Marcus Tettmar
http://mjtnet.com/blog/ | http://twitter.com/marcustettmar

Did you know we are now offering affordable monthly subscriptions for Macro Scheduler Standard?

twardega
Newbie
Posts: 15
Joined: Fri Oct 12, 2007 5:54 pm

Post by twardega » Mon Jul 13, 2009 8:46 pm

Thanks again for the explanation - now I understand what is going on.

Best regards,

Tomek

Post Reply
Sign up to our newsletter for free automation tips, tricks & discounts