Strange behavior while installing SDLTradosStudio2017_5746

Hello,

I found that some random keys are added to the registry while installing SDL Trados Studio 2017.
I'm not allowed to install this kind of program due to security policy.
Does anyone have information about this issue?

Thanks,

Hiro

---
The steps to reproduce this issue:
1. Prepare the install program (*1) and a Windows system (*2).
2. Shut down the Windows system after applying all Windows Updates.
3. Take a snapshot (Snapshot1).
* I recommend removing/disabling the network adapter before taking a snapshot.
4. Start Windows system.
5. Start Registry Editor and verify the keys under HKEY_CURRENT_USER are normal.
6. Run install program.
7. Take a snapshot (Snapshot2) just before selecting "I accept..." checkbox.
8. Select "I accept the terms of the license agreement" checkbox and click "Next>".
9. After completing the installation, verify the keys under HKEY_CURRENT_USER.

If this issue is reproduced, you'll see some random keys (e.g. aishwarya).

If this issue is not reproduced, go back to Snapshot2 and repeat steps 8-9.
Note: This issue is not 100% reproducible (*3).

If you get an error after step 8, go back to Snapshot1 and repeat steps 4-6 & 8-9.

(*1) SDLTradosStudio2017_5746.exe, from SDL website.
(signed by SDL PLC; md5 = 25c7699c9e8b8871af5f5639591bdccb)

(*2) I used three newly created virtual machines for this test:
SYS1 - Windows 7 Enterprise SP1 x86;
SYS2 - Windows 7 Professional SP1 x64;
SYS3 - Windows 10 Pro x64.

(*3) 22%(11/50) on SYS1; 24%(6/25) on SYS2; 30%(6/20) on SYS3 in my test.
---
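
The procedure above compares the user hive by eye in Registry Editor. The following PowerShell script is an added example (it is not part of the original post and not SDL code) that automates steps 5, 6 and 9: it snapshots every key and value under HKEY_CURRENT_USER, runs the installer, snapshots again and reports what appeared or changed. The installer path and the snapshot file names are placeholders, and the script assumes PowerShell 5.1 running as the same user account that runs the installer.

```powershell
# Added example (not from the original post): snapshot the HKEY_CURRENT_USER tree
# before and after the installer runs and report keys/values that appeared or changed.
# Assumptions: PowerShell 5.1 on the test VM, run as the same user that runs the
# installer; the installer path and snapshot file names below are placeholders.

function Get-HkcuSnapshot {
    param([Parameter(Mandatory)][string]$OutFile)
    # Walk the whole user hive. Keys we cannot open are skipped, not fatal.
    Get-ChildItem -Path 'HKCU:\' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $values = @{}
            foreach ($name in $_.GetValueNames()) {
                # Stringify every value so the snapshot is comparable regardless of type.
                $values[$name] = [string]$_.GetValue($name)
            }
            [pscustomobject]@{ Key = $_.Name; Values = $values }
        } | Export-Clixml -Path $OutFile
}

function Compare-HkcuSnapshot {
    param([Parameter(Mandatory)][string]$Before,
          [Parameter(Mandatory)][string]$After)
    $old = @{}
    foreach ($k in (Import-Clixml -Path $Before)) { $old[$k.Key] = $k.Values }
    foreach ($k in (Import-Clixml -Path $After)) {
        if (-not $old.ContainsKey($k.Key)) {
            [pscustomobject]@{ Change = 'AddedKey'; Key = $k.Key; Value = ''; Data = '' }
            foreach ($v in $k.Values.GetEnumerator()) {
                [pscustomobject]@{ Change = 'AddedValue'; Key = $k.Key; Value = $v.Key; Data = $v.Value }
            }
            continue
        }
        $prev = $old[$k.Key]
        foreach ($v in $k.Values.GetEnumerator()) {
            if (-not $prev.ContainsKey($v.Key)) {
                [pscustomobject]@{ Change = 'AddedValue'; Key = $k.Key; Value = $v.Key; Data = $v.Value }
            } elseif ($prev[$v.Key] -ne $v.Value) {
                [pscustomobject]@{ Change = 'ChangedValue'; Key = $k.Key; Value = $v.Key; Data = $v.Value }
            }
        }
    }
}

# --- usage on the test VM (steps 5, 6 and 9 of the procedure above) ---
$before = Join-Path $env:TEMP 'hkcu-before.xml'
$after  = Join-Path $env:TEMP 'hkcu-after.xml'

Get-HkcuSnapshot -OutFile $before
Start-Process -FilePath 'C:\Installers\SDLTradosStudio2017_5746.exe' -Wait   # placeholder path
Get-HkcuSnapshot -OutFile $after

$diff = Compare-HkcuSnapshot -Before $before -After $after
$diff | Export-Csv -Path (Join-Path $env:TEMP 'hkcu-diff.csv') -NoTypeInformation

# Well-behaved software writes under HKCU\Software; a new key directly under the
# hive root (the pattern the poster describes, e.g. HKEY_CURRENT_USER\aishwarya)
# is the first thing to look at.
$diff | Where-Object { $_.Change -eq 'AddedKey' -and $_.Key -match '^HKEY_CURRENT_USER\\[^\\]+$' } |
    Format-Table -AutoSize
```

Two caveats when reading the diff. Windows itself churns HKCU constantly (Explorer MRU lists, shell state, per-user COM registrations), so expect noise and filter on the key path rather than on the count of changes. And HKCU is per account: if the installer elevates through UAC while you are logged on as a standard user, the elevated process runs under the administrator account and writes to that account's hive, which this script does not look at. `-Wait` returns when the main installer process exits, so anything written later by a helper process it spawned shows up only if you take the second snapshot after those processes have finished.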

  • Hi,
    I don't see these on my machine (I have not yet run an install test to verify on a clean VM but I will).

    I am not aware of the installation process writing to the user hive as it is not appropriate for a per-machine installation. User based settings are usually only added when Studio starts with the startup wizard.

    A quick search seems to indicate that the HKEY_CURRENT_USER\aishwarya\Value key may be related to the Virus:Win32/Sality.AT
    totalhash.cymru.com/.../

    Did you download Studio from the OOS site, or a reseller?

    You should re-download Studio directly from SDL and check that the package you have been testing is not compromised. You can see if the package is digitally signed by checking the Digital Signatures tab for errors.

    You can also calculate the hashes of the download and compare them to the following values:
    sdltradosstudio2017_5746.exe MD5 - 25c7699c9e8b8871af5f5639591bdccb SHA-1 - 31f9b1813c272ae0586075ca6caec6d9915a7ff1

    A hash calculation tool in case you do not have one - www.microsoft.com/.../details.aspx

    I would also suggest running some AV scans, but it seems like that virus is quite complex and disables some AV software.

    David Watson
    Trados Development Team
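
The two checks suggested in the reply above (the published hashes and the Digital Signatures tab) can be done from PowerShell without a separate hash tool. This script is an added example, not part of the reply and not SDL code. It uses the MD5 and SHA-1 values quoted in the reply; the installer path is a placeholder, and the expected signer name "SDL PLC" is taken from the original post's description of the file and is matched loosely against the certificate subject.

```powershell
# Added example (not part of the reply above): verify a downloaded installer against
# published hashes and its Authenticode signature. The installer path is a placeholder;
# the hashes are the ones quoted in the reply; the signer name comes from the original
# post ("signed by SDL PLC") and is matched as a substring of the certificate subject.

$installer = 'C:\Installers\SDLTradosStudio2017_5746.exe'   # placeholder path
$published = @{
    MD5  = '25c7699c9e8b8871af5f5639591bdccb'
    SHA1 = '31f9b1813c272ae0586075ca6caec6d9915a7ff1'
}

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$ExpectedHashes,
        [string]$ExpectedSigner = 'SDL PLC'
    )
    $results = @()

    # 1. Hash checks: Get-FileHash returns upper-case hex, so normalise both sides.
    foreach ($alg in $ExpectedHashes.Keys) {
        $actual   = (Get-FileHash -Path $Path -Algorithm $alg).Hash.ToLowerInvariant()
        $expected = $ExpectedHashes[$alg].ToLowerInvariant()
        $results += [pscustomobject]@{
            Check = $alg; Expected = $expected; Actual = $actual; Pass = ($actual -eq $expected)
        }
    }

    # 2. Authenticode: Status must be Valid (signed, chain trusted, file unmodified).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $results += [pscustomobject]@{
        Check = 'Authenticode'; Expected = 'Valid'; Actual = [string]$sig.Status
        Pass  = ($sig.Status -eq 'Valid')
    }

    # 3. Signer identity: a valid signature from the wrong publisher is still a failure.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $results += [pscustomobject]@{
        Check = 'Signer'; Expected = $ExpectedSigner; Actual = $subject
        Pass  = ($subject -like "*$ExpectedSigner*")
    }

    # 4. Timestamp: a counter-signature lets the signature stay valid after the
    #    signing certificate expires; its absence is worth noting, not a failure.
    $results += [pscustomobject]@{
        Check = 'Timestamp'; Expected = 'present'
        Actual = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }
        Pass   = $true
    }

    $results
}

$report = Test-InstallerIntegrity -Path $installer -ExpectedHashes $published
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'Installer failed one or more integrity checks; do not run it.'
}
```

Two things to keep in mind when interpreting the result. MD5 collisions are trivial and chosen-prefix SHA-1 collisions have been demonstrated, so a hash match against vendor-published values rules out a corrupted or swapped download but is not strong evidence against a capable adversary; the Authenticode check is the one that matters, because it ties the file to the publisher's signing key. Conversely, a valid signature only proves the file is the one the publisher signed; it says nothing about what the build itself does, which is why an installer that checks out can still be examined with the registry diff described earlier in the thread.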

  • Hello David,

    Thank you very much for the reply.

    > I don't see these on my machine...
    As I noted, this issue is not 100% reproducible (it was around 25% in my test).
    If you are at 34th below, you need 13 more tries to reproduce this issue.

    log on SYS1 (11/50)
    -+------+----+--+-+-+-----+--+--+-------------++--
    (+ reproduced, - not reproduced)
    02: alra02z and other random keys are added
    09: aishwarya and other random keys are added
    14: aishwarya and other random keys are added
    17: aishwarya and other random keys are added
    19: alra02z and other random keys are added
    21: alra02z and other random keys are added
    27: aishwarya and other random keys are added
    30: aishwarya and other random keys are added
    33: aishwarya and other random keys are added
    47: alra02z and other random keys are added
    48: jpra00b and other random keys are added

    > You should re-download Studio directly from SDL...
    I re-downloaded .exe directly from SDL before this test.
    - the md5 value (already noted) matches
    - the sha1 value (31f9b1813c272ae0586075ca6caec6d9915a7ff1) matches as well
    - the digital signature is OK

    I'm very glad; now I know I'm using the right .exe file.

    Thanks,

    Hiro
  • Hi Hiro,

    I think you should check your own machine following advice you have already received.

    Unknown said:

    > A quick search seems to indicate that the HKEY_CURRENT_USER\aishwarya\Value key may be related to the Virus:Win32/Sality.AT
    > totalhash.cymru.com/.../
    >
    > ....
    >
    > I would also suggest running some AV scans, but it seems like that virus is quite complex and disables some AV software.


    We have checked our downloads and installer, and there is no virus associated with the installer at all. It may be that you have been infected from somewhere and you should try to remove it, or at the very least check it.

    Regards

    Paul

    Paul Filkin | RWS Group


  • Hi Paul,

    Thank you very much for the reply.

    I can understand that almost everyone will say "It may be that you have been infected ..."

    I may need to tell more details.

    When I found this behavior while installing program on my machine (Win7 x86), I thought my machine had been infected from somewhere.
    After recovering (I always create a system backup just before installing new software), I tested my machine using several AV scans. No virus found.

    I installed SDLTradosStudio2017_5746 on my machine again. Same behavior happened.

    Then, I installed SDLTradosStudio2017_5746 on second machine (Win8.1 x86). Nothing happened. I got confused.

    Just in case, I installed SDLTradosStudio2017_5746 on third machine (Win10 x64). Same behavior happened.

    I decided to repeat the installation process on 'newly created' virtual machines.
    All of the posted results are from these VMs on two different machines.

    I don't think there is any 'active' virus in SDLTradosStudio2017_5746.exe.
    However, I can't say "This behavior is normal."
    I believe some strange code is in there.

    Thanks,

    Hiro