Warning from AV software about kill.exe

Warning from AV software about kill.exe

[Erik Blake]

I'm running git under Win7 64. As I selected "Repository|Visualize all 
branch history" in the git gui, my AV software (Trustport) trapped the 
bin\kill.exe program for "trying to modify system global settings (time, 
timezone, registry quota, etc.)"

Does anyone know the details of this process and what it's function is? 
First time I've seen it, though I'm a relatively new user.

Cheers,
e.

Re: Warning from AV software about kill.exe

[Thomas Rast]

Erik Blake <erik@icefield.yk.ca> writes:

> I'm running git under Win7 64. As I selected "Repository|Visualize all
> branch history" in the git gui, my AV software (Trustport) trapped the
> bin\kill.exe program for "trying to modify system global settings
> (time, timezone, registry quota, etc.)"
>
> Does anyone know the details of this process and what it's function
> is? First time I've seen it, though I'm a relatively new user.

'kill' is a standard unix utility that sends signals to processes, in
particular signals that cause the processes to exit or be killed
forcibly by the kernel, hence the name.  (I don't know how the windows
equivalent works under the hood, but presumably it's something similar.)

git-gui and gitk use kill to terminate background worker processes that
are no longer needed because you closed the window their output would
have been displayed in, etc.

-- 
Thomas Rast
trast@{inf,student}.ethz.ch

Re: Warning from AV software about kill.exe

[Pat Thoyts]

Thomas Rast <trast@student.ethz.ch> writes:

>Erik Blake <erik@icefield.yk.ca> writes:
>
>> I'm running git under Win7 64. As I selected "Repository|Visualize all
>> branch history" in the git gui, my AV software (Trustport) trapped the
>> bin\kill.exe program for "trying to modify system global settings
>> (time, timezone, registry quota, etc.)"
>>
>> Does anyone know the details of this process and what it's function
>> is? First time I've seen it, though I'm a relatively new user.
>
>'kill' is a standard unix utility that sends signals to processes, in
>particular signals that cause the processes to exit or be killed
>forcibly by the kernel, hence the name.  (I don't know how the windows
>equivalent works under the hood, but presumably it's something similar.)
>
>git-gui and gitk use kill to terminate background worker processes that
>are no longer needed because you closed the window their output would
>have been displayed in, etc.

You might try replacing the command in the tcl scripts with 'exec
taskkill /f /pid $pid' and see if that avoids the error. taskkill is
present on XP and above as part of the OS distribution so shouldn't
suffer any AV complaints.

-- 
Pat Thoyts                            http://www.patthoyts.tk/
PGP fingerprint 2C 6E 98 07 2C 59 C8 97  10 CE 11 E6 04 E0 B9 DD

Re: Warning from AV software about kill.exe

[Erik Blake]

Another way to implement this (on Windows) would be for the git programs 
to tag themselves with a mutex. Then the "kill" program can determine 
which git programs are running and send them user-defined windows 
messages to shut themselves down. Alternatively, you could send the 
programs the standard windows WM_CLOSE message, but the OS or an AV 
program might still be troubled by that behaviour.

This is how we implement this type of behaviour in our windows programs. 
It does not raise the ire of the OS or AV since you do not have one 
process trying to shut down another. It also bypasses all issues with 
process privileges etc.

Erik

On 2011-12-22 19:19, Pat Thoyts wrote:
> Thomas Rast<trast@student.ethz.ch>  writes:
>
>> Erik Blake<erik@icefield.yk.ca>  writes:
>>
>>> I'm running git under Win7 64. As I selected "Repository|Visualize all
>>> branch history" in the git gui, my AV software (Trustport) trapped the
>>> bin\kill.exe program for "trying to modify system global settings
>>> (time, timezone, registry quota, etc.)"
>>>
>>> Does anyone know the details of this process and what it's function
>>> is? First time I've seen it, though I'm a relatively new user.
>> 'kill' is a standard unix utility that sends signals to processes, in
>> particular signals that cause the processes to exit or be killed
>> forcibly by the kernel, hence the name.  (I don't know how the windows
>> equivalent works under the hood, but presumably it's something similar.)
>>
>> git-gui and gitk use kill to terminate background worker processes that
>> are no longer needed because you closed the window their output would
>> have been displayed in, etc.
> You might try replacing the command in the tcl scripts with 'exec
> taskkill /f /pid $pid' and see if that avoids the error. taskkill is
> present on XP and above as part of the OS distribution so shouldn't
> suffer any AV complaints.
>

Re: Warning from AV software about kill.exe

[Erik Faye-Lund]

On Wed, Jan 4, 2012 at 10:15 AM, Erik Blake <erik@icefield.yk.ca> wrote:
> On 2011-12-22 19:19, Pat Thoyts wrote:
>> Thomas Rast<trast@student.ethz.ch>  writes:
>>> Erik Blake<erik@icefield.yk.ca>  writes:
>>>
>>>> I'm running git under Win7 64. As I selected "Repository|Visualize all
>>>> branch history" in the git gui, my AV software (Trustport) trapped the
>>>> bin\kill.exe program for "trying to modify system global settings
>>>> (time, timezone, registry quota, etc.)"
>>>>
>>>> Does anyone know the details of this process and what it's function
>>>> is? First time I've seen it, though I'm a relatively new user.
>>>
>>> 'kill' is a standard unix utility that sends signals to processes, in
>>> particular signals that cause the processes to exit or be killed
>>> forcibly by the kernel, hence the name.  (I don't know how the windows
>>> equivalent works under the hood, but presumably it's something similar.)
>>>
>>> git-gui and gitk use kill to terminate background worker processes that
>>> are no longer needed because you closed the window their output would
>>> have been displayed in, etc.
>>
>> You might try replacing the command in the tcl scripts with 'exec
>> taskkill /f /pid $pid' and see if that avoids the error. taskkill is
>> present on XP and above as part of the OS distribution so shouldn't
>> suffer any AV complaints.
>>
>
> Another way to implement this (on Windows) would be for the git programs to
> tag themselves with a mutex. Then the "kill" program can determine which git
> programs are running and send them user-defined windows messages to shut
> themselves down. Alternatively, you could send the programs the standard
> windows WM_CLOSE message, but the OS or an AV program might still be
> troubled by that behaviour.
>
> This is how we implement this type of behaviour in our windows programs. It
> does not raise the ire of the OS or AV since you do not have one process
> trying to shut down another. It also bypasses all issues with process
> privileges etc.
>
> Erik
>

No thanks. A process is allowed to terminate another process on
Windows (as long as they are running as the same user, and the access
token has not been messed with). If your AV detects this and prevents
it, then your AV is broken. Re-building a kind of cooperative process
termination for that reason is not the way forward.

But the problem might be that MSYS' kill does more than it's supposed
to (or misbehaves in some other way). This is, however, something you
should take up with the MSYS developers, not the git development
community.

I would take this up with Trustport support. Overly eager AV
heuristics is a fairly common problem, and usually gets fixed quickly.

Re: Warning from AV software about kill.exe

[Erik Blake]

On 2012-01-05 17:33, Erik Faye-Lund wrote:
> On Wed, Jan 4, 2012 at 10:15 AM, Erik Blake<erik@icefield.yk.ca>  wrote:
>> On 2011-12-22 19:19, Pat Thoyts wrote:
>>> Thomas Rast<trast@student.ethz.ch>    writes:
>>>> Erik Blake<erik@icefield.yk.ca>    writes:
>>>>
>>>>> I'm running git under Win7 64. As I selected "Repository|Visualize all
>>>>> branch history" in the git gui, my AV software (Trustport) trapped the
>>>>> bin\kill.exe program for "trying to modify system global settings
>>>>> (time, timezone, registry quota, etc.)"
>>>>>
>>>>> Does anyone know the details of this process and what it's function
>>>>> is? First time I've seen it, though I'm a relatively new user.
>>>> 'kill' is a standard unix utility that sends signals to processes, in
>>>> particular signals that cause the processes to exit or be killed
>>>> forcibly by the kernel, hence the name.  (I don't know how the windows
>>>> equivalent works under the hood, but presumably it's something similar.)
>>>>
>>>> git-gui and gitk use kill to terminate background worker processes that
>>>> are no longer needed because you closed the window their output would
>>>> have been displayed in, etc.
>>> You might try replacing the command in the tcl scripts with 'exec
>>> taskkill /f /pid $pid' and see if that avoids the error. taskkill is
>>> present on XP and above as part of the OS distribution so shouldn't
>>> suffer any AV complaints.
>>>
>> Another way to implement this (on Windows) would be for the git programs to
>> tag themselves with a mutex. Then the "kill" program can determine which git
>> programs are running and send them user-defined windows messages to shut
>> themselves down. Alternatively, you could send the programs the standard
>> windows WM_CLOSE message, but the OS or an AV program might still be
>> troubled by that behaviour.
>>
>> This is how we implement this type of behaviour in our windows programs. It
>> does not raise the ire of the OS or AV since you do not have one process
>> trying to shut down another. It also bypasses all issues with process
>> privileges etc.
>>
>> Erik
>>
> No thanks. A process is allowed to terminate another process on
> Windows (as long as they are running as the same user, and the access
> token has not been messed with). If your AV detects this and prevents
> it, then your AV is broken. Re-building a kind of cooperative process
> termination for that reason is not the way forward.
>
> But the problem might be that MSYS' kill does more than it's supposed
> to (or misbehaves in some other way). This is, however, something you
> should take up with the MSYS developers, not the git development
> community.
>
> I would take this up with Trustport support. Overly eager AV
> heuristics is a fairly common problem, and usually gets fixed quickly.
>
Either solution should work, but "trying to modify system global 
settings (time, timezone, registry quota, etc.)" suggests kill.exe is 
overstepping the requirements for terminating another process. As you 
suggest, I'll send a note to the MSYS developers. Maybe also ask 
Trustport for details on that triggers this message.

e.