LabVIEW

cancel
Showing results for 
Search instead for 
Did you mean: 

DLL injection into Trellix SYSPREP

Hi all,

I have virtually zero experience with NI so forgive my ignorance of the products. I am a Security Architect, working mainly with Trellix products. They have a product called SYSPREP which detects injections and this is reporting attempts from NI software. Such injections can be blocked of course, but they can still cause issues with the Trellix software. One instance implicates 

nimdnsNSP.dll

Trellix have ask me to ask why it might be doing this. Let me know what further information I can supply accordingly. Thanks

0 Kudos
Message 1 of 6
(1,005 Views)

What is this Trellix software? What does it? How is it used?

 

nimdnsNSP is part of the National Instruments Zeroconf Namespace Service Provider, the NI variant of similar services like Bonjour or Universal Plug and Play. How it could try to attach itself to other software would seem hard to understand, unless that software is itself installing network service providers such as Winsock extensions or similar.

Rolf Kalbermatter
My Blog
0 Kudos
Message 2 of 6
(1,001 Views)

Hi and thanks for the fast reply. Sorry, I assumed that Trellix would be a familiar name. They are McAfee, re-branded. So the software is essentially the Endpoint Security suite, encompassing firewall, EDR etc. I agree it is hard to understand why - hence my post.

0 Kudos
Message 3 of 6
(975 Views)

Hmmm McAfee. That explains a lot. 😀

That's actually a bloatware/scareware/virus in its own! 😁

Rolf Kalbermatter
My Blog
0 Kudos
Message 4 of 6
(954 Views)

The other day I came across  a post about firefox offering to block third party injections. Those dlls are listed in about:third-party. I was kinda surprised that besides the graphics driver, nimdnsResponder.dll and nimdnsNSP.dll were injected. I guess NI injects the library anywhere that might handle mDNS requests?

0 Kudos
Message 5 of 6
(936 Views)

That's interesting. I will look at what else Firefox shows as NI is certainly not the only offender. I dont know anything about mDNS apart from having seen plentiful references to it in various guises in the firewall logs, so I guess it is time for me to read up on that. I have no idea if we actually need it, if it is an integral part of NI or there is NI config to turn it off somewhere if it isn't. If anybody has deeper knowledge and can help, I would appreciate it.

 

And yes.....McAfee\Trellix.......you understand now why I am having to post here rather than them being helpful.

0 Kudos
Message 6 of 6
(918 Views)