Warn by default when certain DLL conflicts exist on XP.

chrome/browser/enumerate_modules_model_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/enumerate_modules_model_win.h"
 
 #include <Tlhelp32.h>
 #include <wintrust.h>
 #include <algorithm>
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/environment.h"
 #include "base/file_version_info_win.h"
 #include "base/files/file_path.h"
 #include "base/i18n/case_conversion.h"
 #include "base/metrics/histogram.h"
 #include "base/string_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
 #include "base/version.h"
 #include "base/win/registry.h"
 #include "base/win/scoped_handle.h"
+#include "base/win/windows_version.h"
 #include "chrome/browser/net/service_providers_win.h"
 #include "chrome/common/chrome_constants.h"
 #include "chrome/common/chrome_notification_types.h"
 #include "chrome/common/chrome_switches.h"
 #include "content/public/browser/notification_service.h"
 #include "crypto/sha2.h"
 #include "grit/generated_resources.h"
+#include "grit/google_chrome_strings.h"
 #include "ui/base/l10n/l10n_util.h"
 
 using content::BrowserThread;
 
 // The period of time (in milliseconds) to wait until checking to see if any
 // incompatible modules exist.
-static const int kModuleCheckDelayMs = 60 * 1000;
+static const int kModuleCheckDelayMs = /*60*/ 3 * 1000;
 
 // The path to the Shell Extension key in the Windows registry.
 static const wchar_t kRegPath[] =
     L"Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved";
 
 // Short-hand for things on the blacklist you should simply get rid of.
 static const ModuleEnumerator::RecommendedAction kUninstallLink =
     static_cast<ModuleEnumerator::RecommendedAction>(
         ModuleEnumerator::UNINSTALL | ModuleEnumerator::SEE_LINK);
 
@@ skipping 58 matching lines @@
 // with a slash and use environments variables (or just look at one of the
 // comments below and keep it consistent with that). When adding an entry with
 // an environment variable not currently used in the list below, make sure to
 // update the list in PreparePathMappings. Filename, Description/Signer, and
 // Location must be entered as hashes (see GenerateHash). Filename is mandatory.
 // Entries without any Description, Signer info, or Location will never be
 // marked as confirmed bad (only as suspicious).
 const ModuleEnumerator::BlacklistEntry ModuleEnumerator::kModuleBlacklist[] = {
   // NOTE: Please keep this list sorted by dll name, then location.
 
+  // "apphelp.dll", "%systemroot%\\system32\\"
+  { "f5fda581", "23d01d5b", "", "", "", XP,
+      static_cast<RecommendedAction>(UPDATE | SEE_LINK | NOTIFY_USER) },
+
   // Version 3.2.1.6 seems to be implicated in most cases (and 3.2.2.2 in some).
   // There is a more recent version available for download.
   // accelerator.dll, "%programfiles%\\speedbit video accelerator\\".
-  { "7ba9402f", "c9132d48", "", "", "", kInvestigatingLink },
+  { "7ba9402f", "c9132d48", "", "", "", ALL, kInvestigatingLink },
 
   // apiqq0.dll, "%temp%\\".
-  { "26134911", "59145acf", "", "", "", kUninstallLink },
+  { "26134911", "59145acf", "", "", "", ALL, kUninstallLink },
 
   // arking0.dll, "%systemroot%\\system32\\".
-  { "f5d8f549", "23d01d5b", "", "", "", kUninstallLink },
+  { "f5d8f549", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // arking1.dll, "%systemroot%\\system32\\".
-  { "c60ca062", "23d01d5b", "", "", "", kUninstallLink },
+  { "c60ca062", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // Said to belong to Killer NIC from BigFoot Networks (not verified). Versions
   // 6.0.0.7 and 6.0.0.10 implicated.
   // bfllr.dll, "%systemroot%\\system32\\".
-  { "6bb57633", "23d01d5b", "", "", "", kInvestigatingLink },
+  { "6bb57633", "23d01d5b", "", "", "", ALL, kInvestigatingLink },
 
   // clickpotatolitesahook.dll, "". Different version each report.
-  { "0396e037.dll", "", "", "", "", kUninstallLink },
+  { "0396e037.dll", "", "", "", "", ALL, kUninstallLink },
 
   // cvasds0.dll, "%temp%\\".
-  { "5ce0037c", "59145acf", "", "", "", kUninstallLink },
+  { "5ce0037c", "59145acf", "", "", "", ALL, kUninstallLink },
 
   // cwalsp.dll, "%systemroot%\\system32\\".
-  { "e579a039", "23d01d5b", "", "", "", kUninstallLink },
+  { "e579a039", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // datamngr.dll (1), "%programfiles%\\searchqu toolbar\\datamngr\\".
-  { "7add320b", "470a3da3", "", "", "", kUninstallLink },
+  { "7add320b", "470a3da3", "", "", "", ALL, kUninstallLink },
 
   // datamngr.dll (2), "%programfiles%\\windows searchqu toolbar\\".
-  { "7add320b", "7a3c8be3", "", "", "", kUninstallLink },
+  { "7add320b", "7a3c8be3", "", "", "", ALL, kUninstallLink },
 
   // dsoqq0.dll, "%temp%\\".
-  { "1c4df325", "59145acf", "", "", "", kUninstallLink },
+  { "1c4df325", "59145acf", "", "", "", ALL, kUninstallLink },
 
   // flt.dll, "%programfiles%\\tueagles\\".
-  { "6d01f4a1", "7935e9c2", "", "", "", kUninstallLink },
+  { "6d01f4a1", "7935e9c2", "", "", "", ALL, kUninstallLink },
 
   // This looks like a malware edition of a Brazilian Bank plugin, sometimes
   // referred to as Malware.Banc.A.
   // gbieh.dll, "%programfiles%\\gbplugin\\".
-  { "4cb4f2e3", "88e4a3b1", "", "", "", kUninstallLink },
+  { "4cb4f2e3", "88e4a3b1", "", "", "", ALL, kUninstallLink },
 
   // hblitesahook.dll. Each report has different version number in location.
-  { "5d10b363", "", "", "", "", kUninstallLink },
+  { "5d10b363", "", "", "", "", ALL, kUninstallLink },
 
   // icf.dll, "%systemroot%\\system32\\".
-  { "303825ed", "23d01d5b", "", "", "", INVESTIGATING },
+  { "303825ed", "23d01d5b", "", "", "", ALL, INVESTIGATING },
 
   // idmmbc.dll (IDM), "%systemroot%\\system32\\". See: http://crbug.com/26892/.
-  { "b8dce5c3", "23d01d5b", "", "", "6.03",
+  { "b8dce5c3", "23d01d5b", "", "", "6.03", ALL,
       static_cast<RecommendedAction>(UPDATE | DISABLE) },
 
   // imon.dll (NOD32), "%systemroot%\\system32\\". See: http://crbug.com/21715.
-  { "8f42f22e", "23d01d5b", "", "", "4.0",
+  { "8f42f22e", "23d01d5b", "", "", "4.0", ALL,
       static_cast<RecommendedAction>(UPDATE | DISABLE) },
 
   // is3lsp.dll, "%commonprogramfiles%\\is3\\anti-spyware\\".
-  { "7ffbdce9", "bc5673f2", "", "", "",
+  { "7ffbdce9", "bc5673f2", "", "", "", ALL,
       static_cast<RecommendedAction>(UPDATE | DISABLE | SEE_LINK) },
 
   // jsi.dll, "%programfiles%\\profilecraze\\".
-  { "f9555eea", "e3548061", "", "", "", kUninstallLink },
+  { "f9555eea", "e3548061", "", "", "", ALL, kUninstallLink },
 
   // kernel.dll, "%programfiles%\\contentwatch\\internet protection\\modules\\".
-  { "ead2768e", "4e61ce60", "", "", "", INVESTIGATING },
+  { "ead2768e", "4e61ce60", "", "", "", ALL, INVESTIGATING },
 
   // mgking0.dll, "%systemroot%\\system32\\".
-  { "d0893e38", "23d01d5b", "", "", "", kUninstallLink },
+  { "d0893e38", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // mgking0.dll, "%temp%\\".
-  { "d0893e38", "59145acf", "", "", "", kUninstallLink },
+  { "d0893e38", "59145acf", "", "", "", ALL, kUninstallLink },
 
   // mgking1.dll, "%systemroot%\\system32\\".
-  { "3e837222", "23d01d5b", "", "", "", kUninstallLink },
+  { "3e837222", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // mgking1.dll, "%temp%\\".
-  { "3e837222", "59145acf", "", "", "", kUninstallLink },
+  { "3e837222", "59145acf", "", "", "", ALL, kUninstallLink },
 
   // mstcipha.ime, "%systemroot%\\system32\\".
-  { "5523579e", "23d01d5b", "", "", "", INVESTIGATING },
+  { "5523579e", "23d01d5b", "", "", "", ALL, INVESTIGATING },
 
   // mwtsp.dll, "%systemroot%\\system32\\".
-  { "9830bff6", "23d01d5b", "", "", "", kUninstallLink },
+  { "9830bff6", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // nodqq0.dll, "%temp%\\".
-  { "b86ce04d", "59145acf", "", "", "", kUninstallLink },
+  { "b86ce04d", "59145acf", "", "", "", ALL, kUninstallLink },
 
   // nProtect GameGuard Anti-cheat system. Every report has a different
   // location, since it is installed into and run from a game folder. Various
   // versions implicated.
   // npggnt.des, no fixed location.
-  { "f2c8790d", "", "", "", "", kInvestigatingLink },
+  { "f2c8790d", "", "", "", "", ALL, kInvestigatingLink },
 
   // nvlsp.dll,
   // "%programfiles%\\nvidia corporation\\networkaccessmanager\\bin32\\".
-  { "37f907e2", "3ad0ff23", "", "", "", INVESTIGATING },
+  { "37f907e2", "3ad0ff23", "", "", "", ALL, INVESTIGATING },
 
   // post0.dll, "%systemroot%\\system32\\".
-  { "7405c0c8", "23d01d5b", "", "", "", kUninstallLink },
+  { "7405c0c8", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // questbrwsearch.dll, "%programfiles%\\questbrwsearch\\".
-  { "0953ed09", "f0d5eeda", "", "", "", kUninstallLink },
+  { "0953ed09", "f0d5eeda", "", "", "", ALL, kUninstallLink },
 
   // questscan.dll, "%programfiles%\\questscan\\".
-  { "f4f3391e", "119d20f7", "", "", "", kUninstallLink },
+  { "f4f3391e", "119d20f7", "", "", "", ALL, kUninstallLink },
 
   // radhslib.dll (Naomi web filter), "%programfiles%\\rnamfler\\".
   // See http://crbug.com/12517.
-  { "7edcd250", "0733dc3e", "", "", "", INVESTIGATING },
+  { "7edcd250", "0733dc3e", "", "", "", ALL, INVESTIGATING },
 
   // rlls.dll, "%programfiles%\\relevantknowledge\\".
-  { "a1ed94a7", "ea9d6b36", "", "", "", kUninstallLink },
+  { "a1ed94a7", "ea9d6b36", "", "", "", ALL, kUninstallLink },
 
   // rooksdol.dll, "%programfiles%\\trusteer\\rapport\\bin\\".
-  { "802aefef", "06120e13", "", "", "3.5.1008.40", UPDATE },
+  { "802aefef", "06120e13", "", "", "3.5.1008.40", ALL, UPDATE },
 
   // scanquery.dll, "%programfiles%\\scanquery\\".
-  { "0b52d2ae", "a4cc88b1", "", "", "", kUninstallLink },
+  { "0b52d2ae", "a4cc88b1", "", "", "", ALL, kUninstallLink },
 
   // sdata.dll, "%programdata%\\srtserv\\".
-  { "1936d5cc", "223c44be", "", "", "", kUninstallLink },
+  { "1936d5cc", "223c44be", "", "", "", ALL, kUninstallLink },
 
   // searchtree.dll,
   // "%programfiles%\\contentwatch\\internet protection\\modules\\".
-  { "f6915a31", "4e61ce60", "", "", "", INVESTIGATING },
+  { "f6915a31", "4e61ce60", "", "", "", ALL, INVESTIGATING },
 
   // sgprxy.dll, "%commonprogramfiles%\\is3\\anti-spyware\\".
-  { "005965ea", "bc5673f2", "", "", "", INVESTIGATING },
+  { "005965ea", "bc5673f2", "", "", "", ALL, INVESTIGATING },
 
   // sprotector.dll, "". Different location each report.
-  { "24555d74", "", "", "", "", kUninstallLink },
+  { "24555d74", "", "", "", "", ALL, kUninstallLink },
 
   // swi_filter_0001.dll (Sophos Web Intelligence),
   // "%programfiles%\\sophos\\sophos anti-virus\\web intelligence\\".
   // A small random sample all showed version 1.0.5.0.
-  { "61112d7b", "25fb120f", "", "", "", kInvestigatingLink },
+  { "61112d7b", "25fb120f", "", "", "", ALL, kInvestigatingLink },
 
   // twking0.dll, "%systemroot%\\system32\\".
-  { "0355549b", "23d01d5b", "", "", "", kUninstallLink },
+  { "0355549b", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // twking1.dll, "%systemroot%\\system32\\".
-  { "02e44508", "23d01d5b", "", "", "", kUninstallLink },
+  { "02e44508", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // vksaver.dll, "%systemroot%\\system32\\".
-  { "c4a784d5", "23d01d5b", "", "", "", kUninstallLink },
+  { "c4a784d5", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // vlsp.dll (Venturi Firewall?), "%systemroot%\\system32\\".
-  { "2e4eb93d", "23d01d5b", "", "", "", INVESTIGATING },
+  { "2e4eb93d", "23d01d5b", "", "", "", ALL, INVESTIGATING },
 
   // vmn3_1dn.dll, "%appdata%\\roaming\\vmndtxtb\\".
-  { "bba2037d", "9ab68585", "", "", "", kUninstallLink },
+  { "bba2037d", "9ab68585", "", "", "", ALL, kUninstallLink },
 
   // webanalyzer.dll,
   // "%programfiles%\\contentwatch\\internet protection\\modules\\".
-  { "c70b697d", "4e61ce60", "", "", "", INVESTIGATING },
+  { "c70b697d", "4e61ce60", "", "", "", ALL, INVESTIGATING },
 
   // wowst0.dll, "%systemroot%\\system32\\".
-  { "38ad9963", "23d01d5b", "", "", "", kUninstallLink },
+  { "38ad9963", "23d01d5b", "", "", "", ALL, kUninstallLink },
 
   // wxbase28u_vc_cw.dll, "%systemroot%\\system32\\".
-  { "e967210d", "23d01d5b", "", "", "", kUninstallLink },
+  { "e967210d", "23d01d5b", "", "", "", ALL, kUninstallLink },
 };
 
 // Generates an 8 digit hash from the input given.
 static void GenerateHash(const std::string& input, std::string* output) {
   if (input.empty()) {
     *output = "";
     return;
   }
 
   uint8 hash[4];
@@ skipping 35 matching lines @@
 ModuleEnumerator::ModuleStatus ModuleEnumerator::Match(
     const ModuleEnumerator::Module& module,
     const ModuleEnumerator::BlacklistEntry& blacklisted) {
   // All modules must be normalized before matching against blacklist.
   DCHECK(module.normalized);
   // Filename is mandatory and version should not contain spaces.
   DCHECK(strlen(blacklisted.filename) > 0);
   DCHECK(!strstr(blacklisted.version_from, " "));
   DCHECK(!strstr(blacklisted.version_to, " "));
 
+  base::win::Version version = base::win::GetVersion();
+  switch (version) {
+    // case base::win::VERSION_XP:  // This is what I'll check in.
+    case base::win::VERSION_WIN7:  // This is so I can test on Win7.
+      if (!(blacklisted.os & XP)) return NOT_MATCHED;
+      break;
+    default:
+      break;
+  }
+
   std::string filename_hash, location_hash;
   GenerateHash(WideToUTF8(module.name), &filename_hash);
   GenerateHash(WideToUTF8(module.location), &location_hash);
 
   // Filenames are mandatory. Location is mandatory if given.
   if (filename_hash == blacklisted.filename &&
           (std::string(blacklisted.location).empty() ||
           location_hash == blacklisted.location)) {
     // We have a name match against the blacklist (and possibly location match
     // also), so check version.
@@ skipping 422 matching lines @@
   return subject_name;
 }
 
 //  ----------------------------------------------------------------------------
 
 // static
 EnumerateModulesModel* EnumerateModulesModel::GetInstance() {
   return Singleton<EnumerateModulesModel>::get();
 }
 
+// static
+void EnumerateModulesModel::RecordLearnMoreStat(bool from_menu) {
+  UMA_HISTOGRAM_ENUMERATION("ConflictingModule.UserSelection",
+      from_menu ? ACTION_MENU_LEARN_MORE : ACTION_BUBBLE_LEARN_MORE,
+      ACTION_BOUNDARY);
+}
+
 bool EnumerateModulesModel::ShouldShowConflictWarning() const {
   // If the user has acknowledged the conflict notification, then we don't need
   // to show it again (because the scanning only happens once per the lifetime
   // of the process). If we were to run the scanning more than once, then we'd
   // need to clear the flag somewhere when we are ready to show it again.
   if (conflict_notification_acknowledged_)
     return false;
 
   return confirmed_bad_modules_detected_ > 0;
 }
@@ skipping 105 matching lines @@
                       ConstructHelpCenterUrl(*module).spec().c_str());
     }
 
     list->Append(data);
   }
 
   lock->Release();
   return list;
 }
 
+GURL EnumerateModulesModel::GetFirstNotableConflict() {
+  lock->Acquire();
+  GURL url;
+
+  if (enumerated_modules_.empty()) {
+    lock->Release();
+    return GURL();
+  }
+
+  for (ModuleEnumerator::ModulesVector::const_iterator module =
+           enumerated_modules_.begin();
+       module != enumerated_modules_.end(); ++module) {
+    if (!(module->recommended_action & ModuleEnumerator::NOTIFY_USER))
+      continue;
+
+    url = ConstructHelpCenterUrl(*module);
+    DCHECK(url.is_valid());
+    break;
+  }
+
+  lock->Release();
+  return url;
+}
+
+
 EnumerateModulesModel::EnumerateModulesModel()
     : limited_mode_(false),
       scanning_(false),
       conflict_notification_acknowledged_(false),
       confirmed_bad_modules_detected_(0),
-      suspected_bad_modules_detected_(0) {
+      suspected_bad_modules_detected_(0),
+      modules_to_notify_about_(0) {
   const CommandLine& cmd_line = *CommandLine::ForCurrentProcess();
-  if (cmd_line.HasSwitch(switches::kConflictingModulesCheck)) {
+
+  if (cmd_line.HasSwitch(switches::kConflictingModulesCheck) ||
+      // base::win::GetVersion() == base::win::VERSION_XP) {  // For checkin.
+      base::win::GetVersion() == base::win::VERSION_WIN7) {   // For debugging.
     check_modules_timer_.Start(FROM_HERE,
         base::TimeDelta::FromMilliseconds(kModuleCheckDelayMs),
         this, &EnumerateModulesModel::ScanNow);
   }
 
   lock = new base::Lock();
 }
 
 EnumerateModulesModel::~EnumerateModulesModel() {
   delete lock;
 }
 
 void EnumerateModulesModel::DoneScanning() {
   confirmed_bad_modules_detected_ = 0;
   suspected_bad_modules_detected_ = 0;
+  modules_to_notify_about_ = 0;
   for (ModuleEnumerator::ModulesVector::const_iterator module =
     enumerated_modules_.begin();
     module != enumerated_modules_.end(); ++module) {
-      if (module->status == ModuleEnumerator::CONFIRMED_BAD)
+      if (module->status == ModuleEnumerator::CONFIRMED_BAD) {
         ++confirmed_bad_modules_detected_;
-      if (module->status == ModuleEnumerator::SUSPECTED_BAD)
+        if (module->recommended_action & ModuleEnumerator::NOTIFY_USER)
+          ++modules_to_notify_about_;
+      } else if (module->status == ModuleEnumerator::SUSPECTED_BAD) {
         ++suspected_bad_modules_detected_;
+        if (module->recommended_action & ModuleEnumerator::NOTIFY_USER)
+          ++modules_to_notify_about_;
+      }
   }
 
   scanning_ = false;
   lock->Release();
 
   UMA_HISTOGRAM_COUNTS_100("Conflicts.SuspectedBadModules",
                            suspected_bad_modules_detected_);
   UMA_HISTOGRAM_COUNTS_100("Conflicts.ConfirmedBadModules",
                            confirmed_bad_modules_detected_);
 
@@ skipping 29 matching lines @@
   GenerateHash(WideToUTF8(module.name), &filename);
   GenerateHash(WideToUTF8(module.location), &location);
   GenerateHash(WideToUTF8(module.description), &description);
   GenerateHash(WideToUTF8(module.digital_signer), &signer);
 
   string16 url = l10n_util::GetStringFUTF16(IDS_HELP_CENTER_VIEW_CONFLICTS,
       ASCIIToUTF16(filename), ASCIIToUTF16(location),
       ASCIIToUTF16(description), ASCIIToUTF16(signer));
   return GURL(UTF16ToUTF8(url));
 }