Kaseya Community

New Folder On Clients

  • I see we're now getting a new folder on our clients which appears to be dropped by the LiveConnect process:

    C:\ProgramData\boost_interprocess\59689BDD732ECF01

    With some files with data like:

    (binary header bytes, then:)
    {"inputParameters":{"parameterPtrList":[]},"methodName":"IsDone"}
    ...alue":"-s kserver_name:5721,ip_address:5721 -p 0 -l 802600981 -d 5250-5266 -k f25a7a4d1fb6443fa45d66574a7f3d58707caf35399b4c0aba874aba49b1e669 -a 0 -b 1 -dll LiveConnectRelayService"}]},"methodName":"SendMessage"}

    Our anti-virus sees this as a possible PUP. Anyone else have these new folders appearing? Would be nice if Kaseya processes could write into their own folders such as the "kworking" folder instead of spreading themselves throughout the system...
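The pasted file contents above are the raw bytes of an emulated shared-memory segment with JSON messages embedded in them, which is why a virus scanner has nothing sensible to say about them. The following is an added triage example (not Kaseya's code, not Boost's, and not from the original post): it carves every complete JSON object out of a segment, pulls the relay command line ("-s ... -dll LiveConnectRelayService") out even when the file was captured mid-write, and redacts the `-k` token so the summary can be pasted into a ticket. The three sample segments are constructed; the binary header bytes are made up, and the `"value"` key name around the relay string is an assumption, since the post's paste begins at `alue":`. The default folder path is the one from the post.

```python
"""Triage helper for mapped files under C:\\ProgramData\\boost_interprocess.

Added example, not Kaseya's or Boost's code. The files are emulated
shared-memory segments: a binary header followed by whatever the owning
program placed in the segment. The LiveConnect segments quoted in this
thread carry JSON RPC-style messages ({"methodName": ...}) and a relay
command line ("-s host:port ... -dll LiveConnectRelayService"); this script
extracts both so a file can be attributed to LiveConnect rather than to
something else that happens to use the same folder.
"""
import json
import re
from pathlib import Path

# Relay command line as seen in the thread: from "-s <server>" up to "-dll <name>".
RELAY_ARGS = re.compile(r"-s\s+\S+.*?-dll\s+\w+")
FLAG_VALUE = re.compile(r"-(\w+)\s+(\S+)")


def carve_json_objects(data: bytes) -> list:
    """Return every complete, parseable top-level JSON object embedded in raw segment bytes."""
    text = data.decode("utf-8", errors="replace")   # stray binary bytes become U+FFFD
    objects = []
    i = 0
    while i < len(text):
        if text[i] != "{":
            i += 1
            continue
        depth, in_str, esc, j = 0, False, False, i
        while j < len(text):                         # find the matching closing brace
            c = text[j]
            if in_str:
                if esc:
                    esc = False
                elif c == "\\":
                    esc = True
                elif c == '"':
                    in_str = False
            elif c == '"':
                in_str = True
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth == 0:
            try:
                objects.append(json.loads(text[i:j + 1]))
                i = j + 1
                continue
            except json.JSONDecodeError:
                pass                                  # braces but not JSON; keep scanning
        i += 1
    return objects


def parse_relay_args(argstr: str) -> dict:
    """Split '-s host:port -p 0 ... -dll Name' into {'s': 'host:port', 'p': '0', ..., 'dll': 'Name'}."""
    return {flag: value for flag, value in FLAG_VALUE.findall(argstr)}


def triage_segment(data: bytes) -> dict:
    """Summarise one segment: RPC method names, relay arguments (key redacted), attribution verdict."""
    methods = [o.get("methodName") for o in carve_json_objects(data) if isinstance(o, dict)]
    relay = None
    m = RELAY_ARGS.search(data.decode("utf-8", errors="replace"))
    if m:
        relay = parse_relay_args(m.group(0))
        if "k" in relay:                              # session key: never paste it whole into a ticket
            relay["k"] = relay["k"][:8] + "..."
    return {
        "methods": methods,
        "relay": relay,
        "looks_like_liveconnect": relay is not None and relay.get("dll") == "LiveConnectRelayService",
    }


def scan_folder(folder=Path(r"C:\ProgramData\boost_interprocess")) -> dict:
    """Triage every file below the folder; a file still mapped by a live process may refuse to open."""
    results = {}
    for path in Path(folder).rglob("*"):
        if not path.is_file():
            continue
        try:
            results[str(path)] = triage_segment(path.read_bytes())
        except OSError as exc:
            results[str(path)] = {"error": str(exc)}
    return results


# Constructed sample segments modelled on the fragments quoted in the first post.
# The '"value"' key name is an assumption: the thread's paste starts at 'alue":'.
SEGMENT_FULL = (
    b"\x00\x01\x00\x00\x2c\x00\x20\x20\xd0\x00\x00\x00\x28\x00\xfc\x00"   # made-up header bytes
    + b'{"inputParameters":{"parameterPtrList":[]},"methodName":"IsDone"}'
    + b"\x00" * 16
    + b'{"inputParameters":{"parameterPtrList":[{"value":"-s kserver_name:5721,ip_address:5721'
    + b" -p 0 -l 802600981 -d 5250-5266"
    + b" -k f25a7a4d1fb6443fa45d66574a7f3d58707caf35399b4c0aba874aba49b1e669"
    + b' -a 0 -b 1 -dll LiveConnectRelayService"}]},"methodName":"SendMessage"}'
)
# Captured mid-write, like the truncated paste: no complete JSON object survives, the relay line does.
SEGMENT_TRUNCATED = b'alue":"-s kserver_name:5721,ip_address:5721 -p 0 -dll LiveConnectRelayService"}]},"methodName":"SendMessage"}'
# Some other program's segment in the same folder: braces but no JSON, no relay line.
SEGMENT_OTHER = b"\x00\x10{not json}\x00\xff"

if __name__ == "__main__":
    for name, seg in [("full", SEGMENT_FULL), ("truncated", SEGMENT_TRUNCATED), ("other", SEGMENT_OTHER)]:
        print(name, triage_segment(seg))
    # On an affected Windows host: print(scan_folder())
```

`looks_like_liveconnect` keys off the `-dll` name only; treat it as a hint for attribution, not a clean bill of health, since any process can write a file containing that string. Files that are still mapped by a running LiveConnect session may fail to open, which is the same reason blocking writes to the folder breaks LiveConnect.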
       

  • I have seen this found as PUP very often... I never looked closely at it though, so I never realized it was related to LiveConnect.

  • Apparently, some malware writes to this folder as well:

    about-threats.trendmicro.com/.../WORM_KELIHOS.SM

    And, of course, the LiveConnect process has to use a different file name each time it writes to that folder for some reason.

  • We were seeing that too.  We were beta-testing the Kaseya Remote Control (KRC (Italian Remote Control)) and it too wrote some files to that C:\ProgramData\boost_interprocess folder.

    I just Live Connected to myself, and I see some KLC-related files in that directory.

    I don't think that this folder creation and files/folders being plunked down inside it is a Kaseya-specific problem; however, Kaseya do write to that folder as well.

    Google searches for this are damn near useless, with everybody posting their HijackThis logs and such.  As  points out, some viruses/malware also live in this folder, so it's "guilt by association" in some capacity.

    If anyone knows what boost_interprocess is for "officially" (i.e. direct from Microsoft or Kaseya), I'm all ears, as this is causing a bit of a kerfuffle in our Service Desk at the moment as well.

  • "I don't think that this folder creation and files/folders being plunked down inside it is a Kaseya-specific problem; however, Kaseya do write to that folder as well."

    It's new and it's unannounced (that I can find anyway) and it's caused me to have to waste my time tracking down what's going on. It does not inspire "Trust" in me when this sort of thing occurs.

  • zippo: "It's new"

    Not new.  Here's my chrome://extensions:

    ...and I confirmed that even in IE the files below are created when the LC session is established:

    If I'm wrong, let me know...

    Should mention... we're on 6.3 at the moment.
    [edited by: Brian Dagan at 2:33 PM (GMT -8) on Feb 20, 2014]
  • It's the writing to the "boost_interprocess" folder that is new.

  • Just tested now and this also happens from a 6.3 installation.

  • Thanks, Neal. I appreciate the info. I'm an in-house IT guy and I don't have the number of machines that many of you have, but I do know my machines well. Google has little to say about the "boost_interprocess" folder and much of what it does say relates to malware. This folder has not been on any of my workstations until recently and none of them, to the best of my knowledge and given my multi-layer defense, has any malware on them. However, Google does have one reference that also indicates that this folder is used by Dropbox, Skydrive, and the like, and we did institute a Dropbox for Business account here in the last month or so. I'm betting that this is where that folder originated and I'm also betting that LiveConnect is using that folder if it's there and dropping those files somewhere else if it isn't. I'll test this theory tomorrow by renaming the folder and opening a few LiveConnect sessions and post the results.

    I hate new things! <waaaah>   :-)

  • Near as I can tell from my testing, the "boost_interprocess" folder is created on a Windows 7 machine by LiveConnect. The folder does not appear to be created by or used by Dropbox or Skydrive. The folder is not created by LiveConnect on a Windows XP machine. Blocking the creation of this folder or blocking any attempt to write to it also blocks LiveConnect (again, Windows 7, not Windows XP). I don't have any Win8 machines so can't test it there. Neal says that this folder also appears on Win7 machines for 6.3. I don't recall seeing it on mine but I'll certainly take Neal's word for it.

  • I think this XKCD is relevant when it comes to Googling the purpose of the boost_interprocess folder:


    So, to recap:

    • boost_interprocess appears to be created by and/or written to from other applications (not just Live Connect)
    • This folder is created for 6.3 users as well (so not just a 6.5 change)
    • Malware and other baddies like to hide in this folder as well

    If anyone else wants to weigh in on boost_interprocess, what it does, why it's there, and why Live Connect writes to it, please chime in!

  • LOL. That's a good one and oh, so appropriate. However, your recap doesn't match my testing:

    "•boost_interprocess appears to be created by and/or written to from other applications (not just Live Connect)"

    Not according to my testing. The folder was created by and written to by LiveConnect and only LiveConnect. I tested Skydrive and Dropbox and neither one used it (contrary to what my Googling in the vast wasteland indicated)

    "•This folder is created for 6.3 users as well (so not just a 6.5 change)"

    Yes, apparently.

    "•Malware and other baddies like to hide in this folder as well"

    Yes, apparently.

    Also, the folder is not created by LiveConnect on Windows XP. And the "KLC-" files are not created on Windows XP.

  • You guys managed to pique my interest with the ongoing discussion in this thread, so I had to test my Google FU.

    I managed to find this site, which appears to be related to the folder, and seems to indicate it is created by processes using the "Boost" C++ library... http://www.boost.org/

    Specifically on this page: www.boost.org/.../sharedmemorybetweenprocesses.html

    It is indicated that this folder is used to emulate the POSIX shared memory, about 1/4th of the way down that page:

    Boost.Interprocess provides portable shared memory in terms of POSIX semantics. Some operating systems don't support shared memory as defined by POSIX:

    • Windows operating systems provide shared memory using memory backed by the paging file but the lifetime semantics are different from the ones defined by POSIX (see Native windows shared memory section for more information).
    • Some UNIX systems don't fully support POSIX shared memory objects at all.

    In those platforms, shared memory is emulated with mapped files created in a "boost_interprocess" folder created in a temporary files directory. In Windows platforms, if "Common AppData" key is present in the registry, "boost_interprocess" folder is created in that directory (in XP usually "C:\Documents and Settings\All Users\Application Data" and in Vista "C:\ProgramData"). For Windows platforms without that registry key and Unix systems, shared memory is created in the system temporary files directory ("/tmp" or similar).

    Because of this emulation, shared memory has filesystem lifetime in some of those systems.

  • I should also admit... Unfortunately for Google... I found much better, more accurate results by using the search terms boost_interprocess folder in Bing than I did with the same terms in Google :(

  • Great info and nice find, Jonathan. Thank you. And thanks for the search reminder. I'm so used to Google giving me what I'm looking for that I often forget there are other search engines out there.