
Why doesn't ESET catch Bonjour?



A few years ago, when computers were not as fast as today, any process or program that caused a slowdown would be easily identifiable, since one would know that his system was running slower than usual. Nowadays it's hard to tell because today's computers are really fast.

This brings me to how I caught this spyware...

After a format, installing Windows, updates, etc., and after installing iTunes, I would notice a huge slowdown in my computer and/or the internet connection. I checked the running processes and found something called mDNSresponder.exe.

Upon researching, it appears to be spyware injected by Apple with anything you install from them: iTunes, iCloud, etc.

What they claim it does is help in discovering media on the network (bunch of lies); what it really does is send all user activities / browsing habits to Apple to help in user studies and targeted spam.

If I uninstall Bonjour, the speed of my computer goes back to normal, and the only issue I get is an error message upon first starting iTunes saying that the Bonjour Service is missing, but iTunes continues to work perfectly fine! To make things worse, every time iTunes or any Apple product gets updated and you install the update, Bonjour slips in and gets installed again.

Now Logitech has also started doing the same thing: their latest Logitech Gaming Software silently installs Bonjour as well, so I had to revert to an older version, as I don't want it installed on my system in the first place, nor do I want any traces of it.

Can you please start detecting / blocking it as part of the PUP/PUA thing?

Link to comment
Share on other sites

Well... according to a quick look at the Wikipedia article, Bonjour is legitimate software and not a kind of PUA. If something should be detected, then maybe an installer which installs this (potentially unwanted) software.

However if the software is needed or used by other software then it may not really be a PUA as it can be considered as wanted by the user.

It's the same with Google software and their Google Updater. Google Updater is just a part of their other software and needed/used (although someone may argue he wouldn't think this) so it would even be really difficult to classify this as a PUA - I think also for legal purposes as the explanation has to be waterproof for this.

Some things which don't apply to Bonjour which are characteristics of PUA:

  • unexpected
  • third-party software bundled (it's the same "author")
  • it's not a part of an ad(-network)
  • unexpected/unwanted changes (no, just sitting on your disk and maybe in RAM)

So basically if you're installing iTunes you have to expect that this is also installed. Show your complaints to Apple and not to ESET...

Link to comment
Share on other sites

Well, technically it may not be classified as a PUA, but what it does is similar, that is, track users' usage behaviors of their computers, which in turn causes a good amount of slowdown. I'm not complaining to ESET, I am asking them if they can include it or block its installation if one chooses to have PUA detection on, because it is installed silently. Like with this latest Logitech Gaming Software: I wanted to install my Logitech G602 mouse driver, but I got Bonjour installed with it as a bonus! It really ticked me off, and I wish there was some IP address to place in the hosts file or some way to block its installation completely, like one can block OpenCandy.

Link to comment
Share on other sites

  • Most Valued Members
  • Solution

Bonjour is apparently open source and is used by developers, with links, guides, libraries as well as the SDK and source code: https://developer.apple.com/bonjour/index.html

Here's a high level overview too: https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/NetServices/Introduction.html

Here they provide examples and more about Bonjour's operations: https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/NetServices/Articles/NetServicesArchitecture.html#//apple_ref/doc/uid/20001074-SW1

Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks. Bonjour uses industry standard IP protocols to allow devices to automatically discover each other without the need to enter IP addresses or configure DNS servers. Specifically, Bonjour enables automatic IP address assignment without a DHCP server, name to address translation without a DNS server, and service discovery without a directory server. Bonjour is an open protocol which Apple has submitted to the IETF as part of the ongoing standards-creation process. To learn more, check out the Bonjour Protocol Specifications which detail the technologies that make up Link-Local and Wide-Area Bonjour.

Bonjour is not only based on open Internet standards, our implementation is also available as Open Source under the Apache 2.0 license. It is built into most modern printers and many other consumer products.

The above might explain why Logitech is now also using Bonjour with some of their software. It's like how some apps require another thing (.NET Framework for some software, or Flash Player/Unity for a game online). iTunes needs it to communicate with Apple devices over your local network and possibly for other iTunes features (like sharing your library over the local network and syncing your Apple devices over Wi-Fi). Logitech uses it for network discovery for their Arx Control feature.

mDNSresponder.exe is similar to mDNSResponder on OS X, which has Bonjour built in. I would not be too sure that it is 'spyware' and that they are lying about what Bonjour does and are trying to do the suspicious activities you mentioned.

They are using this technology for their Logitech Arx Control, and removing it may cause issues if Logitech (or Apple's iTunes) depends on it. That is probably why it couldn't be classified as a PUA.

From Logitech's website: hxxp://support.logitech.com/software/gaming-software

Logitech Gaming Software lets you customize Logitech G gaming mice, keyboards and headsets.

Logitech Gaming Software includes third party software components, libraries, and frameworks, including, but not limited to, the third party software listed below. These included third party software components provide key functionality to Logitech Gaming Software and are included in the software installation package.

• Digia QT - Application and User Interface Framework

• Microsoft Runtime Libraries - Application and Hardware Support

• Apple Bonjour - Network Discovery Support for Logitech Arx Control

It seems to just be for Logitech Arx Control which has network discovery support, which is why Bonjour is installed along with two other third party software.

Here is more information about Arx Control: hxxp://gaming.logitech.com/articles/arx-control

Win the information war and stay ahead of the competition with critical in-game information on your tablet or smartphone. "Arx Control introduces second screen capability that allows iOS and Android mobile devices to display in-game info, vital system statistics and more."

Which is probably why they use Bonjour, to use iPads or iPhones for this feature.

I'm not sure that ESET should prevent Bonjour as a PUA so users can't use products and services that depend on it.

Edited by planet
Link to comment
Share on other sites
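The question in this thread (what mDNSResponder traffic contains and where it goes) can be checked on a packet capture. The following is an added example, not part of any post and not Apple's or ESET's code: it decodes the question section of an mDNS message and labels a destination as mDNS multicast (224.0.0.251 or ff02::fb on UDP 5353, per RFC 6762), other local traffic, or off-network. The function names, the `LOCAL_NETS` list and the sample packet are assumptions constructed for the example.

```python
import ipaddress

MDNS_GROUPS = {ipaddress.ip_address(a) for a in ("224.0.0.251", "ff02::fb")}  # RFC 6762
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fc00::/7")]

def read_name(pkt, off):
    """Decode a DNS name at off; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        if (n & 0xC0) == 0xC0:  # compression pointer (RFC 1035, 4.1.4)
            if off + 1 >= len(pkt) or hops >= 16:
                raise ValueError("bad compression pointer")
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | pkt[off + 1], hops + 1
        elif n > 63 or off + 1 + n > len(pkt):
            raise ValueError("bad label")
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def mdns_questions(pkt):
    """Return [(name, qtype)] from the question section of an mDNS message."""
    if len(pkt) < 12:
        raise ValueError("truncated header")
    off, out = 12, []
    for _ in range(int.from_bytes(pkt[4:6], "big")):
        name, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise ValueError("truncated question")
        out.append((name, int.from_bytes(pkt[off:off + 2], "big")))
        off += 4  # qtype + qclass
    return out

def classify(dst_ip, dst_port):
    """Label a destination; LOCAL_NETS above is this example's assumption."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in MDNS_GROUPS and dst_port == 5353:
        return "mdns-multicast"
    local = ip.is_multicast or any(ip in net for net in LOCAL_NETS)
    return "local" if local else "off-network"

# Constructed sample: two-question mDNS query; the second name is compressed.
SAMPLE_QUERY = (b"\x00\x00\x00\x00\x00\x02" + bytes(6) + b"\x09_services\x07_dns-sd\x04_udp"
                b"\x05local\x00\x00\x0c\x00\x01\x05_http\x04_tcp\xc0\x23\x00\x0c\x00\x01")
```

Feeding it the UDP payloads and destination addresses exported from a capture of the responder process shows which service names are being queried and whether any flow is labelled `off-network`.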

This topic is now closed to further replies.