Nzbdrone.exe randomly being deleted

Sonarr version (exact version): 2.0.04949
OS: Windows 10 x64
((Debug logs)): Not sure if applicable
(Make sure debug logging is enabled in settings and post the full log to hastebin/pastebin/dropbox/google drive or something similar, do not post them directly here)
Description of issue:

I’m not sure why but I’ve had this issue once a few months ago, when Nzbdrone.exe was deleted for some reason and the service was gone. I reinstalled Sonarr to fix this and thought that it was a one-time thing so I did not delve into it much deeper.

Now for the past two weeks, this random occurrence has happened three times and I keep reinstalling Sonarr. I checked my antivirus (Avast Free) and it didn’t delete anything related to Sonarr.

Can you help me get to the bottom of this? Thanks.

Sonarr’s updater isn’t going to delete the executable and not replace it unless it runs into an error, which would be logged, so what do the update logs show?

My money is on anti-virus or anti-malware falsely identifying the executable as dangerous and deleting it. Adding an exclusion (based on location, not the specific executable hash) may help, or try another AV.

I had a coworker where (iirc Avast) terminated & deleted the Updater midway, but the update logs will show that.

I thought of that possibility the first time around. But for it to happen three random times is saying that this potential cause is unlikely. I’ll check the update logs.

If it was the AV then it would delete it every single time the system accesses the exe file. But that is not the case.

Since this has happened randomly, I’m not sure which dates I’m looking for but the latest one happened between last week and this week. I’m not sure what I’m looking for in the logs but can you guys help me out?

Here are the Update Logs: https://www.dropbox.com/s/bf0g9bm0w11zerd/UpdateLogs.zip?dl=0

The update logs show that the update went fine and that the NzbDrone.exe was deployed properly.

Sonarr wouldn’t go around deleting itself (in fact, it simply can’t), ergo something else is doing it. 99% that it’s an antivir or something like it doing that.

Ok, I feel dumb. I found another storage that Avast uses when it detects something and it does detect nzbdrone.update.exe and nzbdrone.console.exe as viruses! I’ll have them excluded. Thanks.

I have one question though. Is the nzbdrone.update.exe a temporary file (since it’s in c:\windows\temp)? Even when I restored it from Avast’s virus chest, it doesn’t restore that exe file. Is that exe only available when there’s a new Sonarr update?

The update gets downloaded and extracted into a %TEMP%/nzbdrone_update directory and run from there. iirc it’s not actually deleted after update, simply replaced on the next update. But in that sense it is temporary.
And on its own it’s useless, you can’t actually run it coz it requires several cmdline arguments.

Btw. What error did Avast give? The log file indicates that the update went fine, which means that at another time Avast suddenly decided it was bad.
A theory I and my coworker had was that Avast didn’t like an executable from temp replacing and running another binary, but then I would’ve expected issues during update. Afaik he reported it as a false positive but I still wonder.

Just as I thought.

Those two executables were detected as viruses by Avast. Here’s a pic of the virus chest:

I guess the timing I gave you was off by a few days. Did you look at all of the logs or just the logs applicable to the time range I gave initially? The timestamps on the pic above say it all.

I only looked at the last couple of updates earlier. But seeing the timestamps, it’s quite literally deleting the updater AFTER it finishes and closes, based on the logs.

IDP.* is behavioral. So Avast is saying it’s doing something suspicious. It’s not looking at the file and recognizing it as bad, it’s just monitoring what it did.
For the first (NzbDrone.Console) it’s IDP.ALEXA.51, no idea why it’s detecting that.
The others are just generic, but no details as usual.

@markus101 we really, REALLY should start using code-signing certs, either self-signed or paid. From what I understand it’ll make reported false-positives stick better.
We should also create a self-contained exe that contains Sonarr and the updater, which runs through the entire update process. Basically, NzbDrone.exe --installupdate={path to zip} so it mimics normal behavior. That might allow us to let VirusTotal test the update with all those different antivir.

Gotcha. I worked for Trend Micro before and I understand how behavior monitoring applies in this case.

I agree that you should, at the very least, sign your code with a self-signed cert or better yet with a paid cert like you said.
