Attempted Download of CCS 5.1 Triggered Norton Internet Security "High-Risk Threat" and When Threat Blocked, the download failed

I attempted to download CCS 5.1, and it triggered a Norton Internet Security "High-Risk Threat". Shortly after the threat was blocked, the download failed, with an indication to read some Eclipse configuration logs, which only indicate missing files, which I assume were not downloaded because they are spy-ware.

Regrettably, I assume this means your software is unusable as is. I'm not stupid enough to download spyware to get some free software.

However, perhaps this is an issue between some software suppliers and Symantec. If you can resolve this issue with Symantec, then I'd be glad to continue my effort to use CCS and TI hardware, but I cannot continue with the risk of compromising my computer's security.

  • Hi,

    It is actually the first time I hear this; could you provide the exact steps that caused Symantec to trigger this threat warning? Also, what was the filename and the URL that showed this behaviour? When did you download the software? What was the exact error message? Can you try to download the offline installer and see if the threat is triggered?

    I use Symantec in several machines and never saw that, but the information above may help identify what could cause this issue.

    FYI, TI would never lure customers into downloading our software tools and surreptitiously include spyware software. This is not the way we do business.

    CCSv5.1 is not ad-based nor carries any spyware software together with it.

    Regards,

    Rafael

  • Rafael:

    When I started the CCS 5.1 installer, and after the agreement part, it started downloading.

    First there was a Norton Internet Security pop-up that asked what to do about the Texas Instruments intrusion, and it recommended "always allow ...", indicating Symantec thinks TI is a safe source, so I proceeded as recommended.

    Then, about 10 minutes into the download, after several modules had been installed, and after an Eclipse module had just completed downloading and was starting to install, there was another Norton Internet Security (NIS) pop-up regarding Eclipse, and it was a "high-risk threat" with the recommendation to "always block .....", so I proceeded as recommended and clicked to block it. Then after a few seconds an error was reported, then after another few seconds another error was reported, then after another few seconds, the download terminated. The error message indicated to look at log files located in the C:\ti\ccsv5\eclipse\configuration directory. There are 7 log files in that directory generated at the time of the incident. If you provide me with an email address, I'd be glad to send those files to you by email attachment.

    My assumption is that some Eclipse executable included in the download wants to download some files directly from some non-TI server, and when NIS blocked it from doing so, the Eclipse files did not get downloaded, then another Eclipse executable decided that wasn't acceptable, and terminated the download.

    My problem is that I have no choice but to trust Symantec NIS, because if I don't, I'd have to give up accessing the Internet. I don't know anything about Eclipse, and assuming they are the source for free software, I'd be inclined to agree with Symantec that free software should not be trusted. Running free software on a micro-controller that has no sensitive files is not very dangerous to me, but running some free executable that functions to download other executables from who-knows-where to my PC is highly risky. It's called a Trojan horse.

    In fact, I'd be violating the very agreement from TI regarding the CCS 5.1 download I just agreed to if I allowed some unknown Trojan horse to download whatever it wants to my PC; or upload whatever it wants, how should I know? So what can I do?

    I assume if I do the "full DVD image" download and install offline, then the same Eclipse executable would get executed, and probably trigger the same Symantec NIS pop-up. That download is so huge, I am reluctant to subject my PC to it (for hours), especially when I expect it to yield the same failed result. Is there a way to get the actual DVD and install CCS 5.1 with no Internet downloading allowed? That's the only secure way to do it. Seriously, are there people at TI who think their software is secure from being copied when it's loaded on customers' Internet-connected computers that have free-software Trojan horses on them? But then you can't control where a DVD might end up.

    Which brings me back to Symantec NIS. Someone has to be responsible for monitoring internet communications to and from customers' PCs, or there is no security for your software. If the guys at Eclipse have the security procedures in place to make sure all their executables are safe, then they should be able to convince Symantec of that, and then NIS would recommend to "allow ....". If not Symantec NIS, then who? Microsoft? McAfee?

    I don't know what to do here. I really like TI's Stellaris uCs, and I'd like to standardize on them for embedded server applications. CCS is a cost-effective solution for development, but I need, and TI should require, a secure installation. Any further suggestions?

  • Hi,

    As mentioned in the download page, the CCSv5 web installer downloads the packages selected during install. This implies that it will download the components from a given server (which also belongs to the ti.com domain) and run its installers in your system. In its internals it runs the component Eclipse P2 that manages the download and install of each package selected during install. This component is completely configured by our installer and only downloads and installs trusted components from trusted sources (the ti.com domain), which does not constitute a Trojan Horse.

    What seems to be triggering Symantec is the Eclipse P2 component, therefore the logs will not help.

    The offline installer, on the other hand, is designed to allow installation across multiple workstations (without the need to download the components multiple times) and to systems without internet access. Although the same Eclipse P2 component will still run, no download during install will take place, which may prevent Symantec from triggering.

    A physical DVD will be identical to an offline installer, and will be subject to the same possibilities as above.

    So unfortunately this is a matter of trust: if downloaded from our servers, any CCSv5 installer (web or offline) is safe and does not pose a threat to our customers' systems. As with anything that is related to the internet, only download software from trusted domains and sources.

    Again, TI neither uses nor is in the business of creating viruses, ad-based software, spywares, trojan horses or other malicious software. Don't insist.

    Regards,

    Rafael

  • Rafael:

    Thanks for the helpful details. I have also read up some about Eclipse since my last post. I am a bit more trusting of Eclipse now, but still have some concern as to why Symantec would consider their loader a "high-risk threat". I think someone should address that issue with Eclipse and Symantec, or if as you say it's configured by TI, then TI should be able to address that issue directly with Symantec.

    With regard to my use of the term "Trojan Horse", I consider any automatic-updating program that has the ability to download software from the Internet automatically without first asking the user to be a Trojan Horse. Even if the source is generally trustworthy, having such a program running on customers' PCs provides a seriously dangerous tool for those who want to disseminate malware. In the same eclipse\configuration\ directory as the error log files is a file named "org.eclipse.update", and it was that file that made me suspicious that Eclipse was installing an automatic-updating program, or may be going out at the time of the install to acquire newly-updated files. If that were true, then it may be acquiring files that TI has not examined, and therefore could be malicious. Even if Eclipse is a reputable firm, the possibility still exists for someone in their organization to introduce malware into the system. That's why I consider automatic updating programs to be Trojan Horses, even if that's not the original intent, because they can be used that way, so customers should never enable automatic updates, and acquire updates as rarely as is practical.

    If, as you say, the Eclipse loader on the DVD image is only loading files from the image, and not acquiring any new files from the Internet, then that solves my problem. Your detailed reply is sufficiently helpful for me to proceed using the DVD image, because NIS will prevent the loader from acquiring files from the Internet. If the install fails, then we'll know it's doing that. However, I am still concerned about the download time and the wear on my hard drive of such a huge lengthy process. So...

    1. What would it take to get an actual DVD?, and regardless of how I proceed....

    2. Since my download got interrupted, and some modules are already installed, is this going to cause a problem if I start another install?

    2a. That is to say, do I need to do any uninstall of what is already here?

    3. What about the license and agreement? Will duplicating that part of the procedure create any problems?

    Sorry this is getting so complicated, but hopefully that's all the questions.

    Thanks,

    Tom Cramer, Embedtec Corp.

     

     

  • Tom,

    I understand your concerns regarding a new software downloaded from the Internet; surely it is not as safe as it used to be.

    Regarding automatic updates, CCSv5.1 comes with this feature disabled by default, thus avoiding the risk in having undesired internet accesses.

    1. Unfortunately there's no way to obtain a DVD without purchasing a license of CCSv5. If you are interested in doing so, many ways are available to do this: either via a local distributor or directly from TI's estore (for a single computer you would purchase the TMDSCCS-ALLN01).

    2. I strongly suggest manually removing the remnants of the faulty installation before proceeding with the new one. The reason is because I am not sure if the uninstaller will understand what pieces of software were installed due to the interference of the external program.

    3. Although I am not a lawyer, the license agreement shown in the installer (check the Free License at this link) grants the use for a single-user host computer, therefore I don't see an issue in reinstalling.

    Regards,

    Rafael

     

  • Rafael:

    Thanks for the fast response, and for answering all my questions.

    My plan is to use the board-locked license with the two TI evaluation boards I have purchased before buying a license for individual parts. I'd like to try everything out before purchasing the license, so I'll go ahead and try the DVD-image download.

    I do have one more question regarding using two different TI evaluation boards with the board-locked license. How does that work? I assume I only install CCS one time, but if it identifies with one board, what will happen when I switch to another board?

    I'll let you know if the install works or not, since I have not removed the NIS rule to block Eclipse from Internet access.

    Tom Cramer, Embedtec Corp.

     

  • Tom,

    The license is actually node-locked (not board-locked). What it means is that it is locked to the host PC and not to the target board you are using. In this case, you can configure CCS to use each board (one at a time) and thus perform your development without having to install it twice (or purchase two licenses).

    For usage details and configuration, I strongly suggest you check the CCSv5 Getting Started Guide at:

    http://processors.wiki.ti.com/index.php/CCSv5_Getting_Started_Guide

    Regards,

    Rafael

     

  • Rafael:

    Good News. The offline install worked without Eclipse accessing the Internet.

    The TI installer definitely phoned home a number of times, and triggered several NIS pop-ups, but each time NIS recommended "always allow ...", so that's what I did. By the way, I hate to place all my trust in Symantec NIS, but like I wrote before, I don't think I have any better choice. I've got to trust someone in this realm.

    Now I've got CCS v5 installed and running. I was not expecting to also have to download and install the Stellarisware, because the CCS is so huge, I thought that would be included in it.

    I'll definitely check out that CCSv5 Getting Started Guide you pointed me to.

    * Regarding the Stellarisware, it didn't allow me to print the license agreement, which I quickly scanned, and it looks similar to the CCS license, but not identical, so I'd like to get a copy of the Stellarisware license. Where can I get that?

    Tom Cramer, Embedtec Corp.