Thursday, November 3, 2011

Windows Firewall blocked netsession_win.exe - Akamai NetSession Installware

Recently I had a Windows 7 user who told me that Windows Firewall had blocked an outgoing connection for a program called "netsession_win.exe" which was in the directory "C:\Users\<username>\AppData\Local\Akamai", and wanted to know if it was a virus.

Of course, we all know Akamai, one of the leading providers of content caching and distribution networks among other things.

Upon further review, it appears that the Akamai NetSession Interface is some sort of download accelerator/caching tool, but it is not clear how the user got that particular tool on their system.  It does have an entry in the Windows control panel with some administrative tools.

This app appears to be installware, i.e. a program that is not necessarily malicious (but annoying) and that was installed without the user's knowledge or direct consent, either bundled with some other download or delivered via an automatic download mechanism.  There is a long list of companies that appear to use this tool.

If you have a legitimate install of this program, and don't want it on your machine, there is a simple uninstaller (as well as a README.txt that explains what the program is) in the same folder it is installed in.  The program does mention that it might just get installed again via some other download or site.  Uh, hello, that's annoying!

The Akamai website also includes another uninstallation method:

"How do I uninstall the Akamai NetSession Interface?
Windows: The Akamai NetSession Interface is a network library integrated into other applications. When you uninstall any of those applications, the library uninitializes. If you wish to uninstall the Akamai NetSession Interface, go to the AdminTool found at C:\Program Files\Common Files\Akamai\AdminTool.exe"

UPDATE 11/8/2011: It is clear by now that a huge number of people experienced this issue.  Over the last weekend, I put in a call to Akamai Customer Technical Support - (877) 4-AKATEC (US and Canada only) or (617) 444-4699.  Surprisingly, I was put through directly to a tech within minutes of calling.  If you are seriously concerned about this, I suggest that you give them a call and report the problem.  The tech I spoke to made a note of the issue, and gave me the same information that is listed on their website - that Akamai does not actually directly install this software, but that their partners (see the list of companies) do often bundle the installer.

The interesting thing is, I can actually verify through the Windows Event Log that this installer started on 11/3/2011 at 5:59 PM Pacific Daylight Time (PDT).  There is an event ID 1040 with the message "Beginning a Windows Installer transaction: C:\Users\<USERNAME>\AppData\Local\Temp\RarSFX0\installer_msi_win.msi. Client Process Id: 41500."
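To repeat that Event Log check on another machine, the following PowerShell is an added example (not part of the original investigation, and not Akamai's or Microsoft's own tooling). It assumes an English-language system, the default Application log, and a time window chosen around the date above; the flag column names are made up for this example.

```powershell
# Added example: list Windows Installer transactions (MsiInstaller event 1040)
# and flag packages that were started from temporary or per-user locations.
# The time window is an assumption; adjust it to the period under review.
$start = Get-Date '2011-11-03 00:00'
$end   = Get-Date '2011-11-04 00:00'

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1040
    StartTime    = $start
    EndTime      = $end
} -ErrorAction SilentlyContinue

# Message layout as quoted in the post (English systems):
# "Beginning a Windows Installer transaction: <path>. Client Process Id: <pid>."
$pattern = 'Beginning a Windows Installer transaction: (?<Path>.+?)\. Client Process Id: (?<ClientPid>\d+)'

$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        $path = $Matches['Path']
        New-Object PSObject -Property @{
            TimeCreated  = $e.TimeCreated
            UserSid      = $e.UserId
            MsiPath      = $path
            ClientPid    = [int]$Matches['ClientPid']
            # Package ran from a location any unprivileged process can write to
            FromUserPath = [bool]($path -match '\\AppData\\|\\Temp\\')
            # RarSFX<n> is the temp folder a WinRAR self-extracting archive unpacks
            # into, so the MSI arrived wrapped inside another executable
            FromRarSfx   = [bool]($path -match '\\RarSFX\d+\\')
        }
    }
}

$rows | Sort-Object TimeCreated |
    Select-Object TimeCreated, UserSid, ClientPid, FromUserPath, FromRarSfx, MsiPath |
    Format-Table -AutoSize
```

The Client Process Id is the process that asked Windows Installer to run the package; it can only be tied back to a program name if that process is still running or if process-creation auditing was already enabled when the install happened.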

Furthermore, this user happens to track their time for billing purposes using tools that record what programs they are working in, so I know exactly what programs they were actively using at this point in time.  This user was browsing the Microsoft HealthVault website in Google Chrome immediately before this installer process started at the time mentioned above.  That does not strike me as a particularly clear infection route.

It seems almost a guarantee that something automatically triggered the installer, whether it was timed, an update of some sort, or some other process.