Hi @ll,

Heimdal.SetupLauncher.exe, available from is (surprise.-) vulnerable to DLL hijacking: it loads (at least) WINSPOOL.DRV from its "application directory" instead of Windows' "system directory".

For downloaded applications like Heimdal.SetupLauncher.exe the "application directory" is Windows' "Downloads" folder.

See and plus , , and for more information.

On their web site Heimdal Security brags^Wlies:

| Online criminals hate us. We protect you from attacks that antivirus
| can't block.

The opposite is but true: every online criminal loves "security" products because of such trivial-to-exploit vulnerabilities!

DLL hijacking is a 20-year-old, well-known and well-documented vulnerability, and a typical beginner's error: see , , , and . for more information.


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!

  See and plus alias for more information.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories".

* Use SAFER alias Software Restriction Policies or AppLocker to enforce W^X alias "write Xor execute" in the NTFS file system: allow execution only below %SystemRoot% and %ProgramFiles% and deny it everywhere else.

  See or alias for more information.

* Stay FAR away from so-called "security" products!

  See (for example) and for more information.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2017-01-13    vulnerability report sent to vendor

              no reply, not even an acknowledgement of receipt

2017-01-21    vulnerability report resent to vendor

              no reply, not even an acknowledgement of receipt

2017-01-31    report published

# Iranian Exploit DataBase = http://IeDb.Ir [2017-02-02]
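
The ACE string from the second mitigation, decoded field by field. This is an added example, not part of the original advisory and not the decoder the author refers to; the function names and the token subset it accepts are assumptions made for illustration.

```python
import re

# Subset of SDDL tokens that matter for file-system ACEs, not the full grammar.
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"OI": "object inherit (files)", "CI": "container inherit (subdirectories)",
             "IO": "inherit only (not applied to the directory itself)",
             "NP": "no propagate", "ID": "inherited"}
# Right tokens -> mask bits; WP (0x20) is the bit files read as FILE_EXECUTE.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "FA": 0x1F01FF, "FR": 0x120089,
          "FW": 0x120116, "FX": 0x1200A0}
FILE_BITS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
             0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
             0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
             0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
             0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
            "BA": "Administrators", "SY": "SYSTEM"}

def pairs(field, table, what):
    """Split a field of two-letter tokens; reject anything not in the table."""
    tokens = re.findall("..?", field)
    unknown = [t for t in tokens if t not in table]
    if unknown:
        raise ValueError(f"unsupported {what} token(s): {unknown}")
    return tokens

def decode_file_ace(ace):
    """Decode one SDDL ACE string, reading its access mask as file rights."""
    m = re.fullmatch(r"\(([^()]*)\)", ace.strip())
    if not m or len(fields := m.group(1).split(";")) != 6:
        raise ValueError("expected (type;flags;rights;object;inherit_object;trustee)")
    ace_type, flags, rights, _obj, _inh, trustee = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ACE type: {ace_type!r}")
    if rights.lower().startswith("0x"):   # rights may also be a numeric mask
        mask = int(rights, 16)
    else:
        mask = 0
        for tok in pairs(rights, RIGHTS, "rights"):
            mask |= RIGHTS[tok]
    return {"type": ACE_TYPES[ace_type], "mask": mask,
            "flags": [ACE_FLAGS[t] for t in pairs(flags, ACE_FLAGS, "flag")],
            "file_rights": [name for bit, name in FILE_BITS.items() if mask & bit],
            "trustee": TRUSTEES.get(trustee, trustee)}  # other alias or raw SID: as-is

if __name__ == "__main__":
    print(decode_file_ace("(D;OIIO;WP;;;WD)"))  # the ACE string from the advisory
```

Because the ACE carries IO together with OI, it does not take effect on the profile directory itself, only on files that inherit it.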