#46 (False) Virus alert on 4.1.0

Windows
Status: closed
Owner: Mark Miesfeld
Priority: 5
Updated: 2012-08-14
Created: 2011-01-04
Creator: bugstumbler
Private: No

Antivir Personal alerts with this message:

C:\ooRexx-4.1.0-windows.x86_64.exe
[0] Archivtyp: NSIS
[FUND] Ist das Trojanische Pferd TR/Hijacker.Gen
--> ProgramFilesDir/[PluginsDir]/ooRexxProcess.dll
[FUND] Ist das Trojanische Pferd TR/Hijacker.Gen

Please check, perhaps recode and inform users.
Thanks.
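As an added example (not code from the bug report or the ooRexx project), a small Python parser for the AntiVir report format quoted above: it charges each [FUND] line to the archive member named on the preceding "-->" line, so the one file inside the NSIS installer that trips the signature stands out for a vendor false-positive submission. The line semantics (Archivtyp, "-->", [FUND]) are read off the quoted sample and are an assumption, and the sample text is constructed from it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the AntiVir report lines quoted in the bug report above.
SAMPLE_REPORT = """\
C:\\ooRexx-4.1.0-windows.x86_64.exe
[0] Archivtyp: NSIS
[FUND] Ist das Trojanische Pferd TR/Hijacker.Gen
--> ProgramFilesDir/[PluginsDir]/ooRexxProcess.dll
[FUND] Ist das Trojanische Pferd TR/Hijacker.Gen
"""

ARCHIVE_RE = re.compile(r"^\[\d+\]\s+Archivtyp:\s+(\S+)")   # "[0] Archivtyp: NSIS" (assumed shape)
MEMBER_RE = re.compile(r"^-->\s+(.+?)\s*$")                   # path inside the archive
FUND_RE = re.compile(r"^\[FUND\]\s+.*?(\S+/\S+)\s*$")         # signature name, e.g. TR/Hijacker.Gen

@dataclass(frozen=True)
class Detection:
    container: str            # scanned file on disk
    archive_type: str | None  # from the Archivtyp line, if any
    member: str | None        # path inside the archive; None means the container itself
    signature: str

def parse_report(text: str) -> list[Detection]:
    """A [FUND] line is charged to the latest '-->' member, else to the container (assumed semantics)."""
    hits, container, archive_type, member = [], None, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := ARCHIVE_RE.match(line):
            archive_type = m.group(1)
        elif m := MEMBER_RE.match(line):
            member = m.group(1)
        elif m := FUND_RE.match(line):
            assert container is not None, f"[FUND] before any file line: {line}"
            hits.append(Detection(container, archive_type, member, m.group(1)))
        elif not line.startswith("["):
            container, archive_type, member = line, None, None  # a new scanned file starts
    return hits

def culprits(hits: list[Detection]) -> dict[str, list[str]]:
    """Per signature, the innermost flagged paths; a container is listed only when
    nothing inside it was flagged, so the one file to submit to the vendor stands out."""
    out: dict[str, set[str]] = {}
    explained: set[tuple[str, str]] = set()  # (signature, container) pairs explained by a member
    for h in hits:
        out.setdefault(h.signature, set()).add(h.member or h.container)
        if h.member:
            explained.add((h.signature, h.container))
    return {sig: sorted(p for p in paths if (sig, p) not in explained)
            for sig, paths in out.items()}
```

On the quoted report this yields a single culprit, ooRexxProcess.dll, which is the file Avira later classified as a false positive further down the thread.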

Discussion

  • bugstumbler
    2011-06-09

    Hi, the company's security officer prohibits installation of REXX 4.1 because of that virus/malware alert!
    Please check it now and return an answer to me.

  • frank
    2011-06-24

    I can confirm the issue twice: (1) testing another A/V-software it reported the 4.1.0 win x64 uninstall.exe as infected, and several "virus total" online scanners agreed. At that time I disagreed, and uninstalled the tested A/V-software. (2) Today I intended to install 4.1.0 win x86 in a virtual PC, and the Avira x86 A/V software blocked the installation for a DLL (otherwise the same reported trojan). Now I think there are in fact at least two different infected files (one x64 + one x86).

     
  • Mark Miesfeld
    2011-06-24

    The report is a false positive.

    1.) I downloaded and installed the package while the antivirus was running, and file-scanned the individual Windows 4.1.0 executables, with the following antivirus scanners:

    • Norton AntiVirus 2011, Norton AntiVirus 2010
    • Norton Internet Security
    • Norton 360
    • Symantec Endpoint Protection (Enterprise)
    • McAfee Total Protection for Secure Business
    • Kaspersky PURE Total Security
    • Kaspersky Security Applications for Enterprise Business

    None of these products reported a virus. Several of them are large-scale enterprise products. They are all products that you pay a decent amount of money for.

    2.) The only report I've seen of this comes from the free Avira Personal edition. A Google search shows a large number of people reporting that the free Avira Personal edition has a larger than usual number of false positives.

    It may be that the free Avira product is only worth what you pay for it.

    3.) SourceForge virus-scans the files on upload. They don't report a virus.

  • frank
    2011-06-24

    The Avira engine is the same in their commercial and business editions. The Virus Total scan of the x64 uninstall.exe reported several "hits", not only Avira -- I added an anonymous comment suggesting that this might be a false positive. With the unrelated second alert today I'm no longer so sure; do you use some extreme packing? Naive A/V software sometimes doesn't like that. OTOH I have used Avira for almost a decade now, and that would be only the 2nd false positive for me in this time.

  • Mark Miesfeld
    2011-06-24

    I don't believe the package has a virus.

    I believe that if it had a virus, one of the well-known antivirus packages would report it. None of them do.

    I believe that if the package had a virus, SourceForge would not have uploaded it to begin with.

    I don't believe that the free Avira product is better at detecting a virus than either the Norton or Kaspersky Lab enterprise products.

    --
    Mark Miesfeld
  • frank
    2011-06-24

    Well, it is no A/V popularity contest. My 1st ooREXX x64 uninstall.exe "hit" was by A/V software contained in the Googlepack, and because I didn't believe them I used the Virus Total online scan to get a 2nd .. 40th opinion. More than five scanners reported malware; the rest found nothing unusual. Maybe put an info on the oorexx.org site if you're sure that this is a phantom.

  • Bruce
    2011-06-24

    It seems to me that the most straightforward path would be to ask Avira support to confirm their report of a virus. You can give them the URL to SourceForge so they can get their own copy of ooRexx. Tell them that other virus checkers, and the vendors of ooRexx, claim that it is virus free. Once Avira support confirms that it is virus free, then your management should allow you to install the product.

    Avira support should be happy to do this because they want to eliminate as many false positives as possible.

    Virus checkers:
    1. No virus checker will report 100% of all viruses.
    2. Good virus checkers sometimes report false viruses.

  • bugstumbler
    2011-06-25

    @Miesfeld:

    A company with approx. 9000 employees has no room for individuality;
    a virus/malware check is either OK or not OK.

    If your company PC is found "contaminated", you have to fill out a painful questionnaire.

    And btw.: an admin tried to download from SourceForge and got a message about "infection". The company does not discuss the brands of its AV/firewall software, but for sure they use an enterprise version.

    Joe

  • Mark Miesfeld
    2011-06-27

    I installed the latest version of Avira and determined the specific file causing the false positive to be ooRexxProcess.dll. I submitted the Windows 4.1.0 install package as a whole and the individual ooRexxProcess.dll file to Avira as generating false positives.

    They declared the install package to be CLEAN and ooRexxProcess.dll a FALSE POSITIVE. I'm pasting their response here. I believe you can also go to their website and look up the results by the tracking number.

    ==========================

    Dear Sir or Madam,

    Thank you for your email to Avira's virus lab.
    Tracking number: INC00770942.

    A listing of files alongside their results can be found below:
    File ID  | Filename          | Size (Byte) | Result
    26199138 | ooRexxProcess.dll | 4 KB        | FALSE POSITIVE

    Please find a detailed report concerning each individual sample below:
    Filename          | Result
    ooRexxProcess.dll | FALSE POSITIVE

    The file 'ooRexxProcess.dll' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be added to our virus definition file (VDF) with one of the next updates. Detection will be removed from our virus definition file (VDF) with one of the next updates.
    Please note that Avira's proactive heuristic detection module AHeAD detected this threat up front without the latest VDF update as: TR/Hijacker.Gen.
    Alternatively you can see the analysis result here:
    http://analysis.avira.com/samples/details.php?uniqueid=VQgSWKmKcF49Xd3hzsp4SvAbJgCUYN3V&incidentid=770942

    An overview of all your submissions can be found here:
    http://analysis.avira.com/samples/details.php?uniqueid=VQgSWKmKcF49Xd3hzsp4SvAbJgCUYN3V

    Please note: If you have specific questions please address them to support@avira.com
    Kind regards
    Avira Virus Lab


    Avira GmbH
    Kaplaneiweg 1, 88069 Tettnang, Germany
    Phone: +49 (0) 7542-500 0
    Fax: +49 (0) 7542-500 3000
    Internet: http://www.avira.com

    CEO: Tjark Auerbach
    Headquarter: Tettnang
    Commercial register: AG Ulm HRB 630992


    =========================

    Dear Sir or Madam,

    Thank you for your email to Avira's virus lab.
    Tracking number: INC00770938.

    A listing of files alongside their results can be found below:
    File ID  | Filename                  | Size (Byte) | Result
    26199131 | ooRexx420_7009-x86_64.exe | 3.92 MB     | CLEAN
    26200092 | uninstall.exe             | 76.52 KB    | CLEAN

    Please find a detailed report concerning each individual sample below:
    Filename                  | Result
    ooRexx420_7009-x86_64.exe | CLEAN

    The file 'ooRexx420_7009-x86_64.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

    Filename      | Result
    uninstall.exe | CLEAN

    The file 'uninstall.exe' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.
    Alternatively you can see the analysis result here:
    http://analysis.avira.com/samples/details.php?uniqueid=VQgSWKmKcF49Xd3hzsp4SvAbJgCUYN3V&incidentid=770938

    An overview of all your submissions can be found here:
    http://analysis.avira.com/samples/details.php?uniqueid=VQgSWKmKcF49Xd3hzsp4SvAbJgCUYN3V

    Please note: If you have specific questions please address them to support@avira.com
    Kind regards
    Avira Virus Lab


    Avira GmbH
    Kaplaneiweg 1, 88069 Tettnang, Germany
    Phone: +49 (0) 7542-500 0
    Fax: +49 (0) 7542-500 3000
    Internet: http://www.avira.com

    CEO: Tjark Auerbach
    Headquarter: Tettnang
    Commercial register: AG Ulm HRB 630992


     


Anonymous


Cancel   Add attachments