Antivirus false positives w/ packers
category: general [glöplog]
Packers now getting detected as Win32/NSAnti?
Quote:
Ah, it's interesting to me that you mention AVG. Over the past couple weeks, AVG has been reporting "Win32/NSAnti" for a lot of demos and intros. If other packages aren't detecting this, then I think it's a false positive introduced by a recent update.
added on the 2007-10-14 by bigcheese [bigcheese]
Quote:
AVG reports this on the kkrunchy that ryg released pre-asm07
added on the 2007-10-14 by _-_-__ [_-_-__]
Quote:
So apparently the Win32/NSAnti signature is not for a virus at all, it's a random heuristic warning for any kind of packer which has not been identified by antivirus manufacturers. So the only way to get it fixed is to contact those manufacturers to start handling kkrunchy packed executables correctly.
and?
Well, it's good to make it as widely known as possible if we don't want to see a comment about it in each intro.
People with a clue won't have issues with this.
Let's send a packed exe to the AV companies so their engineers can unpack them and remove the packer sig from the AV sig engine base.
I'd seen comments about these false positives in the past, but it's the first time I've been struck by it. At first, I just erased the prods because it was only a few. Now I've got to find a new antivirus solution because it is affecting too many prods (and AVG prevents me from running the prods even when I instruct it to ignore the threat).
I do remember in my Windows95 times I would not bother with an antivirus. In the end I'm actually considering removing AVG from this PC completely.
Someone claiming to use NOD32 reported a false positive on one of my intros, packed with 20to4.
I'd send some demos and kkrunchy itself to those manufacturers. I think that's the best way...
Yes, that would be a good idea! (I wouldn't like to try to show the demoscene to some people by sending them links to download intros and then they say to me "You son of a bitch, you tried to put a virus on my PC!")
Ger > Yes, NOD32 is not too annoying with false positives, but the best way is still to submit the file to virustotal.com to clear the situation. The only way to stop packers being detected as false positives is to submit them to AV company engineers. The main problem is that some real threats are using packers, thus it needs to be stopped by the heuristic engine.
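The generic "unknown packer" heuristic the posts above describe, shown as an added example that is not part of this thread and not the code of any AV product: a small Python script that walks the section table of a PE image and reports the signals such a rule keys on (high-entropy sections, writable+executable sections, unusual section names). Both PE images are constructed in memory, the 7.0 bits/byte threshold is a typical but assumed value, and the `.packed` section name is an assumption, not what kkrunchy or any other packer actually uses.

```python
"""Added example, not from this thread: a toy version of the generic
"unknown packer" heuristic that makes kkrunchy-style intros trip AV
warnings.  It walks the section table of a PE image and scores each
section on entropy, W+X permissions and non-standard naming.  Both PE
images below are constructed in memory; the section name ".packed" is
an assumption, not what any real packer uses."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a linker normally emits; anything else is a weak signal.
STANDARD_NAMES = {b".text", b".data", b".rdata", b".bss", b".rsrc",
                  b".reloc", b".idata", b".edata", b".tls"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for NOP sleds, ~8 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes, characteristics) for each section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt  # section table follows the optional header
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        yield name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size], chars


def packer_indicators(image: bytes, entropy_threshold: float = 7.0):
    """Return the reasons a generic packer heuristic would flag this image.
    An empty list means 'looks like ordinary compiler output'."""
    hits = []
    for name, raw, chars in pe_sections(image):
        label = name.decode("ascii", "replace")
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            hits.append(f"{label}: entropy {ent:.2f} bits/byte (compressed payload?)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{label}: writable+executable (in-place unpacking stub?)")
        if name not in STANDARD_NAMES:
            hits.append(f"{label}: non-standard section name")
    return hits


def build_pe(sections):
    """Construct a minimal PE image (DOS stub, COFF header with no optional
    header, section table, raw data) that pe_sections() can walk."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    offset = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for idx, (name, data, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000 * (idx + 1), len(data), offset, 0, 0, 0, 0, chars)
        body += data
        offset += len(data)
    return dos + b"PE\0\0" + coff + table + body


def plain_code() -> bytes:
    """Stand-in for compiler output: a small repertoire of byte values."""
    return b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 64


def packed_blob() -> bytes:
    """Deterministic stand-in for a compressed payload (SHA-256 chain)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))


# Constructed samples: a normal-looking build and a packed-looking one.
UNPACKED = build_pe([
    (b".text", plain_code(), IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", b"Hello\0" * 32, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
PACKED = build_pe([
    (b".packed", packed_blob(),
     IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".text", b"\x90" * 64, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for tag, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(tag, packer_indicators(img) or ["no indicators"])
```

The constructed "normal" image produces no indicators while the packed-looking one produces three (entropy, W+X, section name). A real engine weighs such signals rather than treating any one as proof, and the same signals appear on a kkrunchy intro and on a packed trojan, which is why the warning only goes away once the vendor adds unpacker support or whitelists the packer, as the posts above suggest.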
I think anti-viruses are much worse than viruses.
what manko said
Does that imply that anti-virus is a virus?
More like a trojan horse or worm. Promises you the blue of the sky, then does nothing but sit there, slow down the system and prevent you from doing stuff.
If you don't, for example, run suspect email attachments, is there any need for anti-virus software?
Yes but at least turning your pc into a botnet is only an AV easter egg feature...
manko+1, I remember the PE GRUM virus doing crazy complex things just to spam..
BurgrLovr: can i has cheezeburgr?
Viruses are also coming from other sources than email attachments.
_web browsing -> video/song/applet/scripts/images could be potentially malicious, you have to surf carefully
_running out-of-date software (including your favourite OS) on a non-firewalled box/network could be potentially dangerous
_always running applications with admin privilege (i.e. as a user who administers your box) is a bad idea (those applications are not always bug-free)
_adding untrusted modules (i.e. third-party add-ons) to applications could make those applications dangerous...
It is not necessary, but you have to be careful and scan your computer from time to time (i.e. using a web scanner or submitting a suspicious file to a multi-engine web scanner like virustotal.com). No need to say that some OSes are less exposed, but never totally exempt from threats.
I've been using NOD32 for almost 3 years now, no problems at all with any demo, not even kkrunchy ones. I made a switch now to Avast just for a change, but it will probably not be permanent. But so far so good.
I tried Avira too, but that's just heavy crap. If at all possible, I try to avoid AVG, but I have the free version installed at work. It seems to suit my Duron 800 the best of all these 3 :)
brain.exe ftw \o/
Yesterday, we got a complaint at scene.org from someone who said that all versions of Debris which he had downloaded contained a virus, and whether we could supply a good link. Of course it was AVG again reporting a "Win32/NSAnti" infection.
Since Debris got a lot of attention outside the scene as well this may be the first time someone gets in touch with a demo... and then their virus scanner starts complaining... So yes, I agree with what others have said in this thread already, this is bad p.r. for the scene :-(
I think it's time farbrausch releases a 128k antivirus suite.
haha :D
asking for ps_4_0 :(
Quote:
Unfortunately, the previous virus database might have detected the
mentioned virus on some legitimate applications. We can confirm that
it was a false alarm. We have immediately released a new virus update
that removes the false positive detection on this file. Please update
your AVG and check your files again.
If you need to restore deleted files from AVG Virus Vault you can do
it this way:
- Open AVG Virus Vault (Start -> Programs -> AVG 7.5 -> AVG Virus
Vault).
- Locate the file that was incorrectly removed.
- Right click on it and choose the "Restore File(s)" option.
We are sorry for the inconvenience.
Thank you for your help.
Best regards,
Zbynek Paulen
AVG Technical Support
website: www.grisoft.com
mailto: technicalsupport@grisoft.com
On Sun Oct 21 14:41:50 CEST 2007, knos@scene.org wrote:
Sales Support Form
------------------
Name: Nicolas Léveillé
E-mail: knos@scene.org
Operating system: Other (other)
Product: Not Sure (NOT_SURE)
License number:
Country: FRANCE
Current version: Nothing (_104)
Topic: Other (_204)
More specific information: Not sure (_999)
------------------
Question:
---------
Hello Grisoft,
As a representative of scene.org, we are having a lot of enquiries from users of your antivirus regarding a recent update.
We host digital works on our archive, and they are usually packed with custom executable packers, in order to enter size-limited competitions.
Amongst them one very popular item:
FR-041 Debris.
http://www.youtube.com/watch?v=v0Eg3dBnsHk
scene.orgfile.php?file=/parties/2007/breakpoint07/demo/fr-041_debris.zip&fileinfo
Our users have started reporting false positives from AVG in the form of Win32/NSAnti warnings.
Thousands of files are now affected, we would love grisoft to find a solution to this issue.
Don't hesitate to contact us for further information.