pouët.net

Go to bottom

Antivirus false positives w/ packers

category: general [glöplog]
Packers now getting detected as Win32/NSAnti?

Quote:

Ah, it's interesting to me that you mention AVG. Over the past couple weeks, AVG has been reporting "Win32/NSAnti" for a lot of demos and intros. If other packages aren't detecting this, then I think it's a false positive introduced by a recent update.
added on the 2007-10-14 by bigcheese [bigcheese]

Quote:

AVG reports this on the kkrunchy that ryg released pre-asm07
added on the 2007-10-14 by _-_-__ [_-_-__]

Quote:

So apparently the Win32/NSAnti signature is not for a virus at all, it's a random heuristic warning for any kind of packer which has not been identified by antivirus manufacturers. So the only way to get it fixed it is to contact those manufacturers to start handling kkrunchy packed executables correctly.
added on the 2007-10-14 09:48:48 by _-_-__ _-_-__
and?
added on the 2007-10-14 09:58:11 by v3nom v3nom
Well, it's good to make it as widely known as possible if we don't want to see a comment about it on in each intro.
added on the 2007-10-14 10:04:25 by _-_-__ _-_-__
People with a clue won't have issues with this.
added on the 2007-10-14 10:22:52 by Preacher Preacher
Let's send a packed exe to the AV companies so their engineers can unpack them and remove the packer sig from the AV sig engine base.
added on the 2007-10-14 10:31:03 by SilkCut SilkCut
I'd seen comments about these false positives in the past, but it's the first time I've been struck by it. At first, I just erased the prods because it was only a few. Now I've got to find a new antivirus solution because it affecting too many prods (and AVG prevents me from running the prods even when I instruct it to ignore the threat).
added on the 2007-10-14 10:48:27 by bigcheese bigcheese
I do remember in my Windows95 times I would not bother with an antivirus. In the end I'm actually considering removing AVG from this PC completely.
added on the 2007-10-14 10:54:15 by _-_-__ _-_-__
Try NOD32 or Avast. These perform well in recognition tests, too. I recently switched from Avira/AntiVir to NOD32 and I get no false positives now. Mem use decreased from 60-70mb to <25mb. And it's even a bit strange that I don't need to pay so much attention to AV troubles anymore ;)
added on the 2007-10-14 12:29:22 by Ger Ger
Someone claiming to use NOD32 reported a false positive on one of my intros, packed with 20to4.
added on the 2007-10-14 13:02:45 by _-_-__ _-_-__
i'd send some demos and kkrunchy itself to those manufacturers. i think that's the best way...
Yes, that would be a good idea! (I wouldn't like to try to show the demoscene to some people by sending them links to download intros and then they say to me "You son of a bitch, you tried to put a virus on my PC!"
added on the 2007-10-14 13:26:58 by Optimus Optimus
Ger > Yes, NOD32 is not too much annoying with false positive, but the best way is still to submit the file to virustotal.com to clear the situation. The only way to make packers undetected as false positive is to submit them to AV company engineers. The main problem is that some real threats are using packers, thus it needs to be stopped by the heuristic engine..
added on the 2007-10-14 13:44:59 by SilkCut SilkCut
i think anti-viruses are much worse than viruses.
added on the 2007-10-14 14:04:58 by jmagic jmagic
what manko said
added on the 2007-10-14 15:03:45 by lorents lorents
does than imply that anti-virus is a virus?
More like a trojan horse or worm. promises you the blue of the sky, then does nothing but sit there, slow down the system and prevent you from doing stuff.
added on the 2007-10-14 15:47:58 by kb_ kb_
If you don't, for example, run suspect email attachments, is there any need for anti-virus software?
Yes but at least turning your pc into a botnet is only an AV easter egg feature...

manko+1, i remember the PE GRUM virus doing crazy complex thing just to spam..
added on the 2007-10-14 16:57:25 by SilkCut SilkCut
BurgrLovr: can i has cheezeburgr ?
Viruses are also coming from other source than email attachments.
_web browsing -> video/song/applet/scripts/images could be potentially malicious, you have to surf carefully
_running out-to-date softwares (including your favourite OS) over non-firewalled box/network could be potentially malicious
_always running applications with admin priviledge (i.e. with a user who is administrating your box) is a bad idea (those applications are not always bugfree)
_adding untrusted modules (i.e. third-parties add-ons) to applications could make those applications dangerous...

It is not necessary, but you have to be careful and scan your computer from time to time (i.e. using a web scanner or submitting a suspicious file to a multiple webscanner like virustotal.com). No need to say that some OS are less exposed, but never totally exempted from threats.
added on the 2007-10-14 17:11:54 by SilkCut SilkCut
I've been using NOD32 for almost 3 years now, no problems at all with any demo, not even kkrunchy ones. I made a switch now to Avast just for a change, but it will probably not be permanent. But so far so good.
I tried Avira too, but that's just a heavy crap. If at all possible, i try to avoid avg, but i have the free ver. installed in work. It seems to suit my Duron 800 the best of all these 3 :)

added on the 2007-10-14 21:02:42 by F-T-L F-T-L
brain.exe ftw \o/
Yesterday, we got a complaint at scene.org from someone who said that all versions of Debris which he had downloaded contained a virus, and whether we could supply a good link. Of course it was AVG again reporting a "Win32/NSAnti" infection.

Since Debris got a lot of attention outside the scene as well this may be the first time someone gets in touch with a demo... and then their virus scanner starts complaining... So yes, I agree with what others have said in this thread already, this is bad p.r. for the scene :-(
added on the 2007-10-21 13:58:26 by sparcus sparcus
I think it's time farbrausch releases a 128k antivirus suite.
haha :D






asking for ps_4_0 :(
added on the 2007-10-22 17:33:41 by SilkCut SilkCut
Quote:
Unfortunately, the previous virus database might have detected the
mentioned virus on some legitimate applications. We can confirm that
it was a false alarm. We have immediately released a new virus update
that removes the false positive detection on this file. Please update
your AVG and check your files again.

If you need to restore deleted files from AVG Virus Vault you can do
it this way:
- Open AVG Virus Vault (Start -> Programs -> AVG 7.5 -> AVG Virus
Vault).
- Locate the file that was incorrectly removed.
- Right click on it and choose the "Restore File(s)" option.

We are sorry for the inconvenience.

Thank you for your help.

Best regards,

Zbynek Paulen
AVG Technical Support

website: www.grisoft.com
mailto: technicalsupport@grisoft.com
On Sun Oct 21 14:41:50 CEST 2007, knos@scene.org wrote:

Sales Support Form
------------------

Name: Nicolas Léveillé
E-mail: knos@scene.org
Operating system: Other (other)
Product: Not Sure (NOT_SURE)
License number:
Country: FRANCE

Current version: Nothing (_104)
Topic: Other (_204)
More specific information: Not sure (_999)

------------------

Question:
---------
Hello Grisoft,

As a representative of scene.org, we are having a lot of enquiries from users of your antivirus regarding a recent update.

We host digital works on our archive, and they are usually packed with custom executable packers, in order to enter size-limited competitions.

Amongst them one very popular item:

FR-041 Debris.
http://www.youtube.com/watch?v=v0Eg3dBnsHk
scene.orgfile.php?file=/parties/2007/breakpoint07/demo/fr-041_debris.zip&fileinfo

Our users have started reporting false positives from AVG in the form of Win32/NSAnti warnings.

Thousands of files are now affected, we would love grisoft to find a solution to this issue.

Don't hesitate to contact us for further information.
added on the 2007-10-29 16:40:38 by _-_-__ _-_-__

login

Go to top