On 25/01/2010, at 17.00, G.W. Haywood wrote:

> Hi there,
> 
> On Sun, 24 Jan 2010 Jon Bendtsen wrote:
> 
>> On 23/01/2010, at 15.11, G.W. Haywood wrote:
>> 
>>> You have omitted important information from your posts ...
>> 
>> It was not intentional. Which important information are you missing?
> 
> Details like operating systems, the names of the software packages
> that you're scanning, software versions (of everything), the commands
> you used to do the things that you've been doing... look at this:
> 
> http://catb.org/~esr/faqs/smart-questions.html

Noted.


>> A false positive is what I think we have here.
> 
> At this stage I think you're probably right, but as you said you need
> to be sure.  If you're using NSIS, why not just try removing it from
> the equation?

I have since then made an installation of the software on a virtual Windows
XP and then run ClamAV using SystemRescueCd-x86-1.3.4 with freshclam
being executed just before.

        clamscan -r -i --remove=no /mnt 2> /tmp/clam.err 1> clam.out

It only found the same setup.exe file and the Uninstall.exe file which setup.exe
creates. ClamAV probably detected Uninstall.exe inside setup.exe.

/mnt/Documents and Settings/admin/Local Settings/Temp/~nsu.tmp/Au_.exe: Trojan.Agent-136369 FOUND
/mnt/System Volume Information/_restore{AD244353-0DCC-47F4-A918-997317E0E020}/RP52/A0012614.exe: Trojan.Agent-136369 FOUND


Running Uninstall.exe inside the virtual machine and then again scanning the
system reported 2 other files as the same trojan, but they are identical to
Uninstall.exe, or cmp -s says they are.

        Uninstall.exe: Trojan.Agent-136369 FOUND


>> ... false positive, because that is what I believe we have since
>> only ClamAV detects it.
> 
> This seems to conflict with what you said on both Thursday and Friday
> of last week.

Yes, that is correct. But I understood your email of 22 January at
16.18 CET as saying that those others that detected it were based on ClamAV:

"Make sure that different virus scanning engines give positive results
on any given file.  Then start to worry.  Look into the activities of
the virus as reported by the anti-virus software suppliers and see if
you can match what you're seeing with what they say."

And this was right under where I listed the engines from virustotal.com that
found something. So I assumed that you were telling me that it was the same
engine.


We scan our desktops using Norton. Upon releases we also use AVG & AVAST.
None of them has found anything, and most of the virustotal.com engines did not either.

For some reason virustotal.com shows that 2 others also get a hit on
Uninstall.exe as a trojan:

Antiy-AVL           2.0.3.7   2010.01.27   Trojan/Win32.Shutdowner.gen
McAfee-GW-Edition   6.8.5     2010.01.27   Heuristic.BehavesLike.Win32.Trojan.B




>>> ...  By default, rsync checks only the file size and the last
>>> modified time.  You need to force it to run checksums on the files
>>> to be sure that actual data changes will be noticed ...
>> 
>> You already warned me of that privately, and I did answer.
> 
> I think you must be confusing me with someone else.  I didn't reply to
> you privately, I wouldn't want to do that without your invitation.  In
> general I like to keep this sort of thing on the list, so that others
> can benefit (that's also why I tend to put more explanation into my
> posts than apparently you're keen to read. :)

Yes, I can see that now; I am sorry for the confusion.


>>> ... obvious ... how to keep archives ... which cannot be changed
>>> ... For example ... a write-once-only medium such as CD-ROM ...
>> 
>> We have self-burned DVD-ROM images, and naturally I have scanned
>> those, with the same result. I did not mean any harm, but I simply
>> forgot to mention this.
> 
> In this context I'm surprised that anyone would forget to mention
> that.  Remember next time that you use a mailing list that although
> the readers might be more familiar with some package than you are,
> they probably aren't clairvoyant.

I probably should not even have mentioned rsync because it is not
important how I detected it.


>> While it is rather easy to trust what you read in your own source
>> code, modern software contains a lot of libraries, and lots of tools
>> are used in the building process. Some of these tools, if not most,
>> are binary and much harder to 100% prove secure.
> 
> It's impossible to prove secure.  You can be 100% sure that there are
> security problems in the tools and the libraries that you use.  You
> can take steps to be reasonably confident that faults in the tools are
> not distributed with your code, but if you distribute binary code from
> other organizations to your paying customers then I fear you might be
> taking on maintenance responsibilities which are difficult to perform.
> At least if you used open source libraries you would have a fighting
> chance of fixing things if, say, your supplier went out of business.
> I'm afraid all that is off-topic for this list.
> 
>> naturally we scan all software going out, the coder machines, the
>> builder machines, the servers and the DVD burner. But it was last
>> year. While nothing was found back then, that could just be because
>> the trojan in question is newly found.
> 
> Yes, that's just about possible.  I think in the circumstances it's
> unlikely, but you have to reach your own conclusion.  Google can be
> very helpful, and if you'd told us the name of the software packages
> that you're worried about I could have suggested a few searches. :)

At the moment we are not worried, we truly believe this is a false positive.
I have submitted the Uninstall.exe file as a false positive to
        http://clamav.net/sendvirus


>> Our intention is to be responsible and investigate until we are 100%
>> certain nothing is wrong.
> 
> Excellent.  In retrospect, I can understand a reluctance to voice
> fears about one of your own products in public.  I forgive you. :)

Thank you.


>> This is why I asked, because I don't work with viruses and trojans
>> all day, like I expect you guys to do. So maybe you knew some method
>> that I did not think of myself.
> 
> Just to set you straight on something about users' mailing lists like
> this one: it's mostly users of the package that are helping each other,
> although on this list a few of the developers do read the list too.  So
> in my case I'm not knee-deep in viruses all day long, in fact I haven't
> seen one since November last year - and that was at a customer's site,
> not one of mine.  But you're right, there might be a lot of experienced
> people reading your post so it's good to ask.  It just might be better
> if you were a little more experienced in asking. :)

We learn all the time. Asking the right question in the correct way apparently
takes considerable thought about what to include and what not to include.
I hope I got it better this time.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
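The reply above checks by hand, with cmp -s, whether the extra ClamAV hits are just copies of the same Uninstall.exe (the NSIS uninstaller dropped into Temp and kept by System Restore). The script below is an added example, not code from the thread or from the ClamAV project: it reads a clamscan log of the kind produced by "clamscan -r -i --remove=no /mnt 1> clam.out", hashes each reported file, and groups the hits by SHA-256, so that one binary detected in several places shows up as one distinct hit and separate detections stand out before anything is submitted as a false positive. The directory layout, file contents and the log itself are constructed for the demonstration; only the signature name Trojan.Agent-136369 is taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Groups clamscan "FOUND" hits by
# SHA-256 so that several copies of one binary are reported as a single hit.

# Hash a file; sha256sum on GNU systems, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -c1-64
    else
        shasum -a 256 "$1" | cut -c1-64
    fi
}

# Turn "path: Signature FOUND" lines into "signature<TAB>path" lines.
# The last ": " on the line separates path from signature, so paths that
# themselves contain ": " stay whole; clamscan's summary block does not
# end in " FOUND" and is skipped.
clam_hits() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        n = match($0, /: [^:]*$/)
        if (n) print substr($0, n + 2) "\t" substr($0, 1, n - 1)
    }' "$1"
}

# Emit "sha256<TAB>signature<TAB>path" for every hit whose file still exists,
# sorted so that identical contents end up on adjacent lines.
hits_with_hash() {
    tab="$(printf '\t')"
    clam_hits "$1" | while IFS="$tab" read -r sig path; do
        [ -f "$path" ] || continue
        printf '%s\t%s\t%s\n' "$(sha256_of "$path")" "$sig" "$path"
    done | sort
}

# Number of distinct file contents among the hits.
distinct_hits() {
    hits_with_hash "$1" | cut -f1 | uniq | wc -l | tr -d ' '
}

# Report: one header per distinct hash (hash prefix and signature), then its paths.
report_hits() {
    hits_with_hash "$1" | awk -F'\t' '
        $1 != prev { prev = $1; printf "%s  %s\n", substr($1, 1, 16), $2 }
        { printf "    %s\n", $3 }'
}

# --- constructed demonstration data (not real detections or real binaries) ---
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/Documents and Settings/admin/Local Settings/Temp/~nsu.tmp" \
         "$demo_dir/System Volume Information/RP52" "$demo_dir/Program Files/App"
printf 'constructed uninstaller bytes\n' > "$demo_dir/Program Files/App/Uninstall.exe"
cp "$demo_dir/Program Files/App/Uninstall.exe" \
   "$demo_dir/Documents and Settings/admin/Local Settings/Temp/~nsu.tmp/Au_.exe"
cp "$demo_dir/Program Files/App/Uninstall.exe" \
   "$demo_dir/System Volume Information/RP52/A0012614.exe"
printf 'constructed different bytes\n' > "$demo_dir/Program Files/App/setup.exe"

# A clamscan log written by hand for the demo; the signature name is the one
# quoted in the thread, the paths are the constructed files above.
demo_log="$demo_dir/clam.out"
cat > "$demo_log" <<EOF
$demo_dir/Documents and Settings/admin/Local Settings/Temp/~nsu.tmp/Au_.exe: Trojan.Agent-136369 FOUND
$demo_dir/System Volume Information/RP52/A0012614.exe: Trojan.Agent-136369 FOUND
$demo_dir/Program Files/App/Uninstall.exe: Trojan.Agent-136369 FOUND
$demo_dir/Program Files/App/setup.exe: Trojan.Agent-136369 FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
EOF

report_hits "$demo_log"   # two groups: the three identical copies, then setup.exe
echo "distinct contents: $(distinct_hits "$demo_log")"   # 2
```

On a real scan, point report_hits at the clam.out written by the clamscan command above while the scanned disk is still mounted under the same path; hits whose files have since been removed are skipped rather than hashed. The hashes it prints are also what a false-positive submission or a virustotal.com lookup would be keyed on, so the same grouping tells you how many distinct samples actually need to be reported.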
