Thread: Antivirus. This is scary...

  1. #1

    Antivirus. This is scary...

    All,

    Spent quite a few days debugging the current antivirus "false-positive"
    situation. I tracked it down to the SetupBuilder "stub loader". This small
    loader is responsible for the application startup process.

    The following links are the VirusTotal reports for the SetupBuilder 8.0 and
    8.5 stubs. The source code is 100% identical, but the 8.5 stub includes an
    updated manifest for Windows 10 compatibility and the file version resource
    number increased from 8.0 to 8.5. Other than that, absolutely no
    difference.

    Stub Loader 8.0:
    https://www.virustotal.com/en/file/f...is/1428135808/

    Stub Loader 8.5:
    https://www.virustotal.com/en/file/4...is/1428135963/

    The 8.0 stub loader is 100% false-positive free, but the 8.5 stub loader
    gives three false-positives. "Tencent Antivirus" introduced a new bug
    today, "TrendMicro-HouseCall" fixed their bug a few hours ago. Jiangmin is
    a story of its own.

    http://www.lindersoft.com/forums/forumdisplay.php?17

    Some antivirus products share the same detection engine or malware
    signatures. This is the result of inter-vendor partnerships. So what
    appears as a malware detection by three separate products could actually be
    the result of a single bad signature shared by all of them.

    Antivirus applications are based on file signatures on disk. They have a
    large database (definition file) of specific byte patterns, and they look
    for one or more byte patterns within a file. Some of the more advanced
    antivirus applications have additional features such as heuristics
    detection - i.e. looking for suspicious markers in what the application
    actually does.

    In our specific "false-positive" case, the antivirus pattern matcher looked
    for a unique sequence of bytes that is specific to a piece of malware. And
    found it in the stub loader.

    This time I was able to replace the sequence of "bad" bytes and it results
    again in a 100% false-positive free stub loader:
    https://www.virustotal.com/en/file/8...is/1428150197/

    All I can say at this point is: this is scary... scary as hell. Antivirus
    systems are the dark side.

    We'll make a SetupBuilder update available next week.

    Friedrich

    --
    Friedrich Linder
    Lindersoft
    www.lindersoft.com
    +1.954.252.3910

    --Helping You Build Better Installations
    --SetupBuilder "point. click. ship"
    --Create Windows 10 ready installations in minutes
    --Official COMODO Code Signing and SSL Certificate Partner
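The toy scanner below is an added example, not code from the post above or from SetupBuilder. It illustrates the two mechanics the post describes: a signature is just a byte run, so any file that happens to contain it matches, and vendors that license one signature set all fire on the same bytes, so three detections can be a single bad entry. The signatures, the four vendor names, the stand-in stub bytes and the "inc eax; nop; nop" rewrite are all constructed for the demo and are not the real signatures or the actual change made to the stub.

```python
"""Toy byte-pattern signature scanner (added example, not SetupBuilder code).

Every signature, vendor and file below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes          # exact byte sequence, or a regex over bytes
    is_regex: bool = False


# Constructed signature set. "Trojan.Demo.A" is an exact 10-byte run that, in
# this story, a vendor lifted from a malware sample. It is ordinary 32-bit x86
# compiler output (mov eax,[ebp-4]; add eax,1; mov [ebp-4],eax; jmp short),
# so any benign binary containing that loop idiom matches too.
SHARED_DB = [
    Signature("Trojan.Demo.A", b"\x8b\x45\xfc\x83\xc0\x01\x89\x45\xfc\xeb"),
    Signature("Packer.Demo.B", rb"\x55\x8b\xec\x83\xec.{1,4}\x60\x9c", True),
]

# Four hypothetical products. Three license the same signature set, so one bad
# entry in SHARED_DB shows up as three "independent" detections in a report.
VENDORS: Dict[str, List[Signature]] = {
    "VendorA": SHARED_DB,
    "VendorB": SHARED_DB,
    "VendorC": SHARED_DB,
    "VendorD": [Signature("Heur.Demo.Padding", b"\xcc" * 16)],
}


def scan(data: bytes, db: List[Signature]) -> List[str]:
    """Return the names of every signature in db found anywhere in data."""
    hits = []
    for sig in db:
        if sig.is_regex:
            found = re.search(sig.pattern, data, re.DOTALL) is not None
        else:
            found = sig.pattern in data
        if found:
            hits.append(sig.name)
    return hits


def multiscan(data: bytes) -> Dict[str, List[str]]:
    """Multi-engine view: vendor name -> matched signature names."""
    return {vendor: scan(data, db) for vendor, db in VENDORS.items()}


def detection_count(data: bytes) -> int:
    """Number of vendors reporting at least one hit."""
    return sum(1 for hits in multiscan(data).values() if hits)


# Constructed stand-in for a 32-bit stub loader: a fake header, a tiny function
# whose loop contains the signature bytes, then a manifest-like string.
FAKE_HEADER = b"MZ" + b"\x90" * 62
LOOP = b"\x8b\x45\xfc" + b"\x83\xc0\x01" + b"\x89\x45\xfc" + b"\xeb\xf4"
STUB = FAKE_HEADER + b"\x55\x8b\xec" + LOOP + b"\x5d\xc3" + b"<assembly manifest/>"


def rebuild_without_pattern(data: bytes) -> bytes:
    """Re-encode 'add eax,1' (83 C0 01) as 'inc eax; nop; nop' (40 90 90).

    Same length and same effect on eax, so no jump offsets move, but the
    signature's exact byte run is gone. This is one possible semantics-preserving
    rewrite chosen for the demo (assumes 32-bit code, where 0x40 is inc eax).
    """
    old = b"\x8b\x45\xfc\x83\xc0\x01\x89\x45\xfc"
    new = b"\x8b\x45\xfc\x40\x90\x90\x89\x45\xfc"
    return data.replace(old, new)


if __name__ == "__main__":
    for label, blob in (("original", STUB), ("rewritten", rebuild_without_pattern(STUB))):
        print(label, detection_count(blob), multiscan(blob))
```

Running it reports three hits on the original stand-in (all from the shared set) and none on the rewritten one, which is the shape of the VirusTotal results described above: the count of detecting vendors says little until you know how many of them share a signature source.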

  2. #2

    Re: Antivirus. This is scary...

    I wish they put in half the effort you do investigating this.

    --

    Russ Eggen
    RADFusion International, LLC

  3. #3

    Re: Antivirus. This is scary...

    Man.

    I was just reading this article this morning. That's scary too.

    http://www.wired.com/2015/02/nsa-firmware-hacking/

    >All I can say at this point is: this is scary... scary as hell. Antivirus
    >systems are the dark side.

    Jeff Slarve
    www.jssoftware.com
    www.twitter.com/jslarve
    I'll search help files & Google for you.
