
Antivirus. This is scary...



NewsArchive
04-04-2015, 08:31 AM
All,

Spent quite a few days debugging the current antivirus "false-positive"
situation. I tracked it down to the SetupBuilder "stub loader". This small
loader is responsible for the application startup process.

The following links are the VirusTotal reports for the SetupBuilder 8.0 and
8.5 stubs. The source code is 100% identical, but the 8.5 stub includes an
updated manifest for Windows 10 compatibility and the file version resource
number increased from 8.0 to 8.5. Other than that, absolutely no
difference.

Stub Loader 8.0:
https://www.virustotal.com/en/file/f69e55a42ea13350d7911b96c466e2b2797db19a5af59a5ef70aa40363c98c6d/analysis/1428135808/

Stub Loader 8.5:
https://www.virustotal.com/en/file/42764462063f137354f803337f1319dfbb90e239bd02b0e84be6f132311aae3e/analysis/1428135963/

The 8.0 stub loader is 100% false-positive free, but the 8.5 stub loader
gives three false-positives. "Tencent Antivirus" introduced a new bug
today, "TrendMicro-HouseCall" fixed their bug a few hours ago. Jiangmin is
a story of its own.

http://www.lindersoft.com/forums/forumdisplay.php?17

Some antivirus products share the same detection engine or malware
signatures. This is the result of inter-vendor partnerships. So what
appears as a malware detection by three separate products could actually be
the result of a single bad signature shared by all of them.

Antivirus applications are based on file signatures on disk. They have a
large database (definition file) of specific byte patterns, and they look
for one or more byte patterns within a file. Some of the more advanced
antivirus applications have additional features such as heuristic
detection, i.e. looking for suspicious markers in what the application
actually does.

In our specific "false-positive" case, the antivirus pattern matcher looked
for a unique sequence of bytes that is specific to a piece of malware, and
found it in the stub loader.

This time I was able to replace the sequence of "bad" bytes and it results
again in a 100% false-positive free stub loader:
https://www.virustotal.com/en/file/8f4529285b48ca5755a30aa39a44ed62100239130f8fbdd061659e2865da1712/analysis/1428150197/

All I can say at this point is: this is scary... scary as hell. Antivirus
systems are the dark side.

We'll make a SetupBuilder update available next week.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
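A toy model of the situation the post describes, added here as an illustration (it is not Lindersoft's code nor any antivirus vendor's): a byte-pattern matcher run by several hypothetical products that license the same definition set, so a benign buffer that happens to contain one pattern gets three correlated flags. The vendor names, signature bytes and the "stub" buffer are all constructed for the example; the last function collapses a multi-engine report to its independent signature sources, which is the check a triager wants before counting hits.

```python
"""Toy model of signature-based scanning and shared detection engines.

Added illustration, not code from SetupBuilder or any antivirus vendor.
Vendor names, signature bytes and the stub buffer are constructed for the
example; they are not real signatures or real products.
"""
from collections import defaultdict

# Hypothetical signature database: signature id -> byte pattern.
# A real definition file holds millions of such patterns.
SIGNATURES = {
    "Mal/Example-A": b"\x8b\x45\xfc\x33\xc0\xc3\x90\x90",
    "Mal/Example-B": b"\xe8\x00\x00\x00\x00\x5b\x81\xeb",
}

# Hypothetical vendors and the definition set each one licenses. Three
# products sharing one set is the inter-vendor partnership case.
VENDOR_DB = {
    "VendorOne": "set-alpha",
    "VendorTwo": "set-alpha",
    "VendorThree": "set-alpha",
    "VendorFour": "set-beta",
}
DB_CONTENTS = {
    "set-alpha": ["Mal/Example-A", "Mal/Example-B"],
    "set-beta": ["Mal/Example-B"],
}

def scan(data: bytes, sig_ids) -> list:
    """Return the ids of every signature whose byte pattern occurs in data."""
    return [sid for sid in sig_ids if SIGNATURES[sid] in data]

def vendor_report(data: bytes) -> dict:
    """Emulate a multi-engine report: vendor -> list of signature hits."""
    return {v: scan(data, DB_CONTENTS[db]) for v, db in VENDOR_DB.items()}

def independent_sources(report: dict) -> dict:
    """Map each flagged signature id to the distinct definition sets behind
    it, so several vendor flags resting on one shared pattern count once."""
    sources = defaultdict(set)
    for vendor, hits in report.items():
        for sid in hits:
            sources[sid].add(VENDOR_DB[vendor])
    return dict(sources)

# Constructed stand-in for a benign stub loader: ordinary code bytes that
# happen to contain the same 8-byte run as signature Mal/Example-A.
BENIGN_STUB = b"MZ" + b"\x55\x8b\xec" * 4 + SIGNATURES["Mal/Example-A"] + b"\xc9\xc3"

if __name__ == "__main__":
    rep = vendor_report(BENIGN_STUB)
    print(rep)                       # three vendors flag Mal/Example-A
    print(independent_sources(rep))  # but all three rest on set-alpha
```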

NewsArchive
04-04-2015, 11:45 AM
I wish they put in half the effort you do investigating this.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
04-04-2015, 11:46 AM
Man.

I was just reading this article this morning. That's scary too.

http://www.wired.com/2015/02/nsa-firmware-hacking/

>All I can say at this point is: this is scary... scary as hell. Antivirus
>systems are the dark side.

Jeff Slarve
www.jssoftware.com
www.twitter.com/jslarve
I'll search help files & Google for you.