Nmap Development mailing list archives

Re: False positives on antivirus


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 29 Jan 2010 18:23:17 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 29 Jan 2010 11:01:30 -0600
"DePriest, Jason R." <jrdepriest () gmail com> wrote:

> On Fri, Jan 29, 2010 at 7:28 AM, Ron <> wrote:
> > Fyodor <fyodor () insecure org> wrote:
> > > Note that nmap-5.21-setup.exe seems to trigger 2 false positives.
> > > The Panda W32/Xor-encoded.A and McAfee+Artemis judges it
> > > "Suspect-D!10FC121FDD0D":
> >
> > Suspect-D, I like the sounds of that. It's like an action movie!
> >
> > But seriously, I hadn't realized it could be so easy to get a false
> > positive removed. Maybe we should revisit the idea of submitting
> > the original nmap_service.exe, unmodified, to the company that
> > detected it as malware?
> >
> > -- Ron Bowes
> > http://www.skullsecurity.org
>
> With nmap being a pretty well established legitimate program, it
> should be worth trying.
>
> The AV companies shouldn't have any reason to doubt our assertion that
> this is not really a virus.
>
> -Jason


It's nice to see that Panda fixed their signature but I think we're
going to run into a time when detection is deliberate, not accidental.

For example, psexec, netcat, fport, pwdump3, serv-u, enum.exe,
and other legitimate tools are so frequently used by the bad guys that
many AV products will label them as "hacktool" or "potentially unwanted
software", or variations on this theme.

We may win this battle at first but eventually we're likely to lose
it.  I think we should be prepared for AV products to legitimately flag
Nmap as potentially unwanted.

I'd suggest we put a page up on nmap.org discussing why AV product ABC
flagged Nmap as XYZ.  When we can't get an AV company to stop flagging
Nmap we can still point concerned users at that page.  I'm willing to
make the first draft of the page but it will take me a couple of days
to do so.  I'm already behind getting David, Ron, and Patrik data.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAktjJ5sACgkQqaGPzAsl94KahQCgqK14FUUsQ6zmbM8LaZk0/st1
vy4AnRnTAM/wK6Ue9aXI0ITEeqDrf6t+
=6DIw
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/