Nmap Development mailing list archives
Re: False positives on antivirus
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 29 Jan 2010 18:23:17 +0000
On Fri, 29 Jan 2010 11:01:30 -0600 "DePriest, Jason R." <jrdepriest () gmail com> wrote:
> On Fri, Jan 29, 2010 at 7:28 AM, Ron <> wrote:
> > Fyodor <fyodor () insecure org> wrote:
> > > Note that nmap-5.21-setup.exe seems to trigger 2 false positives. The Panda W32/Xor-encoded.A and McAfee+Artemis judges it "Suspect-D!10FC121FDD0D":
> >
> > Suspect-D, I like the sounds of that. It's like an action movie!
> >
> > But seriously, I hadn't realized it could be so easy to get a false positive removed. Maybe we should revisit the idea of submitting the original nmap_service.exe, unmodified, to the company that detected it as malware?
> >
> > -- Ron Bowes
> > http://www.skullsecurity.org
>
> With nmap being a pretty well established legitimate program, it should be worth trying. The AV companies shouldn't have any reason to doubt our assertion that this is not really a virus.
>
> -Jason
It's nice to see that Panda fixed their signature, but I think we're going to run into a time when detection is deliberate, not accidental. For example, psexec, netcat, fport, pwdump3, serv-u, enum.exe, and other legitimate tools are so frequently used by the bad guys that many AV products will label them as "hacktool" or "potentially unwanted software", or variations on this theme.

We may win this battle at first, but eventually we're likely to lose it. I think we should be prepared for AV products to legitimately flag Nmap as potentially unwanted. I'd suggest we put a page up on nmap.org discussing why AV product ABC flagged Nmap as XYZ. When we can't get an AV company to stop flagging Nmap, we can still point concerned users at that page.

I'm willing to make the first draft of the page, but it will take me a couple days to do so. I'm already behind getting David, Ron, and Patrik data.

Brandon