Nmap Development mailing list archives

Re: Nmap is detected as a trojan by avast anti-virus


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 25 Jul 2008 19:57:52 +0000

On Fri, 25 Jul 2008 19:51:12 +0000
Brandon Enright <bmenrigh () ucsd edu> wrote:

Иван,

This is a false positive.  "Win32:Trojan-gen {Other}" is a heuristic
detection and not an actual signature.  If I had to take a guess in
the dark I'd say that they don't like the installer scripts or the
compression used by the installer.

Unfortunately, as malware gets better at evading signatures, AV
companies have to resort to broader and fuzzier heuristics to keep up.

I encourage you to contact Avast and notify them of the
false positive.  You may also be able to disable heuristics (which
will likely severely decrease its ability to generically detect
malware).

Brandon


BTW, for posterity's sake, here is the VirusTotal analysis of the
installer:

http://www.virustotal.com/analisis/b13d0d5cbb84afb4f7403547eb9779bf

Both "TheHacker" and "CAT-QuickHeal" detect it as
"Trojan.Shutdowner.rf".

My guess is that part of the scripts in the installer have the ability
to restart the machine.  It may be dead code that doesn't get
used/presented as an option but AV isn't going to know that.

I don't have a very high opinion of techniques used by some AV
craproducts though so take everything I have to say with a grain of
salt.

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
