Nmap Development mailing list archives

Re: Nmap 4.76 detected as a Trojan by BitDefender 2009


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 1 Mar 2009 19:20:12 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> On Sun, 1 Mar 2009 18:57:29 +0000 or thereabouts Brandon Enright
> <bmenrigh () ucsd edu> wrote:
>
> > On Sun, 01 Mar 2009 15:40:27 +0100 or thereabouts Patrick Camilleri
> > <patrik.camilleri () gmail com> wrote:
> >
> > When downloading http://nmap.org/dist/nmap-4.76-setup.exe
> > BitDefender detects it as Trojan.Generic.1215885. On the other hand
> > the beta version of nmap,
> > http://nmap.org/dist/nmap-4.85BETA3-setup.exe seems to be clean. Is
> > this just a false positive?
> >
> > Malware name: Trojan.Generic.1215885
> >
> > Regards,
> > Patrick
>
>
> ...snip...
> I just sent nmap.exe to VirusTotal and BitDefender came back clean:
>
> https://www.virustotal.com/analisis/8298d510a59b8f5c0c1d1aa7d5f01744
>
> It is possible that if you update your signatures they have already
> corrected the false positive.


I re-read your email a little more carefully.  The detection is
triggering on our executable installer, not on Nmap.exe itself.  I just
sent the whole installer to VirusTotal and the results are a little
less encouraging:

https://www.virustotal.com/analisis/9819a7c66664730b9911bbadd7d50f77

8 of the 39 products flag the installer with some heuristic.

Here they are, grouped by my guess at what heuristic is triggering:

BitDefender     7.2     2009.03.01      Trojan.Generic.1215885
GData   19      2009.03.01      Trojan.Generic.1215885

These AV products probably share the same engine.  The heuristic could
be anything.


K7AntiVirus     7.10.649        2009.02.27      Trojan.Win32.Shutdowner.bsi
TheHacker       6.3.2.6.268     2009.03.01      Trojan/Shutdowner.awi
VBA32   3.12.10.1       2009.03.01      Trojan.Win32.Shutdowner.cog

The Nmap installer has the ability to restart the computer.  I don't
know if we make use of it or not but it is there.  It seems these
products have generic detection for some trojan that can shut down
Windows in the same way that the Nmap installer happens to use.
Clearly this heuristic is too broad and needs more context.


Panda   10.0.0.10       2009.03.01      Suspicious file

Every pre-compiled/pre-packaged executable file on any OS, especially
Windows, should be treated as suspicious.  This detection is utterly
useless.  I think Panda flags all packed/compressed executables as
suspicious so this is probably just a generic packer warning.


eSafe   7.0.17.0        2009.02.26      Win32.Trojan

More information would be useful.  This heuristic could be anything.
It is probably another generic packed executable warning.


Sunbelt 3.2.1858.2      2009.02.28      <Corrupted Archive>

Clearly Sunbelt doesn't know how to extract Nullsoft Installer
executables properly.


Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmq3+0ACgkQqaGPzAsl94LmGwCgjK0ZkXnuxUFnbKQjCNIpwB+Q
GrsAn3wf1Z8kReSF8rcBD2BewEH4E50d
=WjO2
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
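The triage done by hand in the message above (grouping vendor verdicts by the family they name, and setting aside generic or packer-style labels and outright scanner errors) can be scripted when a result table has more rows than eight. The following is an added example, not code from this thread or from the Nmap project. The sample rows are constructed from the results quoted in the message; the noise-token list and the named-family / heuristic / scan-error split are this script's own assumptions, not VirusTotal's categories.

```python
"""Group AV verdicts from a VirusTotal-style table by the family they name.
Added example; rows are constructed from the message, the token lists and
the three-way classification are this script's own assumptions."""
import re
from collections import defaultdict

# Constructed sample input: vendor, engine version, signature date, label.
# Tab-separated here; the parser also accepts runs of two or more spaces.
SAMPLE_ROWS = """\
BitDefender\t7.2\t2009.03.01\tTrojan.Generic.1215885
GData\t19\t2009.03.01\tTrojan.Generic.1215885
K7AntiVirus\t7.10.649\t2009.02.27\tTrojan.Win32.Shutdowner.bsi
TheHacker\t6.3.2.6.268\t2009.03.01\tTrojan/Shutdowner.awi
VBA32\t3.12.10.1\t2009.03.01\tTrojan.Win32.Shutdowner.cog
Panda\t10.0.0.10\t2009.03.01\tSuspicious file
eSafe\t7.0.17.0\t2009.02.26\tWin32.Trojan
Sunbelt\t3.2.1858.2\t2009.02.28\t<Corrupted Archive>
"""

# Label tokens that carry no family information (assumption: our own list).
NOISE = {"trojan", "win32", "w32", "win", "generic", "suspicious", "file",
         "malware", "heur", "variant", "packed", "corrupted", "archive"}
# Tokens that mean the scanner failed rather than detected anything.
SCAN_ERROR = {"corrupted", "error"}


def parse_rows(text):
    """Parse 'vendor version date label' lines into dicts; skip short lines."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\t+|\s{2,}", line.strip())
        if len(parts) < 4:
            continue
        rows.append({"vendor": parts[0], "version": parts[1],
                     "date": parts[2], "label": " ".join(parts[3:])})
    return rows


def tokens(label):
    """Lower-cased label pieces, split on the separators vendors use."""
    return [t.lower() for t in re.split(r"[./\\:_\s<>-]+", label) if t]


def family_key(label):
    """'Trojan.Win32.Shutdowner.cog' -> 'shutdowner'. Variant suffixes of
    1-3 letters and bare numbers are dropped; a label with no family-specific
    token gets a 'generic/' key so generic verdicts still group together."""
    toks = tokens(label)
    meaningful = [t for t in toks
                  if t not in NOISE and not re.fullmatch(r"[a-z]{1,3}|\d+", t)]
    return meaningful[0] if meaningful else "generic/" + "-".join(toks)


def classify(label):
    """'scan-error', 'heuristic' (generic/packer-style) or 'named-family'."""
    if SCAN_ERROR & set(tokens(label)):
        return "scan-error"
    if family_key(label).startswith("generic/"):
        return "heuristic"
    return "named-family"


def group_by_family(rows):
    """Map family key -> vendors that reported it, in input order."""
    groups = defaultdict(list)
    for r in rows:
        groups[family_key(r["label"])].append(r["vendor"])
    return dict(groups)


def summarize(rows):
    """Counts a triager wants: engines agreeing on a named family, engines
    that only fired a generic heuristic, and engines that simply failed."""
    kinds = defaultdict(list)
    for r in rows:
        kinds[classify(r["label"])].append(r["vendor"])
    named_keys = {family_key(r["label"]) for r in rows
                  if classify(r["label"]) == "named-family"}
    return {"flagged": len(kinds["heuristic"]) + len(kinds["named-family"]),
            "named_families": len(named_keys),
            "heuristic_only": len(kinds["heuristic"]),
            "scan_errors": len(kinds["scan-error"]),
            "families": group_by_family(rows)}


if __name__ == "__main__":
    report = summarize(parse_rows(SAMPLE_ROWS))
    for key, vendors in report["families"].items():
        print(f"{key:32s} {', '.join(vendors)}")
    print(f"{report['flagged']} flagged: {report['named_families']} named "
          f"family, {report['heuristic_only']} generic heuristics, "
          f"{report['scan_errors']} scan errors")
```

Run on the constructed rows it reports one named family ("shutdowner", three engines), four generic-heuristic verdicts and one scan error. The point of the split is that three engines naming the same family is a single piece of evidence if they share a signature feed, while "Suspicious file" or "Corrupted Archive" is no evidence of malice at all; the script only makes that consensus count visible, the analyst still has to decide whether the named family fits the file.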

