Nmap Development mailing list archives
Re: Nmap 4.76 detected as a Trojan by BitDefender 2009
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 1 Mar 2009 19:20:12 +0000
On Sun, 1 Mar 2009 18:57:29 +0000 or thereabouts Brandon Enright <bmenrigh () ucsd edu> wrote:
On Sun, 01 Mar 2009 15:40:27 +0100 or thereabouts Patrick Camilleri <patrik.camilleri () gmail com> wrote:

When downloading http://nmap.org/dist/nmap-4.76-setup.exe BitDefender detects it as Trojan.Generic.1215885. On the other hand the beta version of nmap, http://nmap.org/dist/nmap-4.85BETA3-setup.exe seems to be clean. Is this just a false positive?

Malware name: Trojan.Generic.1215885

Regards,
Patrick
...snip...
I just sent nmap.exe to VirusTotal and BitDefender came back clean:

https://www.virustotal.com/analisis/8298d510a59b8f5c0c1d1aa7d5f01744

It is possible that if you update your signatures they have already corrected the false positive.
I re-read your email a little more carefully. The detection is triggering on our executable installer, not on Nmap.exe itself. I just sent the whole installer to VirusTotal and the results are a little less encouraging:

https://www.virustotal.com/analisis/9819a7c66664730b9911bbadd7d50f77

8 of the 39 products flag the installer with some heuristic. Here they are, grouped by my guess at what heuristic is triggering:

BitDefender 7.2 2009.03.01 Trojan.Generic.1215885
GData 19 2009.03.01 Trojan.Generic.1215885

These AV products probably share the same engine. The heuristic could be anything.

K7AntiVirus 7.10.649 2009.02.27 Trojan.Win32.Shutdowner.bsi
TheHacker 6.3.2.6.268 2009.03.01 Trojan/Shutdowner.awi
VBA32 3.12.10.1 2009.03.01 Trojan.Win32.Shutdowner.cog

The Nmap installer has the ability to restart the computer. I don't know if we make use of it or not but it is there. It seems these products have generic detection for some trojan that can shut down Windows in the same way that the Nmap installer happens to use. Clearly this heuristic is too broad and needs more context.

Panda 10.0.0.10 2009.03.01 Suspicious file

Every pre-compiled/pre-packaged executable file on any OS, especially Windows, should be treated as suspicious. This detection is utterly useless. I think Panda flags all packed/compressed executables as suspicious so this is probably just a generic packer warning.

eSafe 7.0.17.0 2009.02.26 Win32.Trojan

More information would be useful. This heuristic could be anything. It is probably another generic packed executable warning.

Sunbelt 3.2.1858.2 2009.02.28 <Corrupted Archive>

Clearly Sunbelt doesn't know how to extract Nullsoft Installer executables properly.
Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
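The grouping Brandon does by hand above (clustering vendor labels into families to spot shared engines and over-broad heuristics) can be automated when triaging a multi-engine false-positive report. The script below is an added example, not code from the thread or from the Nmap project; the label-normalisation rules and the `SCAN_RESULTS` table (re-typed from the message) are my own constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the multi-engine results quoted in the message above,
# as (product, version, signature date, detection label) tuples.
SCAN_RESULTS = [
    ("BitDefender", "7.2", "2009.03.01", "Trojan.Generic.1215885"),
    ("GData", "19", "2009.03.01", "Trojan.Generic.1215885"),
    ("K7AntiVirus", "7.10.649", "2009.02.27", "Trojan.Win32.Shutdowner.bsi"),
    ("TheHacker", "6.3.2.6.268", "2009.03.01", "Trojan/Shutdowner.awi"),
    ("VBA32", "3.12.10.1", "2009.03.01", "Trojan.Win32.Shutdowner.cog"),
    ("Panda", "10.0.0.10", "2009.03.01", "Suspicious file"),
    ("eSafe", "7.0.17.0", "2009.02.26", "Win32.Trojan"),
    ("Sunbelt", "3.2.1858.2", "2009.02.28", "<Corrupted Archive>"),
]

# Label tokens that carry no family information (assumed heuristic, not a
# vendor standard): type and platform prefixes and the word "Generic".
_NOISE = {"trojan", "win32", "generic"}


def family_of(label):
    """Reduce a vendor detection label to a family key.

    Vendors separate components with '.', '/', ':' or '-' and append a
    per-variant suffix (".bsi", ".awi", ".1215885").  Return the first token
    that is neither noise nor a variant id; bracketed labels are scanner
    errors rather than detections; all-noise labels collapse to 'generic'.
    """
    if label.startswith("<") and label.endswith(">"):
        return "scanner-error"
    for tok in re.split(r"[./:\-\s]+", label):
        t = tok.lower()
        if not t or t in _NOISE or t.isdigit():
            continue
        if len(t) <= 3 and tok.isalpha() and tok.islower():
            continue  # short lowercase run such as 'bsi' / 'cog': variant id
        return t
    return "generic"


def group_by_family(results):
    """Map family key -> sorted list of products reporting it."""
    groups = defaultdict(list)
    for product, _version, _date, label in results:
        groups[family_of(label)].append(product)
    return {key: sorted(names) for key, names in groups.items()}


def shared_families(results):
    """Families reported by two or more engines: likely a shared engine or
    one over-broad heuristic, the case worth raising with the vendors."""
    return {k for k, names in group_by_family(results).items() if len(names) > 1}
```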