Nmap Development mailing list archives

Re: Nmap 4.76 detected as a Trojan by BitDefender 2009


From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Mon, 2 Mar 2009 15:45:50 -0000 (UTC)

Off the top of my head, it could be flagging it for a couple of
malicious-looking reasons:

 - The Nmap installer will stop/start the "npf" service (and create it).

 - The WinPcap installer (within the Nmap installer) uses a couple of
Win32 API calls (Wow64EnableWow64FsRedirection) on x64 versions of
Windows in order to stick a 64-bit file in the right place (and
delete it in the uninstaller).

However, these shouldn't have changed between versions.

I suspect the NSIS based installer has the generic ability to restart the
computer, but I don't remember seeing anything in the NSIS file used to
create our installer that ever causes a restart. The installers can also
be run silently, but that also hasn't changed between versions.

Nmap 4.76 doesn't contain Ncat, but 4.83BETA does; I would have expected
to see the heuristics spot Ncat (which could be used to listen for a
connection, but can't execute a command yet) and flag the newer installer
as evil instead.

Aren't heuristics great? :)

Rob
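The two installer behaviours listed above (a driver service being created, stopped and started, and a 32-bit installer switching off WOW64 file-system redirection to drop a 64-bit file into the real System32) are exactly the sort of thing a heuristic engine scores. The script below is an added example for this archive page, not code from the Nmap or WinPcap installers: it inspects the npf service and then reproduces the redirection dance from 32-bit PowerShell using the Wow64DisableWow64FsRedirection/Wow64RevertWow64FsRedirection pair that Microsoft recommends in place of the older Wow64EnableWow64FsRedirection call named in the mail. The file name example64.dll, the $Source parameter and the $KeepFile switch are assumptions for the demonstration; running it requires a 64-bit Windows host and administrative rights for the copy into System32.

```powershell
# Added example, not from the original mail or from the Nmap/WinPcap installers.
# Part 1: look at the service the installer manipulates (WinPcap's "npf").
# Part 2: from a 32-bit process on x64 Windows, copy a file into the real
#         64-bit System32 with WOW64 file-system redirection disabled, then
#         verify where it landed and optionally remove it again (uninstaller case).
param(
    [string]$Source     = "$PSScriptRoot\example64.dll",  # hypothetical 64-bit payload file
    [string]$TargetName = "example64.dll",                # hypothetical target name
    [switch]$KeepFile                                     # leave the copy in place
)

# --- Part 1: the npf service -------------------------------------------------
$npf = Get-Service -Name npf -ErrorAction SilentlyContinue
if ($null -eq $npf) {
    Write-Host "npf service not present (WinPcap not installed)."
} else {
    Write-Host ("npf service: Status={0} StartType={1}" -f $npf.Status, $npf.StartType)
}

# --- Part 2: WOW64 file-system redirection -----------------------------------
# Without this, a 32-bit process writing to C:\Windows\System32 is silently
# redirected to C:\Windows\SysWOW64, so a 64-bit driver/DLL ends up in the
# wrong directory.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Wow64 {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
}
'@

$target = Join-Path (Join-Path $env:windir 'System32') $TargetName

if (-not (Test-Path $Source)) {
    throw "Source file '$Source' not found (it is a placeholder; supply your own)."
}

if ([Environment]::Is64BitProcess -or -not [Environment]::Is64BitOperatingSystem) {
    # No redirection in effect: a plain copy already reaches the right directory.
    Write-Host "No WOW64 redirection in effect; copying directly."
    Copy-Item -Path $Source -Destination $target
} else {
    $old = [IntPtr]::Zero
    if (-not [Wow64]::Wow64DisableWow64FsRedirection([ref]$old)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "Wow64DisableWow64FsRedirection failed with Win32 error $err"
    }
    try {
        # Redirection is off for this thread only, so the copy must happen here,
        # before anything else runs on the thread.
        Copy-Item -Path $Source -Destination $target
    } finally {
        # Always revert; leaving redirection off breaks later path lookups
        # (including loading 32-bit system DLLs) on this thread.
        [void][Wow64]::Wow64RevertWow64FsRedirection($old)
    }
}

# Sanity check: from a 32-bit process the Sysnative alias always reaches the
# real 64-bit System32, and SysWOW64 is where a redirected write would land.
$native = Join-Path $env:windir "Sysnative\$TargetName"
$wow64  = Join-Path $env:windir "SysWOW64\$TargetName"
Write-Host ("Real 64-bit System32 has file: {0}" -f (Test-Path $native))
Write-Host ("SysWOW64 has file:             {0}" -f (Test-Path $wow64))

# Uninstaller case: removing the file needs the same treatment, otherwise the
# delete is redirected too and the 64-bit copy survives.
if (-not $KeepFile -and (Test-Path $native)) {
    Remove-Item -Path $native -Force
    Write-Host "Removed $native"
}
```

Two caveats worth keeping in mind when reading an installer that does this: the redirection state is per thread, so any work scheduled onto another thread between the Disable and Revert calls still sees the redirected view, and a Revert that never runs (an exception path, for instance) leaves the thread unable to find 32-bit system DLLs. Both behaviours are also precisely what an AV heuristic keys on, which is why a perfectly ordinary driver installer can end up looking like a Trojan dropper.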



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

