Nmap Development mailing list archives

Re: Nmap 4.76 detected as a Trojan by BitDefender 2009


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 2 Mar 2009 22:42:58 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 2 Mar 2009 13:10:24 -0800
Fyodor <fyodor () insecure org> wrote:

> On Sun, Mar 01, 2009 at 07:20:12PM +0000, Brandon Enright wrote:
> > I just sent the whole installer to VirusTotal and the results are a
> > little less encouraging:
> >
> > https://www.virustotal.com/analisis/9819a7c66664730b9911bbadd7d50f77
> >
> > 8 of the 39 products flag the installer with some heuristic.
>
> Good find.  Interestingly, the newer nmap-4.85BETA3-setup.exe only has
> 1/37 flags (and that is the "corrupted archive" by Sunbelt):
>
> http://www.virustotal.com/analisis/a9be2056e8d94963c4e9e8858b4c1678
>
> In case this was due to signature updates since yesterday rather than
> the different file, I ran it again against nmap-4.76-setup.exe:
>
> http://www.virustotal.com/analisis/f62ab34ac2cd64d2ca49789fa843d72b
>
> This time it shows 6/34 as flagged.  So the 4.85BETA installer really
> does seem to be treated as more clean, for some reason.
>
> Cheers,
> -F

You're right that the new installer isn't triggering the same
heuristics.  I don't know why.  I'll send a note to a few private lists
that these AV companies have researchers on, asking about this.

On a semi-related note, Alex Eckelberry has an excellent blog post today
about the AV industry and its use of heuristics:

http://sunbeltblog.blogspot.com/2009/03/heuristics-are-dead.html

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

