Nmap Development mailing list archives

False positives on antivirus


From: Ron <ron () skullsecurity net>
Date: Thu, 28 Jan 2010 09:57:15 -0600

Hey all,

As you know, we've had some issues with antivirus detecting my original version of nmap_service.exe and the modified 
version. Here are some of the solutions:

1. Encode the file in a simple way
--> Didn't work in the simplest case, because some a/v still detects it
--> It's possible to make it work, but as Fyodor stated it's only a matter of time before a real piece of malware uses 
the same obfuscation and we get hosed

2. Encrypt the file properly
--> No reason that it wouldn't work (though I've said that before and was very wrong ;) )
--> Dependency on OpenSSL (dependency already exists)
--> Will take me awhile to implement (I'm going to be rather busy for the next month or so)

3. Include the file separately
--> The most obvious solution
--> Adds some burden to the user, but it would be minimal
--> Could run into versioning pains (though I can't see it being updated too much)

Right now, I propose we go with #3, at least for the short term. I've attached a patch that'll do exactly that (with 
the URL blocked out with TODO for now). It'd probably be a good idea to tweak the output a bit, but this is what it 
does right now:

Host script results:
| smb-psexec:  
|   ERROR: Couldn't find the service file: nmap_service.exe (or nmap_service)
|   ERROR: Due to false positives in antivirus software, this module is no longer included by default
|   ERROR: Please download it from TODO
|   ERROR: And place it in: nselib/data/psexec/
|_  ERROR: Under c:\Program Files\Nmap or /usr/share/nmap.

Note that this, like all my errors, only displays if debugging() >= 1. 

I didn't delete nmap_service.exe in the patch -- we'd have to do that and upload it somewhere. I could technically host 
it, but it'd probably be better to host it on nmap.org. 

I'll work on solution #2, code name "nuke it from orbit" when I have some more time. 

-- 
Ron Bowes
http://www.skullsecurity.org

Attachment: proposed-av-fix.patch
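The "include the file separately" approach (#3) comes down to a lookup-and-fail-clearly step: search the known data directories for the helper binary and, if it is absent, tell the user where to get it and where to put it, with the message gated on the debug level. The following is an added Python model of that step (it is not the patch itself and not Nmap code; the NSE script would do this in Lua). It keeps the page's names (nmap_service.exe / nmap_service, nselib/data/psexec/, the TODO URL) and adds one assumption the patch does not contain: an optional SHA-256 of the expected release, so the "versioning pains" noted above surface as a reported mismatch rather than a silent wrong binary.

```python
"""Locating an externally distributed helper binary (model of option 3)."""
import hashlib
import os
import tempfile

SERVICE_NAMES = ("nmap_service.exe", "nmap_service")
DATA_SUBDIR = os.path.join("nselib", "data", "psexec")
DOWNLOAD_URL = "TODO"  # kept as in the patch description above


def find_service_file(roots):
    """Return the first existing service file under any install root, else None."""
    for root in roots:
        for name in SERVICE_NAMES:
            candidate = os.path.join(root, DATA_SUBDIR, name)
            if os.path.isfile(candidate):
                return candidate
    return None


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_service_file(roots, expected_sha256=None):
    """Return (path, errors); errors is empty on success.

    expected_sha256 is an assumption added here (not in the patch): pinning the
    release hash turns a stale or tampered download into an explicit error.
    """
    path = find_service_file(roots)
    if path is None:
        return None, [
            "Couldn't find the service file: %s (or %s)" % SERVICE_NAMES,
            "Due to false positives in antivirus software, this module is no longer included by default",
            "Please download it from %s" % DOWNLOAD_URL,
            "And place it in: %s" % DATA_SUBDIR,
            "Under one of: %s" % ", ".join(roots),
        ]
    if expected_sha256 is not None and sha256_of(path) != expected_sha256:
        return None, ["Service file %s does not match the expected version (hash mismatch)" % path]
    return path, []


def format_errors(errors, debug_level):
    """Mimic the script's behaviour: errors are only printed when debugging() >= 1."""
    if debug_level < 1 or not errors:
        return ""
    return "\n".join("ERROR: " + line for line in errors)


def demo():
    """Constructed scenario: an empty install root, then one with a dummy file dropped in."""
    with tempfile.TemporaryDirectory() as root:
        _, missing = check_service_file([root])
        target = os.path.join(root, DATA_SUBDIR)
        os.makedirs(target)
        dummy = os.path.join(target, "nmap_service.exe")
        with open(dummy, "wb") as handle:
            handle.write(b"MZ dummy placeholder, not a real service binary")
        found, ok_errors = check_service_file([root], sha256_of(dummy))
        _, mismatch = check_service_file([root], "0" * 64)
    return {
        "missing_count": len(missing),
        "found": found is not None,
        "ok": ok_errors == [],
        "hash_mismatch": len(mismatch) == 1,
        "silent_at_debug0": format_errors(missing, 0) == "",
        "shown_at_debug1": format_errors(missing, 1).startswith("ERROR: Couldn't find"),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three outcomes (missing file, correct file, wrong version). In the real script the candidate roots would be the install prefixes named in the output above (c:\Program Files\Nmap, /usr/share/nmap), and NSE's own file lookup would replace the manual directory walk.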

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
