Nmap Development mailing list archives
False positives on antivirus
From: Ron <ron () skullsecurity net>
Date: Thu, 28 Jan 2010 09:57:15 -0600
Hey all,

As you know, we've had some issues with antivirus detecting my original version of nmap_service.exe and the modified version. Here are some of the solutions:

1. Encode the file in a simple way
   --> Didn't work in the simplest case, because some a/v still detects it
   --> It's possible to make it work, but as Fyodor stated it's only a matter of time before a real piece of malware uses the same obfuscation and we get hosed

2. Encrypt the file properly
   --> No reason that it wouldn't work (though I've said that before and was very wrong ;) )
   --> Dependency on OpenSSL (dependency already exists)
   --> Will take me a while to implement (I'm going to be rather busy for the next month or so)

3. Include the file separately
   --> The most obvious solution
   --> Adds some burden to the user, but it would be minimal
   --> Could run into versioning pains (though I can't see it being updated too much)

Right now, I propose we go with #3, at least for the short term. I've attached a patch that'll do exactly that (with the URL blocked out with TODO for now). It'd probably be a good idea to tweak the output a bit, but this is what it does right now:

Host script results:
| smb-psexec:
| ERROR: Couldn't find the service file: nmap_service.exe (or nmap_service)
| ERROR: Due to false positives in antivirus software, this module is no longer included by default
| ERROR: Please download it from TODO
| ERROR: And place it in: nselib/data/psexec/
|_ ERROR: Under c:\Program Files\Nmap or /usr/share/nmap.

Note that this, like all my errors, only displays if debugging() >= 1.

I didn't delete nmap_service.exe in the patch -- we'd have to do that and upload it somewhere. I could technically host it, but it'd probably be better to host it on nmap.org.

I'll work on solution #2, code name "nuke it from orbit", when I have some more time.

--
Ron Bowes
http://www.skullsecurity.org
Attachment: proposed-av-fix.patch
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- False positives on antivirus Ron (Jan 28)
- Re: False positives on antivirus Michael Pattrick (Jan 28)
- Re: False positives on antivirus Ron (Jan 28)
- Re: False positives on antivirus Fyodor (Jan 28)
- Re: False positives on antivirus Ron (Jan 29)
- Re: False positives on antivirus DePriest, Jason R. (Jan 29)
- Re: False positives on antivirus Brandon Enright (Jan 29)
- Re: False positives on antivirus Fyodor (Jan 29)
- Re: False positives on antivirus Ron (Jan 29)
- Re: False positives on antivirus Fyodor (Jan 29)
- Re: False positives on antivirus Michael Pattrick (Jan 28)
- Re: False positives on antivirus David Fifield (Feb 12)