SERTIFIED ANTIVIRUS SOFTWARE



  • So I opened Process Explorer, which I've configured to automatically check all running executables on VirusTotal. bmservice.exe showed up as having 0/0 virus detections, so I assumed (correctly) that the latest version wasn't uploaded to VirusTotal by anyone yet. So I did.

    As you can see, there is one antivirus software that thinks bmservice.exe is a virus, and it's Zillya. The virus it detected is Dropper.GenericCRTD.Win32.4843, so I Googled that.

    [screenshot: search result]

    Hmm, that looks like it could be some kind of VirusTotal-like website. Let's check it out.

    It's ProGet. Another Inedo product. With three virus detections out of sixty-two antivirus programs:

    Antivirus   Detection
    Avira       TR/Dropper.Gen
    Endgame     malicious (moderate confidence) pe1
    Zillya      Dropper.GenericCRTD.Win32.4843

    There's that name again. Zillya. Let's try to find their virus explanations or a contact form or something.

    Well, I found none of that, but I did find this:

    [screenshot: Zillya website]

    THEY'RE A SERTIFIED ANTIVIRUS COMPANY!!!

    Let's check out their license agreement. Maybe there's some useful information there.

    [screenshot: license agreement link]

    Note: I was not redirected. The License agreement link goes to /403

    Oh, actually there is a contact page, but the button for it has a headset, so I assumed it was some for-pay live support thing. Turns out it's just a form where you can send them a plain-text email with one attachment. And for some reason the form requires both an email address and a phone number.

    [screenshot: contact form]

    In any case, I don't actually care enough to try to get this fixed. But it looks like every single Inedo executable is detected by Zillya as Dropper.GenericCRTD.Win32.4843 and there's no explanation on what any of that means.
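The post above does its triage by hand: hash lookup first, upload only when the hash is unknown, then read the per-engine verdicts and notice that one engine stamps the same generic name on every binary from the vendor. The script below is an added example by the editor, not code from the thread, from Inedo or from VirusTotal. The scan data in it is constructed to resemble VirusTotal's per-engine results and reuses the engine names and detection strings quoted in the thread; the file names other than bmservice.exe, the VendorA..VendorD engines, the function names and the 10% threshold are assumptions of this example.

```python
"""Triage multi-engine scan results the way the post does by hand.

Added example; REPORTS is constructed sample data in the shape of a
VirusTotal report, not real scan output. Engine names VendorA..VendorD
and all file names except bmservice.exe are placeholders.
"""
import hashlib
from collections import defaultdict

TOTAL_ENGINES = 62  # engines that scanned each file; unlisted ones said "undetected"

REPORTS = {
    "bmservice.exe": {
        "Zillya": {"category": "malicious", "result": "Dropper.GenericCRTD.Win32.4843"},
    },
    "installer.exe": {
        "Avira": {"category": "malicious", "result": "TR/Dropper.Gen"},
        "Endgame": {"category": "malicious", "result": "malicious (moderate confidence)"},
        "Zillya": {"category": "malicious", "result": "Dropper.GenericCRTD.Win32.4843"},
    },
    "webcontrols.dll": {
        "Zillya": {"category": "malicious", "result": "Dropper.GenericCRTD.Win32.4843"},
    },
    "dbupdater.exe": {  # seven engines, mostly generic trojan names
        "Zillya": {"category": "malicious", "result": "Dropper.GenericCRTD.Win32.4843"},
        "Avira": {"category": "malicious", "result": "TR/Dropper.Gen"},
        "Endgame": {"category": "malicious", "result": "malicious (moderate confidence)"},
        "VendorA": {"category": "malicious", "result": "Trojan.Generic"},
        "VendorB": {"category": "malicious", "result": "Trojan.Win32.Agent"},
        "VendorC": {"category": "malicious", "result": "W32/Trojan.Heur"},
        "VendorD": {"category": "suspicious", "result": "Malware-gen"},
    },
    "other.dll": {},
}


def sha256_hex(data: bytes) -> str:
    """Hash to look up first: a hash query shares nothing, an upload hands the
    binary (and whatever it embeds) to every vendor on the platform."""
    return hashlib.sha256(data).hexdigest()


def detections(report):
    """Sorted (engine, result) pairs for engines that flagged the file."""
    return sorted((eng, v["result"]) for eng, v in report.items()
                  if v["category"] in ("malicious", "suspicious"))


def detection_ratio(report, total=TOTAL_ENGINES):
    return (len(detections(report)), total)


def shared_signatures(reports=REPORTS, min_files=2):
    """Map (engine, result) -> files carrying that exact verdict, keeping only
    verdicts repeated across files. One engine putting one generic name on
    unrelated binaries from the same vendor points at a heuristic tripping
    on shared code, not at a dropper in each file."""
    seen = defaultdict(list)
    for name, report in reports.items():
        for eng, result in detections(report):
            seen[(eng, result)].append(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_files}


GENERIC_MARKERS = ("generic", ".gen", "heur", "confidence", "-gen")


def is_generic(result: str) -> bool:
    """Heuristic/family-less names carry little information on their own."""
    r = result.lower()
    return any(m in r for m in GENERIC_MARKERS)


def triage(name, reports=REPORTS, total=TOTAL_ENGINES, max_ratio=0.1):
    """'clean' (no hits), 'likely-fp' (few hits, all generic), else 'investigate'.
    The 10% cut-off is an assumption; tune it to your own history."""
    hits = detections(reports[name])
    if not hits:
        return "clean"
    if len(hits) / total <= max_ratio and all(is_generic(r) for _, r in hits):
        return "likely-fp"
    return "investigate"


if __name__ == "__main__":
    for fname in REPORTS:
        print(fname, detection_ratio(REPORTS[fname]), triage(fname))
    for (eng, sig), files in shared_signatures().items():
        print(f"{eng} tags {len(files)} files as {sig}: {', '.join(files)}")
```

Two things the script encodes that the post only implies: the hash lookup comes before any upload, because uploading a vendor's installer publishes it to every engine on the service, and a single engine's generic name repeated across unrelated files is treated as evidence about the engine rather than about the files. A file that many engines flag (dbupdater.exe in the sample) still lands in "investigate" even when every name is generic; low single-engine ratios are not a clean bill of health either, only a reason to ask the vendor for a whitelist entry and keep the sample.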



  • @ben_lubar wtfware



  • @ben_lubar said in SERTIFIED ANTIVIRUS SOFTWARE:

    But it looks like every single Inedo executable is detected by Zillya as Dropper.GenericCRTD.Win32.4843 and there's no explanation on what any of that means.

    Some common code in Inedo software (static library?) must be tripping their heuristics.



  • @wharrgarbl ok, I looked into it more: a dropper is apparently a thing that writes another (malicious) program to disk.

    By this logic, at least one of the files contained inside the self-extracting installer must be malicious and not a dropper. Let's check:

    This file was detected by another antivirus but has no detection by Zillya:

    These two are detected by Zillya as droppers, but they're the installer (and this version of the installer doesn't download SQL Server Express, so there's no way they could be droppers if they didn't have a malicious file in the same self-extracting archive, riiiiight?)

    This one is a library for web servers that provides some ASP.NET controls and an HTTP router. There's nothing in here that could possibly be construed as downloading or writing a malicious file to disk.

    And finally, here's the database updater, which only accesses the database you tell it to, but somehow SEVEN antivirus programs think it's a trojan. Zillya considers it, you guessed it, Dropper.GenericCRTD.Win32.4843. That same string that a bunch of Inedo software gets detected as.

    None of the other files were detected by any antivirus programs. What does Zillya think it "drops", anyway?


  • Winner of the 2016 Presidential Election

    @ben_lubar said in SERTIFIED ANTIVIRUS SOFTWARE:

    What does Zillya think it "drops", anyway?

    Money, once you discover a client of yours has the grave misfortune to use their antivirus and now demands that you fix whatever is causing them to think it's a virus?


  • Garbage Person

    I can't remember which one it was, but you used to be able to name literally anything including a 0 byte file keygen.exe and some antivirus would trip a scary sounding heuristic.



  • @weng said in SERTIFIED ANTIVIRUS SOFTWARE:

    I can't remember which one it was, but you used to be able to name literally anything including a 0 byte file keygen.exe and some antivirus would trip a scary sounding heuristic.

    Including ssh-keygen.exe?


  • Garbage Person

    @ben_lubar unknown. When I routinely had keygen.exe's floating around I had never used SSH.



  • @ben_lubar anti-viruses usually have a white-list for known-good stuff. If they were not a total WTF, you should be able to get Inedo stuff white-listed.


  • Java Dev

    @wharrgarbl said in SERTIFIED ANTIVIRUS SOFTWARE:

    @ben_lubar anti-viruses usually have a white-list for known-good stuff. If they were not a total WTF, you should be able to get Inedo stuff white-listed.

    Yeah, 'Dropper' may just mean "Installs stuff and is not a known installer suite".



  • @pleegwat said in SERTIFIED ANTIVIRUS SOFTWARE:

    Dropper


  • BINNED

    @pleegwat said in SERTIFIED ANTIVIRUS SOFTWARE:

    'Dropper' may just mean

    a device to automatically raise or lower your bike saddle ...

    [image: dropper seatpost]


  • Discourse touched me in a no-no place

    @ben_lubar said in SERTIFIED ANTIVIRUS SOFTWARE:

    As you can see, there is one antivirus software that thinks bmservice.exe is a virus, and it's Zillya. The virus it detected is Dropper.GenericCRTD.Win32.4843, so I Googled that.

    Could be worse. Being identified as Ulrich.Dropper would be really worrying…

