SERTIFIED ANTIVIRUS SOFTWARE
-
So I opened Process Explorer, which I've configured to automatically check all running executables on VirusTotal. bmservice.exe showed up as having 0/0 virus detections, so I assumed (correctly) that the latest version wasn't uploaded to VirusTotal by anyone yet. So I did.
As you can see, there is one antivirus software that thinks bmservice.exe is a virus, and it's Zillya. The virus it detected is Dropper.GenericCRTD.Win32.4843, so I Googled that.
Hmm, that looks like it could be some kind of VirusTotal-like website. Let's check it out.
It's ProGet. Another Inedo product. With three virus detections out of sixty-two antivirus softwares:
Antivirus   Detection
Avira       TR/Dropper.Gen
Endgame     malicious (moderate confidence) pe1
Zillya      Dropper.GenericCRTD.Win32.4843
There's that name again. Zillya. Let's try to find their virus explanations or a contact form or something.
Well, I found none of that, but I did find this:
THEY'RE A SERTIFIED ANTIVIRUS COMPANY!!!
Let's check out their license agreement. Maybe there's some useful information there.
Note: I was not redirected. The License agreement link goes to /403
Oh, actually there is a contact page, but the button for it has a headset, so I assumed it was some for-pay live support thing. Turns out it's just a form where you can send them a plain-text email with one attachment. And for some reason the form requires both an email address and a phone number.
In any case, I don't actually care enough to try to get this fixed. But it looks like every single Inedo executable is detected by Zillya as Dropper.GenericCRTD.Win32.4843 and there's no explanation on what any of that means.
-
@ben_lubar said in SERTIFIED ANTIVIRUS SOFTWARE:
But it looks like every single Inedo executable is detected by Zillya as Dropper.GenericCRTD.Win32.4843 and there's no explanation on what any of that means.
Some common code in Inedo software (static library?) must be tripping their heuristics.
-
@wharrgarbl ok, I looked into it more: a dropper is apparently a thing that writes another (malicious) program to disk.
By this logic, at least one of the files contained inside the self-extracting installer must be malicious and not a dropper. Let's check:
This file was detected by another antivirus but has no detection by Zillya:
These two are detected by Zillya as droppers, but they're the installer (and this version of the installer doesn't download SQL Server Express, so there's no way they could be droppers if they didn't have a malicious file in the same self-extracting archive, riiiiight?)
This one is a library for web servers that provides some ASP.NET controls and a HTTP router. There's nothing in here that could possibly be construed as downloading or writing a malicious file to disk.
And finally, here's the database updater, which only accesses the database you tell it to, but somehow SEVEN antivirus programs think it's a trojan. Zillya considers it, you guessed it, Dropper.GenericCRTD.Win32.4843. That same string that a bunch of Inedo software gets detected as.
None of the other files were detected by any antivirus programs. What does Zillya think it "drops", anyway?
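The two posts above do a triage by hand: a file is uploaded to a multi-engine scanner, and the author then checks whether the single vendor that flags it also stamps the same generic name on every other file from the same product while no other engine agrees. The script below automates that reasoning. It is an added example and is not code from the thread, from Inedo, or from any scanner vendor; the input is a constructed, simplified version of a VirusTotal v3 `last_analysis_results` map (engine name to detection name), and the file names and verdicts in it are made up to mirror the thread, not real scan data.

```python
"""Triage multi-engine scan results the way the thread does by hand:
list files flagged by exactly one engine, then rank vendor signatures
that recur across files and check whether any other engine corroborates
them. Added example; the sample input below is constructed, not real."""
from collections import defaultdict
import re

# Constructed sample: five files, three engines, one clean file.
SAMPLE_REPORTS = {
    "bmservice.exe": {"Zillya": "Dropper.GenericCRTD.Win32.4843"},
    "installer.exe": {
        "Avira": "TR/Dropper.Gen",
        "Endgame": "malicious (moderate confidence)",
        "Zillya": "Dropper.GenericCRTD.Win32.4843",
    },
    "weblib.dll": {"Zillya": "Dropper.GenericCRTD.Win32.4843"},
    "dbupdater.exe": {
        "Endgame": "malicious (moderate confidence)",
        "Zillya": "Dropper.GenericCRTD.Win32.4843",
    },
    "clean.dll": {},
}

# Words that mark a heuristic or generic family name rather than a
# detection of one specific known sample (assumed word list).
GENERIC_RE = re.compile(r"generic|\bgen\b|heur|suspicious|moderate confidence", re.I)


def is_generic_name(name):
    """True when the detection name looks heuristic or generic."""
    return bool(GENERIC_RE.search(name))


def single_engine_files(reports):
    """Files flagged by exactly one engine: the weakest kind of hit."""
    return sorted(f for f, res in reports.items() if len(res) == 1)


def suspect_vendor_signatures(reports, min_files=2):
    """Rank (engine, name) pairs that recur across at least `min_files`
    files. `corroborated` counts how many of those files any *other*
    engine also flags; a recurring generic name with low corroboration
    is the pattern a false-positive report to the vendor is made of."""
    hits = defaultdict(set)
    for fname, results in reports.items():
        for engine, name in results.items():
            hits[(engine, name)].add(fname)
    ranked = []
    for (engine, name), files in hits.items():
        if len(files) < min_files:
            continue
        corroborated = sum(1 for f in files if any(e != engine for e in reports[f]))
        ranked.append({
            "engine": engine,
            "name": name,
            "files": sorted(files),
            "corroborated": corroborated,
            "generic_name": is_generic_name(name),
        })
    # Most widespread first; among equals, least corroborated first.
    ranked.sort(key=lambda r: (-len(r["files"]), r["corroborated"]))
    return ranked


def verdict(entry, total_files):
    """One-line human-readable verdict for one ranked entry."""
    uncorroborated = len(entry["files"]) - entry["corroborated"]
    if entry["generic_name"] and uncorroborated > 0:
        return (f"{entry['engine']} '{entry['name']}': generic name on "
                f"{len(entry['files'])}/{total_files} files, "
                f"{uncorroborated} with no second opinion -> likely vendor FP")
    return (f"{entry['engine']} '{entry['name']}': corroborated on "
            f"{entry['corroborated']}/{len(entry['files'])} files")


if __name__ == "__main__":
    print("single-engine hits:", single_engine_files(SAMPLE_REPORTS))
    for entry in suspect_vendor_signatures(SAMPLE_REPORTS):
        print(verdict(entry, len(SAMPLE_REPORTS)))
```

On the constructed sample this ranks the Zillya signature first (four of five files, only two of them also hit by anyone else) and marks it a likely vendor-side false positive, while the Endgame hits are both on files another engine also flags and so get no such label. Swapping `SAMPLE_REPORTS` for the `last_analysis_results` maps of a real set of scan reports is the only change needed to run it on actual data.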
-
@ben_lubar said in SERTIFIED ANTIVIRUS SOFTWARE:
What does Zillya think it "drops", anyway?
Money, once you discover a client of yours has the grave misfortune to use their antivirus and now demands that you fix whatever is causing them to think it's a virus?
-
I can't remember which one it was, but you used to be able to name literally anything including a 0 byte file keygen.exe and some antivirus would trip a scary sounding heuristic.
-
@weng said in SERTIFIED ANTIVIRUS SOFTWARE:
I can't remember which one it was, but you used to be able to name literally anything including a 0 byte file keygen.exe and some antivirus would trip a scary sounding heuristic.
Including ssh-keygen.exe?
-
@ben_lubar unknown. When I routinely had keygen.exe's floating around I had never used SSH.
-
@ben_lubar anti-viruses usually have a white-list for known-good stuff. If they were not a total WTF you should be able to get Inedo stuff white-listed.
-
@wharrgarbl said in SERTIFIED ANTIVIRUS SOFTWARE:
@ben_lubar anti-viruses usually have a white-list for known-good stuff. If they were not a total WTF you should be able to get Inedo stuff white-listed.
Yeah, 'Dropper' may just mean "Installs stuff and is not a known installer suite".
-
@pleegwat said in SERTIFIED ANTIVIRUS SOFTWARE:
'Dropper' may just mean
a device to automatically raise or lower your bike saddle ...
-
@ben_lubar said in SERTIFIED ANTIVIRUS SOFTWARE:
As you can see, there is one antivirus software that thinks bmservice.exe is a virus, and it's Zillya. The virus it detected is Dropper.GenericCRTD.Win32.4843, so I Googled that.
Could be worse. Being identified as Ulrich.Dropper would be really worrying…