Differences between revisions 10 and 12 (spanning 2 versions)
Revision 10 as of 2015-01-25 13:58:40
Size: 1740
Comment: Discussion subpage should be used for discussion on page content (AFAIK) not for additional info.
Revision 12 as of 2021-09-01 03:15:33
Size: 1743
Editor: PaulWise
Comment: cleanup
Line 3: Line 3:
It is common for virus scanners to report false positives with win32-loader.exe because it uses the [[http://nsis.sourceforge.net/Builtin_NSISdl_plug-in|NSISdl plugin]] from [[DebianPackage:nsis|NSIS]] which is often also used by malware writers. Incompetent anti-virus authors mistake NSISdl for being part of the malware and then report it as being the virus instead of the other parts of the malware. Below are some examples of the resulting false positives. It is common for virus scanners to report false positives with win32-loader.exe because it uses the [[https://nsis.sourceforge.io/Builtin_NSISdl_plug-in|NSISdl plugin]] from [[DebianPackage:nsis|NSIS]] which is often also used by malware writers. Incompetent anti-virus authors mistake NSISdl for being part of the malware and then report it as being the virus instead of the other parts of the malware. Below are some examples of the resulting false positives.
Line 8: Line 8:
Symantec antivirus considered win32-loader.exe infected with Trojan.ADH.SMH, Symantec antivirus considered win32-loader.exe infected with Trojan.ADH.SMH:
Line 10: Line 11:
http://http.debian.net/debian/tools/win32-loader/stable/win32-loader.exe https://deb.debian.org/debian/tools/win32-loader/stable/win32-loader.exe
Line 26: Line 27:
 * My online scan of the file showed 4 scanners detecting a security issue in the file  * My online scan of the file showed 4 scanners detecting a security issue in the file:
Line 42: Line 44:
A unetbootin project worked on Windows 7. A unetbootin project worked on Windows 7:
Line 44: Line 46:
http://unetbootin.sourceforge.net/ https://launchpad.net/unetbootin
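Review bot: the Line 10 / Line 11 hunk moves the win32-loader.exe download link from http://http.debian.net/... to https://deb.debian.org/..., and the Line 3 hunk moves the NSISdl plugin link to https as well; both are the right change, since an installer fetched over plain http can be altered in transit before any anti-virus verdict is even formed, so the page should not go back to http mirrors in later edits. The Line 44 / Line 46 hunk swaps the unetbootin link from sourceforge.net to launchpad.net with only "cleanup" as the comment; a word in the page text saying the project page moved would save future editors from re-checking which host is current.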

It is common for virus scanners to report false positives with win32-loader.exe because it uses the NSISdl plugin from NSIS which is often also used by malware writers. Incompetent anti-virus authors mistake NSISdl for being part of the malware and then report it as being the virus instead of the other parts of the malware. Below are some examples of the resulting false positives.

Suspected virus in win32-loader.exe

Symantec antivirus considered win32-loader.exe infected with Trojan.ADH.SMH:

https://deb.debian.org/debian/tools/win32-loader/stable/win32-loader.exe


Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.ADH.SMH
File: C:\Users\XXX\Downloads\win32-loader.exe
Location: Unknown Storage
Computer: YYY
User: XXX
Action taken: Cleaned by Deletion
Date found: Wednesday, January 14, 2015  12:31:00 PM

-- ?ilgiz 2015-01-14 21:30:33

  • My online scan of the file showed 4 scanners detecting a security issue in the file:

Scanner          Scan time  Signature date                        Detection
McAfee-Gateway   906 ms     Aug 15 2014 (More than 21 weeks ago)  Artemis!37A1016D0D97
DrWebGateway     2501 ms    Aug 15 2014 (More than 21 weeks ago)  Tool.Vpatch.2
Symantec         2859 ms    Aug 14 2014 (More than 21 weeks ago)  Trojan.ADH.SMH
Norman           1172 ms    Aug 14 2014 (More than 21 weeks ago)  winpe/Suspicious_Gen4.GUKNW
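As an added example (not part of this wiki page or of win32-loader itself), the Python below parses scanner summary lines in the format shown above and scores how much a set of verdicts looks like a shared-component false positive: mostly heuristic or reputation-style names and definitions that are weeks old. The substrings treated as heuristic markers (Artemis!, ADH, Suspicious, Gen) are an assumption about vendor naming, and the as-of date 2015-01-14 is taken from the page.

```python
import re
from datetime import date, datetime

# Constructed copy of the four scanner result lines quoted above (not live output).
SCAN_LINES = """\
McAfee-Gateway  906 ms  Aug 15 2014 (More than 21 weeks ago)    Artemis!37A1016D0D97
DrWebGateway    2501 ms Aug 15 2014 (More than 21 weeks ago)    Tool.Vpatch.2
Symantec        2859 ms Aug 14 2014 (More than 21 weeks ago)    Trojan.ADH.SMH
Norman  1172 ms Aug 14 2014 (More than 21 weeks ago)    winpe/Suspicious_Gen4.GUKNW
"""

# engine, scan time in ms, signature date, optional "(... ago)" note, verdict name
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<ms>\d+)\s*ms\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})"
    r"\s*(?:\([^)]*\))?\s+(?P<name>\S+)$"
)
# Assumption: these substrings mark heuristic or cloud-reputation verdicts
# (McAfee "Artemis!", Symantec "ADH", "Suspicious", "Gen...") rather than a named sample.
GENERIC_RE = re.compile(r"Artemis!|\.ADH\.|Suspicious|Gen\d*(?=[._:/-]|$)|Heur|Generic")

def parse_scan_lines(text: str) -> list[dict]:
    """Turn scanner summary lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "engine": m["engine"],
            "scan_ms": int(m["ms"]),
            "sig_date": datetime.strptime(m["date"], "%b %d %Y").date(),
            "name": m["name"],
            "generic": bool(GENERIC_RE.search(m["name"])),
        })
    return records

def triage(records: list[dict], as_of: str) -> dict:
    """Score how much the verdicts look like a shared-component false positive:
    mostly heuristic names plus definitions that are weeks old (as_of: YYYY-MM-DD)."""
    generic = sum(r["generic"] for r in records)
    ages = [(date.fromisoformat(as_of) - r["sig_date"]).days for r in records]
    return {
        "engines_flagging": len(records),
        "generic_verdicts": generic,
        "max_sig_age_days": max(ages, default=0),
        "fp_candidate": bool(records) and generic * 2 >= len(records),
    }

if __name__ == "__main__":
    print(triage(parse_scan_lines(SCAN_LINES), "2015-01-14"))
```

A high fp_candidate score is a prompt to check the file by an independent route (the publisher's download page, its published checksums) rather than a verdict of its own.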

Windows 7

A unetbootin project worked on Windows 7:

https://launchpad.net/unetbootin

-- ?ilgiz