Differences between revisions 11 and 12
Revision 11 as of 2015-02-23 20:57:15
Size: 1948
Editor: ?ilgiz
Comment: avoid sourceforge windows executables in case authors change to a closed source malware installer http://blog.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/
Revision 12 as of 2021-09-01 03:15:33
Size: 1743
Editor: PaulWise
Comment: cleanup
Line 3: Line 3:
It is common for virus scanners to report false positives with win32-loader.exe because it uses the [[http://nsis.sourceforge.net/Builtin_NSISdl_plug-in|NSISdl plugin]] from [[DebianPackage:nsis|NSIS]] which is often also used by malware writers. Incompetent anti-virus authors mistake NSISdl for being part of the malware and then report it as being the virus instead of the other parts of the malware. Below are some examples of the resulting false positives. It is common for virus scanners to report false positives with win32-loader.exe because it uses the [[https://nsis.sourceforge.io/Builtin_NSISdl_plug-in|NSISdl plugin]] from [[DebianPackage:nsis|NSIS]] which is often also used by malware writers. Incompetent anti-virus authors mistake NSISdl for being part of the malware and then report it as being the virus instead of the other parts of the malware. Below are some examples of the resulting false positives.
Line 8: Line 8:
Symantec antivirus considered win32-loader.exe infected with Trojan.ADH.SMH, Symantec antivirus considered win32-loader.exe infected with Trojan.ADH.SMH:
Line 10: Line 11:
http://http.debian.net/debian/tools/win32-loader/stable/win32-loader.exe https://deb.debian.org/debian/tools/win32-loader/stable/win32-loader.exe
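Review bot: the switch from a plain-HTTP http.debian.net link to https://deb.debian.org is the right call for a page whose whole subject is whether an .exe can be trusted, but the download is still offered with nothing to check it against beyond a scanner's verdict; consider linking a checksum or signature next to the download so a reader hit by one of the false positives listed below has an independent way to confirm the file.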
Line 26: Line 27:
 * My online scan of the file showed 4 scanners detecting a security issue in the file  * My online scan of the file showed 4 scanners detecting a security issue in the file:
Line 42: Line 44:
A unetbootin project worked on Windows 7,
{{{#!wiki comment/dashed
Avoid sourceforge windows executables in case authors change to a closed source malware installer http://blog.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/
}}}
A unetbootin project worked on Windows 7:
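Review bot: removing the dashed wiki comment drops the only recorded reason for not linking SourceForge-hosted Windows executables (revision 11's own comment about the risk of a closed-source installer); if that caution still applies, keep a one-line note, since the launchpad.net link on the rendered page gives no hint why that host was chosen.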

It is common for virus scanners to report false positives with win32-loader.exe because it uses the NSISdl plugin from NSIS which is often also used by malware writers. Incompetent anti-virus authors mistake NSISdl for being part of the malware and then report it as being the virus instead of the other parts of the malware. Below are some examples of the resulting false positives.
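The mechanism described above, as an added example that is not part of the original wiki page or of win32-loader itself: a toy signature evaluation in Python. The byte strings, sample names, rule functions and ground-truth labels are all constructed stand-ins (no real NSIS or malware bytes), chosen only to show that a rule keyed on a shared download plugin flags the benign installer alongside the malicious one, while a rule keyed on the malicious part itself does not.

```python
from dataclasses import dataclass

# Constructed stand-ins: these bytes are NOT real NSIS plugin or malware
# content. They only model "a component shared by benign and malicious
# installers" versus "the part that is actually malicious".
SHARED_COMPONENT = b"<shared-download-plugin>"   # plays the role of NSISdl
MALICIOUS_PART = b"<constructed-bad-payload>"    # plays the role of the real malware


@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes
    malicious: bool   # ground truth, known here only because we built the samples


# Constructed corpus: two installers built on the same plugin, one benign
# (standing in for win32-loader.exe) and one carrying a payload, plus an
# unrelated program that does not embed the plugin at all.
CORPUS = (
    Sample("win32-loader.exe",
           b"installer-stub" + SHARED_COMPONENT + b"fetch-debian-installer", False),
    Sample("trojanised-setup.exe",
           b"installer-stub" + SHARED_COMPONENT + MALICIOUS_PART, True),
    Sample("unrelated.exe", b"plain-program-without-the-plugin", False),
)


def component_rule(data: bytes) -> bool:
    """Signature keyed on the shared component: fires on anything built with it."""
    return SHARED_COMPONENT in data


def payload_rule(data: bytes) -> bool:
    """Signature keyed on the malicious part, ignoring the shared component."""
    return MALICIOUS_PART in data


def evaluate(rule, corpus=CORPUS) -> dict:
    """Run a rule over the corpus and split its verdicts into true positives,
    false positives and misses using the corpus's ground-truth labels."""
    result = {"true_positives": [], "false_positives": [], "missed": []}
    for sample in corpus:
        flagged = rule(sample.data)
        if flagged and sample.malicious:
            result["true_positives"].append(sample.name)
        elif flagged and not sample.malicious:
            result["false_positives"].append(sample.name)
        elif not flagged and sample.malicious:
            result["missed"].append(sample.name)
    return result


if __name__ == "__main__":
    for label, rule in (("component rule", component_rule), ("payload rule", payload_rule)):
        print(label, evaluate(rule))
```

Running it prints both rules' verdicts: the component rule catches the trojanised sample but also reports win32-loader.exe as a false positive, exactly the pattern in the scanner reports below, while the payload rule catches the same malicious sample with no false positive. The lesson for anyone writing detections is to key on what is unique to the malicious sample rather than on a library component that legitimate software ships too.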

Suspected virus in win32-loader.exe

Symantec antivirus considered win32-loader.exe infected with Trojan.ADH.SMH:

https://deb.debian.org/debian/tools/win32-loader/stable/win32-loader.exe


Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.ADH.SMH
File: C:\Users\XXX\Downloads\win32-loader.exe
Location: Unknown Storage
Computer: YYY
User: XXX
Action taken: Cleaned by Deletion
Date found: Wednesday, January 14, 2015  12:31:00 PM

-- ?ilgiz 2015-01-14 21:30:33

  • My online scan of the file showed 4 scanners detecting a security issue in the file:

  Engine          Scan time  Date                                  Detection name
  McAfee-Gateway   906 ms    Aug 15 2014 (More than 21 weeks ago)  Artemis!37A1016D0D97
  DrWebGateway    2501 ms    Aug 15 2014 (More than 21 weeks ago)  Tool.Vpatch.2
  Symantec        2859 ms    Aug 14 2014 (More than 21 weeks ago)  Trojan.ADH.SMH
  Norman          1172 ms    Aug 14 2014 (More than 21 weeks ago)  winpe/Suspicious_Gen4.GUKNW

Windows 7

A unetbootin project worked on Windows 7:

https://launchpad.net/unetbootin

-- ?ilgiz