
False Positive from enterprise level anti-viruses

Selvec - July 2, 2012 - 7:44pm

Hi Guys

Recently I installed Portableapps.exe to my pen drive which I use at work. It's very useful for my job as the apps it allows me to run don't leave any mark on the local registry or HD. However, recently IT's anti-virus marked the base .exe file as a possible threat. This is of course a false positive, however it could cause issues for anyone else using this in a business environment.

Threat detected: Suspicious Behaviour: HIPS/RemFileMod-002

I have a picture sent from IT, but can't upload at work so I'll have to do this later.

Could anyone please enlighten me as to why our anti-virus would pick up a false positive from this program?


Safe

Sophos database
Runtime behavior alerts of this type inform the user that an attempt has been made to write an autorun file to an attached removable drive. Any attempt at this behavior by an unauthorized program could indicate a malware infection.

Please note that the behavior of some legitimate product installers can sometimes resemble that of malware.

I know the Platform allows you to rename the drive. The drive name is stored in the autorun file.

GENERATION -705 - 991i: The first time you see this, copy it into your sig on any forum. Square it, and then add i to the generation.

Previously known as kAlug.
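As an added illustration (not code from this thread or from PortableApps.com), here is a small Python triage script for the situation described above: it separates a label-only autorun.inf, which is all a drive rename needs, from one carrying directives that launch a program, which is the behaviour a rule like HIPS/RemFileMod is really meant to catch. The two sample files are constructed, and the key semantics (open, shellexecute, action, shell\verb\command) are the standard Windows autorun.inf directives.

```python
import configparser

# Directives that make Windows launch a program or change AutoPlay handling.
LAUNCH_KEYS = {"open", "shellexecute", "action"}

# Constructed samples, not files taken from the thread. The first is what a
# drive-naming-only file looks like; the second is the kind worth flagging.
LABEL_ONLY = """[autorun]
label=MyPortableDrive
icon=Autorun.ico
"""
LAUNCHING = """[AutoRun]
open=setup.exe
shell\\open\\command=setup.exe /s
label=Photos
"""

def parse_autorun(text):
    """Return lower-cased key -> value pairs from every [autorun*] section.
    Windows treats keys case-insensitively, so they are normalised here."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:  # no [autorun] header, garbage, etc.
        return {}
    entries = {}
    for section in cp.sections():
        if section.lower().startswith("autorun"):
            for key, value in cp.items(section):
                entries[key] = (value or "").strip()
    return entries

def is_launch_key(key):
    """open=, shellexecute=, action= and shell\\<verb>\\command= run code."""
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))

def triage_autorun(text):
    """Classify an autorun.inf body as 'empty', 'label_only', 'other' or 'launches'."""
    entries = parse_autorun(text)
    launches = {k: v for k, v in entries.items() if is_launch_key(k) and v}
    if launches:
        verdict = "launches"
    elif entries and set(entries) <= {"label", "icon"}:
        verdict = "label_only"
    else:
        verdict = "other" if entries else "empty"
    return {"label": entries.get("label", ""), "launches": launches, "verdict": verdict}

if __name__ == "__main__":
    for name, body in (("label-only", LABEL_ONLY), ("launching", LAUNCHING)):
        print(name, triage_autorun(body))
```

A file that only sets label and icon is what the HIPS alert in this thread was reacting to; a "launches" verdict is the case that deserves a second look.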

One of the methods Anti-Virus

One of the methods Anti-Virus software utilizes in its scanning is to "dissect" executables in order to find out what "functions" it's running.

Many of our launcher executables (ex: FirefoxPortable.exe) manipulate registry entries, redirect environment variables, and many other actions required to move personal data. Overall, the intention is good, but each function looked at individually represents actions a virus would typically execute.

As even high-end Anti-Virus can't efficiently manage a large database of known viruses, they often resort to this tactic in order to help identify new ones.

That explains why our base exes come up in your scanner, but I'm afraid there isn't a very good solution other than reporting the file as a false positive and keeping your virus definitions/database up to date.

Siggys waste bandwidth... that's why I have one.

Not heuristics

Read my post above. The problem (this time) is that the Platform (= base exe) writes to the autorun file.

GENERATION -705 - 991i: The first time you see this, copy it into your sig on any forum. Square it, and then add i to the generation.

Previously known as kAlug.