Registry.dll False Positive (October 2007)
Submitted by John T. Haller on October 27, 2007 - 3:37pm
As a few people have mentioned, McAfee and AVG are currently throwing false positives on several of the portable launchers. I'd like to address a few questions:

What is registry.dll?
It's a plugin that's part of the Nullsoft Scriptable Install System (NSIS) for reading, writing, exporting and importing from the registry. It's a standard plugin included with the language and is used by any NSIS-based installer (or our launchers) that does anything with the registry. (As an aside, folks like Winamp, Mozilla, Kaspersky, Google and even AVG themselves use NSIS; here's a list.)

Why is it showing up in my temp directory?
NSIS extracts its plugins to the temp directory and runs them from there while the installer or launcher is running. It then removes them when the run is complete.

So why is it being detected as a false positive?
Most antivirus companies don't test their definition files as well as they used to. So we wind up with bad definitions being pushed out to millions of users that detect clean software as having a virus. This is most obvious when the antivirus software is detecting a "new" virus in a file that hasn't been altered since before the virus existed (though I don't think that is the case this time).

Why did my antivirus delete the file?
If it deleted it without asking you, you should switch to an antivirus product that works properly. It should ask whether you'd like to delete it, quarantine it or just deny access to it.

Why don't you want reports in the forums?
Because it just gets reported over and over and over again, which accomplishes nothing.

Why don't you have the antivirus companies fix it?
Unless you are a customer of the commercial antivirus company, there's usually nothing at all you can do about it. Nothing. Even with the free companies, they often ignore messages sent to them. The only one that responded when I sent in a false-positive report was Clam, and it took them a few days to fix it. Luckily, they hardly ever have false positives.

So what can we do?
If you're a customer of the antivirus company, contact them and let them know that their definitions are broken again. Other than that, not much. The bottom line is that this is going to keep happening and there's not much of anything we can do about it. Firefox Portable accounts for 1% of all Firefox downloads each month, so we're not talking about small apps used by a handful of users. We're talking about millions here. But the quality control at antivirus companies is slipping and that doesn't appear to be changing. So we're stuck with it the way it is. I may create a hall of shame page that lists the companies that are messing up (NSIS does this here, but only for the base product, not the included plugins).

Regards,
Contact list?
John,
Thank you for responding.
It might be a good idea if we could collect the URLs and/or email addresses the big companies use for reporting false positives.
I've tried and it's not easy.
You'd think it would be something simple like:
www.[antimalwarecompany].com/falsepositives.html
but it never is :(
Tim
"freenode, it's Not as Free as it used to be, Free as in Freedom" :-(
Hall of shame
Hall of shame sounds good! I would also like to point out that I use F-Secure (which I believe uses the same engine as Kaspersky) and it has never had any problems.
'...and do the other things, not because they are easy, but because they are hard...' JFK
Harmful?
Sorry for the newbie question, but it is something many people may want to know about. Will this false positive cause my antivirus to possibly delete programs on my thumb drive?
...But the gift of God is eternal life through Christ. Romans 6:23
So far the behavior is:
So far no one has reported that anything on the USB drive itself has been affected, just the DLL created in the temp directory.
Note that if the AV software suddenly decides that your checkbook register or contact list is really a virus, it could delete it without much warning. Not hugely likely, but a possibility nonetheless. Keeping a backup somewhere safe would be a good thing.
Otherwise, we haven't seen anything on the USB drive itself being deleted.
MC
About deleting files
It will do so only if you (or your default settings) tell it to. I use Symantec, and it gives me options to delete/quarantine/skip based on what I want. I can set this as the default or as something that I decide each time.
That's what John said in his original post, that if you can't change it, get a better AV program. Which one are you using?
Don't be an uberPr∅. They are stinky.
AV
I use my dad's computers often, which have McAfee. It works okay, but it sometimes doesn't ask if it can delete stuff. I cannot change my dad's AV around, though. :)
EDIT: One of my dad's PCs has Symantec on it.
...But the gift of God is eternal life through Christ. Romans 6:23
Re: registry.dll
-- Thanks John for the quick response on this. Very helpful.
-- I tipped this info from this thread to "Castle Cops" (http://www.castlecops.com/), author of an item on a "registry.dll" file with the same file length (17408 bytes). (NOTE: I did run across a McAfee website indication (at http://vil.nai.com/vil/content/v_99115.htm ) that there is a file "REGISTRY.DLL" (54272 bytes) that was packed with the UPX packer program and is considered a component of "W32/Leave.worm.gen" (discovered 2001.06.22).)
-- Interestingly enough, I noticed that AVG shot itself in its own foot this evening as it caught itself using the same "registry.dll" file to activate its automatic update feature. I imagine it shan't take too long for them to get this one adjusted.
lol
That happened to me as well.
Please search before posting. ~Thanks
Updated Information
As of 12:00pm USA Central Time:
from http://virusscan.jotti.org/
File: registry.dll
MD5: 1af237911f21e78a1f118b14f9da3994
Status: OK
(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
AVG Antivirus Found nothing <-----------------
Apparently Jotti does not currently use McAfee VirusScan
======================================
and from
http://www.virustotal.com/
registry.dll
MD5: 1af237911f21e78a1f118b14f9da3994
SHA1: b26a3ae43c22758a551744fdce89d8290b7e0059
AVG 7.5.0.503 2007.10.28 -[nothing] <-------------
McAfee 5150 2007.10.26 Generic StartPage.r <--------
Sunbelt 2.2.907.0 2007.10.27 Trojan-StartPage <---------
So it looks like AVG fixed the false positive with yesterday's defs :).
VirusTotal is still using the McAfee 5150 defs so I will retest on Monday after McAfee updates :(
I don't know anything about Sunbelt :(
Anybody contacted them yet?
Hopefully this will all be over with by Monday afternoon :),
until the next time :(
Tim
"freenode, it's Not as Free as it used to be, Free as in Freedom" :-(
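The main post explains why NSIS drops registry.dll into the temp directory, and the scan results above give the size and MD5/SHA-1 of the legitimate plugin (17408 bytes), while the McAfee entry quoted earlier in the thread describes a different, UPX-packed 54272-byte REGISTRY.DLL. The following Python script is an added example and is not code from PortableApps.com, NSIS or any of the commenters: it triages a flagged file by comparing its size and hashes against the known-good values quoted in this thread, and it reads the PE section table to report whether the file carries UPX section names. The KNOWN_GOOD table is filled from the thread's numbers; the build_sample_pe helper and the sample byte strings are constructed here purely so the example runs offline.

```python
"""Triage a file flagged by antivirus: known-good hash match plus UPX check.

Added example for the registry.dll false-positive thread; values in
KNOWN_GOOD are the size/MD5/SHA-1 quoted in the thread's scan results.
"""
import hashlib
import struct
import sys

# Known-good reference values from the thread (Jotti / VirusTotal output).
KNOWN_GOOD = {
    "1af237911f21e78a1f118b14f9da3994": {
        "name": "NSIS registry.dll plugin",
        "size": 17408,
        "sha1": "b26a3ae43c22758a551744fdce89d8290b7e0059",
    },
}

# Section names the UPX packer writes into a packed PE file.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def file_hashes(data: bytes):
    """Return (md5, sha1) hex digests of the file contents."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def pe_section_names(data: bytes):
    """Parse the PE section table and return the section names.

    Returns [] if the data does not look like a PE image. Layout used:
    'MZ' header, e_lfanew at 0x3C, 'PE\\0\\0', 20-byte COFF header
    (NumberOfSections at +2, SizeOfOptionalHeader at +16), then one
    40-byte section header per section with an 8-byte name field.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break  # truncated section table: stop rather than misread
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """True if any PE section carries a UPX section name."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def triage(data: bytes, known_good=KNOWN_GOOD) -> dict:
    """Compare size and both hashes against the known-good table.

    A 'known-good' verdict needs MD5, SHA-1 and size to all match; an
    'unknown' verdict only means the file is not the documented build,
    not that it is malicious.
    """
    md5, sha1 = file_hashes(data)
    result = {"size": len(data), "md5": md5, "sha1": sha1,
              "upx_packed": is_upx_packed(data)}
    ref = known_good.get(md5)
    if ref and ref["sha1"] == sha1 and ref["size"] == len(data):
        result["verdict"] = "known-good: " + ref["name"]
    else:
        result["verdict"] = "unknown: hashes do not match any known-good entry"
    return result


def build_sample_pe(section_names) -> bytes:
    """Construct a minimal, non-executable PE-shaped byte string (sample input only)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            payload = fh.read()
    else:  # no file given: run on a constructed UPX-style sample
        payload = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
    for key, value in triage(payload).items():
        print(f"{key}: {value}")
```

Run it as `python triage_dll.py path\to\registry.dll` on the copy the scanner complained about; with no argument it runs on the constructed sample. The verdict depends on all three values matching, because a single MD5 from a forum post is a weak identifier on its own, and a UPX hit is only a hint: UPX is used by plenty of legitimate software, so it separates the thread's two same-named files but is not a malware verdict by itself.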
Actually I got a warning on
Actually I got a warning on NSISPortable beta. It's one of the first 'false' positives... It was the registry DLL and I haven't actually installed it. If it's this DLL that causes a problem, I would suggest UPXing it using another compression scheme. Is it known what scheme was used to compress it?
Fixed in McAfee
Just got our network security team at work to report the false positive to McAfee.
They confirmed it is a false positive and issued a .dat file to stop the alert in McAfee.
It will be included in tonight's definition update from McAfee.
They responded within about 30 minutes, which I guess is pretty good service really!
If you want the fix right now, just save the following text in a file called "C:\Program Files\Common Files\Network Associates\Engine\EXTRA.DAT" (or wherever your install has its Engine folder).
Then reboot your PC to pick up the change.
Alternatively, wait for the overnight update!
:-)
Here's the text for the file (strip off the quotes but keep the new lines and spaces):
Confirmed works
I just restarted my system for the third time (had to play around with directories for Comcast McAfee; C:\Program Files\McAfee\VirusScan\DAT\5150.0\EXTRA.DAT works for me) and NO POPUP for registry.dll!!! Thanks to you martinmiles!!
aka Major PITA... ask me what it means, as you will be amused...
Thanks John
I actually got my first AVG false this week. Thanks for making a point about this though.
Life is about the journey not the destination!
The Kazoo Spartan
I'm still getting false positives
My work computer (which is limited in what I can modify in McAfee since we don't have admin rights) keeps giving virus messages with portable Firefox. (Actually, it's U3's version, which I assume is the same thing as portableapps.com's.) I did add the DAT file as suggested and did have my virus definitions updated (one of the few things they DO allow me to do). Generic Start Page.r is the misidentified virus.
I guess I can simply ignore them, it's just a bit disconcerting.
U3 unsupported
If you downloaded one of the 2.0 Firefox for U3 releases floating around, it's unofficial and unsupported (and it does immature undocumented things like remove PortableApps.com bookmarks from your bookmark files... nice huh?). It's based on an old version of Firefox Portable's code and has known bugs (like leaving stuff behind on each PC you run it on).
Live with purpose.
Thanks for the quick reply
I guess I should change to your portableapps Firefox instead. Is there some way I could simply swap the executable without doing a full uninstall/reinstall? -- EDIT: no, it appears I need to separately install Portable Firefox and uninstall the U3 one...