You are here

!! Libreoffice 3.3.3 Download Virus TR/Kazy.21485.7 found from Avira

15 posts / 0 new
Last post
Hollihome
Offline
Last seen: 13 years 4 months ago
Joined: 2011-07-11 04:53
!! Libreoffice 3.3.3 Download Virus TR/Kazy.21485.7 found from Avira

I started this morning
Manage Apps -- Check for updates
I have got LibreOffice 3.3.3 and via downloading my virus scanner stoped the action and gives the following Virus error:

TR/Kazy.21485.7

Whats up?

is PortableApps hacked?

Chris Morgan
Chris Morgan's picture
Offline
Last seen: 9 years 5 months ago
Joined: 2007-04-15 21:08
False positive

That will be a false positive. Take a look at https://portableapps.com/support#false_positive for more information and what you can do about it.

I am a Christian and a developer and moderator here.

“A soft answer turns away wrath, but a harsh word stirs up anger.” – Proverbs 15:1

PatPend
Offline
Last seen: 13 years 1 week ago
Joined: 2011-11-18 07:10
Not a false positive

It's not a false positive. I downloaded LibO_3.4.4_Win_x86_install_multi.exe from the LibreOffice site. Running this installer caused a browser hijack to be installed. This hijack caused search result links to be redirected to get-answers-fast.com. It's apparently a clickthrough scam. TrendMicro detected the exploit but could not remove it. ComboFix got rid of it. Beware.

Chris Morgan
Chris Morgan's picture
Offline
Last seen: 9 years 5 months ago
Joined: 2007-04-15 21:08
But that's not this

That's nothing to do with what was reported here. And it's nothing to do with PortableApps.com.

I am a Christian and a developer and moderator here.

“A soft answer turns away wrath, but a harsh word stirs up anger.” – Proverbs 15:1

John T. Haller
John T. Haller's picture
Offline
Last seen: 7 hours 58 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Not Us

The download you are referring to is the LibreOffice installer (not LibreOffice Portable). We have nothing to do with the LibreOffice installer.

Additionally, I find it exceedingly unlikely that LibreOffice would have anything bad in it and far more likely that TrendMicro detected a browser hijack installer in some other product, not in LibreOffice. TrendMicro often has issues. If LibreOffice itself had a browser hijack in it, EVERYONE would be screaming about it as it's used by millions.

Sometimes, the impossible can become possible, if you're awesome!

PatPend
Offline
Last seen: 13 years 1 week ago
Joined: 2011-11-18 07:10
No offense or accusation

No offense or accusation intended - just reporting my experience. Chill.

tapsklaps
Offline
Last seen: 6 years 1 month ago
Developer
Joined: 2010-10-17 08:11
Check the virus message

In addition to the website Virustotal Avira also provides an Upload page of the virus lab. Do you suspect that Avira mistakenly identify a clean file as malware, you can choose the entry "Verdacht auf Fehlalarm" of the pull-down menu.

As can be expected in the present case with very high probability of a false alarm, there is the possibility of preventing the display of such false alarms. As described below, this can be set via the configuration of your Avira antivirus program:

  1. Double-click the Avira icon in the systray bottom right
  2. Click on the link "Konfiguration" above right
  3. Activation of the "Expertenmodus" at the top left via the corresponding checkbox
  4. Click the plus sign in front of "Scanner"
  5. Click the plus sign in front of "Suche"
  6. Click on "Ausnahmen"
  7. Click on the button "..."
  8. Selecting the folder "LibreOfficePortable" and click on the button "Hinzufügen"
  9. Click the plus sign in front of "Guard"
  10. Click the plus sign in front of "Suche"
  11. Click on "Ausnahmen"
  12. Click on the button "..." in the section "Vom Guard auszulassende Dateiobjekte"
  13. Selecting the folder "LibreOfficePortable" and click on the button "Hinzufügen"

With the measures described under No. 1 -13 are now no files in the folder "LibreOfficePortable" ckecked for viruses.

Tipps
Offline
Last seen: 13 years 4 months ago
Joined: 2011-07-11 08:38
I have also a problem with

I have also a problem with the installation !!! On my system is the G Data Internet Security2012 running.

Virus: Gen:Variant.Kazy.21485 (Engine A)
Datei: regmerge.exe
Prozess: LibreOfficePortable_3.3.3_MultilingualNormal.paf.exe

tapsklaps
Offline
Last seen: 6 years 1 month ago
Developer
Joined: 2010-10-17 08:11
superficial analysis

Unfortunately, the mode of operation of some antivirus programs is very superficial. In particular, erroneously interpreted some portable programs from this website because their file structure (these are NSIS-based programs) as a virus.

Similarly, many programs made ​​by NirSoft be interpreted as a virus, although these utilities are all clean. The reason for the classification of such tools as a virus or trojan is the fact, that it can be used by bad guys, even when most users need it and use it for good purposes. For more information about this topic I recommend that you read the article Antivirus companies cause a big headache to small developers by NirSoft.

munged
Offline
Last seen: 3 years 9 months ago
Joined: 2011-07-12 17:09
Also McAfee Detects Possible Trojan?

Artemis ("enhanced heuristic detection component") flagged both regview.exe and regmerge.exe. I've submitted the report to McAfee for analysis, along with a pointer to portableapps.com. If I get a response, I'll post it here.

Mark

munged
Offline
Last seen: 3 years 9 months ago
Joined: 2011-07-12 17:09
No Response from McAfee

No response from McAfee. Installed 3.4.1 without any complaints.

eltonbrad
Offline
Last seen: 11 years 3 months ago
Joined: 2007-09-21 03:41
Norton Internet Security 2011 Found Threats

I installed the new 2.0 preview yesterday and when I used the Manage Apps -> Get More Apps to download and install apps, when it came up to LibreOffice, Norton Internet Security came up with something above the Notification Area (I use Windows 7 Home Premium 64bit) saying that Auto Protect was processing threats. When it finished putting the threats in Quarantine, I clicked for more details and this is what came up (the Get More Apps program still kept installing LibreOffice and other programs afterwards, I guess Norton found the files after LibreOffice files were put on the USB):

Security History (left pane of screen)
=========================
Severity Activity Status Date & Time

* High scalc.exe (Suspicious.Cloud) Quarantined Thursday, 21 July 2011
detected by Auto-Protect 10:28 PM
* High sbase.exe (Suspicious.Cloud) Quarantined Thursday, 21 July 2011
detected by Auto-Protect 10:28 PM

Details (when scalc.exe is clicked)
========================
Recommended Action:
Resolved - No Action Required

scalc.exe contained threat
Suspicious.Cloud

Risk: High

Origin:
Not Available

Activity:
Threat Actions performed: 6

Details (when sbase.exe is clicked)
========================
Recommended Action:
Resolved - No Action Required

scalc.exe contained threat
Suspicious.Cloud

Risk: High

Origin:
Not Available

Activity:
Threat Actions performed: 1

When clicking More Details for scalc.exe, NIS 2011 brings up File Insight, which shows:

scalc.exe (Suspicious.Cloud)

This threat has been removed.
No further action is needed.

Details button shows:

(Left Column)
On computers as of:
21/07/2011 at 10:26:49 PM

Last Used:
21/07/2011 at 10:28:40 PM

Startup Item:
No

Launched:
No

(Right Column)
Very Few Users
Fewer than 5 users in the Norton Community have used this file.

High
This file risk is high.

Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.

Origin button shows:

Source: External Media

Source File: scalc.exe

Activity button shows:
This file has performed 6 actions.

File: k:\portableapps\libreofficeportable\app\libreoffice\program\scalc.exe
Removed
File: k:\portableapps\libreofficeportable\app\libreoffice\program\sdraw.exe
Removed
File: k:\portableapps\libreofficeportable\app\libreoffice\program\simpress.exe
Removed
File: k:\portableapps\libreofficeportable\app\libreoffice\program\smath.exe
Removed
File: k:\portableapps\libreofficeportable\app\libreoffice\program\sweb.exe
Removed
File: k:\portableapps\libreofficeportable\app\libreoffice\program\swriter.exe
Removed

When clicking More Details for sbase.exe, NIS 2011 brings up File Insight, which shows:

sbase.exe (Suspicious.Cloud)

This threat has been removed.
No further action is needed.

Details button shows:

(Left Column)
On computers as of:
21/07/2011 at 10:26:29 PM

Last Used:
21/07/2011 at 10:28:29 PM

Startup Item:
No

Launched:
No

(Right Column)
Very Few Users
Fewer than 5 users in the Norton Community have used this file.

High
This file risk is high.

Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.

Origin button shows:

Source: External Media

Source File: sbase.exe

Activity button shows:
This file has performed 1 action.

File: k:\portableapps\libreofficeportable\app\libreoffice\program\sbase.exe
Removed

Sorry if this is too long, but I thought I'd put in all I could. I don't know if this is a false positive on Norton Internet Security 2011's part, regardless, I've removed the LibreOffice directory from my USB.

thanks for any responses!

Bradley Eaton
(eltonbrad)

solanus
solanus's picture
Offline
Last seen: 10 years 1 month ago
Joined: 2006-01-21 19:12
Frankly, Norton blows.

It just marked and removed all the executables for no good reason.
There are no viruses in those files if you got them from this site.

I made this half-pony, half-monkey monster to please you.

eltonbrad
Offline
Last seen: 11 years 3 months ago
Joined: 2007-09-21 03:41
What Should I Do?

Thanks for your reply!

Yeah, I used the PortableApps 2.0 PR1.1 Menu's "Get More Apps" app download it, so I'm assuming it was downloading the files from this site. I don't know what I should do because I'm sure Norton will pick those files up as threats again. I'm downloading OpenOffice.org (through the same program), so I'm hoping Norton won't pick up anything in that, otherwise I won't know what to do.

Any suggestions what I should do about LibreOffice files Norton thinks are threats?

Mum used to use Norton years ago, but after hearing bad things about the new version of Norton (at the time), she changed to AVG and had been happy with that until we both got our new computers at the beginning of the year, which had NIS 2010, we've like Norton ever since, even upgrading to NIS 2011, mainly because of the Norton toolbar for Firefox 4. This is the first time this has happened to me since using Norton again, so it saddens me to think it marked those files as threats for no good reason as it is always scary when this kind of thing happens.

Bradley Eaton
(eltonbrad)

solanus
solanus's picture
Offline
Last seen: 10 years 1 month ago
Joined: 2006-01-21 19:12
If you want to keep using Norton

You should report the problem to Symantec as a false positive. From the forum posts I've seen on the Symantec site, though, other people have been submitting this as a false positive for months now and no action from Norton.
There are ways of configuring these files as exceptions in Norton, but it's kind of a pain in the @$$.
I used to like Norton back in the day, but their overly aggressive software doesn't let you decide to keep files if it considers them "high risk", and add to that their poor customer service, and I won't even touch it.
At this point, I think the only way they keep market share is because they've made deals with computer manufacturers to pre-install their product onto new computers.

I made this half-pony, half-monkey monster to please you.

Log in or register to post comments