Webroot SecureAnywhere doesn't at all like:
\portableapps\libreofficeportable\app\libreoffice\ure\bin\regcomp.exe
\portableapps\libreofficeportable\app\libreoffice\program\gengal.exe
\portableapps\libreofficeportable\app\libreoffice\program\soffice.exe
It appears to strip them out.
I'm not sure how crippling this is - and I don't know what to make of it.
I've trusted PortableApps for a long time... It's not clear whether it considers these files to be PUPs or actual viruses or trojans.
I've seen the previous posts regarding Symantec and yet another file in earlier versions of LibreOffice. I've also noted LibreOffice Portable 'Known Issues' regarding Avast and AntiVir.
I've contacted Webroot reporting what I believe to be the false positives. But I wonder whether anyone has any more information other than 'it's all rubbish' and 'they need to get their act together' kind of stuff I've read so far on this site?
Best
David
Webroot SecureAnywhere False Positives?
February 9, 2014 - 1:24pm
Webroot likely doesn't like the fact that they are compressed EXEs to save space. This can throw off some of the heuristic abilities of antivirus scanners. Heuristic scanners have much higher false positive rates than regular scanners because they 'guess' about a file possibly being bad based on certain criteria as opposed to it matching a definition of a known virus (what a standard scanner does). Most antivirus apps include both and will distinguish between the two based on the results (specific codes for one or the other).
As an example of the files you are worried about, here's soffice.exe on VirusTotal. Note that there are 2 heuristic results from lesser scanners. They'll likely fix their issue via whitelisting within a few days.
It helps to keep in mind that PortableApps.com has never packaged and distributed an infected app. Not once since I started working on Portable Firefox on my own personal site in 2004. The closest we came was when utorrent.com was hacked and sending out fake utorrent.exe files to people downloading. We moved to self-hosting utorrent.exe and hash matching it to mitigate that as a possibility as well for both platform and direct download users.
Sometimes, the impossible can become possible, if you're awesome!
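To illustrate the reply above, here is an added example (not part of the thread and not PortableApps.com or Webroot code) showing two structural traits of a compressed EXE that a heuristic can key on. The section names, the 7.0 entropy threshold and the constructed sample images are assumptions for illustration; no real scanner's rules are reproduced.

```python
import math
import struct
import zlib
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def section_report(image: bytes, threshold: float = 7.0):
    """Parse the PE section table; return [(name, entropy, looks_packed)]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, opt_size = struct.unpack_from("<H12xH", image, pe_off + 6)
    table = pe_off + 24 + opt_size  # first section header
    report = []
    for i in range(n_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        h = entropy(image[raw_ptr:raw_ptr + raw_size])
        # Heuristic traits: near-random bytes, or a memory-only section (unpack target).
        packed = h > threshold or (raw_size == 0 and vsize > 0)
        report.append((name.rstrip(b"\0").decode("ascii", "replace"), round(h, 2), packed))
    return report

def build_sample(sections) -> bytes:
    """Constructed image: DOS stub, COFF header and section table only; not loadable."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr, table, body = pe_off + len(coff) + 40 * len(sections), b"", b""
    for name, vsize, data in sections:
        table += struct.pack("<8sIIII16x", name, vsize, 0, len(data), raw_ptr + len(body))
        body += data
    return dos + coff + table + body

# Constructed stand-in for program code: repetitive text with varying operands.
PLAIN = b"".join(b"call sub_%05d; test eax, eax; jz loc_%05d\n"
                 % (i * 7919 % 100000, i * 104729 % 100000) for i in range(4000))
NORMAL = build_sample([(b".text", len(PLAIN), PLAIN)])
COMPRESSED = build_sample([(b"PACK0", len(PLAIN), b""),  # hypothetical section names
                           (b"PACK1", 0x8000, zlib.compress(PLAIN, 9))])

if __name__ == "__main__":
    print(section_report(NORMAL), section_report(COMPRESSED))
```

The same content is flagged only in its compressed form, which is why a result like this is a reason to look closer (or to whitelist a known-good build), not a detection in itself.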
Avast has stopped the installation of LibreOffice update because it believes the file is infected. The infection it identifies is Win32:Evo-gen [Susp]
from http://mirror.nexcess.net/tdf/libreoffice/portable/4...
today 140222 02/22/2014
Why didn't I think of that?
Did you note the file it alerted on? Did you let them know of their latest false positive?
Sometimes, the impossible can become possible, if you're awesome!
Same thing for me today. Can't update because of a virus, even when I download the PAF manually.
I was finally able to update.
I'm wondering: Can you and do you submit your files to virus total to see if they pop on any virus scanners?
This is practically difficult. The major antivirus vendors make it difficult to check files without having their apps (and a license). We do check occasionally with VirusTotal.com, which checks many antivirus engines, though the definitions are often 24-48 hours out of date. Unfortunately, it doesn't support apps as large as LibreOffice. Plus the ratings by the heuristics engines change and are exceedingly flaky, as you saw here (the 'Susp' part means it was a "guess" by your antivirus, not a real detection).
We're investigating using the whitelisting services of the major antivirus engines at some point. They let you submit your software to them to analyze. But it adds some time to each release. And only the major antivirus engines have this service (Norton, Kaspersky, etc) and they aren't the ones that are throwing heuristic false positives on us.
Sometimes, the impossible can become possible, if you're awesome!