VirusScan Alert!

lwbbs
Joined: 2007-10-26 23:02
VirusScan Alert!

Today, McAfee VirusScan reported a virus alert for the portable apps (including ThunderbirdPortable and FirefoxPortable). I downloaded a new package from http://portableapps.com and one from http://www.mozilla.com/en-US/firefox/. The package from mozilla works fine. But VirusScan reports a virus in the one from portableapps.

Please double check the portableapps application. Thanks.

The following is the virus information:

2007-10-26 19:11:49 Deleted DELL\Home E:\PortableApps\ThunderbirdPortable\ThunderbirdPortable.exe C:\Temp\nse2.tmp\registry.dll Generic StartPage.r (Trojan)
2007-10-26 20:00:54 Deleted DELL\Home E:\PortableApps\FirefoxPortable\FirefoxPortable.exe C:\Temp\nsm15.tmp\registry.dll Generic StartPage.r (Trojan)
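The two VirusScan lines above carry a fixed set of fields, so they can be parsed and triaged rather than read one at a time. The script below is an added example, not code from the original post or from McAfee; the field layout (date, time, action, user, launching process, detected file, detection name, category) is assumed from the two lines in this thread and is not taken from any McAfee documentation. It groups events by detected file name and detection name, counts how many were destructively deleted rather than quarantined, and flags a file name that the same detection hits under several different parent launchers, which is the pattern later posts in this thread attribute to a signature rather than to a real infection.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Field layout assumed from the two lines posted in this thread:
# <date> <time> <action> <user> <launching process> <detected file> <detection name> (<category>)
# Paths in these lines contain no spaces, so a whitespace-delimited pattern is enough here.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<user>\S+) (?P<process>\S+) (?P<file>\S+) "
    r"(?P<detection>.+?) \((?P<category>[^)]+)\)$"
)

# Sample input: the two log lines from this thread, embedded so the script runs offline.
SAMPLE_LOG = """\
2007-10-26 19:11:49 Deleted DELL\\Home E:\\PortableApps\\ThunderbirdPortable\\ThunderbirdPortable.exe C:\\Temp\\nse2.tmp\\registry.dll Generic StartPage.r (Trojan)
2007-10-26 20:00:54 Deleted DELL\\Home E:\\PortableApps\\FirefoxPortable\\FirefoxPortable.exe C:\\Temp\\nsm15.tmp\\registry.dll Generic StartPage.r (Trojan)
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one VirusScan log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for grouping."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> Dict[str, object]:
    """Summarise a batch of log lines for review.

    'needs_review' lists file names that the same scanner hit more than once
    while being dropped by different parent processes (here: several portable
    launchers each unpacking registry.dll into their own nsXX.tmp directory).
    """
    events: List[Dict[str, str]] = [
        e for e in (parse_line(l) for l in log_text.splitlines()) if e
    ]
    by_file = Counter(basename(e["file"]) for e in events)
    by_detection = Counter(e["detection"] for e in events)
    deleted = [e for e in events if e["action"].lower() == "deleted"]
    needs_review = [
        f for f, n in by_file.items()
        if n > 1
        and len({basename(e["process"]) for e in events if basename(e["file"]) == f}) > 1
    ]
    return {
        "events": len(events),
        "by_file": dict(by_file),
        "by_detection": dict(by_detection),
        "deleted_count": len(deleted),
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

A "deleted_count" equal to the event count is worth noticing on its own: every hit was removed outright, so nothing is left in quarantine to hash or submit for a second opinion, which is exactly the situation a later post in this thread objects to.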

Tim Clark
Joined: 2006-06-18 13:55
Probable False Alarm

This is likely a false positive.

Be assured that Official PortableApps.com programs are virus free.
Sometimes some of the things the apps need to do "look" suspicious to some antimalware programs, and they need to be updated. Unfortunately, this happens more often than it should.

Please read the following 2 threads:
https://portableapps.com/node/9825
https://portableapps.com/node/9834

Hopefully McAfee [and AVG] will get the message and update soon, we hope.

Tim

Things have got to get better, they can't get worse, or can they?

jwyanze
Joined: 2007-08-08 00:44
Same thing happen to me

Well, it seems like it's today's McAfee update that screwed up everything. This happens every time I try to launch a portable app. It's just a false positive. Someone want to tell McAfee about this? I really don't feel like doing that, and I have a lot of work to do.

Never curse the alligator till you done cross the bridge.

JayPel
Joined: 2007-10-27 10:28
Re: VirusScan Alert! - AVG Now Also Reporting

-- With the AVG update on 2007.10.27, the file "registry.dll" that loads into the P-Apps temporary directory along with the splash screen for the particular application being loaded is reported as "Trojan horse Startpage.BZP" -- per the AVG website ((1)), the offending behavior indicated is that a Startpage trojan horse changes the Internet Explorer home page.
-- Checking old P-Apps temporary start-up directories left in the MS Win directory "C:\Documents and Settings\(=user=)\Local Settings\Temp\..." gets AVG hits on the same file. Tested by trying to start up Thunderbird and Notepad++ Portable. (I'm using Firefox installed on the PC to create this message, hence unable to test with the P-Apps version -- it won't load a 2nd instance at the same time.)
-- Hope this helps with troubleshooting.
FOOTNOTE:
=========
((1)) http://free.grisoft.com/doc/7/us/frt/0
i.e. -> Threat Info -> Virus Encyclopedia
---eom

rab040ma
Joined: 2007-08-27 13:35
Just because all the other

Just because all the other virus reports have been "false positives" doesn't mean that this one is not ... but the odds are slim.

If your AV program will let you, you might fire up WinMd5sum Portable and grab a hash from that dll, and post it with your message; that way the rest of us can see whether we are talking about the same file. There could be lots of different files around with that same name, but they'd all have different MD5s.

The other thing you should do is check the file with the online scanners listed on the Support page (that menu bar at the top of the screen has the link), and with ClamWin Portable.

Registry.dll is most likely a plug-in from the Nullsoft installer.

Maybe JTH can start signing all the DLLs and other associated files, so people can confirm the signature to make sure the file hasn't been tampered with.

If the AV software deletes that registry.dll, the launcher may or may not work; it will almost definitely not be able to clean up completely when the app finishes.

MC

Lurking_Biohazard
Joined: 2006-02-18 18:06
Heuristic Analysis

Turn OFF Heuristic Analysis on your own machines. I did and now it is very rare that I get a false positive. It is also bad behavior for an antivirus program to delete files automatically. The file in question should be quarantined for further review by the owner/admin.

~Lurk~

Tim Clark
Joined: 2006-06-18 13:55
Lurk,

Lurk,

Good read at Wikipedia.

For the moment, since we know the file in question, I prefer to just not have the file scanned. I like having Heuristics turned on myself. The only false positives that I have had over the past 2 1/2 years of using it on this machine have been from PortableApps.com, and since I know they [the official releases] are safe, I feel confident with this procedure.

Thanks for providing another alternative though.
I take it you have tested this with the McAfee 5150 dats and are having no alerts with PA.com products?

Tim

Things have got to get better, they can't get worse, or can they?

Lurking_Biohazard
Joined: 2006-02-18 18:06
McAfee

Personally, I don't care for it. Yesterday I worked on a PC that had it installed. Not thinking, I plugged in my flash drive, at which point it deleted several things. Good thing I backed up! I turned off Heuristics and configured it to quarantine rather than delete.

I have been running AVG or Avast on my machines with Heuristics turned off for a long time with great success.

~Lurk~

Ryan McCue
Joined: 2006-01-06 21:27
Digital Signatures

AFAIK, he's only signing the installers, which should be good enough.

"If you're not part of the solution, you're part of the precipitate."

JayPel
Joined: 2007-10-27 10:28
AVG - Further Testing

-- Did more testing. The problem file may come from an updated version of the loader. Some older P-Apps do not trigger the AV alerts. (See list below.) As part of the test, I deleted the old Firefox (archived off to recover settings) and installed the new Firefox v 2.0.0.8 ((1)) as a clean install.
-- Although the P-Apps loader generally deletes the temporary file after the app boots up, I managed to capture a few copies ((2)) of the problem file into the AVG virus vault. All are listed as 17408 bytes long. But I have a bit of a learning curve to climb before I might be able to get copies safely extracted from the AVG virus vault and try getting an MD5 hash on the file.

Footnote:
=========
((1)) .paf file downloaded today from the P-Apps website, reached via Google search rather than a stored URL.
((2)) Eleven copies from loading various apps, some duplicated from the same app but different load operations.

AVG alert / App
===============
yes / Audacity (v 1.2.4)
yes / Firefox (v 2.0.0.8 - 2007.10.08)
yes / Notepad++ (v 4.2.2)
yes / Thunderbird (v 2.0.0.6 - 2007.07.28)
yes / Thunderbird (v 2.0.0.8 - 2007.10.08)

no / ClamWin (v 0.91.1, Updated 19:40 20 Aug 2007)
no / GAIM (2.0.0beta5)
no / GIMP (v 2.2.17)
no / KompoZer (v 0.77 - 2006.07.23)
no / OpenOffice.org (v 2.0.4 - Writer, Base, Calc)
no / Sudoku (v 1.1.7a)
no / Sunbird (v 0.3.1 - 2007.02.13)
no / VLC (v 0.8.6a)

---eom

JayPel
Joined: 2007-10-27 10:28
Errata - Incorrect Thunderbird Version Listed

The line listing "yes / Thunderbird (v 2.0.0.8 - 2007.10.08)" is incorrect -- apologies for inattention (I saw the 2.0.0.6 and thought I had the wrong version of Firefox listed). (Note: Firefox v 2.0.0.6 also triggered the AVG alert.)

Tim Clark
Joined: 2006-06-18 13:55
registry.dll

"The problem file may come from an updated version of the loader"

I don't think I can agree with you here.

I do not have all the apps you list in the "no" section but the ones I do have DO NOT create registry.dll in their temp folder [not every PA.com app needs it].

The apps you list in the "yes" section all seem to create it.

So I think it is registry.dll itself that is being detected, NOT the version of the file [or, as you say, "the loader"].

Tim

Things have got to get better, they can't get worse, or can they?

rab040ma
Joined: 2007-08-27 13:35
I've seen a couple of

I've seen a couple of versions of the registry.dll on my machine.

One has MD5 ad0c39f7ff92b650511117ffa94d2a65 and is 16,384 bytes. It is the same as the one downloaded from SF.net as version 3.3.

The other has 1af237911f21e78a1f118b14f9da3994 and is 17,408 bytes. This latter is the one that comes with Thunderbird.

MC

Ryan McCue
Joined: 2006-01-06 21:27
"Healed"

One of the files may have been "healed" by your anti-virus, which I think changes the actual file, giving you a different MD5 hash.

"If you're not part of the solution, you're part of the precipitate."

rab040ma
Joined: 2007-08-27 13:35
Nope, my AV is not

Nope, my AV is not misbehaving (reporting false positives or making unrequested changes to files). As far as I can tell, these are the files as distributed.

The only way to prove or disprove your theory or my assertion would be if John distributed the MD5 for the files he is using, or signed them.

MC
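Several posts in this thread converge on the same check: grab an MD5 of the flagged registry.dll, compare it with what others see, and ideally compare it with a hash the publisher distributes. The script below is an added example written for this thread; it is not code from the PortableApps.com project or from any poster. It takes the two MD5/size pairs rab040ma listed above as its reference table (those values are from the thread; everything else in the script is constructed), streams a file through MD5 and SHA-256, and reports whether the file is a known variant, a size mismatch on a matching MD5, or unknown. SHA-256 is recorded alongside MD5 because MD5 collisions are practical, so a published reference list should carry a stronger hash too.

```python
import hashlib
import sys
from typing import Dict, Tuple

# Reference table of registry.dll variants as reported in this thread
# (rab040ma's post): MD5 -> (description, expected size in bytes).
KNOWN_REGISTRY_DLL: Dict[str, Tuple[str, int]] = {
    "ad0c39f7ff92b650511117ffa94d2a65": ("NSIS Registry plug-in 3.3 as downloaded from SF.net", 16384),
    "1af237911f21e78a1f118b14f9da3994": ("registry.dll shipped with Thunderbird Portable", 17408),
}


def digest_bytes(data: bytes) -> Dict[str, object]:
    """Hash an in-memory blob: MD5 to compare with what people post, SHA-256 as a
    collision-resistant record for the same file."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digest_file(path: str, chunk_size: int = 1 << 16) -> Dict[str, object]:
    """Same as digest_bytes but streams the file so a large binary is not read at once."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def classify(digests: Dict[str, object],
             known: Dict[str, Tuple[str, int]] = KNOWN_REGISTRY_DLL) -> Tuple[str, str]:
    """Return (verdict, detail).

    'known'    : MD5 and size both match a reference entry.
    'mismatch' : MD5 matches but the size does not (truncated, altered or "healed" copy).
    'unknown'  : MD5 not in the table; the thing to post so others can compare.
    """
    md5 = str(digests["md5"]).lower()
    size = int(digests["size"])  # type: ignore[arg-type]
    if md5 not in known:
        return "unknown", f"md5={md5} size={size}: not in the reference table"
    label, expected_size = known[md5]
    if size != expected_size:
        return "mismatch", f"MD5 matches '{label}' but size {size} != {expected_size}"
    return "known", label


if __name__ == "__main__":
    # Usage: python check_registry_dll.py <path to registry.dll> [...]
    for path in sys.argv[1:]:
        d = digest_file(path)
        verdict, detail = classify(d)
        print(f"{path}: {verdict} ({detail}); sha256={d['sha256']}")
```

The reference table is only as trustworthy as its source: two forum members agreeing on an MD5 shows they have the same file, not that the file is the one the publisher shipped. That gap is the one rab040ma's post points at, and it closes only when the publisher distributes hashes over a trusted channel or signs the files.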

Caehan
Joined: 2007-10-19 22:51
John Haller's Report...