Notepad++ 5.0.3 - false positive?

Karsten
Notepad++ 5.0.3 - false positive?

The file

Notepad++Portable\App\Notepad++\plugins\NppExec.dll

was recognized by my GData AV program to be infected with some generic trojan. I sent the file to virustotal.com, where it had been scanned two days ago with 2 infections. I started a new scan and now 4 infections were reported. F-Prot reports "W32/Agent.BP.gen!Eldorado".

John T. Haller
Checked

I checked the full installer on Virus Total and Avast and TrendMicro both yielded a false positive (see the results) which isn't that unusual as they've both had bad definition sets in the past. Running the installer on Jotti yielded no false positives. Even Avast was clean (they don't use TrendMicro).

Scanning the nppexec.dll directly yielded 4 false positives (see results) on Avast, eSafe, F-Prot and GData. On Jotti, only Avast had a false positive.

I also uncompressed the DLL and re-submitted it (you can do this by running the App Compactor in reverse) and it came up clean (see results).

So, what's the conclusion? It's absolutely a false positive. First off, only a few minor antiviruses are detecting it, none of the big boys. This is usually the picture with false positives. (As a general rule, the smaller antivirus products have far more issues with bad definitions and false positives. They simply don't have the resources or take the time to fully test their updates to ensure quality.) Second, we can see that when uncompressed, it's clean and when recompressed, it again shows as a false positive.

Another thing to note is that eSafe, F-Prot and GData are unreliable because they gave a clean bill of health to the installer and gave a false positive on the file that came from it.

One other thing to explore is whether you have heuristic detection enabled. This is pretty buggy in most products and shouldn't usually be trusted.

Please report this issue to GData so they can fix their bug.

Sometimes, the impossible can become possible, if you're awesome!

John.S.Hendry
I hate to disagree...

I turned off Avast to download the file and install it. Once installed, I turned Avast back on and scanned the folder. It reported the virus in nppexec.dll. I downloaded the zip file from the author's website and installed their version of nppexec.dll, since it did not report any virus.

John T. Haller
Re-Read

Re-read my post and you'll see that UPX compressing the DLL causes Avast to false positive. If you uncompress it (using the App Compactor I linked), Avast will think it's fine. If you then compress it again, Avast will once again think it is a virus.

Please contact Avast to make them aware of their mistake. Unlike some other vendors, Avast does not seem to make any mechanism for the report of false positives available.

Sometimes, the impossible can become possible, if you're awesome!

Tim Clark
From Avast Support Forum

"To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks."

Was the only thing I could find.

Tim

Things have got to get better, they can't get worse, or can they?

netbuddy
Usually spot on

I would like to say that anyone trying to say that an item is a false positive to please THINK AGAIN.

For example, I had a U3 flash drive and downloaded the Firefox browser; it was not until I had checked it against an up-to-date AV signature in my AV scanner that this embedded virus came to light.

I went to Mozilla and complained about this issue. The reply came back that Mozilla does not make or release versions of its browser for either U3.com or PortableApps.com.

Notepad++ is open source, as is Firefox.

There's nothing to stop someone modifying an open source program and posting it on a site that offers applications that run from a flash drive.

This is not the first virus I have been subjected to from a site like this one.

What does portable apps do to verify that the release is an official release of said wares?

If it's a toss-up between believing my AV scanner and a post in a thread telling me it's a false positive, I would believe my AV scanner above all else; this is based on actual experience of one of these portable apps being a virus.

I would suggest that PortableApps take on board this nugget and start to protect the people who visit by verifying these coders; as soon as you get people reporting a virus, lock out any downloads until it has been evaluated as safe. If not, deal with the hacker that uploaded it.

People are too trusting, and given that this site has a reputation to keep, is PortableApps prepared to put that reputation at risk over the applications it shares? It only takes one person to get hit, and that person will usually tell everyone they know who uses a computer to "avoid the PortableApps site as it's virus riddled."

Bad news travels faster than the speed of light, my friends. Can PA afford to have its currently good reputation damaged beyond recovery? That's all that will happen if PA does not put in any safety checks to weed out these rogue individuals.

When it comes to programs, always err on the side of caution when things like AV software kick in; they are 99.999% right. This is based on 21 years in computers.

I laughed that hard I burst my colostomy bag...

John T. Haller
Again

Again, there's NOTHING more we can do about badly behaving antivirus programs like Avast. Every official app is scanned using VirusTotal and Jotti as well as multiple local antivirus and antispyware programs. We also digitally sign the launcher (FirefoxPortable.exe) and the installer using the Rare Ideas, LLC (PortableApps.com's legal entity) digital signature. PortableApps.com has *NEVER* released an official stable release with a virus, spyware or malware. None of the other portable software sites, including U3, Ceedo, etc., do anything like this level of verification and authentication.

As for the unofficial releases in the forums, we've never had a virus or spyware in anything contributed by our coders. There was an unknown 3rd party once who submitted a package that had a virus within an ISO image in it, and we removed the link.

The bottom line is that there's nothing we can do about the fact that your antivirus software is making a mistake. You'll just have to wait and hope they fix it.

As a side note... there will always be people who think they're right and everyone else is wrong (and I don't mean you). We had one with the PortableApps.com Suite 1.0 release on Download.com who insisted there was a virus by his software. Even after being proved wrong by multiple 3rd parties including VirusTotal and Jotti, he still insisted he was right and that there was a virus, and spammed the comments with negative reviews to the point that it was libel. That's something else there's not much we can do about. Sometimes competitors claim there are viruses in their competition's product to try and ruin their reputation.

Sometimes, the impossible can become possible, if you're awesome!
