
False positive trojan detection - I hope

porterj
Joined: 2007-10-02 20:08
False positive trojan detection - I hope

My virus scanner, CA eTrust, is detecting the Win32/Loodok!generic.2 Trojan. This is being reported against the system.dll which gets extracted from the application launcher.

It doesn't happen on all apps; the latest ClamWin is okay, but Firefox and FileZilla, for example, exhibit the problem. I have even re-downloaded the firefoxportable.paf.exe but it also shows a trojan when run, and the MD5 checksum is correct. Running the application executable directly, without the launcher, works perfectly.

I suspect that eTrust is picking up the system.dll as a false positive, since I have scanned it with several virus scanners and only eTrust is detecting it, but I thought I'd report it anyway. Is this file really necessary, as the apps appear to run despite the virus scanner deleting it upon detection?

digitxp
Joined: 2007-11-03 18:33
I think yeah

because System.dll interacts with the API, and the AV picks that up as a threat.
Maybe, maybe not. But PortableApps is certified 100% clean, since you can recompile the source and get the same MD5 for the launcher, therefore the source is exactly what it's doing :).

Insert original signature here with Greasemonkey Script.

Bruce Pascoe
Joined: 2006-01-15 16:14
"you can recompile the

"you can recompile the source and get the same MD5 for the launcher"

Is this really true, though? I thought the launchers were digitally signed now, which would change the file's MD5 hash... or is it just the installers that are signed?

Simeon
Developer, Translator
Joined: 2006-09-25 15:15
I think

it's only the installers.

"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devil's Advocate

RMB Fixed
Joined: 2006-10-24 10:30
Stupid AV-proggies ..

All these false positives make me wonder how many false negatives all these super-intelligent AV-programs make. These are some of the things I like about Clam-AV:
1: No "real-time protection"
2: No "heuristics"
3: No subscription-fee for signature-updates that don't work properly anyway.

Tim Clark
Joined: 2006-06-18 13:55
Advanced

They don't have heuristics per se,
But they do have some options in "Advanced" settings that get many false positives.

In fact I was testing the new CWP last night and using the advanced setting it found 2 .vbs files that were in:
C:\i386
(for those that don't know, \i386 contains the basic installation program of Windows [think on-board install disk].)
Anyway this means it came with the operating system!!!

I did not have time to file an FP report with them yesterday so I will do it tonight.

My point is all antimalware programs will have FPs from time to time. CW (ClamAV) actually has more of them than most others, (it's not really all their fault, they update 27 times a day) we just don't talk about it here unless it concerns a portable app.

Tim
-

Things have got to get better, they can't get worse, or can they?

Bruce Pascoe
Joined: 2006-01-15 16:14
...

Yeah, ClamWin's update cycle is ridiculous. I don't run CW for a few days and then go back to update and it takes forever downloading 100 diffs.

Which is another thing that annoys me. If there's more than about 50 diffs, it should just download the whole daily.cvd! There's so much overhead in downloading individual diffs that downloading the whole thing would actually be faster at that point.

Tim Clark
Joined: 2006-06-18 13:55
Actually Bruce I beg to

Actually Bruce I beg to differ with you here, sorry :(
As someone who updates clam every day, and used to when they "had" to do a fresh daily.cvd, the current method is much faster.

If you prefer to do it the old way, just delete the current daily.cvd (or daily.cld) and it will download the latest daily.cvd in one swoop. I think you will find it is not faster, at least on my modem. Of course the only time I would approach being 100 diffs behind would be on my work machine after the weekend, and since it is high speed I really don't notice it.

As far as the cycle of updates is concerned, as long as you know how to look for FPs the constant updating keeps you at the "cutting edge" in the event of a true attack.
Just remember that "cutting edge" is also "bleeding edge" if you are not careful.

All the best,
Tim
-

Things have got to get better, they can't get worse, or can they?

Bruce Pascoe
Joined: 2006-01-15 16:14
Not really

Broadband, like a fast flash drive, does you no good when you're downloading a bunch of individual files. There's so much overhead (and latency) that downloading 100+ diffs takes just as long as downloading the whole daily.cvd (which seems to average ~2 MB). And yes, I can say this from experience, having done just what you suggested (deleting daily.cld and then checking for updates)--the full download was faster. The diffs only really make a difference on dial-up.

And 100 diffs is not unusual. It only takes about 4 days to amass that many.

But the diffs aren't my real gripe here--it's the update cycle. 27 updates a day on average? That's one update every ~50 minutes! It would take about an hour to scan my entire 8GB drive, and then I'd have to update and do it all over again if I really cared about being protected from the latest threats (who knows, maybe there's an unknown virus on my drive just waiting to be discovered!</sarcasm>). It's one of those things that sounds good in theory, but completely pointless in actual practice.

OliverK
Developer
Joined: 2007-03-27 15:21
you can have the sites like

You can have sites like VirusTotal and Jotti scan them to see if they really are viruses.

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

tremblsi
Joined: 2007-09-28 09:16
More info

I too would like to know more about this. CA eTrust here detected the same thing (Win32/Loodok!generic.2 Trojan in system.dll) in three temporary installation folders (ns*.tmp folders under C:\...\local settings\temp).

2 of the folders were created on 2007-12-21; one has a KeePass splash.jpg left in it and the other one a Notepad++. The third folder was created 2008-04-02 and has a KeePass splash.jpg.

Unfortunately, because the AV cured my system by simply deleting the system.dll files, I can't submit them to virus total or scan them with ClamWin.

ZachHudock
Developer
Joined: 2006-12-06 18:07
It is a false positive. CA

It is a false positive. CA eTrust incorrectly flagged the NSIS system plugin as being a virus. Another user had the same issue here.

The developer formerly known as ZGitRDun8705
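Two things the thread relies on when triaging a detection like this are porterj's MD5 check against the published checksum and OliverK's suggestion to get a second opinion from a multi-scanner service, and tremblsi's problem was that the AV deleted the file before it could be submitted. The following script is an added example, not code from the thread or from PortableApps: it verifies a download against its published MD5, and records the MD5/SHA-1/SHA-256 of a flagged file so those hashes can be looked up or submitted later even if the local scanner removes the original. The sample data written by `make_sample_file` is constructed for the example; the file paths and the published checksum are assumptions the caller supplies. No scanner service is contacted.

```python
"""Added example (not from the thread or from PortableApps): hash-based triage
of a file an AV scanner has flagged."""
import hashlib
import os
import tempfile


def file_hashes(path, chunk_size=1 << 16):
    """Return hex digests (md5, sha1, sha256) for the file at `path`.

    The file is read in chunks so large installers do not have to fit in memory.
    """
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_download(path, expected_md5):
    """True when the file's MD5 matches the checksum the publisher lists.

    A match means the bytes on disk are the ones the publisher shipped, so a
    detection on a checksum-verified file points at the scanner's signature
    rather than at a tampered download; a mismatch means the download is
    corrupt or altered and should not be trusted regardless of what any
    scanner says. Comparison is case-insensitive and ignores stray whitespace.
    """
    return file_hashes(path)["md5"].lower() == expected_md5.strip().lower()


def record_flagged_file(path):
    """Hash a flagged file before the scanner quarantines or deletes it.

    Returns the hash dict, or None when the file is already gone (tremblsi's
    situation), so the caller knows only the AV's own log remains as evidence
    and there is nothing left to submit to a multi-scanner service.
    """
    if not os.path.isfile(path):
        return None
    return file_hashes(path)


def make_sample_file(data=b"abc"):
    """Write constructed sample bytes to a temp file and return its path.

    Exists only so the example can be run without a real installer.
    """
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed demo: the "published" checksum is simply MD5("abc").
    sample = make_sample_file(b"abc")
    print("download ok:", verify_download(sample, "900150983CD24FB0D6963F7D28E17F72"))
    print("flagged file hashes:", record_flagged_file(sample))
    os.remove(sample)
    print("after deletion:", record_flagged_file(sample))
```

In practice you would call `verify_download` on the `.paf.exe` right after downloading it, and `record_flagged_file` on the extracted `system.dll` the moment the scanner raises an alert; the recorded hashes are what a multi-scanner lookup needs, and they survive the scanner's "cure".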
