
False Positive: Trojan: Downloader.Zlob (Sep 11)

John T. Haller (Admin, Developer, Moderator)

The AVG Free Antivirus program's definitions went a bit wonky (technical term) today and it decided that every single portable app launcher contains a trojan. Rest assured that this is just yet *another* issue with a free antivirus program's virus definitions and there's nothing wrong with any of the portable apps. As for what to do to fix the issue, you should contact AVG and ask them to fix their mistake. Don't click 'Heal' as, to AVG, that means 'Delete the file'.

Update Sep 12 - AVG has already confirmed that this was an issue with their morning virus definitions update and has released a new definition set that fixes this problem. Also, from AVG: "If you need to restore deleted files from AVG Virus Vault you can do it this way: open AVG Virus Vault (Start -> Programs -> AVG Antivirus -> AVG Virus Vault). Locate the file that was removed, right click on it and choose "Restore File(s)" option."

Update Sep 13 - Looks like Kaspersky is now having an issue with false positives in all NSIS-based apps. Same trojan. They've been informed of their issue.

John T. Haller
And here come the emails...

As usual, when there's a false positive with one of the free antivirus programs (AVG, AntiVir, Avast), people end up sending email about it. This, despite the fact that it's addressed right here in the forums. And, the contact page makes it exceedingly clear *NOT* to send emails about things like this. (as seen here) Can anyone think of a way to stop people from sending support requests via email? It's already grown beyond a little problem and has impeded my ability to keep up with email from the site.

Sometimes, the impossible can become possible, if you're awesome!

twnty3svn
You could try....

having an automated reply stating something like, "please ensure you have thoroughly read through our forums", or direct them to a page with all the FAQs, which most probably answers 99% of their questions. If this does not answer their questions, only then are they to reply to the email, leaving everything as is.

What you will then need to do is set up an automatic reply with a keyword/content/ticket number which you filter on, and have only those emails come automatically into your inbox if they satisfy these criteria. I know Runbox uses this system, and I believe it is quite effective.

May be effective.... but you can't account for ignorance if the people don't read!

John T. Haller
Not an option

Auto-responders shouldn't really be used anymore, since they can result in your server being blacklisted. I have finally started using pre-compiled responses in TB with the QuickText extension, but I still have like 311 emails sitting around awaiting response. And there are always people that, when they don't get a reply in a day or two, send another email... and then another... and then another.

I think I may have to do what Lawrence Lessig did 5 years ago and declare email bankruptcy. He auto-responded to every unanswered email that he was overloaded and resetting his inbox, listed common issues and what to do, and invited people to send a new email if, and only if, it genuinely required a personal response.

Sometimes, the impossible can become possible, if you're awesome!

twnty3svn
Didn't know about....

the blacklisting. Your second option may be your only solution, but I guess "every email someone sends you, at one time or another, is deemed to need a personal response". However, unless someone suggests a better alternative, it might be the way to go.

KevinTMC
F-Secure

This morning F-Secure, on my work PC, did the same thing, "finding" Trojan-Downloader.Win32.Zlob.akd in every single portable app launcher.

Including all the launchers in OpenOffice, that's 15 of them. And I later discovered that, even after I told F-Secure to leave them alone, it renamed all the files from *.exe to *.0xe anyway. What a pain.

Odd how so many different anti-virus programs would start finding the same false positives at the same time. I guess development of these tools isn't all that diversified, no matter how many brand names are out there...

Buckbeak
John, how do you know for sure that it is not a trojan? It happens to the best of us.

John T. Haller
Simple

Each of these times, it's been a *SINGLE* A/V product that royally screws up. And then the NSIS wiki and forums are updated to indicate that this affects ALL NSIS products (including the installers for OpenOffice.org and Winamp, for instance). And then the vendor realizes their issue and updates their definitions the same day. Basically, there's a lot going on behind the scenes that isn't detailed in the forums here.

In the past couple days... first AVG did this. Then Norman. Then Kaspersky. And now F-Secure. Each a false positive with the same thing (NSIS installers using LZMA compression... simply because the actual trojan used something similar).

You can check multiple engines here:
http://virusscan.jotti.org/

Sometimes, the impossible can become possible, if you're awesome!
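The post above attributes the wave of detections to NSIS installers that use LZMA compression, and points at multi-engine scanning as the way to sanity-check a single vendor's verdict. The Python script below is an added example, not code from PortableApps.com, NSIS or any antivirus vendor. It checks whether a flagged file carries the NSIS first-header signature (0xDEADBEEF followed by the ASCII magic "NullsoftInst", which NSIS appends as an overlay after the PE image), applies a heuristic check for an LZMA payload that is an assumption of this example rather than anything the thread states, and prints the MD5/SHA-256 hashes you would paste into a multi-engine scanner such as the one linked above. The sample bytes are constructed, not a real launcher.

```python
"""Triage a file an antivirus flagged as Zlob: is it NSIS-built, and what are its hashes?

Added example (not PortableApps.com, NSIS or vendor code). The NSIS first-header
signature and its 28-byte layout follow the NSIS file format; the LZMA check is a
heuristic and an assumption of this example.
"""
import hashlib
import sys

# NSIS "first header": flags (4 bytes), then 0xDEADBEEF little-endian,
# then the ASCII magic "NullsoftInst", then two 4-byte lengths (28 bytes total).
NSIS_SIGNATURE = b"\xef\xbe\xad\xdeNullsoftInst"
NSIS_FIRST_HEADER_SIZE = 28
LZMA_DEFAULT_PROPS = 0x5D  # lc=3, lp=0, pb=2: the LZMA encoder default


def find_nsis_first_header(data: bytes) -> int:
    """Return the offset of the NSIS first header in `data`, or -1 if not NSIS-built."""
    idx = data.find(NSIS_SIGNATURE)
    return idx - 4 if idx >= 4 else -1  # the flags field precedes the signature


def payload_looks_lzma(data: bytes, header_off: int) -> bool:
    """Heuristic (assumption of this example): a solid LZMA NSIS payload starts with
    the LZMA properties byte 0x5D immediately after the 28-byte first header."""
    pos = header_off + NSIS_FIRST_HEADER_SIZE
    return len(data) > pos and data[pos] == LZMA_DEFAULT_PROPS


def triage(data: bytes) -> dict:
    """Summarise what a flagged file is, so one engine's detection can be compared
    with other engines and with the known NSIS/LZMA false positive."""
    header_off = find_nsis_first_header(data)
    is_nsis = header_off >= 0
    return {
        "is_pe": data[:2] == b"MZ",
        "is_nsis": is_nsis,
        "nsis_header_offset": header_off,
        "lzma_payload": is_nsis and payload_looks_lzma(data, header_off),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed sample: a fake PE stub with an NSIS first header and an LZMA-style
# payload appended as overlay. Not a real launcher.
SAMPLE_NSIS_LAUNCHER = (
    b"MZ" + b"\x90" * 62                       # stand-in for a 64-byte PE image
    + b"\x00\x00\x00\x00"                      # first header: flags
    + NSIS_SIGNATURE                           # 0xDEADBEEF + "NullsoftInst"
    + (2048).to_bytes(4, "little")             # length of header
    + (4096).to_bytes(4, "little")             # length of all following data
    + b"\x5d\x00\x00\x80\x00"                  # LZMA props byte + 8 MiB dictionary
    + b"\x00" * 16                             # stand-in for compressed data
)


def main(argv: list) -> int:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_NSIS_LAUNCHER
    result = triage(data)
    for key, value in result.items():
        print(f"{key:20} {value}")
    if result["is_nsis"]:
        print("NSIS-built: check this hash against several engines before trusting "
              "a single vendor's verdict.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python nsis_triage.py SomeAppPortable.exe` (the filename is a placeholder); with no argument it triages the constructed sample. A hit on the NSIS signature does not prove a file is clean, it only tells you the detection belongs to the same family of files the thread says every vendor misfired on, so the hashes still need to be checked against independent engines.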

Bitman
Antivir

AntiVir is reporting the same trojan for ClamWin too, John.

John T. Haller
AntiVir Recurrence

AntiVir does that a lot. In all the launchers.

Sometimes, the impossible can become possible, if you're awesome!
