
False Positive from enterprise level anti-viruses

Selvec
Joined: 2012-07-02 19:33
False Positive from enterprise level anti-viruses

Hi Guys

Recently I installed Portableapps.exe to my pen drive which I use at work. It's very useful for my job as the apps it allows me to run don't leave any mark on the local registry or HD. However, recently IT's anti-virus marked the base .exe file as a possible threat. This is of course a false positive; however, it could cause issues for anyone else using this in a business environment.

Threat detected: Suspicious Behaviour: HIPS/RemFileMod-002

I have a picture sent from IT, but can't upload at work so I'll have to do this later.

Could anyone please enlighten me as to why our anti-virus would pick up a false positive from this program?

Aluísio A. S. G.
Developer, Translator
Joined: 2010-11-09 17:43
Safe

Sophos database
Runtime behavior alerts of this type inform the user that an attempt has been made to write an autorun file to an attached removable drive. Any attempt at this behavior by an unauthorized program could indicate a malware infection.

Please note that the behavior of some legitimate product installers can sometimes resemble that of malware.

I know the Platform allows you to rename the drive. The drive name is stored in the autorun file.

Previously known as kAlug.
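An added example, not from this thread or from PortableApps.com: a small Python check an administrator can run against the autorun.inf on a removable drive to tell a label-only file (the kind the post above describes, which only stores the drive name) from one that actually makes Windows launch a program. The split of directive names into "launch" and "cosmetic" groups, and the sample files, are this example's own assumptions.

```python
import os
import re
from typing import Dict, List, Tuple

# autorun.inf directive names used for classification. These are the well-known
# keys Windows AutoRun honours; grouping them into "launches something" versus
# "cosmetic" is this example's own assumption, not taken from the thread or Sophos.
LAUNCH_KEYS = {"open", "shellexecute", "useautoplay"}
COSMETIC_KEYS = {"label", "icon", "action"}


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lower-cased because Windows treats them
    case-insensitively; lines starting with ';' or '#' are comments.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section, or not key=value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def classify_autorun(text: str) -> Tuple[str, List[str]]:
    """Return ("benign" | "suspicious", reasons) for an autorun.inf body.

    A file that only sets the drive label and icon is benign; anything that
    makes Windows run a program (open=, shellexecute=, shell\\...\\command=)
    or any key outside the cosmetic set is reported with its value.
    """
    autorun = parse_autorun(text).get("autorun", {})
    reasons: List[str] = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or key == "shell" or key.startswith("shell\\"):
            reasons.append(f"launch directive: {key}={value}")
        elif key not in COSMETIC_KEYS:
            reasons.append(f"unexpected key: {key}={value}")
    return ("suspicious" if reasons else "benign"), reasons


def check_drive(root: str) -> Tuple[str, List[str]]:
    """Classify the autorun.inf at the root of a mounted drive (e.g. 'E:/')."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return "absent", []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_autorun(fh.read())


# Constructed sample inputs (not copied from any real drive).
LABEL_ONLY = """
[autorun]
label=PORTABLE
icon=drive.ico
"""

LAUNCHER = r"""
[AutoRun]
open=setup.exe
action=Open folder to view files
shell\open\command=setup.exe
"""

if __name__ == "__main__":
    for name, sample in (("label-only", LABEL_ONLY), ("launcher", LAUNCHER)):
        verdict, reasons = classify_autorun(sample)
        print(f"{name}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")
```

Running the script classifies the two constructed samples; `check_drive("E:/")` applies the same check to a real drive root. The HIPS rule in the thread fires on the act of writing autorun.inf regardless of its contents, so a check like this is what lets you confirm that the file written was label-only before marking the detection a false positive.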

gluxon
Developer
Joined: 2008-06-21 19:26
One of the methods Anti-Virus

One of the methods Anti-Virus software utilizes in its scanning is to "dissect" executables in order to find out what "functions" it's running.

Many of our launcher executables (ex: FirefoxPortable.exe) manipulate registry entries, redirect environment variables, and many other actions required to move personal data. Overall, the intention is good, but each function looked at individually represents actions a virus would typically execute.

As even high-end Anti-Virus can't efficiently manage a large database of known viruses, they often resort to this tactic in order to help identify new ones.

That explains why our base exes come up in your scanner, but I'm afraid there isn't a very good solution other than reporting the file as a false positive and keeping your virus definitions/database up to date.

Aluísio A. S. G.
Developer, Translator
Joined: 2010-11-09 17:43
Not heuristics

Read my post above. The problem (this time) is that the Platform (= base exe) writes to the autorun file.

Previously known as kAlug.
