Today, McAfee VirusScan reported a virus alert at the portable apps (including ThunderbirdPortable and FirefoxPortable). I downloaded one new package from
http://portableapps.com and one from http://www.mozilla.com/en-US/firefox/. The package
from mozilla works fine. But VirusScan reports a virus in the one from portableapps.
Please double check the portableapps application. Thanks.
The following is the virus information:
2007-10-26 19:11:49 Deleted DELL\Home E:\PortableApps\ThunderbirdPortable\ThunderbirdPortable.exe C:\Temp\nse2.tmp\registry.dll Generic StartPage.r (Trojan)
2007-10-26 20:00:54 Deleted DELL\Home E:\PortableApps\FirefoxPortable\FirefoxPortable.exe C:\Temp\nsm15.tmp\registry.dll Generic StartPage.r (Trojan)
This is likely a false positive.
Be assured that Official PortableApps.com programs are virus free.
Sometimes some of the things the apps need to do "look" suspicious to some antimalware programs and they need to be updated. Unfortunately, this happens more often than it should.
Please read the following 2 threads:
https://portableapps.com/node/9825
https://portableapps.com/node/9834
Hopefully McAfee [and AVG] will get the message and update soon,
we hope
Tim
Things have got to get better, they can't get worse, or can they?
Well, it seems like it's today's McAfee update that screws up everything. This happens every time I try to launch a portable app. It's just a false positive. Someone want to tell McAfee about this? I really don't feel like doing that and I have a lot of work to do.
Never curse the alligator till you done cross the bridge.
-- With the AVG update on 2007.10.27, the file "registry.dll" that loads into the P-Apps temporary directory along with the splash screen for the particular application loaded is reported as "Trojan horse Startpage.BZP" -- per the AVG website ((1)) the offending behavior indicated is that a startpage trojan horse changes the Internet Explorer home page.
-- Checking old P-Apps temporary start-up directories left in the MS Win directory "C:\Documents and Settings\(=user=)\Local Settings\Temp\..." gets AVG hits on the same file. Tested by trying to start up Thunderbird and Notepad++ Portable. (I'm using Firefox installed on the PC to create this message, hence unable to test with the P-Apps version -- it won't load a 2nd instance at the same time.)
-- Hope this helps with troubleshooting.
FOOTNOTE:
=========
((1)) http://free.grisoft.com/doc/7/us/frt/0
i.e. -> Threat Info -> Virus Encyclopedia
---eom
Just because all the other virus reports have been "false positives" doesn't mean that this one is not ... but the odds are slim.
If your AV program will let you, you might fire up WinMd5sum Portable and grab a hash from that dll, and post it with your message; that way the rest of us can see whether we are talking about the same file. There could be lots of different files around with that same name, but they'd all have different MD5s.
The other thing you should do is check the file with the online scanners listed on the Support page (that menu bar at the top of the screen has the link), and with
ClamWin Portable.
Registry.dll is most likely a plug-in from the Nullsoft installer.
Maybe JTH can start signing all the DLLs and other associated files, so people can confirm the signature to make sure the file hasn't been tampered with.
If the AV software deletes that registry.dll, the launcher may or may not work; it will almost definitely not be able to clean up completely when the app finishes.
MC
Turn OFF Heuristic Analysis on your own machines. I did and now it is very rare that I get a false positive. It is also bad behavior for an antivirus program to delete files automatically. The file in question should be quarantined for further review by the owner/admin.
~Lurk~
Lurk,
Good read at wikipedia
For the moment, since we know the file in question, I prefer to just not have the file scanned. I like having Heuristics turned on myself. The only false positives that I have had over the past 2 1/2 years of using it on this machine have been from PortableApps.com and since I know they [the official releases] are safe I feel confident with this procedure.
Thanks for providing another alternative though
I take it you have tested this with the McAfee 5150 dats and are having no alerts with PA.com products?
Tim
Things have got to get better, they can't get worse, or can they?
Personally don't care for it. Yesterday I worked on a PC that had it installed. Not thinking I plugged in my flash drive, at which point it deleted several things. Good thing I backed up! I turned off Heuristics and configured it to quarantine rather than delete.
I have been running AVG or Avast on my machines with Heuristics turned off for a long time with great success.
~Lurk~
AFAIK, he's only signing the installers, which should be good enough.
"If you're not part of the solution, you're part of the precipitate."
-- Did more testing. The problem file may come from an updated version of the loader. Some older P-Apps do not trigger the AV alerts. (See list below.) As part of the test, I deleted the old Firefox (archived off to recover settings), and installed the new Firefox v 2.0.0.8 ((1)) as a clean install.
-- Although the P-Apps loader generally deletes the temporary file after app boot-up, I managed to capture a few copies ((2)) of the problem file into the AVG virus vault. All are listed as 17408 bytes long. But I have a bit of a learning curve to climb before I might be able to get copies safely extracted from the AVG virus vault and try getting an MD5 hash on the file.
Footnote:
=========
((1)) .paf file downloaded today from the P-Apps website reached via Google search, vice stored URL.
((2)) Eleven copies from loading various apps, some duplicated from the same app but different load operations.
AVG alert / App
===============
yes / Audacity (v 1.2.4)
yes / Firefox (v 2.0.0.8 - 2007.10.08)
yes / Notepad++ (v 4.2.2)
yes / Thunderbird (v 2.0.0.6 - 2007.07.28)
yes / Thunderbird (v 2.0.0.8 - 2007.10.08)
no / ClamWin (v 0.91.1, Updated 19:40 20 Aug 2007)
no / GAIM (2.0.0beta5)
no / GIMP (v 2.2.17)
no / KompoZer (v 0.77 - 2006.07.23)
no / OpenOffice.org (v 2.0.4 - Writer, Base, Calc)
no / Sudoku (v 1.1.7a)
no / Sunbird (v 0.3.1 - 2007.02.13)
no / VLC (v 0.8.6a)
---eom
The line listing "yes / Thunderbird (v 2.0.0.8 - 2007.10.08)" is incorrect -- apologies for inattention (saw the 2.0.0.6 & thought I had the wrong version of Firefox listed). (Note: Firefox v 2.0.0.6 also triggered the AVG alert.)
"The problem file may come an updated version of the loader"
I don't think I can agree with you here.
I do not have all the apps you list in the "no" section, but the ones I do have DO NOT create registry.dll in their temp folder [not every PA.com app needs it].
The apps you list in the "yes" section all seem to create it.
So I think it is registry.dll itself that is being detected, NOT the version of the file [or, as you say, "the loader"].
Tim
Things have got to get better, they can't get worse, or can they?
I've seen a couple of versions of the registry.dll on my machine.
One has md5 ad0c39f7ff92b650511117ffa94d2a65 and is 16,384 bytes. It is the same as is downloaded from the SF.net as version 3.3.
The other has 1af237911f21e78a1f118b14f9da3994 and is 17,408 bytes. This latter is the one that comes with Thunderbird.
MC
One of the files may have been "healed" by your anti-virus, which I think changes the actual file, giving you a different MD5 hash.
"If you're not part of the solution, you're part of the precipitate."
Nope, my AV is not misbehaving (reporting false positives or making unrequested changes to files). As far as I can tell, these are the files as distributed.
The only way to prove or disprove your theory or my assertion would be if John distributed the MD5 for the files he is using, or signed them.
MC
https://portableapps.com/node/9846