As a few people have mentioned, McAfee and AVG are currently throwing false positives on several of the portable launchers. I'd like to address a few questions:
What is registry.dll?
It's a plugin that's part of the Nullsoft Scriptable Installer System for reading, writing, exporting and importing from the registry. It's a standard plugin included with the language and is used by any NSIS-based installers (or our launchers) that do anything with the registry. (As an aside, folks like Winamp, Mozilla, Kaspersky, Google and even AVG themselves use NSIS. Here's a list.)
Why is it showing up in my temp directory?
NSIS extracts its plugins to the temp directory and runs them from there while it is running. It then removes them when the run is complete.
So why is it being detected as a false positive?
Most antivirus companies don't test their definitions files as well as they used to. So, we wind up with bad definitions being pushed out to millions of users that detect clean software as having a virus. This is most obvious when the antivirus software is detecting a new virus in a file that hasn't been altered since before the virus existed (though I don't think that is the case this time).
Why did my antivirus delete the file?
If it deleted it without asking you, you should switch to an antivirus product that works properly. It should ask if you'd like to delete it, quarantine it or just deny access to it.
Why don't you want reports in the forums?
Because it just gets reported over and over and over again, which accomplishes nothing.
Why don't you have the antivirus companies fix it?
Unless you are a customer of the commercial antivirus company, there's usually nothing at all you can do about it. Nothing. Even with the free companies, they often ignore messages sent to them. The only one that responded when I sent in a false-positive report was Clam and it took them a few days to fix it. Luckily, they hardly ever have false positives.
So what can we do?
If you're a customer of the antivirus company, contact them and let them know that their definitions are broken again. Other than that, not much.
The bottom line is that this is going to keep happening and there's not much of anything we can do about it. Firefox Portable accounts for 1% of all Firefox downloads each month, so we're not talking about small apps used by a handful of users. We're talking about millions here. But, the quality control at antivirus companies is slipping and that doesn't appear to be changing. So, we're stuck with it the way it is. I may create a hall of shame page that lists the companies that are messing up (NSIS does this here but only for the base product, not the included plugins).
Regards,
John
John,
Thank you for responding.
It might be a good idea if we could collect the URLs and/or email addresses of the big companies used for reporting false positives.
I've tried and it's not easy.
You'd think it would be something simple like:
www.[antimalwarecompany].com/falsepositives.html
but it never is
Tim
Things have got to get better, they can't get worse, or can they?
Hall of shame sounds good! I would also like to point out that I use F-Secure (which I believe uses the same engine as Kaspersky) and it has never had any problems.
Sorry for the nooby question, but it is something many people may want to know about. Will this false positive cause my antivirus to possibly delete programs on my thumbdrive?
So far the behavior is:
So far no one has reported that anything on the USB drive itself has been affected, just the DLL created in the temp directory.
Note that if the AV software suddenly decides that your checkbook register or contact list is really a virus, it could delete it without much warning. Not hugely likely, but a possibility nonetheless. Keeping a backup somewhere safe would be a good thing.
Otherwise, we haven't seen anything on the USB drive itself being deleted.
MC
It will do so only if you (or your default settings) tell it to. I use Symantec, and it gives me options to delete/quarantine/skip based on what I want. I can set this as default or as something that I can decide each time.
That's what John said in his original post, that if you can't change it, get a better AV program. Which one are you using?
Don't be an uberPr∅. They are stinky.
I use my dad's computers often, which have McAfee. It works okay, but sometimes doesn't ask if it can delete stuff. Cannot change my dad's AV around though.
EDIT: One of my dad's PCs has Symantec on it.
-- Thanx John for the quick response on this. Very helpful.
-- I tipped this info from this thread to "Castle Cops" (http://www.castlecops.com/), author of an item on the "registry.dll" file with the same file length (17408 bytes). (NOTE: I did run across a McAfee website indication (at http://vil.nai.com/vil/content/v_99115.htm ) that there is a file "REGISTRY.DLL" (54272 bytes) that was packed with the UPX packer program and is considered a component of the "W32/Leave.worm.gen" (discovered 2001.06.22).)
-- Interestingly enough, I noticed that AVG shot itself in its own foot this evening as it caught itself using the same "registry.dll" file to activate its automatic update feature. I imagine it shan't take too long for them to get this one adjusted.
that happened to me as well
Please search before posting. ~Thanks
As of 12:00pm USA Central Time:
from http://virusscan.jotti.org/
File: registry.dll
MD5: 1af237911f21e78a1f118b14f9da3994
Status: OK
(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
AVG Antivirus: Found nothing
Things have got to get better, they can't get worse, or can they?
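The jotti result above identifies the file by MD5 and the earlier post distinguishes the legitimate plugin from the worm component by size and UPX packing. The following is an added triage helper, not code from PortableApps.com, NSIS or any poster in this thread: it fingerprints a file (size, MD5, SHA-256, presence of the UPX marker) and classifies it against the indicators quoted in the thread. The indicator sets are assumptions built only from values on this page; the "UPX!" marker is the string UPX leaves in packed executables.

```python
"""Triage helper for a file an antivirus product has flagged.

Added example (not the project's or any poster's code). Fingerprints the
file and compares it against indicators taken from this thread.
"""
import hashlib

# Indicators quoted in the thread: the legitimate NSIS registry.dll is
# 17,408 bytes with MD5 1af237911f21e78a1f118b14f9da3994; the W32/Leave
# component of the same name is 54,272 bytes and UPX-packed.
KNOWN_GOOD_MD5 = {"1af237911f21e78a1f118b14f9da3994"}   # from the jotti post
SUSPECT_SIZES = {54272}                                 # from the McAfee note
UPX_MARKER = b"UPX!"   # string present in UPX-packed executables


def fingerprint(data: bytes) -> dict:
    """Return size, hashes and a UPX-packing hint for the given file bytes."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "upx_packed": UPX_MARKER in data,
    }


def classify(fp: dict, known_good_md5=KNOWN_GOOD_MD5,
             suspect_sizes=SUSPECT_SIZES) -> str:
    """Map a fingerprint to a triage verdict.

    A hash match against a known-good sample settles the question; a size
    match alone does not, so the suspect profile also requires the UPX
    marker that the McAfee description mentions.
    """
    if fp["md5"] in known_good_md5:
        return "known-good"
    if fp["size"] in suspect_sizes and fp["upx_packed"]:
        return "matches-suspect-profile"
    if fp["upx_packed"]:
        return "packed-unknown"
    return "unknown"


def triage_file(path: str) -> tuple:
    """Read a file from disk and return (fingerprint, verdict)."""
    with open(path, "rb") as f:
        data = f.read()
    fp = fingerprint(data)
    return fp, classify(fp)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <path-to-registry.dll> [more files...]
    for p in sys.argv[1:]:
        fp, verdict = triage_file(p)
        print(f"{p}: size={fp['size']} md5={fp['md5']} "
              f"sha256={fp['sha256'][:16]}... upx={fp['upx_packed']} -> {verdict}")
```

Record the SHA-256 alongside the MD5 when you submit a false-positive report: MD5 is what the scanner sites of the time printed, but it is no longer collision resistant, so a second hash makes the sample you are describing unambiguous.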
Actually I got a warning on NSIPortable beta. It's one of the first 'false' positives... It was the registry DLL and I haven't actually installed it. If it's this DLL that causes a problem I would suggest UPX-ing it using another compression scheme. Is it known what scheme was used to compress it?
Just got our network security team at work to report the false positive to McAfee.
They confirmed it is a false positive and issued a .dat file to stop the alert in McAfee.
It will be included in tonight's definition update from McAfee.
They responded within about 30 minutes, which I guess is pretty good service really!
If you want the fix right now, just save the following text in a file called "C:\Program Files\Common Files\Network Associates\Engine\EXTRA.DAT" (or wherever your install has its Engine folder).
Then reboot your PC to pick up the change.
Alternatively, wait for the overnight update!
Here's the text for the file (strip off the quotes but keep the new lines and spaces):
I just restarted my system for the third time (had to play around with directories for Comcast McAfee (C:\Program Files\McAfee\VirusScan\DAT\5150.0\EXTRA.DAT works for me)) and NO POPUP for registry.dll!!! Thanx to you martinmiles!!
aka Major PITA... ask me what it means, as you will be amused...
I actually got my first AVG false this week. Thanks for making a point about this though.
Life is about the journey not the destination!
The Kazoo Spartan
My work computer (which is limited in what I can modify in McAfee since we don't have admin rights) keeps giving virus messages with portable firefox. (Actually, it's U3's version, which I assume is the same thing as portableapps.com). I did add the DAT file as suggested and did have my virus definitions updated (one of the few things they DO allow me to do). Generic Start Page.r is the mis-identified virus.
I guess I can simply ignore them, it's just a bit disconcerting.
If you downloaded one of the 2.0 Firefox for U3 releases floating around, it's unofficial and unsupported (and it does immature undocumented things like remove PortableApps.com bookmarks from your bookmark files... nice huh?). It's based on an old version of Firefox Portable's code and has known bugs (like leaving stuff behind on each PC you run it on).
Sometimes, the impossible can become possible, if you're awesome!
I guess I should change to your PortableApps Firefox instead. Is there some way I could simply swap the executable without doing a full uninstall/reinstall? -- EDIT: no, it appears I need to separately install Portable Firefox and uninstall the U3 one...