Archive: Antivir : new false positive on nsExec ?


Hi guys,


This morning my AntiVir Guard (on-access virus scanner) detected some malware 'TR/Agent.ame' in some of my NSIS installers. The files were compiled with NSIS 2.27 and hadn't changed for months so I immediately thought of a False Positive. I stripped down my scripts to this :

Name "Example1"
OutFile "example1.exe"
InstallDir $PROGRAMFILES\Example1

Page directory
Page instfiles


Section ""

SetOutPath $INSTDIR
File example1.nsi

; this line generates a false positive with Antivir
nsExec::ExecToStack 'C:\Windows\Notepad.exe'

SectionEnd


I then submitted the result file to virustotal.com (as suggested on the False Positives page http://nsis.sourceforge.net/NSIS_False_Positives ) and here are the results :

Antivirus Version Update Result
AhnLab-V3 2007.6.27.0 06.27.2007 no virus found
AntiVir 7.4.0.34 06.27.2007 TR/Agent.ame
Authentium 4.93.8 06.26.2007 no virus found
Avast 4.7.997.0 06.26.2007 no virus found
AVG 7.5.0.476 06.27.2007 no virus found
BitDefender 7.2 06.27.2007 no virus found
CAT-QuickHeal 9.00 06.26.2007 no virus found
ClamAV devel-20070416 06.27.2007 no virus found
DrWeb 4.33 06.27.2007 no virus found
eSafe 7.0.15.0 06.26.2007 no virus found
eTrust-Vet 30.8.3744 06.26.2007 no virus found
Ewido 4.0 06.27.2007 no virus found
FileAdvisor 1 06.27.2007 no virus found
Fortinet 2.91.0.0 06.27.2007 no virus found
F-Prot 4.3.2.48 06.26.2007 no virus found
F-Secure 6.70.13030.0 06.27.2007 no virus found
Ikarus T3.1.1.8 06.27.2007 no virus found
Kaspersky 4.0.2.24 06.27.2007 no virus found
McAfee 5061 06.26.2007 no virus found
Microsoft 1.2701 06.27.2007 no virus found
NOD32v2 2358 06.27.2007 no virus found
Norman 5.80.02 06.27.2007 no virus found
Panda 9.0.0.4 06.26.2007 Suspicious file
Sophos 4.19.0 06.24.2007 no virus found
Sunbelt 2.2.907.0 06.26.2007 no virus found
Symantec 10 06.27.2007 no virus found
TheHacker 6.1.6.139 06.27.2007 no virus found
VBA32 3.12.0.2 06.26.2007 no virus found
VirusBuster 4.3.23:9 06.27.2007 no virus found
Webwasher-Gateway 6.0.1 06.27.2007 Trojan.Agent.ame


Only AntiVir and Panda find the file offensive. Seems like a false positive to me ! Can anyone notify Avira ? I think the faulty update is this one : http://original.avira.com/en/threats...ml?id_vdf=4020

Yes, anyone can. Perhaps you should.
With Symantec, it has a way to submit files built into the software, perhaps AntiVir has that option?


Antivir - nothing found, NSIS 2.28

BUILD.DAT : 284 15691 Bytes 16.04.2007 16:23:00
AVSCAN.EXE : 7.0.4.13 282664 Bytes 02.04.2007 08:36:40
AVSCAN.DLL : 7.0.4.0 41000 Bytes 07.03.2007 07:39:18
LUKE.DLL : 7.0.4.11 143400 Bytes 27.03.2007 11:26:00
LUKERES.DLL : 7.0.4.0 10792 Bytes 27.02.2007 10:19:06
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31.05.2006 12:14:26
ANTIVIR1.VDF : 6.38.1.170 5569024 Bytes 21.05.2007 07:31:40
ANTIVIR2.VDF : 6.39.0.51 779776 Bytes 25.06.2007 07:31:40
ANTIVIR3.VDF : 6.39.0.69 162816 Bytes 28.06.2007 07:31:40
AVEWIN32.DLL : 7.4.0.34 2478592 Bytes 19.06.2007 08:47:34
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26.02.2007 09:36:23
AVPREF.DLL : 7.0.2.1 24616 Bytes 27.03.2007 11:20:44
AVREP.DLL : 7.0.0.1 155688 Bytes 28.06.2007 07:30:20
AVPACK32.DLL : 7.3.0.13 360488 Bytes 27.06.2007 12:29:12
AVREG.DLL : 7.0.1.2 31784 Bytes 15.03.2007 08:05:04
AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 27.03.2007 11:16:01
AVARKT.DLL : 1.0.0.12 274472 Bytes 27.03.2007 11:31:08
NETNT.DLL : 7.0.0.0 7720 Bytes 08.03.2007 10:09:03
RCIMAGE.DLL : 7.0.1.15 2461736 Bytes 13.03.2007 10:07:33
RCTEXT.DLL : 7.0.45.0 86056 Bytes 16.03.2007 12:59:16
DrWeb - nothing found
McAfee - nothing found

NOD32 is fine, nothing found
(3*portable, NOD installed)

Aaaaaaallright ! Looks like Antivir corrected its definition file with today's update.

Thank you very much :)