Re: [Windows] ClamAV detects Meld as a Trojan.
- From: "Matias N. Goldberg" <dark_sylinc yahoo com ar>
- To: "meld-list gnome org" <meld-list gnome org>
- Subject: Re: [Windows] ClamAV detects Meld as a Trojan.
- Date: Mon, 3 Feb 2014 16:41:01 -0800 (PST)
Hi! Thanks for the quick version
The new version is no longer detected by my ClamAV as a virus.
What's very strange is that I re-ran the test in virustotal for meld.exe. Same hash, same filename, but now with a 6/51 detection rate.
meldc.exe, however, has a much lower detection ratio (3/50).
It may be worth noticing that none of the antiviruses agree on the type of virus being detected, meaning there's a high chance of it being a false positive (one of the initial fears is that the uploader/packager's PC is infected).
Compressed files are always hard to detect by antiviruses. Is the compression ratio really that high to justify UPX/MPRESS?
Cheers
Matías
From: Keegan Witt <keeganwitt gmail com>
To: Meld List <meld-list gnome org>
Sent: Sunday, February 2, 2014 23:46
Subject: Re: [Windows] ClamAV detects Meld as a Trojan.
Thank you for pointing this out. For what it's worth, I assure you it's clean :) I did some Googling, it seems antivirus programs have been flagging executables compressed with UPX as being trojans. I updated my AutoHotkey I've been using to compile meld.exe and meldc.exe, the new version now uses MPRESS for compression instead of UPX. When I re-ran the scan with the recompiled versions, it looked cleaner, but there were engines that kept timing out. But when I ran the scan on just meld.exe, only Rising and VBA32 complained so I think I'm on to something here. Could you see if you are able to get a complete result with the test versions I've uploaded here: https://sourceforge.net/projects/meld-installer/files/Testing/? If it looks like this improves the false positives (which given what I saw with meld.exe results, it should) I'll go ahead and move these out of testing as an official release.
-Keegan