Lars said:
> That's a case for my Linux box I guess - as the Windows system here will
> refuse to open the link as long as VirusScan is up
> Otoh we already kinda know it's a false positive thanks to Ant, and
> David also found it reported by AntiVir...
Why was it a "false" positive if you find another highly regarded AV
program also alerting on the same suspect file? virustotal shows the
file was already submitted so I looked at the last report which showed
SEVERAL anti-malware products alerted on this file. I requested a
reanalyze and again SEVERAL anti-malware products alerted on this file.
I see nothing in Ant's or David's response that proves this file is not
infected or malware. Running through a debugger means looking at the
code as it currently chooses to execute. If the malware is currently
quiescent (i.e., it is dormant), the code won't proceed into the block
containing the malware. It may get triggered by some event later. Ant
did not claim to analyze all the code (unless that's what was meant by
"file structure") but just traced its execution using a debugger as it
happened to run that time on his host.
With several anti-virus programs alerting on this file, it could still
be a false positive, but that is not likely 19 days after the malware's
signature was added to several AV programs and when more than one AV
program issues an alert.
What's so special about this 3rd party executable that you MUST have it?
It's possible the file is benign but with so many AV programs saying
otherwise then perhaps you should reevaluate if you really need this file
or should get any more of them from that source.
> Edit: Virustotal reports a lot of false positives... Since the file has
> been around for a loooong time,
You said you JUST downloaded the file. I don't know what "messagemates"
are, coming from a site titled screenmates. Since you are
downloading the file, how old it is (the one you presume that you are
downloading) is irrelevant. It could've been infected right before you
downloaded it or a second after the prior time you downloaded it. The
datestamp is irrelevant because, one, you are downloading the file and
will get a new timestamp and, two, the timestamp can be altered using
the touch or other similar command to alter that file attribute.
> If there's so many viruses that pose a threat, that you cannot
> sensibly protect people against most of them without reporting false
> positives, then something is wrong with operating systems
There is no problem with embedded, single-purpose, or closed operating
systems. You are using one of those. You are using a general-purpose
OS that is designed to be modified, adapted, or extended.
> Maybe create the next generation OS of each type in a way that all
> executables run in a sandbox with restrictive settings by default, that
> only permits read access to input devices and write access to graphics
> and sound output, as well as file creation rights in a sandbox folder
> (or the program folder) and read rights to application-owned files...
Sandboxes aren't perfect. Malware can detect they are running under a
virtualized environment and remain quiescent so the user and
anti-malware programs don't detect through heuristics their malicious
behavior. The user then moves the malware to their non-sandboxed
environment and then the malware engages. Sandboxes are just more
software and it is still possible to leak outside of a sandbox.
http://taviso.decsystem.org/virtsec.pdf
http://www.seclab.tuwien.ac.at/papers/detection.pdf
A little old but still applicable. I also watched a recorded seminar
where the speaker showed many principles possible (by malware) to detect
if running in a virtualized environment and also how to leak out of it.
(It was a webcast but several months later when I wanted to see it again
I couldn't find it again.)
The locks on your house doors and perhaps a siren alarm (and maybe even
connected to a security service) are probably all you use to protect your
home because it is sufficient security without getting excessively in
your way. Do you want to get out of your car or reach out an opened
window for a handprint reader at an electrified gate to enter your
premises, review or pay someone to monitor cameras all over your yard
and inside your house, turn off ground vibration and pressure sensors
and have guards run outside when you need to let the kids or dog out
into the yard, use a keypad to get from the garage into your house,
remember to use another keypad and retinal scanner once inside the house
to keep the alarms from going off, remember to reactivate the alarms and
be sure to run back to your bedroom before the timer expires for the
laser beams, infrared sensors, temperature change sensors, vibration
sensors, and motion sensors, replace all windows with bullet-proof glass
along with lining the walls with metal sheets to prevent assassination,
and so on just to go home? Well, all that is possible but it's not
reasonable or feasible for most of us.
You get a level of security with which you are comfortable and will
tolerate. Security should, at best, be transparent and not interfere
with your host. Since security and ease-of-use are the antithesis of
each other, you have to sacrifice one to have the other.
I do use anti-virus, HIPS, Returnil, daily image backups, VMs, LUA
tokens on Internet-facing apps, and some other methods for securing my
host. Most of that runs in the background without interfering with my
use of my computer. My purpose in using my host isn't to spend lots of
time on securing it and then having to maintain that security. My
purpose is to *use* my computer.
If the security gets in the way of me using my host then it gets
discarded. There is always the performance impact on a host when adding
security but that I'm willing to tolerate but only if the impact to
responsiveness is just noticeable. A general-purpose computer is
vulnerable. Sorry, but I don't want a fixed OS, like what might be in
my washing machine or TV, for use with most apps and games.
I don't really want to get into a lengthy discussion of how to prevent
malware, but about so securing a general-purpose OS that it becomes a
burden or near impossible for use by its owner. I just wanted to express my
opinion this one time. My original intent was only to address your
concern about the suspect file and that it appears more than one
anti-virus program is alerting on it and to ponder why you really think
you need this file which looks to be non-critical and perhaps not even
really that important.
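Two points in the reply above, that a file's datestamp says nothing about its contents because it can be rewritten with `touch`, and that agreement among several AV engines is the thing to weigh, can be shown concretely. This is an added example, not code from the thread or from any of the products named in it; the engine names and verdicts are constructed sample data in the shape of a multi-engine scan report.

```python
"""Added example: mtime is trivially rewritable, the content hash is not,
and a multi-engine report is judged by how many engines agree."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Content hash: the stable identity of a file, unlike its timestamps."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backdate(path, epoch_seconds):
    """What `touch -d` does: rewrite atime and mtime without touching bytes."""
    os.utime(path, (epoch_seconds, epoch_seconds))
    return os.stat(path).st_mtime


def demo_timestamp_vs_hash():
    """Return (hash_before, hash_after, mtime_after) for a constructed file
    whose mtime is pushed back to 2003-01-01 while its bytes stay the same."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"MZ constructed sample, not a real executable\n")
        before = sha256_of(path)
        mtime = backdate(path, 1041379200)  # 2003-01-01T00:00:00Z
        after = sha256_of(path)
        return before, after, mtime
    finally:
        os.unlink(path)


def consensus(report, min_engines=2):
    """report maps engine name -> verdict string, or None for 'clean'.
    Returns (engines_alerting, engines_total, label)."""
    hits = {engine: verdict for engine, verdict in report.items() if verdict}
    label = "likely malicious" if len(hits) >= min_engines else "inconclusive"
    return len(hits), len(report), label


# Constructed sample report (engine names and verdicts are made up).
SAMPLE_REPORT = {
    "EngineA": "Trojan.Generic",
    "EngineB": "TR/Dropper.Gen",
    "EngineC": None,
    "EngineD": "Win32.Suspicious",
    "EngineE": None,
}

if __name__ == "__main__":
    print(demo_timestamp_vs_hash())
    print(consensus(SAMPLE_REPORT))
```

The hash is what to submit or compare when asking whether a download is the same file others have analyzed; the datestamp carries no such information.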