NSIS - False Positives?

John259

I've got NSIS installed (Nullsoft Scriptable Install System).

MS AntiSpyware lists the following NSIS files as being
malicious:

C:\Program Files\NSIS\Plugins\Math.dll
C:\Program Files\NSIS\Plugins\nsis.dll
C:\Program Files\NSIS\Plugins\nsisdll.dll

While NSIS could be used to create malicious software, I
don't think NSIS itself could be categorised as being
malicious. So is it safe to assume that these alerts are
false positives? If so, is there any chance of this
situation being corrected in the future please?

Also, is there a confusion with NSIS in the "Next Steps in
Signaling" protocol sense, maybe?

I'd greatly appreciate any comments.

John
 
Jason McKinnon

As much as I hate "me too" postings, I have to agree that this is getting
particularly annoying. I have reported this countless times through the
false positives reporting page, as well as posted a number of times to the
newsgroups. The ironic part is that after reporting the false positive in
5717, in which it was detected as threat level "High", it got upgraded to
threat level "Severe" in 5719. And after pressing ignore every morning for
the past few weeks, I was really hoping that when 5721 was installed this
morning, it would finally go away. Well, it didn't - it's still coming up
as severe. This is almost like saying that InstallShield and Windows
Update, or even Microsoft's XML Parser are trojans because they can download
and execute files directly from the web. There are very legitimate reasons
why an installer might need to download files from the web and I have
difficulty seeing why the signature developers are having a hard time with
this.

NSIS went through this very same battle with most of the antivirus vendors
in August last year (including McAfee and Symantec), and they all finally
fixed their signatures and all was well until now.

Here is the confirmation from McAfee that it is indeed a false positive:
http://vil.nai.com/vil/content/v_127777.htm

Here is the message from Nullsoft asking users to contact vendors of
software detecting their software as a virus / trojan:
http://nsis.sourceforge.net/index.php?id=2&backPID=2&tt_news=14

Here is a link to the source code for NSISdl (if someone can point out where
it's doing something "bad", I will gladly get onto the developers' case
about it):
http://cvs.sourceforge.net/viewcvs.py/nsis/NSIS/Contrib/NSISdl/nsisdl.cpp
http://cvs.sourceforge.net/viewcvs.py/nsis/NSIS/Contrib/NSISdl/nsisdl.cpp?view=markup

Looking forward to resolution.

Thanks
Jason
 
Steve Dodson [MSFT]

I am investigating.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
