
Installation Trojan


12 replies to this topic

#1 Parsley

Parsley

    Newbrie

  • Members
  • 3 posts

Posted 17 February 2009 - 10:28 AM

Hi, I was wondering if anyone else has seen this. I have just purchased the Pro version of Sourceboost from a reputable source (Farnell). When I attempt to install it, my copy of Norton stops the installation, reporting a trojan.

The file in question is is-jiev3.tmp which is found in C:\program files\sourceboost.

My boss needs this to be clarified before I can proceed with the installation. Is this really a trojan, or is Norton being over cautious? I can find nothing about this file.

Many thanks & best regards.

#2 Pavel

Pavel

    Super Maniac

  • Administrators
  • 1,441 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 17 February 2009 - 11:14 AM

This is not a trojan. It looks like a drawback of the heuristic trojan detection algorithm used by Norton, which can sometimes report false positives. To be sure, please check the linker file yourself on:

http://www.virustotal.com

Regards,
Pavel

#3 DPB

DPB

    Newbrie

  • Members
  • 2 posts

Posted 17 February 2009 - 11:22 AM

Thanks for your prompt reply Pavel, much appreciated.

Best regards.

#4 Fizzel

Fizzel

    Newbrie

  • EstablishedMember
  • 14 posts

Posted 14 January 2011 - 08:09 AM

Hello there,

I installed SourceBoost 6.xx and upgraded it to 7.xx. Now I have a lot of trojan messages every time I start my computer. They all link to the SourceBoost install directory => "preg.exe", "is-HTMM1.temp", "is-NPNOL.tmp", "is-4FRNT.tmp", "is-ANU6A.tmp", "is-W5MPL.tmp", and Symantec told me it is a Trojan-Gen.2 infection.

How can I get rid of this? My PC is on a network and the administrator won't be very amused about that :unsure:

#5 Pavel

Pavel

    Super Maniac

  • Administrators
  • 1,441 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 14 January 2011 - 08:17 AM

> Hello there,
>
> I installed SourceBoost 6.xx and upgraded it to 7.xx. Now I have a lot of trojan messages every time I start my computer. They all link to the SourceBoost install directory => "preg.exe", "is-HTMM1.temp", "is-NPNOL.tmp", "is-4FRNT.tmp", "is-ANU6A.tmp", "is-W5MPL.tmp", and Symantec told me it is a Trojan-Gen.2 infection.
>
> How can I get rid of this? My PC is on a network and the administrator won't be very amused about that :unsure:


preg.exe is part of SourceBoost installation and there are no trojans in it. Other files that you listed (.tmp ones) are not from SourceBoost. Do you know where they come from?

Regards,
Pavel

#6 Fizzel

Fizzel

    Newbrie

  • EstablishedMember
  • 14 posts

Posted 14 January 2011 - 09:17 AM

No, I don't know where they came from. After installation it was only preg.exe that Symantec identified as a trojan. Today I started my PC and the .tmp files appeared. Now Symantec has put these files into quarantine. Do I need preg.exe to run SourceBoost correctly? I already registered my SB version...

#7 IanM

IanM

    Enthusiast

  • EstablishedMember
  • 161 posts
  • Gender:Male
  • Location:UK

Posted 14 January 2011 - 11:40 AM

> No, I don't know where they came from. After installation it was only preg.exe that Symantec identified as a trojan. Today I started my PC and the .tmp files appeared. Now Symantec has put these files into quarantine. Do I need preg.exe to run SourceBoost correctly? I already registered my SB version...


Symantec have a certain reputation for false positives. Programs that patch or generate Windows executables or DLLs are frequently misdetected, as after all that is what viruses are trying to do. Anyone who has used a PC C compiler regularly will know that the output directory usually needs excluding from any virus scans. I GUESS that PREG may be doing something to the Windows binaries so that they can be traced back to a particular licence number and customer for obvious licensing reasons, and this is what has triggered it. IMHO you should report the false positive to Symantec in the hope that the next update will fix the problem. If the network administrator doesn't have established procedures in place for dealing with false positives, you need to change your network administrator! Can't help with how essential PREG is, but has its quarantining broken either the IDE or the compilers?

#8 Fizzel

Fizzel

    Newbrie

  • EstablishedMember
  • 14 posts

Posted 14 January 2011 - 12:31 PM

Till now I haven't had any problems with the SB v7.xx IDE after quarantining preg.exe. I will contact Symantec; maybe they can help. But is it allowed to send Symantec the preg.exe if they ask for it?

Thx for RE

#9 tsmith35

tsmith35

    Newbrie

  • EstablishedMember
  • 10 posts

Posted 14 January 2011 - 10:32 PM

I had a similar problem with Avira AntiVir detecting preg.exe as being infected. I submitted the file to Avira and they told me it was not infected, but they also said:

> The file 'preg.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will not be removed due to the fact that the file does not belong to a regular piece of software. This software can be used for an evasion of security protections in several computer programs. If we will find some malicious code inside the suspicious file anyway, we will integrate the pattern recognition in one of our next updates. In case AntiVir can detect this file we will not change or remove our detection.

I resubmitted the file and this time explained that it DOES belong to a regular piece of software. I guess they thought it was a crack or something. I included a link to the SourceBoost download and a link to the forum. It would help if the use of preg.exe was documented somewhere on the SourceBoost site, but it is not. In any case, I had to add preg.exe to the ignore list in Avira to get it to run.

Edited by tsmith35, 14 January 2011 - 10:34 PM.


#10 Dave

Dave

    Super Maniac

  • Administrators
  • 2,091 posts
  • Gender:Male
  • Location:UK
  • Interests:How things work, Electronics, Software, Cycling.

Posted 15 January 2011 - 08:57 PM

McAfee is also generating false reports of a trojan in preg.exe.

If in doubt, check the files here: http://www.virustotal.com

Regards
Dave

#11 tsmith35

tsmith35

    Newbrie

  • EstablishedMember
  • 10 posts

Posted 18 January 2011 - 05:30 AM

> McAfee is also generating false reports of a trojan in preg.exe.
>
> If in doubt, check the files here: http://www.virustotal.com
>
> Regards
> Dave

I wrote to Avira support and explained what was going on. They removed the false positive. A number of other antivirus products still detect a trojan in preg.exe. I plan to email a few of them and request removal as a false detection.

Edit: The following companies have agreed to remove the false positive detection in their next updates: Kaspersky, VirusBuster, Jiangmin, VirusLab, McAfee, Quick Heal, and Ikarus

ClamAV's detection simply reports that the file is compressed with Armadillo, and CP Secure was bought by Netgear and doesn't appear to have a means of reporting false positives.

Edit: VBA32 has fixed the false positive as well. I tried to get through to Antiy-AVL, but they haven't bothered to respond and their site doesn't appear to provide any means of reporting false positives (or new viruses). Not very impressive.

Edited by tsmith35, 21 January 2011 - 06:19 PM.


#12 tsmith35

tsmith35

    Newbrie

  • EstablishedMember
  • 10 posts

Posted 26 January 2011 - 01:25 PM

> Edit: VBA32 has fixed the false positive as well. I tried to get through to Antiy-AVL, but they haven't bothered to respond and their site doesn't appear to provide any means of reporting false positives (or new viruses). Not very impressive.

Panda was reporting preg.exe as a suspicious file (on VirusTotal), and after a dozen emails back and forth with them, I finally got ahold of someone who knew where to send false positive submissions. They checked it and removed it from their "suspicious" list.

A scan of preg on VirusTotal now only has 4 detections:
Antiy-AVL: Backdoor/Win32.Bifrose.gen (VirusTotal)
CAT-QuickHeal: (Suspicious) - DNAScan (VirusTotal)
ClamAV: PUA.Packed.Armadillo (VirusTotal and Jotti)
CP Secure: Packed.W32.Black.d (Jotti)

Antiy Labs, a Chinese company famous for being the first to detect Stuxnet, is the worst AV company I've dealt with so far. I sent emails to all of the email addresses listed on their site, but I haven't received even one response. They appear to have no way to send them suspicious files or false positives.

CAT-QuickHeal removed their original detection, but it seems their heuristic detection sees preg as suspicious. I may re-submit a FP report to try and get that fixed.

ClamAV detects Armadillo protection, but it's not a virus detection per se, and they don't remove file protection reports (per their site). They also didn't bother to respond to my requests.

CP Secure doesn't appear to have any means to submit suspicious files or false positives either. CP Secure was recently bought by Netgear, and Netgear support has no idea how or where to send them samples. At least they responded to my questions.

After a total of 49 emails and a half dozen online sample submission forms, I learned a lot from my attempts to get this false positive detection removed from the numerous antivirus companies. Some companies make it easy, some make it impossible, and most are willing to help if you can find the right person. I just hope the next version of SourceBoost doesn't get detected as a virus or trojan... :lol:

Edited by tsmith35, 26 January 2011 - 01:26 PM.
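The triage the thread does by hand (hash the file, look it up on VirusTotal, and weigh packer notices and heuristic hits differently from agreed named-family detections) can be scripted. The following is an added example, not code from SourceBoost or from anyone in this thread. It assumes the VirusTotal v3 `GET /api/v3/files/{sha256}` report layout (`last_analysis_results` keyed by engine name, each with a `result` string or null); the classification regexes are this example's own heuristics, and both reports embedded below are constructed, the first modelled on the four residual detections listed in the post above.

```python
"""Hash-based VirusTotal triage for a suspected antivirus false positive.

Added example (not SourceBoost's code). Assumes the VirusTotal v3
GET /api/v3/files/{sha256} report shape; the regexes are this example's own
heuristics and both reports below are constructed.
"""
import hashlib
import re
from collections import Counter

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vt_lookup_url(data: bytes) -> str:
    """Look the binary up by hash instead of uploading a licensed installer to
    a third party; a report exists if anyone has submitted the file before."""
    return VT_FILES_URL + sha256_hex(data)


# Packer / PUA notices (ClamAV's Armadillo report is one) describe how the file
# is wrapped, not what it does. Generic/heuristic hits are weak on their own.
PACKER_RE = re.compile(r"packed|packer|armadillo|\bpua\b", re.I)
GENERIC_RE = re.compile(r"suspicious|heur|\bgen(eric)?\b|dnascan", re.I)


def classify(result):
    """Map one engine's signature string to clean / packer / generic / named."""
    if not result:
        return "clean"
    if PACKER_RE.search(result):
        return "packer"
    if GENERIC_RE.search(result):
        return "generic"
    return "named"


def triage(report: dict, named_threshold: int = 2) -> dict:
    """Count verdict kinds across engines. Escalate only when several engines
    name a specific family; otherwise treat the hit as a probable false positive
    to be confirmed with the vendor (the route taken in this thread)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    kinds = Counter()
    named = []
    for engine, entry in results.items():
        kind = classify(entry.get("result"))
        kinds[kind] += 1
        if kind == "named":
            named.append(engine)
    total = len(results)
    flagged = total - kinds["clean"]
    if len(named) >= named_threshold:
        verdict = "escalate"
    elif flagged == 0:
        verdict = "clean"
    else:
        verdict = "likely-false-positive"
    return {"engines": total, "flagged": flagged, "packer": kinds["packer"],
            "generic": kinds["generic"], "named": sorted(named), "verdict": verdict}


def _entry(result):
    return {"category": "malicious" if result else "undetected", "result": result}


# Constructed report modelled on the four residual detections listed above, with
# vendors that withdrew their detection shown as undetected.
PREG_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "Antiy-AVL": _entry("Backdoor/Win32.Bifrose.gen"),
    "CAT-QuickHeal": _entry("(Suspicious) - DNAScan"),
    "ClamAV": _entry("PUA.Packed.Armadillo"),
    "CP Secure": _entry("Packed.W32.Black.d"),
    "Avira": _entry(None), "Kaspersky": _entry(None),
    "McAfee": _entry(None), "Panda": _entry(None),
}}}}

# Constructed contrast case: several engines naming the same (made-up) family.
CONSENSUS_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "EngineA": _entry("Trojan.Win32.SampleFamily.a"),
    "EngineB": _entry("Trojan:Win32/SampleFamily"),
    "EngineC": _entry("W32/SampleFamily.b"),
    "EngineD": _entry(None),
}}}}

if __name__ == "__main__":
    print(vt_lookup_url(b"placeholder bytes, not the real preg.exe"))
    print(triage(PREG_REPORT))       # packer/generic signals only
    print(triage(CONSENSUS_REPORT))  # named family from three engines
```

Run against the constructed preg-style report the verdict is `likely-false-positive` with two packer and two generic hits and no named family, which matches the reasoning in the posts above; the contrast report escalates because three engines agree on a name. The threshold and the regex lists are the knobs to tune for a given environment.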


#13 Dave

Dave

    Super Maniac

  • Administrators
  • 2,091 posts
  • Gender:Male
  • Location:UK
  • Interests:How things work, Electronics, Software, Cycling.

Posted 26 January 2011 - 09:58 PM

tsmith35,

> After a total of 49 emails and a half dozen online sample submission forms, I learned a lot from my attempts to get this false positive detection removed from the numerous antivirus companies. Some companies make it easy, some make it impossible, and most are willing to help if you can find the right person. I just hope the next version of SourceBoost doesn't get detected as a virus or trojan... :lol:

Thanks for all your efforts.

Regards
Dave


