
Installation Trojan


Hi, I was wondering if anyone else has seen this. I have just purchased the Pro version of Sourceboost from a reputable source (Farnell). When I attempt to install it, my copy of Norton stops the installation, reporting a trojan.

 

The file in question is "is-jiev3.tmp", which is found in C:\program files\sourceboost.

 

My boss needs this to be clarified before I can proceed with the installation. Is this really a trojan, or is Norton being over cautious? I can find nothing about this file.

 

Many thanks & best regards.


This is not a trojan. It looks like a drawback of the heuristic trojan detection algorithm used by Norton, which can sometimes report false positives. To be sure, please check the linker file yourself on:

 

http://www.virustotal.com

 

Regards,

Pavel


Hello there,

 

I installed SourceBoost 6.xx and upgraded it to 7.xx. Now I get a lot of trojan messages every time I start my computer. They all point to the SourceBoost install directory => "preg.exe", "is-HTMM1.temp", "is-NPNOL.tmp", "is-4FRNT.tmp", "is-ANU6A.tmp", "is-W5MPL.tmp", and Symantec told me it is a Trojan-Gen.2 infection.

 

How can I get rid of this? My PC is in a network and the administrator won't be very amused about that :unsure:


preg.exe is part of the SourceBoost installation and there are no trojans in it. The other files that you listed (the .tmp ones) are not from SourceBoost. Do you know where they come from?

 

Regards,

Pavel


No, I don't know where they came from. After installation it was only preg.exe that Symantec identified as a trojan. Today I started my PC and the .tmp files appeared. Now Symantec has put these files into quarantine. Do I need preg.exe to run SourceBoost correctly? I have already registered my SB version...

Symantec has a certain reputation for false positives. Programs that patch or generate Windows executables or DLLs are frequently misdetected, as after all that is what viruses are trying to do. Anyone who has used a PC C compiler regularly will know that the output directory usually needs excluding from any virus scans. I GUESS that PREG may be doing something to the Windows binaries so that they can be traced back to a particular licence number and customer, for obvious licensing reasons, and this is what has triggered it. IMHO you should report the false positive to Symantec in the hope that the next update will fix the problem. If the network administrator doesn't have established procedures in place for dealing with false positives, you need to change your network administrator! Can't help with how essential PREG is, but has its quarantining broken either the IDE or the compilers?


Till now I haven't had any problems with the SB v7.xx IDE after quarantining preg.exe. I will contact Symantec; maybe they can help. But is it allowed to send Symantec the preg.exe if they ask for it?

 

Thanks for the reply.


I had a similar problem with Avira AntiVir detecting preg.exe as being infected. I submitted the file to Avira and they told me it was not infected, but they also said:

 

The file 'preg.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will not be removed due to the fact that the file does not belong to a regular piece of software. This software can be used for an evasion of security protections in several computer programs. If we will find some malicious code inside the suspicious file anyway, we will integrate the pattern recognition in one of our next updates. In case AntiVir can detect this file we will not change or remove our detection.

 

I resubmitted the file and this time explained that it DOES belong to a regular piece of software. I guess they thought it was a crack or something. I included a link to the SourceBoost download and a link to the forum. It would help if the use of preg.exe was documented somewhere on the SourceBoost site, but it is not. In any case, I had to add preg.exe to the ignore list in Avira to get it to run.

Edited by tsmith35

McAfee is also generating false reports of a trojan in preg.exe

 

If in doubt, check the files here: http://www.virustotal.com

 

Regards

Dave

I wrote to Avira support and explained what was going on. They removed the false positive. A number of other antivirus products still detect a trojan in preg.exe. I plan to email a few of them and request removal as a false detection.

 

Edit: The following companies have agreed to remove the false positive detection in their next updates: Kaspersky, VirusBuster, Jiangmin, VirusLab, McAfee, Quick Heal, and Ikarus

 

ClamAV's detection simply reports that the file is compressed with Armadillo, and CP Secure was bought by Netgear and doesn't appear to have a means of reporting false positives.

 

Edit: VBA32 has fixed the false positive as well. I tried to get through to Antiy-AVL, but they haven't bothered to respond and their site doesn't appear to provide any means of reporting false positives (or new viruses). Not very impressive.

Edited by tsmith35

Panda was reporting preg.exe as a suspicious file (on VirusTotal), and after a dozen emails back and forth with them, I finally got ahold of someone who knew where to send false positive submissions. They checked it and removed it from their "suspicious" list.

 

A scan of preg on VirusTotal now only has 4 detections:

Antiy-AVL: Backdoor/Win32.Bifrose.gen (VirusTotal)

CAT-QuickHeal: (Suspicious) - DNAScan (VirusTotal)

ClamAV: PUA.Packed.Armadillo (VirusTotal and Jotti)

CP Secure: Packed.W32.Black.d (Jotti)

 

Antiy Labs, a Chinese company famous for being the first to detect Stuxnet, is the worst AV company I've dealt with so far. I sent emails to all of the email addresses listed on their site, but I haven't received even one response. They appear to have no way to send them suspicious files or false positives.

 

CAT-QuickHeal removed their original detection, but it seems their heuristic detection sees preg as suspicious. I may re-submit a FP report to try and get that fixed.

 

ClamAV detects Armadillo protection, but it's not a virus detection per se, and they don't remove file protection reports (per their site). They also didn't bother to respond to my requests.

 

CP Secure doesn't appear to have any means to submit suspicious files or false positives either. CP Secure was recently bought by Netgear, and Netgear support has no idea how or where to send them samples. At least they responded to my questions.

 

After a total of 49 emails and a half dozen online sample submission forms, I learned a lot from my attempts to get this false positive detection removed from the numerous antivirus companies. Some companies make it easy, some make it impossible, and most are willing to help if you can find the right person. I just hope the next version of SourceBoost doesn't get detected as a virus or trojan... :lol:

Edited by tsmith35

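Two posts in this thread point at the same check: Pavel's advice to run the flagged file through VirusTotal, and tsmith35's finding that ClamAV reports preg.exe only as PUA.Packed.Armadillo, a packer report rather than a malware detection. The Python below is an added example, not SourceBoost's code and not any AV vendor's tooling, of how an engineer would triage such a file before escalating it: hash the file so it can be looked up or quoted in a false-positive report without mailing the binary around (which also sidesteps the licence question raised above about sending preg.exe to Symantec), optionally compare it with a vendor-published hash (the page does not say SourceBoost publishes one, so that check is assumed), and measure byte entropy, the signal that packer heuristics respond to. The VirusTotal permalink format and the 7.0 bits-per-byte threshold are assumptions, and the two sample blobs are constructed here, not real files from the installer.

```python
"""Triage helper for a file an AV product has flagged.

Added example, not SourceBoost's or any AV vendor's code. It hashes the
file for lookup or submission, optionally checks it against a published
hash, and measures byte entropy, which is what packer heuristics such as
ClamAV's PUA.Packed.Armadillo report react to.
"""
import hashlib
import math
from collections import Counter
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hash to look up on VirusTotal or quote in a false-positive report."""
    return hashlib.sha256(data).hexdigest()


def virustotal_permalink(data: bytes) -> str:
    # Assumed URL shape for a lookup by hash; the thread only gives the site root.
    return "https://www.virustotal.com/gui/file/" + sha256_hex(data)


def matches_vendor_hash(data: bytes, published_sha256: str) -> bool:
    """True when the file is byte-for-byte what the vendor shipped.

    Assumes the vendor publishes a SHA-256 next to the download; the thread
    does not say SourceBoost does, so this is the check you would want, not
    one the page confirms you can do.
    """
    return sha256_hex(data) == published_sha256.strip().lower()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for text or plain code, near 8.0 for
    compressed, packed or encrypted sections."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Crude packer heuristic. A real scanner also looks at section names
    and the entry point; entropy alone already separates the two samples.
    The threshold is an assumed value, not one taken from any product."""
    return shannon_entropy(data) >= threshold


def triage(name: str, data: bytes, published_sha256: Optional[str] = None) -> dict:
    """Everything you would paste into a false-positive submission."""
    report = {
        "name": name,
        "sha256": sha256_hex(data),
        "lookup": virustotal_permalink(data),
        "entropy": round(shannon_entropy(data), 2),
        "packed_like": looks_packed(data),
    }
    if published_sha256 is not None:
        report["matches_vendor"] = matches_vendor_hash(data, published_sha256)
    return report


# Constructed samples, not the real preg.exe or the installer's temp files.
# PLAIN stands in for an unpacked binary's text and code; PACKED is SHA-256
# output in counter mode, which is statistically as flat as a compressed or
# encrypted Armadillo section.
PLAIN_SAMPLE = b"preg.exe is part of the SourceBoost installation.\r\n" * 80
PACKED_SAMPLE = b"".join(
    hashlib.sha256(b"constructed-packed-section-%d" % i).digest()
    for i in range(128)
)

if __name__ == "__main__":
    for fname, blob in (("plain.bin", PLAIN_SAMPLE), ("packed.bin", PACKED_SAMPLE)):
        print(triage(fname, blob, published_sha256=sha256_hex(blob)))
```

Run it on the real file by reading it with `open(path, "rb").read()` and passing the bytes to `triage`. A high entropy score on its own is not evidence of malware, only that the file is packed, which is exactly why a packer-only report like ClamAV's is not something the vendor will remove and why the hash, not the entropy, is what a false-positive submission should lead with.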

tsmith35,

Thanks for all your efforts.

 

Regards

Dave

