avast! detecting trojan horses in POPFile executables!

I'm sure this is a false positive, but avast! has started to detect trojan horses in POPFile's executables such as adduser.exe, stop_pf.exe etc. Should I be worried?!!?

Thanks
Steven

  • Message #434

    The programs you mentioned are all built using NSIS, the Nullsoft Scriptable Install System. NSIS is a popular open source program which was SourceForge “Project of the Month” for January 2006.

    Sometimes anti-virus packages mistakenly detect threats in programs built using NSIS as mentioned in the "Does POPFile contain a virus/trojan/adware ?" page in the POPFile wiki.

    If you are still concerned then you can get a second opinion at http://www.virustotal.com/

    Here is a sample report from that site:

    Antivirus           Version         Last Update   Result
    ----------------    -----------     -----------   ----------
    AhnLab-V3           2008.9.13.0     2008.09.12    -
    AntiVir             7.8.1.28        2008.09.12    -
    Authentium          5.1.0.4         2008.09.13    -
    Avast               4.8.1195.0      2008.09.13    Win32:Agent-ABNY
    AVG                 8.0.0.161       2008.09.13    -
    BitDefender         7.2             2008.09.13    -
    CAT-QuickHeal       9.50            2008.09.13    -
    ClamAV              0.93.1          2008.09.13    -
    DrWeb               4.44.0.09170    2008.09.13    -
    eSafe               7.0.17.0        2008.09.11    -
    eTrust-Vet          31.6.6087       2008.09.12    -
    Ewido               4.0             2008.09.13    -
    F-Prot              4.4.4.56        2008.09.12    -
    F-Secure            8.0.14332.0     2008.09.13    -
    Fortinet            3.113.0.0       2008.09.13    -
    GData               19              2008.09.13    Win32:Agent-ABNY
    Ikarus              T3.1.1.34.0     2008.09.13    -
    K7AntiVirus         7.10.454        2008.09.13    -
    Kaspersky           7.0.0.125       2008.09.13    -
    McAfee              5383            2008.09.12    -
    Microsoft           1.3903          2008.09.13    -
    NOD32v2             3440            2008.09.13    -
    Norman              5.80.02         2008.09.12    -
    Panda               9.0.0.4         2008.09.13    -
    PCTools             4.4.2.0         2008.09.13    -
    Prevx1              V2              2008.09.13    -
    Rising              20.61.42.00     2008.09.12    -
    Sophos              4.33.0          2008.09.13    -
    Sunbelt             3.1.1633.1      2008.09.13    -
    Symantec            10              2008.09.13    -
    TheHacker           6.3.0.9.081     2008.09.13    -
    TrendMicro          8.700.0.1004    2008.09.12    -
    VBA32               3.12.8.5        2008.09.13    -
    ViRobot             2008.9.12.1375  2008.09.12    -
    VirusBuster         4.5.11.0        2008.09.13    -
    Webwasher-Gateway   6.6.2           2008.09.13    -

    I used adduser.exe stop_pf.exe from the 1.1.0 RC3 release to get those results.

    Brian

    (edit: when I double-checked the results from VirusTotal I found that I had actually submitted stop_pf.exe instead of adduser.exe)

    • Message #456

      Thanks Brian, sorry for the delay in replying.

      Looks like avast! have updated their virus definitions, as when I rescan the one file I did move to the Chest (I didn't believe the other files were infected so left them alone), avast! now reports no virus. Therefore I've moved it back to its normal location.

      Cheers
      Steven