BobVul / GrowlToToast

Sends Growl notifications to Windows 10 toasts
MIT License

Considered a virus by panda endpoint protection #7

Open andrejohansson opened 7 years ago

andrejohansson commented 7 years ago

Unfortunately Panda Endpoint Protection considers this a virus. :-(

BobVul commented 7 years ago

Hm.

If you feel you can trust me, then just whitelist it for now.

If you prefer, you can grab a copy of Visual Studio (Community) and compile it yourself. The source code is available in this repository and rather short/simple if you would like to check it for yourself. Just open the sln file and build all.

I will look into reporting this to Panda; it would be helpful if you could provide more info:

  1. When does this happen? After downloading? After unzipping? When you run Growl? When you send a message?
  2. What specific file is detected? The Growler DLL or Toaster exe?
  3. What "type" of virus is it detected as?
  4. If Panda provides some kind of report, can you screenshot it or copy the details here?

andrejohansson commented 7 years ago

I'll see what I can give you later; this is our company's antivirus so I do not have rights to either whitelist or get the specifics. I doubt it helps if I build it myself; I guess that things that hook into Windows components can easily be considered viruses.

BobVul commented 7 years ago

Hm... I don't hook into Windows components anywhere... the DLL is a standard plugin built as a .NET 2.0 class library, and the exe is just a command-line program that calls into a standard Windows API. No funny injection, etc., going on.

Does Panda give you any more info at all other than "it's a virus"?

Have you been using this for a while and is this a recent detection (new definitions) or is this the first time you've tried it?

Does GrowlForWindows work with other (built-in) plugins?

andrejohansson commented 7 years ago

Sorry, this is the only information I get:

Events | More details | Date/Time | Status
--- | --- | --- | ---
Virus detected W32/Exploit.gen | Location: C:\Users\andrej\AppData\Local\Growl\2.0.0.0\Displays\GrowlToToast\Toaster\GrowlToToast.Toaster.exe | 2017-03-16 11:37 | Neutralized

BobVul commented 7 years ago

Thanks!

This is ... interesting. I would've expected Toaster to be perfectly fine, since it's not much more than a very simple usage of Microsoft libraries. I'll contact Panda and see what they say.

BobVul commented 7 years ago

Could you tell me which version of GrowlToToast you're using? v0.1, v0.2a3? I need to figure out which one to pass on to Panda ;)

If you have the Panda engine and definition versions, that might be helpful too.

BobVul commented 7 years ago

Looks like it (v0.2a3) passes whichever Panda version they have over at VirusTotal... it's possible they've updated signatures since then; could you try running it again? https://www.virustotal.com/en/file/6080043d3f9a1df562fbad3ff031ff9205f8c0a44a02d7bc6a967a1f70616942/analysis/1489740704/

BobVul commented 7 years ago

http://support.pandasecurity.com/forum/viewtopic.php?f=13&t=6204

andrejohansson commented 7 years ago

Sorry, still getting snagged by Panda. But it seems that I can unzip the file and nothing happens until I choose the display in Growl and press "preview". Then Panda reacts and nukes the component.

BobVul commented 7 years ago

Unfortunately, no response from Panda yet...

If you could try something:

  1. Download test.txt and put it in the Toaster directory

  2. Open cmd, navigate to the Toaster directory. cd %LocalAppData%\Growl\2.0.0.0\Displays\GrowlToToast\Toaster should take you there.

  3. Run GrowlToToast.Toaster.exe by itself. Does Panda complain about it? When run like this, Toaster does nothing at all; just exits.

  4. Run the command type test.txt | GrowlToToast.Toaster.exe. Does Panda complain about it now? This should attempt to show the preview message.

If you can test that, at least we'll know what triggers Panda:

  1. The application itself
  2. The attempt to show the toast
  3. The Growler plugin launching Toaster (only if the other two work fine from cmd)

Unfortunately, all I can really do is pass this info along to Panda's support ... who still haven't replied... maybe I can try shifting some bits around to see if that evades detection but this is really weird.
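As an added illustration of the isolation steps above (not part of the GrowlToToast project or of this thread), the PowerShell script below runs Toaster.exe alone, then with test.txt piped in, and after each step records whether the binary is still present and unmodified. It assumes test.txt has already been placed in the Toaster directory and that the SHA-256 in the VirusTotal link earlier in the thread belongs to the same Toaster.exe build; the first step after which the file disappears is the one that triggered Panda.

```powershell
# Added example, not project code: walks the isolation steps from the comment
# above and reports, after each one, whether Panda removed ("neutralized")
# Toaster.exe or changed it. Assumes test.txt already sits in the Toaster directory.

$ToasterDir = Join-Path $env:LocalAppData 'Growl\2.0.0.0\Displays\GrowlToToast\Toaster'
$Exe        = Join-Path $ToasterDir 'GrowlToToast.Toaster.exe'
$Sample     = Join-Path $ToasterDir 'test.txt'
# SHA-256 copied from the VirusTotal URL in the thread; assumed to be this exe.
$KnownSha256 = '6080043d3f9a1df562fbad3ff031ff9205f8c0a44a02d7bc6a967a1f70616942'

function Get-ExeState {
    # Present/absent plus the current hash, so a quarantined or altered binary
    # shows up in the report rather than just a vanished file.
    if (Test-Path $Exe) {
        $h = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{ Present = $true;  Sha256 = $h;    MatchesKnown = ($h -eq $KnownSha256) }
    } else {
        [pscustomobject]@{ Present = $false; Sha256 = $null; MatchesKnown = $false }
    }
}

$report  = @()
$report += [pscustomobject]@{ Step = '0. before running anything'; State = Get-ExeState }

if ((Get-ExeState).Present) {
    # Step 3 of the comment: run Toaster with no input; it should simply exit.
    $p = Start-Process -FilePath $Exe -WorkingDirectory $ToasterDir -Wait -PassThru -NoNewWindow
    $report += [pscustomobject]@{ Step = "1. exe alone (exit $($p.ExitCode))"; State = Get-ExeState }
}

if ((Get-ExeState).Present -and (Test-Path $Sample)) {
    # Step 4 of the comment: feed the preview message on stdin, exactly as the cmd one-liner does.
    $p = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'type test.txt | GrowlToToast.Toaster.exe' `
        -WorkingDirectory $ToasterDir -Wait -PassThru -NoNewWindow
    $report += [pscustomobject]@{ Step = "2. piped test.txt (exit $($p.ExitCode))"; State = Get-ExeState }
}

# The first row where Present (or MatchesKnown) flips to False names the step
# that triggered the AV; that is the detail worth passing on to Panda support.
$report | ForEach-Object {
    '{0,-32} present={1} matchesKnown={2}' -f $_.Step, $_.State.Present, $_.State.MatchesKnown
}
```

If Panda quarantines the file before step 1 even runs, the report has only the initial row, which is equally useful information for the vendor ticket.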

andrejohansson commented 7 years ago

I just tried another Windows 10 notifier and on that Panda goes bluescreen... so... I guess it's not anything we can do for now.

https://github.com/Jonno12345/GrowlForWindows10/releases

BobVul commented 7 years ago

Ouch. Yea, that does sound pretty broken.

If you want, you can join that Panda forum and help bug them... maybe they'll actually notice at some point? :P

^ If you can figure out which exact step triggers it, we can pass that along too.

BobVul commented 6 years ago

If you still feel like trying it a year later, the entire install process and some of the notification process has changed. Maybe it won't trigger Panda anymore.