leecher1337 / ntvdmx64

Run Microsoft Windows NTVDM (DOS) on 64bit Editions

Windows Defender and Vivaldi browser find Woreflint.A!cl #77

Closed SysopSolaris closed 2 years ago

SysopSolaris commented 4 years ago

Windows defender and Vivaldi Browser find Woreflint.A!cl

containerfile: C:\Users\Sysop\Downloads\ntvdmx64.7z

file: C:\Users\Sysop\Downloads\ntvdmx64.7z->ldntvdm/syswow64/6.2/ldntvdm.dll webfile:

C:\Users\Sysop\Downloads\ntvdmx64.7z|http://www.columbia.edu/~em36/ntvdmx64.7z|pid:10324,ProcessStart:132272806148697102

False positive ?

leecher1337 commented 4 years ago

Sure, it's a false positive. I think the problem is that the loader has to use Metasploit shellcode for the 32->64bit transition, and some malware might use the same shellcode too, so antiviruses then flag it as malware, even though it is not malware. At least I suspect that this is the reason for the detection. Interestingly, only the Win7 loader is detected? If you are planning to use it on Win10, you can delete the 6.2 loader if you want; only the 10.0 loader gets used on Win10.

peter8777555 commented 4 years ago

I use Symantec Endpoint Protection and "ldntvdm.dll" is OK.

By the way, Symantec Endpoint Protection shows C:\work\ntvdmpatch\util\settsaware.exe --> Heur.AdvML.C

I know this is false positive.

leecher1337 commented 2 years ago

I think we are all used to these stupid false positives now.