mity / mctrl

C library providing set of additional user interface controls for Windows, intended to be complementary to standard Win32API controls from USER32.DLL and COMCTL32.DLL.
http://mctrl.org

Antivirus triggered by current binary distribution #62

Closed Laro88 closed 5 years ago

Laro88 commented 5 years ago

mCtrl was red-flagged by our company firewalls; Trend Micro detects two trojans in the example files.


mity commented 5 years ago

Interesting.

I have just downloaded http://www.mctrl.org/download/0.11.3/mCtrl-0.11.3-bin.zip and verified it is the same as an archived package from the time I was uploading it. It is exactly the same.

I have also analyzed the package on virustotal.com: https://www.virustotal.com/cs/file/2e3928cd519cbc47bd29123873e916ebab97af606d8c0d0932f6f8a7da64a8fa/analysis/1540893019/

The engine of Trend Micro seems to be content there, but there are some other vendors detecting it. Given how similarly they report the name of the threat, most of them likely use the same AV engine under the hood.

Given all the limited info, I would currently guess there is something wrong with the latest update of the virus database of the given anti-virus products, introducing some false positives.

An open question is whether virustotal.com has a newer or older virus database than you, i.e. whether they already know and fixed it or not.

So, right now, I shall wait and see tomorrow whether the virustotal.com report changes, and it would be good if you can also recheck after your AV gets a new virus database update.
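The check described in this comment (confirming the downloaded archive is byte-for-byte the archived copy, and narrowing down which members inside it differ when it is not) can be scripted. The example below is added here and is not mCtrl project code; the two archives are constructed in memory with made-up contents, and the member names only imitate the layout of a binary release. The whole-archive SHA-256 is the same value that identifies a file on virustotal.com, so `archive_sha256` gives the identifier to look up before re-uploading anything.

```python
import hashlib
import io
import zipfile


def build_zip(members: dict) -> bytes:
    """Build a deterministic zip (fixed timestamps) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zi = zipfile.ZipInfo(name, date_time=(2018, 10, 30, 12, 0, 0))
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, data)
    return buf.getvalue()


# Constructed stand-ins for the archived copy and the freshly downloaded one.
ARCHIVED_MEMBERS = {
    "bin/mCtrl.dll": b"MZ" + b"\x00" * 64 + b"mCtrl library (constructed)",
    "examples/ex_grid.exe": b"MZ" + b"\x00" * 64 + b"grid example (constructed)",
    "README.md": b"mCtrl 0.11.3 (constructed readme)\n",
}
ARCHIVED = build_zip(ARCHIVED_MEMBERS)
DOWNLOADED = build_zip(ARCHIVED_MEMBERS)  # identical content, the expected case

# A constructed variant where one example was modified and a file was added.
TAMPERED_MEMBERS = dict(ARCHIVED_MEMBERS)
TAMPERED_MEMBERS["examples/ex_grid.exe"] = b"MZ" + b"\x00" * 64 + b"modified (constructed)"
TAMPERED_MEMBERS["examples/extra.exe"] = b"MZ" + b"\x00" * 64 + b"unexpected file (constructed)"
TAMPERED = build_zip(TAMPERED_MEMBERS)


def archive_sha256(zip_bytes: bytes) -> str:
    """SHA-256 of the whole archive, the id used by VirusTotal file pages."""
    return hashlib.sha256(zip_bytes).hexdigest()


def member_hashes(zip_bytes: bytes) -> dict:
    """Map each file member to the SHA-256 of its decompressed content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            h = hashlib.sha256()
            with zf.open(info) as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            out[info.filename] = h.hexdigest()
    return out


def compare_archives(first: bytes, second: bytes):
    """Return (identical, report); report names members that differ."""
    ha, hb = member_hashes(first), member_hashes(second)
    report = {
        "only_in_first": sorted(set(ha) - set(hb)),
        "only_in_second": sorted(set(hb) - set(ha)),
        "changed": sorted(n for n in ha.keys() & hb.keys() if ha[n] != hb[n]),
    }
    identical = not any(report.values())
    return identical, report


if __name__ == "__main__":
    print("downloaded matches archive:", compare_archives(ARCHIVED, DOWNLOADED)[0])
    print("archive sha256:", archive_sha256(ARCHIVED))
    print("tampered diff:", compare_archives(ARCHIVED, TAMPERED)[1])
```

Comparing per member rather than only the outer hash matters when, as here, only some executables in the package are flagged: the report says exactly which members to send to a vendor as a false-positive sample, and the per-member hashes can be checked against the scanner's own report.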

mity commented 5 years ago

Forgot to mention I also tried to upload there a fresh rebuild of mCtrl from sources, and it gets a similar result. If there really were some infection, then:

  1. My machine would have to be infected in such an obscure way that my gcc compiler generates infected binaries (but not all of them, because only some executables in the package are detected).
  2. My machine would have to be infected in the same way two years ago when I was uploading the package.

Given also that I did a complete OS reinstall in the meantime, and that there were no such reports in the meantime, I really believe it is a false positive detection.

Laro88 commented 5 years ago

It actually seems a bit weird, a false positive most likely (although widespread). Microsoft's Defender upload site also said that something is rotten in the zip file. Kaspersky's on-demand report says that the zip content is safe.

mity commented 5 years ago

> although widespread

Many AV vendors just buy the scanning engine from other vendors (and then they usually also share the virus database; there may be just some delay when distributing their updates). Many vendors also share/exchange virus patterns.

So false positives can spread from product to product quite easily. Sometimes the people (or AI) analyzing some real infection make a byte signature pattern for detection of it (something similar to a regexp, but binary-oriented) which is not specific enough to identify just the given threat, and they then by mistake also catch clean files.

That's how the AV industry works. There is huge pressure to release virus DB updates for new threats ASAP, and pressure to make the patterns so that they ideally cover the whole family/version history of the threat, or even deal with some code self-modification, to avoid bloating the virus database too much, because a smaller DB generally improves performance and eats less disk/memory. Occasional mistakes are then inevitable. I used to work for Avast for some years, so I could tell stories ;-)
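To make the mechanism in the two comments above concrete, here is an added example (not from this thread or the mCtrl project) of a byte-oriented signature that is too generic. The three "files" are constructed byte strings that share a header and a common import name, as any Win32 executable would; one of them carries a made-up marker standing in for the analyzed threat. A pattern built from only the shared bytes flags every file, while one anchored on bytes unique to the sample flags just that sample.

```python
import re

# Constructed blobs: an "MZ" header, padding, and an import string that
# practically every Win32 program contains. Nothing here is real malware.
COMMON_STUB = b"MZ" + b"\x90" * 16 + b"GetProcAddress\x00LoadLibraryA\x00"
SAMPLES = {
    "known_malware.exe": COMMON_STUB + b"\xde\xad\xbe\xef" + b"EVIL_PAYLOAD_MARKER",
    "mCtrl_example.exe": COMMON_STUB + b"\x00\x01\x02\x03" + b"mCtrl demo window",
    "notepad_clone.exe": COMMON_STUB + b"\x10\x11\x12\x13" + b"simple editor",
}
KNOWN_BAD = ["known_malware.exe"]

# Too generic: header plus an import every program has. Matches everything.
LOOSE_PATTERN = re.compile(rb"MZ.{0,32}GetProcAddress", re.DOTALL)

# Anchored on bytes seen only in the analyzed sample. Matches just that sample.
SPECIFIC_PATTERN = re.compile(
    rb"MZ.{0,64}\xde\xad\xbe\xefEVIL_PAYLOAD_MARKER", re.DOTALL
)


def scan(pattern: re.Pattern, files: dict) -> list:
    """Return the sorted names of files the signature matches."""
    return sorted(name for name, data in files.items() if pattern.search(data))


def false_positives(pattern: re.Pattern, files: dict, truly_bad: list) -> list:
    """Files the signature flags that are not actually in the known-bad set."""
    return sorted(set(scan(pattern, files)) - set(truly_bad))


if __name__ == "__main__":
    for label, pat in (("loose", LOOSE_PATTERN), ("specific", SPECIFIC_PATTERN)):
        print(label, "flags:", scan(pat, SAMPLES),
              "false positives:", false_positives(pat, SAMPLES, KNOWN_BAD))
```

The trade-off the comment describes is visible in the two patterns: the loose one would also survive a rebuild or a variant of the threat (and is therefore tempting under time pressure), but it is exactly the kind of rule that blacklists unrelated clean binaries until the vendor tightens it.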

Laro88 commented 5 years ago

Closed - mctrl is still blacklisted in Symantec / Trend Micro, but it will hopefully be fixed. I have sent a "false positive" filing to Symantec.