zainul / phpdesktop

Automatically exported from code.google.com/p/phpdesktop

Virustotal.com false positive for PHP Desktop MSIE 1.14 #139

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
https://www.virustotal.com/en/file/b0f9441de1fe1d20b67cb7555e6547de95fd52f60a6c558becdaf5c26e849247/analysis/1414646423/

Detection ratio:    1 / 52
AegisLab    Troj.W32.Gen    20141030

Using the UPX packer did not help; it caused an additional false positive:

  McAfee-GW-Edition   BehavesLike.Win32.Downloader.cc   20141029

Not sure how to fix that. The only option I see for now is to vote +1 
harmless using the link above.

Original issue reported on code.google.com by czarek.t...@gmail.com on 30 Oct 2014 at 5:30

GoogleCodeExporter commented 9 years ago
PHP Desktop MSIE 1.13 scan results were OK:
https://www.virustotal.com/en/file/dbd569836d38f61d85476c40677c9be6c662dcecf478ac55f9e4e58a24dce419/analysis/1414658395/

There were only cosmetic changes between versions 1.13 and 1.14. It doesn't 
make sense for AegisLab to report Troj.W32.Gen.

Scanned the phpdesktop-msie 1.14 DEBUG version of the executable and the scan 
results are OK:
https://www.virustotal.com/en/file/9b7783243dc33d2af142ef271f3538d3de7b5c9f852cb001c1ac189a5c3d4ab7/analysis/1414658783/

So it looks like this is some random behavior on the AegisLab side.

Original comment by czarek.t...@gmail.com on 30 Oct 2014 at 8:51

GoogleCodeExporter commented 9 years ago
Did some googling for "Troj.W32.Gen":

  Whenever you see antivirus software identify something with "Gen" (which is short for "Generic"),
  it means it hasn't actually identified a virus, just that its heuristics (which is the magic 
  that tries to guess if something might contain some new currently unknown malware) flagged it 
  as a possible suspect.

Reference: 
http://steamcommunity.com/app/223510/discussions/0/540732596816138479/

So the solution seems to be to try recompiling the phpdesktop executable with some 
different build options, until its binary code path changes enough for the 
Troj.W32.Gen heuristics not to flag it anymore.

Original comment by czarek.t...@gmail.com on 30 Oct 2014 at 9:03
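
One way to make the reasoning in the comments above repeatable (a lone "Gen" verdict on a build that differs only cosmetically from a clean release is a probable heuristic false positive), as an added example that is not part of phpdesktop or of this thread. It assumes the report shape of VirusTotal's v3 file object (`data.attributes.last_analysis_results`, one entry per engine with `category` and `result`), a non-exhaustive list of tokens that mark generic/heuristic verdicts, and a triage threshold of our own; the engine names other than AegisLab and McAfee-GW-Edition, and the hash for the UPX build, are constructed placeholders, while the 1.13/1.14 hashes and verdicts are the ones posted in the thread.

```python
"""Triage a VirusTotal-style scan report so that a lone generic/heuristic
verdict (e.g. "Troj.W32.Gen") on a fresh build is recognised as a probable
false positive and compared against the previous release's report.
Added example for this thread; not part of phpdesktop."""
import re

# Tokens that commonly mark heuristic or generic verdicts. Assumption: a
# practical, non-exhaustive list; vendors name detections differently.
GENERIC_TOKENS = {"gen", "generic", "heur", "heuristic", "behaveslike", "suspicious"}

# Our own triage rule (an assumption, not a VirusTotal feature): treat the
# result as a likely false positive when every detection is generic and at
# most this many engines flagged the file.
MAX_GENERIC_HITS = 2


def is_generic(verdict):
    """True if a detection name looks heuristic rather than a named family."""
    tokens = re.split(r"[^a-z0-9]+", verdict.lower())
    return any(t in GENERIC_TOKENS for t in tokens)


def make_report(sha256, detections, total_engines=52):
    """Build a minimal report shaped like VirusTotal's v3 file object
    (data.attributes.last_analysis_results). Constructed sample data:
    undetected engines get placeholder names."""
    results = {}
    for i in range(total_engines - len(detections)):
        results[f"Engine{i:02d}"] = {"category": "undetected", "result": None}
    for engine, verdict in detections.items():
        results[engine] = {"category": "malicious", "result": verdict}
    return {"data": {"id": sha256,
                     "attributes": {"last_analysis_results": results}}}


def triage(report):
    """Split detections into generic vs. specific verdicts and compute the
    'x / y' detection ratio shown on the VirusTotal page."""
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = {engine: r["result"] for engine, r in results.items()
            if r.get("category") in ("malicious", "suspicious") and r.get("result")}
    generic = {e: v for e, v in hits.items() if is_generic(v)}
    specific = {e: v for e, v in hits.items() if e not in generic}
    return {
        "ratio": f"{len(hits)} / {len(results)}",
        "generic": generic,
        "specific": specific,
        "likely_false_positive": (bool(hits) and not specific
                                  and len(generic) <= MAX_GENERIC_HITS),
    }


def new_detections(old_report, new_report):
    """Engines that flag the new build but did not flag the old one; useful
    when, as here, only cosmetic changes separate two releases."""
    old = triage(old_report)
    old_hits = set(old["generic"]) | set(old["specific"])
    new = triage(new_report)
    all_new = {**new["generic"], **new["specific"]}
    return {e: v for e, v in all_new.items() if e not in old_hits}


# Reports mirroring the thread: hashes and verdicts as posted, per-engine
# layout constructed. The UPX build's hash is not in the thread (placeholder).
REPORT_1_13 = make_report(
    "dbd569836d38f61d85476c40677c9be6c662dcecf478ac55f9e4e58a24dce419", {})
REPORT_1_14 = make_report(
    "b0f9441de1fe1d20b67cb7555e6547de95fd52f60a6c558becdaf5c26e849247",
    {"AegisLab": "Troj.W32.Gen"})
REPORT_1_14_UPX = make_report(
    "<placeholder-sha256-of-upx-build>",
    {"AegisLab": "Troj.W32.Gen",
     "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.cc"})

if __name__ == "__main__":
    for label, rep in (("1.13", REPORT_1_13), ("1.14", REPORT_1_14),
                       ("1.14+UPX", REPORT_1_14_UPX)):
        t = triage(rep)
        print(label, t["ratio"], "generic:", t["generic"],
              "likely FP:", t["likely_false_positive"])
    print("new in 1.14 vs 1.13:", new_detections(REPORT_1_13, REPORT_1_14))
```

The token list and the two-engine threshold are deliberately conservative: a specific family name from even one engine, or more than a couple of generic hits, drops the file out of the "likely false positive" bucket and should be investigated rather than voted down.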

GoogleCodeExporter commented 9 years ago
After exposing additional environment variables in mongoose.c (Issue 136), 
the binary code path changed enough that Troj.W32.Gen is no longer detected, see: 
https://www.virustotal.com/en/file/018e3950bd20f6cf74f68c4ec7746a569715f86e0b55f122ed0d426a5993165d/analysis/1414661811/

Original comment by czarek.t...@gmail.com on 30 Oct 2014 at 9:48