[clamav-users] vistumbler as false positive
Eero Volotinen
eero.volotinen at iki.fi
Fri Apr 9 13:31:48 UTC 2021
Well, wifi scanning tool is not really hacking tool.
Eero
On Fri 9. Apr 2021 at 15.59, Arnaud Jacques <webmaster at securiteinfo.com>
wrote:
> Anyway, according to the official website "Vistumbler is wireless
> network scanner", aka a hack tool and should be detected as PUA at minimum.
>
> https://www.clamav.net/documents/potentially-unwanted-applications-pua
>
>
> Le 09/04/2021 à 05:59, Eero Volotinen a écrit :
> > got response:
> >
> > ” There are three downloads available for 10.7 The SHA256 of those files
> > should be
> >
> > Vistumbler_v10-7.exe -
> > ECA2ACE14102F623E1C2490257FB645611314C918E45A845AE7337CEFA6FFD01
> > Vistumbler_v10-7.zip -
> > 7CC806B74131BCCA5AE11EE81E39152DBC61F1477108FFDE7E416927C196DBA0
> > Vistumbler_v10-7_Portable.zip -
> > F729B9BBAEADFF288D78655B996102CC4274CB2D5527F58A1464EEF3BE9D636C
> >
> > All 3 should contain the same files.
> >
> > * the non portable zip is just vistumbler with default settings
> > (storing data in your profile temp directory and documents folder)
> > * the exe file is just the zip file packed into an installer with NSIS
> > ( https://nsis.sourceforge.io/Main_Page
> > <https://nsis.sourceforge.io/Main_Page> )
> > * the portable version has different settings which cause temp files
> > and save files to be stored inside the same directory as the program
> > (better for portable use) instead of inside your windows profile.
> >
> > I went and reanalyzed the file you submitted to virus total and it looks
> > like bitdefender no longer considers them viruses, so it seems they
> > consider it a false positive. You can see if you go to the link you
> > posted above,
> >
> https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection
> > <
> https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection>bitdefender
>
> > has removed the detection”
> >
> >
> > Eero
> >
> >
> > On Thu 8. Apr 2021 at 17.02, Andrew C Aitchison via clamav-users
> > <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>>
> > wrote:
> >
> >
> > On Thu, 8 Apr 2021, Eero Volotinen wrote:
> >
> > >
> >
> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
> > <
> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
> >
> > >
> > > Looks like this is (vistumbler) detected as false positive.
> >
> > and
> >
> > On Thu, 8 Apr 2021, Arnaud Jacques wrote:
> > > At first look, ClamAV is not the only one that flags it as
> malware :
> > >
> >
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
> > <
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
> >
> >
> > and https://vistumbler.en.lo4d.com/virus-malware-tests
> > <https://vistumbler.en.lo4d.com/virus-malware-tests>
> > but that has a different sha256sum.
> > Hmm.
> >
> > If I feed the github URL into virustotal it comes up clean
> >
> https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection
> > <
> https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection
> >
> >
> > but if I download the file and give that to virustotal I get
> >
> https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection
> > <
> https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection
> >
> > (the bit between file/ and /detection matches the sha256sum of my
> > file and that on https://vistumbler.en.lo4d.com/virus-malware-tests
> > <https://vistumbler.en.lo4d.com/virus-malware-tests> ).
> >
> > Initially that page reported
> > 19 security vendors flagged this file as malicious
> > Size 6.92 MB
> > direct-cpu-clock-access invalid-signature
> > nsis overlay peexe runtime-modules signed
> > but when I asked virustotal to rescan, "19 security vendors" changed
> > to "16 security vendors".
> >
> > I have put my copy at:
> >
> https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe
> > <
> https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe
> >
> >
> > I think this means that raw.github.com <http://raw.github.com> has
> > given out at least three
> > different versions of this file. Eero, could you pass this back to
> > the Vistumbler developer "Andrew" (Calcutt?) please ?
> >
> > # file Vistumbler_v10-7.exe
> > Vistumbler_v10-7.exe: PE32 executable (GUI) Intel 80386, for MS
> Windows,
> > Nullsoft Installer self-extracting archive
> >
> > # host raw.github.com <http://raw.github.com>
> > raw.github.com <http://raw.github.com> has address 185.199.108.133
> > raw.github.com <http://raw.github.com> has address 185.199.109.133
> > raw.github.com <http://raw.github.com> has address 185.199.110.133
> > raw.github.com <http://raw.github.com> has address 185.199.111.133
> >
> > On Thu, 8 Apr 2021, Eero Volotinen wrote:
> >
> > > comment from developer
> > >
> > > "Unfortunately autoit, which vistumbler is written in, gets
> flagged
> > > as a false positive a lot. Vistumbler has struggled with this
> since
> > > the beginning.
> > >
> > > I recently submitted the 10.7 release files to microsoft for false
> > > detection and they removed the false detection, so i think these
> > > files are fine. However I have also just submitted a false
> positive
> > > report to bitdefender, so we can see if they remove it too.
> > >
> > > If vistumbler gets flagged by your AV company, my suggestion is to
> > > submit it as a false positive to them. I really don't have the
> time
> > > to chase down all these AV companies.
> > >
> > > -Andrew"
> >
> > Not sure about this as it is open source, but if I were paying for
> > the software I would expect them to liase with the AV companies.
> >
> > --
> > Andrew C. Aitchison Kendal, UK
> > andrew at aitchison.me.uk <mailto:andrew at aitchison.me.uk>
> >
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net>
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> > <https://lists.clamav.net/mailman/listinfo/clamav-users>
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > <https://github.com/vrtadmin/clamav-faq>
> >
> > http://www.clamav.net/contact.html#ml
> > <http://www.clamav.net/contact.html#ml>
> >
> >
> >
> > _______________________________________________
> >
> > clamav-users mailing list
> > clamav-users at lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
>
> --
> Cordialement / Best regards,
>
> Arnaud Jacques
> Gérant de SecuriteInfo.com
>
> Téléphone : +33-(0)3.60.47.09.81
> E-mail : aj at securiteinfo.com
> Site web : https://www.securiteinfo.com
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
> Signatures for ClamAV antivirus : http://ow.ly/LqfdL
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20210409/ce658e24/attachment.htm>
More information about the clamav-users
mailing list