Well, wifi scanning tool is not really hacking tool.

Eero

On Fri 9. Apr 2021 at 15.59, Arnaud Jacques <webmaster@securiteinfo.com> wrote:
Anyway, according to the official website "Vistumbler is wireless
network scanner", aka a hack tool and should be detected as PUA at minimum.

https://www.clamav.net/documents/potentially-unwanted-applications-pua


Le 09/04/2021 à 05:59, Eero Volotinen a écrit :
> got response:
>
> ” There are three downloads available for 10.7 The SHA256 of those files
> should be
>
> Vistumbler_v10-7.exe -
> ECA2ACE14102F623E1C2490257FB645611314C918E45A845AE7337CEFA6FFD01
> Vistumbler_v10-7.zip -
> 7CC806B74131BCCA5AE11EE81E39152DBC61F1477108FFDE7E416927C196DBA0
> Vistumbler_v10-7_Portable.zip -
> F729B9BBAEADFF288D78655B996102CC4274CB2D5527F58A1464EEF3BE9D636C
>
> All 3 should contain the same files.
>
>   * the non portable zip is just vistumbler with default settings
>     (storing data in your profile temp directory and documents folder)
>   * the exe file is just the zip file packed into an installer with NSIS
>     ( https://nsis.sourceforge.io/Main_Page
>     <https://nsis.sourceforge.io/Main_Page> )
>   * the portable version has different settings which cause temp files
>     and save files to be stored inside the same directory as the program
>     (better for portable use) instead of inside your windows profile.
>
> I went and reanalyzed the file you submitted to virus total and it looks
> like bitdefender no longer considers them viruses, so it seems they
> consider it a false positive. You can see if you go to the link you
> posted above,
> https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection
> <https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection>bitdefender
> has removed the detection”
>
>
> Eero
>
>
> On Thu 8. Apr 2021 at 17.02, Andrew C Aitchison via clamav-users
> <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>>
> wrote:
>
>
>     On Thu, 8 Apr 2021, Eero Volotinen wrote:
>
>      >
>     https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>     <https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe>
>      >
>      > Looks like this is (vistumbler) detected as false positive.
>
>     and
>
>     On Thu, 8 Apr 2021, Arnaud Jacques wrote:
>      > At first look, ClamAV is not the only one that flags it as malware :
>      >
>     https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
>     <https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection>
>
>     and https://vistumbler.en.lo4d.com/virus-malware-tests
>     <https://vistumbler.en.lo4d.com/virus-malware-tests>
>     but that has a different sha256sum.
>     Hmm.
>
>     If I feed the github URL into virustotal it comes up clean
>     https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection
>     <https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection>
>
>     but if I download the file and give that to virustotal I get
>     https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection
>     <https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection>
>     (the bit between file/ and /detection matches the sha256sum of my
>     file and that on https://vistumbler.en.lo4d.com/virus-malware-tests
>     <https://vistumbler.en.lo4d.com/virus-malware-tests> ).
>
>     Initially that page reported
>            19 security vendors flagged this file as malicious
>            Size 6.92 MB
>             direct-cpu-clock-access invalid-signature
>             nsis overlay peexe runtime-modules signed
>     but when I asked virustotal to rescan, "19 security vendors" changed
>     to "16 security vendors".
>
>     I have put my copy at:
>     https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe
>     <https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe>
>
>     I think this means that raw.github.com <http://raw.github.com> has
>     given out at least three
>     different versions of this file. Eero, could you pass this back to
>     the Vistumbler developer "Andrew" (Calcutt?) please ?
>
>     # file Vistumbler_v10-7.exe
>     Vistumbler_v10-7.exe: PE32 executable (GUI) Intel 80386, for MS Windows,
>     Nullsoft Installer self-extracting archive
>
>     # host raw.github.com <http://raw.github.com>
>     raw.github.com <http://raw.github.com> has address 185.199.108.133
>     raw.github.com <http://raw.github.com> has address 185.199.109.133
>     raw.github.com <http://raw.github.com> has address 185.199.110.133
>     raw.github.com <http://raw.github.com> has address 185.199.111.133
>
>     On Thu, 8 Apr 2021, Eero Volotinen wrote:
>
>      > comment from developer
>      >
>      > "Unfortunately autoit, which vistumbler is written in, gets flagged
>      > as a false positive a lot. Vistumbler has struggled with this since
>      > the beginning.
>      >
>      > I recently submitted the 10.7 release files to microsoft for false
>      > detection and they removed the false detection, so i think these
>      > files are fine. However I have also just submitted a false positive
>      > report to bitdefender, so we can see if they remove it too.
>      >
>      > If vistumbler gets flagged by your AV company, my suggestion is to
>      > submit it as a false positive to them. I really don't have the time
>      > to chase down all these AV companies.
>      >
>      > -Andrew"
>
>     Not sure about this as it is open source, but if I were paying for
>     the software I would expect them to liase with the AV companies.
>
>     --
>     Andrew C. Aitchison                                     Kendal, UK
>     andrew@aitchison.me.uk <mailto:andrew@aitchison.me.uk>
>
>
>     _______________________________________________
>
>     clamav-users mailing list
>     clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
>     https://lists.clamav.net/mailman/listinfo/clamav-users
>     <https://lists.clamav.net/mailman/listinfo/clamav-users>
>
>
>     Help us build a comprehensive ClamAV guide:
>     https://github.com/vrtadmin/clamav-faq
>     <https://github.com/vrtadmin/clamav-faq>
>
>     http://www.clamav.net/contact.html#ml
>     <http://www.clamav.net/contact.html#ml>
>
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : aj@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml