I don't play Modern Warfare 2 - but some reports indicate that it has a virus in it.
What seems to be happening is that Avira is coming up with a generic detection of TR/Crypt.XPACK.Gen on a temporary file (perhaps ~B8.tmp) in C:\Documents and Settings\%USERNAME%\Local Settings\Temp.
However, "TR/Crypt.XPACK.Gen" is a generic detection - Avira is scanning the file and determining that it might be suspicious because it has been compressed with a commercial packer (a bit like a ZIP file). It is almost definitely a false positive that will be fixed quite soon.
If you like, you can head to the Avira Support Forums although where there is a short thread about it.
Sponsored by..
Showing posts with label Anti-Virus Software. Show all posts
Showing posts with label Anti-Virus Software. Show all posts
Thursday 19 November 2009
Tuesday 10 March 2009
PIFTS.EXE
Well, this is interesting. Users of Norton Antivirus are finding an application calls PIFTS.EXE that is try to call out. But every time anyone posts a query on the Norton support forum, it gets deleted immediately (see this search).
PIFTS.EXE appears to be a part of a patching application. The executable itself is unencrypted and contains several interesting bits of text such as:
One odd thing is that the PIFTS.EXE executable is padded out to precisely 100KB (102,400 bytes) with a string saying "XXPADDINGPADDINGXX" several times. Presumably Symantec have their own reason for making sure that the file is exactly this length.
PIFTS.EXE appears to be contacting a statisitical tracking server, possibly to report back on the installed version. Perhaps this violates Symantec's privacy policy, perhaps it's part of the testing process that was accidentally included in the update.
Some people might say that the way Symantec is deleting posts indicates a cover-up. It is certainly suspicious, but my best guess is that there's a quality control issue here and the PIFTS.EXE process was never meant to be released.
VirusTotal gives it a clean bill of health. ThreatExpert shows that it doesn't do much except call home.
PIFTS.EXE appears to be a part of a patching application. The executable itself is unencrypted and contains several interesting bits of text such as:
- http://stats.norton.com/n/p?module=2667
- The ping url is %s PATCH021809DB
- d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
- SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
One odd thing is that the PIFTS.EXE executable is padded out to precisely 100KB (102,400 bytes) with a string saying "XXPADDINGPADDINGXX" several times. Presumably Symantec have their own reason for making sure that the file is exactly this length.
PIFTS.EXE appears to be contacting a statisitical tracking server, possibly to report back on the installed version. Perhaps this violates Symantec's privacy policy, perhaps it's part of the testing process that was accidentally included in the update.
Some people might say that the way Symantec is deleting posts indicates a cover-up. It is certainly suspicious, but my best guess is that there's a quality control issue here and the PIFTS.EXE process was never meant to be released.
VirusTotal gives it a clean bill of health. ThreatExpert shows that it doesn't do much except call home.
Friday 13 February 2009
BitDefender: Trojan.Generic.1423603 in winlogon.exe
This looks like a false positive: BitDefender is reporting Trojan.Generic.1423603 in C:\windows\system32\winlogon.exe. This name is sometimes used by malware, but in this case no other product is detecting anything malicious.
Current pattern is for BitDefender is 2640654, pushed out on Friday 13th February (!).
I will post the ThreatExpert prognosis when I get it.. in the mean time I would suggest that you do NOT try to remove winlogon.exe as you will render your system unbootable. (NOTE: Do NOT reboot your machine as this will most likely break it!)
Update: ThreatExpert indicates that it is clean. Several comments confirm that it is a false positive. The problem seems to be on Windows XP SP3, SP2 does not seem to have the same issue. The MD5 for this file is ed0ef0a136dec83df69f04118870003e
It seems that there are several reports at the BitDefender forum. I would guess that BitDefender are aware of the problem, temporarily disabling the anti-virus scanner may be a good idea else your system may become unusable. Usually these issues are fixed in 24 hours.
Update 2:
If you can't get the winlogon.exe out of quarantine, then this is a copy of the original (English US) file for XP SP3. Use at your own risk - password is "bitdefender".
winlogon_xpsp3.zip
Current pattern is for BitDefender is 2640654, pushed out on Friday 13th February (!).
I will post the ThreatExpert prognosis when I get it.. in the mean time I would suggest that you do NOT try to remove winlogon.exe as you will render your system unbootable. (NOTE: Do NOT reboot your machine as this will most likely break it!)
Update: ThreatExpert indicates that it is clean. Several comments confirm that it is a false positive. The problem seems to be on Windows XP SP3, SP2 does not seem to have the same issue. The MD5 for this file is ed0ef0a136dec83df69f04118870003e
It seems that there are several reports at the BitDefender forum. I would guess that BitDefender are aware of the problem, temporarily disabling the anti-virus scanner may be a good idea else your system may become unusable. Usually these issues are fixed in 24 hours.
Update 2:
If you can't get the winlogon.exe out of quarantine, then this is a copy of the original (English US) file for XP SP3. Use at your own risk - password is "bitdefender".
winlogon_xpsp3.zip
Sunday 8 February 2009
Good new. Bad news.
A couple of items of interest from The Register:
OpenDNS rolls out Conficker tracking, blocking
This seems like a great idea, especially for small organisations without IDS or traffic monitoring. The problem.. well, OpenDNS has been awfully slow recently and personally I had to stop using it.
Kaspersky breach exposes sensitive database, hacker claims
This looks like a case of an insecure SQL database, leading to a potentially nasty compromise. Kaspersky isn't the first AV vendor to be shown to have poor SQL security. Trend was hit last year, as was CA. In this case, it looks like a potential data breach which is embarrassing. There's no evidence that any Kaspersky product has been compromised, but you can see that it might be possible to leverage credentials exposed in the SQL injection attack and use them elsewhere.
OpenDNS rolls out Conficker tracking, blocking
This seems like a great idea, especially for small organisations without IDS or traffic monitoring. The problem.. well, OpenDNS has been awfully slow recently and personally I had to stop using it.
Kaspersky breach exposes sensitive database, hacker claims
This looks like a case of an insecure SQL database, leading to a potentially nasty compromise. Kaspersky isn't the first AV vendor to be shown to have poor SQL security. Trend was hit last year, as was CA. In this case, it looks like a potential data breach which is embarrassing. There's no evidence that any Kaspersky product has been compromised, but you can see that it might be possible to leverage credentials exposed in the SQL injection attack and use them elsewhere.
Tuesday 18 November 2008
Microsoft Morro: free anti-virus software for consumers
This might be a good deal for cash-strapped consumers, but a bad deal for other anti-virus companies.
Anyway, "Microsoft Morro" is the name given to this idea of giving away free anti-virus software to consumers. I will say that Microsoft's malware scanning technology is actually pretty darned good, but having a security monoculture is not a good idea.
I think perhaps McAfee, Symantec and some other AV vendors might be lawyering up on this one..
Anyway, "Microsoft Morro" is the name given to this idea of giving away free anti-virus software to consumers. I will say that Microsoft's malware scanning technology is actually pretty darned good, but having a security monoculture is not a good idea.
I think perhaps McAfee, Symantec and some other AV vendors might be lawyering up on this one..
Thursday 3 January 2008
JS/Exploit-BO false positive in McAfee
In what looks like a re-run of a recent false positive from eTrust, McAfee Anti-Virus is detecting JS/Exploit-BO in a number of innocent javascript applications, including Mootools. It's likely that McAfee is detecting the Dean Edwards Packer Tool as malware, although that's just an innocent application. Pattern 5197 has the problem, upgrading the signatures to pattern 5198 or later should fix it.
Unfortunately I guess this goes to show that packer tools can be a menace. There have been reports of this tool being used to obfuscate malware, so the smart advice to javascript developers is probably to not encode, compress or encrypt your code in any way if you want it to be trusted.
Unfortunately I guess this goes to show that packer tools can be a menace. There have been reports of this tool being used to obfuscate malware, so the smart advice to javascript developers is probably to not encode, compress or encrypt your code in any way if you want it to be trusted.
Subscribe to:
Posts (Atom)