Nmap Development mailing list archives
Re: Latest dist v5.2
From: Fyodor <fyodor () insecure org>
Date: Thu, 21 Jan 2010 16:37:13 -0800
On Thu, Jan 21, 2010 at 09:19:51AM -0600, Ron wrote:
So my question is, what do we do? The best bet might be to include nmap_service.exe separately. When somebody runs the script the first time, it checks if the file exists (and maybe checks the hash of the file, too, to make sure it wasn't tampered/deleted/etc), and then does the upload/etc. If the file doesn't exist, the user is told to download it from somewhere else. The other option is to tell the a/v vendor to cut it out, but I can't see that working. :) Opinions?
Hi Ron. I have received a report or two about this, so I compiled a little bit of information:

One screenshot sent to me showed Astaro Security Gateway refusing the download because nmap-5.20-setup.exe supposedly matched "ADSPY/AdSpy.Gen". That signature seems to be from the Avira AntiVir antivirus software and is described here:

http://www.avira.com/en/threats/section/fulldetails/id_vir/3906/adspy_adspy.gen.html

Note that it is "A generic detection routine designed to detect common family characteristics" of adware/spyware/viruses.

Interestingly, an nmap-5.20-setup.exe analysis from VirusTotal doesn't raise any flags:

http://www.virustotal.com/analisis/6699d317cd85de68886631f3f2f44f26884491952809482a65bf8070890bddd9-1264033632

But with just nmap_services.exe, two products flag it as a virus (AntiVir 7.9.1.146 and McAfee GW Edition 6.8.5):

http://www.virustotal.com/analisis/a15a993f4fd85a0e3104727c201dd571498191ac0d2842f96058fdd2be5db193-1264100266

Those two are probably sharing the same signature.

I agree with people that the best way to resolve this would be for the Antivirus makers to fix the signature so it no longer flags on nmap_services.exe, and then upgrade all their users. But realistically, that would most likely be more work for us and take longer than changing the Nmap package to no longer cause the alerts.

Fortunately, AntiVir isn't detecting Nmap proper, but just this relatively obscure file. I think the best solutions I've heard so far are:

o Remove nmap_services.exe and just provide a link to it when needed (I can host it on nmap.org somewhere).

o Or ship an encoded version which is decoded on the fly.

Those should solve the immediate issue. Then if anyone wants to try filing bug reports against the AV vendors related to the 5.20 packages, I'm all for it! If the AV vendors actually take heed, we may be able to return the file to its full, packaged, unencoded glory.
I'm considering making a 5.21 release in the next week which consists of just 5.20 plus resolves the few material issues which have come up. So far the list of candidate issues is:

o The HTTP pipelining bug fixed by David this morning

o The AV false positive issue

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
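The existence-and-hash check Ron proposes for a separately shipped nmap_service.exe, as an added example that is not from this thread or from the Nmap project; it is written in Python rather than NSE Lua, and `check_helper`, `DOWNLOAD_HINT`, the pinned digest and the stand-in file contents are all constructed placeholders, not real Nmap release values.

```python
import hashlib
import hmac
import os
import tempfile

# Placeholder location; the real URL would be chosen at release time.
DOWNLOAD_HINT = "https://example.invalid/placeholder-download-location"


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_helper(path, expected_sha256):
    """Return (ok, reason); refuse a missing or modified helper binary."""
    if not os.path.isfile(path):
        return False, f"{path} not found; download it from {DOWNLOAD_HINT}"
    actual = sha256_file(path)
    # Constant-time comparison of the hex digests against the pinned value.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False, (f"{path} digest mismatch (got {actual}); "
                       f"re-download it from {DOWNLOAD_HINT}")
    return True, "digest verified, safe to upload"


def demo():
    """Constructed sample: a stand-in helper, a tampered copy, a missing file."""
    payload = b"MZ constructed stand-in for nmap_service.exe, not the real file"
    pinned = hashlib.sha256(payload).hexdigest()  # what a release would pin
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "nmap_service.exe")
        with open(good, "wb") as f:
            f.write(payload)
        ok_good, _ = check_helper(good, pinned)
        with open(good, "ab") as f:
            f.write(b"\x00")  # simulate tampering or a truncated download
        ok_bad, _ = check_helper(good, pinned)
        ok_missing, _ = check_helper(os.path.join(d, "missing.exe"), pinned)
    return ok_good, ok_bad, ok_missing


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Only an exact match against the pinned digest is accepted, so a user who ends up with a truncated or altered copy is told to fetch a clean one rather than having it uploaded.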