Re: Latest dist v5.2

[Tom Sellers <nmap () fadedcode net>]

On 1/21/2010 6:37 PM, Fyodor wrote:
> On Thu, Jan 21, 2010 at 09:19:51AM -0600, Ron wrote:
> > So my question is, what do we do? The best bet might be to include
> > nmap_service.exe separately. When somebody runs the script the first
> > time, it checks if the file exists (and maybe checks the hash of the
> > file, too, to make sure it wasn't tampered/deleted/etc), and then does
> > the upload/etc. If the file doesn't exist, the user is told to download
> > it from somewhere else.
> >
> > The other option is to tell the a/v vendor to cut it out, but I can't
> > see that working. :)
> >
> > Opinions?
>
> Hi Ron.  I have received a report or two about this, so I compiled a
> little bit of information:
>
> One screenshot sent to me showed Astaro Security Gateway refusing the
> download because nmap-5.20-setup.exe supposedly matched
> "ADSPY/AdSpy.Gen".  That signature seems to be from the Avira AntiVir
> antivirus software and is described here:
>
> http://www.avira.com/en/threats/section/fulldetails/id_vir/3906/adspy_adspy.gen.html
>
> Note that it is "A generic detection routine designed to detect common
> family characteristics" of adware/spyware/viruses.
>
> Interestingly, an nmap-5.20-setup.exe analysis from VirusTotal doesn't
> raise any flags:
>
> http://www.virustotal.com/analisis/6699d317cd85de68886631f3f2f44f26884491952809482a65bf8070890bddd9-1264033632
>
> But with just nmap_services.exe, two products flag it as a virus
> (AntiVir 7.9.1.146 and McAfee GW Edition 6.8.5):
>
> http://www.virustotal.com/analisis/a15a993f4fd85a0e3104727c201dd571498191ac0d2842f96058fdd2be5db193-1264100266
>
> Those two are probably sharing the same signature.
>
> I agree with people that the best way to resolve this would be for the
> Antivirus makers to fix the signature so it no longer flags on
> nmap_services.exe, and then upgrade all their users.
>
> But realistically, that would most likely be more work for us and take
> longer than changing the Nmap package to no longer cause the alerts.
> Fortunately, AntiVir isn't detecting Nmap proper, but just this
> relatively obscure file.  I think the best solutions I've heard so far
> are:
>
> o Remove nmap_services.exe and just provide a link to it when needed
>    (I can host it on nmap.org somewhere).
>
> o Or ship an encoded version which is decoded on the fly.
>
> Those should solve the immediate issue.  Then if anyone wants to try
> filing bug reports against the AV vendors related to the 5.20
> packages, I'm all for it!  If the AV vendors actually take heed, we
> may be able to return the file to its full, packaged, unencoded glory.
>
> I'm considering making a 5.21 release in the next week which consists
> of just 5.20 plus resolves the few material issues which have come up.
> So far the list of candidates issues are:
>
> o The HTTP pipelining bug fixed by David this morning
> o The AV false positive issue
>
> Cheers,
> Fyodor


You may also want to test and see what happens when you remove the .exe on
the end.  Some AV only scans executables by default...

Tom
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/