Nmap Development mailing list archives

RE: [EXTERNAL] Re: Safety and integrity of npcap-0.99-r3.exe


From: "Lamsoge, Abhijit" <Abhijit.Lamsoge () harman com>
Date: Thu, 19 Apr 2018 12:01:13 +0000

Murphy said "Anything that can go wrong will go wrong".
Now apply it to false positives.
If some AVs are meant to raise flags for legitimate content, then in fact they will ??

From: dev [mailto:dev-bounces () nmap org] On Behalf Of Yuri Slobodyanyuk
Sent: Thursday, April 19, 2018 11:46 AM
To: Daniel Miller <bonsaiviking () gmail com>
Cc: bf1783 () gmail com; Nmap-dev <dev () nmap org>
Subject: [EXTERNAL] Re: Safety and integrity of npcap-0.99-r3.exe

(Rant) Sorry for barging in but couldn't resist - the absurdity of the anti-virus vendors first made me laugh, then made me turn off all of them.
According to VirusTotal I host on my site a very bad malware (confess, also written by me):
https://www.virustotal.com/en/file/b98b9d144ad0edbc6be5e73ad0ab06cc2bc15816df509369f3e38e8917f62970/analysis/1524117706/
Only that this executable is a product of compiling (with MS VS 2015) this 'malicious' code LOL:


#include "stdafx.h"   // MSVC precompiled header; the binary was built with Visual Studio 2015
#include <stdio.h>
#include <string.h>

// this example and all the following will be posted on my site ....

int main()
{
    char serial_input[6] = "";
    char serial_correct[6] = "23845";
    int result = 0;

    printf("Please enter the serial of 5 numbers:");
    fgets(serial_input, 6, stdin);   // reads at most 5 characters plus the terminating NUL

    // compare only the 5 serial digits, ignoring anything after them
    result = strncmp(serial_input, serial_correct, 5);
    if (result != 0)
    {
        printf("Wrong serial!, quitting ..\n");
        return 1;
    }
    else { printf("Great, you have the correct serial !\n"); }

    return 0;
}


On Mon, Apr 9, 2018 at 5:00 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
Thanks for reporting this. This is indeed a false positive. I have verified the integrity of the files on the Nmap web 
server, and you can verify that all binaries including the installer are signed with Insecure.org LLC's EV code signing 
certificate. I reported this to F-Secure and will be reporting it to other vendors as I am able. They sent this 
response:

Greetings,
Thank you for bringing this to our attention. Our analysis indicates that the file you submitted is clean.

We have identified the issue as a False Positive, which will be resolved in an upcoming database update.

In the meantime, you may exclude this file from further scanning by the security product. You can do so using the 
following instructions:

Internet Security 2015:
https://community.f-secure.com/t5/F-Secure-SAFE/How-do-I-exclude-a-file-or/ta-p/56363
Client Security:
https://help.f-secure.com/product.html#business/client-security/12.00/en/task_13205052E3D44C44BA2491A55A7F818F-12.00-en
Policy Manager and PSB Workstation:
https://community.f-secure.com/t5/Management/Excluding-objects-from-Real-Time/ta-p/66013

If you wish to manually update your security product's database, you can use the tools and instructions at:
https://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/140

We apologize for any inconveniences that this false positive may have caused. If there is anything else we can help you 
with, please do not hesitate to contact us again.

Best regards,
Azim
Malware Analyst
F-Secure Security Labs

Dan

On Sun, Apr 8, 2018 at 1:52 AM, bf <bf1783 () gmail com> wrote:
My apologies if this is the wrong list for this topic.  False positives? Or?:

https://www.virustotal.com/en/file/8aa79474c8187c0702b824d63195a0cbce69cddf1094990e4eb819900da9dd75/analysis/1523168786/


Regards,
                   b.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/





--
Taking challenges one by one.
http://yurisk.info

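Dan's advice in the thread is to trust the publisher's code-signing certificate rather than an AV verdict. The following is an added example (not code from the thread or from the Npcap project) of doing that check on Windows; the file path, the signer name (taken from Dan's message, so confirm the exact subject string against a known-good copy) and the SHA-256 (from bf's VirusTotal link) are assumptions.

```powershell
# Added example, not from the thread: check that a downloaded Npcap installer is intact
# (SHA-256 matches the value reported to VirusTotal) and carries a valid Authenticode
# signature from the expected publisher before anyone runs it.
param(
    [string]$Path = '.\npcap-0.99-r3.exe',                  # assumed download location
    [string]$ExpectedSigner = 'Insecure.org LLC',           # signer name as given in Dan's message
    # SHA-256 from bf's VirusTotal link in this thread; replace for other releases
    [string]$ExpectedSha256 = '8aa79474c8187c0702b824d63195a0cbce69cddf1094990e4eb819900da9dd75'
)

# 1. Integrity: does the file on disk match the sample that was analysed?
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
Write-Host "SHA-256: $hash"
if ($hash -ne $ExpectedSha256) {
    Write-Warning 'SHA-256 differs from the expected value; find out why before running the file.'
}

# 2. Authenticity: is the signature valid and does the chain reach a trusted root?
#    Only 'Valid' means the embedded hash matches the file AND the chain is trusted.
#    'HashMismatch' means the file was changed after signing; 'NotSigned' means no signature.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "Signature status: $($sig.Status) ($($sig.StatusMessage))"
if ($sig.Status -ne 'Valid') {
    throw "Authenticode check failed: $($sig.Status)"
}

$cert = $sig.SignerCertificate
Write-Host "Signer subject: $($cert.Subject)"
Write-Host "Thumbprint    : $($cert.Thumbprint)"
Write-Host "Valid until   : $($cert.NotAfter)"
if ($sig.TimeStamperCertificate) {
    # A timestamp keeps the signature verifiable after the signing cert expires.
    Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
}

# 3. Identity: a valid signature from some other publisher is still the wrong file,
#    so pin the expected subject name rather than accepting any trusted signer.
if ($cert.Subject -notlike "*CN=$ExpectedSigner*") {
    throw "Signed, but not by '$ExpectedSigner': $($cert.Subject)"
}
Write-Host "OK: file is intact and signed by $ExpectedSigner"
```

Once the thumbprint of the genuine certificate is known, pinning it in place of the subject name gives a stricter check for future releases.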
