
trojan detected by avg in automotive software purchased, false positive?


3 replies to this topic

#1 oirish71

oirish71

  • Members
  • 4 posts

Posted 30 July 2009 - 03:57 AM

Need some guidance on how to proceed with an automotive diagnostic tool I purchased on eBay. The tool is designed to retrieve module coding from Volkswagen instrument clusters and electronic control modules. The software provided on a disc, when scanned on one computer with AVG Free and on another computer with avast! antivirus, is detected by both as a trojan horse. Is it because of the nature of the software as a diagnostic/interrogative tool that it is detected as a trojan, in other words a false positive? Or should I be concerned? I have not installed the software yet. On virscan.org the software file is in its history and shows about 50% of antivirus programs detecting a trojan. The software was purchased on eBay and the seller's feedback is excellent, which makes me tend towards trusting the software. The file name is VWTester.exe.
The seller's supplier also sent me the software as an e-mail attachment, if anyone would like me to forward it for checking. I am wondering how one confirms a false positive virus detection. I just remembered that Norton AntiVirus also detects it as a trojan; I could add a screenshot of the Norton detection but I don't see any option for attaching a photo. Here is a link to the virscan.org report.
http://virscan.org/report/50f23db14c8b25f4...c582155c61.html
I would appreciate any suggestions on what to do to determine if this software really does contain a trojan or if it is a false positive. This is getting a bit out of my league. Thanks.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 July 2009 - 08:41 AM

It looks like most of the detections are generic, heuristic or packed.

Generic detections are usually a heuristic detection of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics use non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line and inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware.

Certain embedded files that are part of legitimate programs may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, registry fixes and malware strings it contains.

Packed files are specially compressed (protected) files that may have been obfuscated or encrypted in order to conceal themselves, and they often trigger alerts from anti-virus software using heuristic detection because they are resistant to scanning (difficult to read).

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or it can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

Submit a sample directly to the vendor so they can investigate further. Be sure to provide them with any descriptive information you have in regards to that file and what it is used for.

AVG
If you suspect a detection was a "false positive", then you should submit a sample to the vendor so they can investigate and take corrective action. Please refer to:

Symantec (Norton)
If you suspect a detection was a "false positive", then you should submit a sample to the vendor so they can investigate and take corrective action. Upload a suspected infected file or Submit Virus Samples. Corporate users can refer to How to submit a file to Symantec Security Response using Scan and Deliver.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

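The reply above explains that "packed" detections fire because a packer leaves the executable's sections looking like random data, and that the first step in disputing a detection is to submit the exact sample to the vendor. The script below is an added example (not code from the thread or from any anti-virus vendor) showing both halves of that advice in practice: it parses the PE section table of a Windows executable with only the Python standard library, computes the Shannon entropy of each section, flags sections whose entropy approaches that of random bytes (the same rule of thumb heuristic engines use), and prints the file's SHA-256 so the sample you submit can be matched against the scan report. The executable it analyses is constructed in memory for the demonstration; the 7.0 bits-per-byte threshold, the section names and the synthetic layout are assumptions for illustration, not values taken from VWTester.exe.

```python
"""Section-entropy check for a Windows PE file (added example, not from the thread).

Packed executables are flagged by heuristics partly because their code sections
have near-random byte distributions. This parses the PE section table using
only the standard library, scores each section, and reports the file hash.
"""
import hashlib
import json
import math
import struct
from collections import Counter

# Rule of thumb used here (an assumption, not a vendor's value): plain x86 code
# usually scores 5-6.5 bits/byte; compressed or encrypted data scores close to 8.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(name, raw_offset, raw_size), ...] from the PE section table.

    Layout: DOS header ('MZ', e_lfanew at 0x3C) -> 'PE\\0\\0' -> 20-byte COFF
    header (NumberOfSections at +2, SizeOfOptionalHeader at +16) -> optional
    header -> 40-byte section headers (SizeOfRawData at +16, PointerToRawData at +20).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def analyze(pe: bytes) -> dict:
    """Hash the file and score every section; 'likely_packed' is the heuristic verdict."""
    report = {"sha256": hashlib.sha256(pe).hexdigest(), "sections": []}
    for name, ptr, size in parse_sections(pe):
        ent = shannon_entropy(pe[ptr:ptr + size])
        report["sections"].append({
            "name": name, "size": size, "entropy": round(ent, 2),
            "looks_packed": ent >= PACKED_ENTROPY_THRESHOLD,
        })
    report["likely_packed"] = any(s["looks_packed"] for s in report["sections"])
    return report


def build_sample_pe() -> bytes:
    """Constructed two-section PE image for the demo (not a runnable program):
    a plain-text '.text' section and a high-entropy 'UPX1'-style section."""
    text = b"This is ordinary, compressible section content. " * 16
    packed, blob = b"", b"seed"
    while len(packed) < 4096:            # deterministic pseudo-random filler
        blob = hashlib.sha256(blob).digest()
        packed += blob
    sections = [(b".text", text), (b"UPX1", packed)]
    header_size = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, offset = b"", header_size
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), offset, len(data), offset) + b"\0" * 16
        offset += len(data)
    header = (dos + b"PE\0\0" + coff + table).ljust(header_size, b"\0")
    return header + b"".join(data for _, data in sections)


if __name__ == "__main__":
    # To check a real file instead: analyze(open("VWTester.exe", "rb").read())
    print(json.dumps(analyze(build_sample_pe()), indent=2))
```

High entropy is evidence of packing or compression, not of malice: legitimate installers and UPX-compressed tools score the same way, which is exactly why the reply calls these detections heuristic. Use the verdict to decide whether a "packed" label is plausible, and use the SHA-256 to make sure the file you send to AVG or Symantec is the same one the scanners flagged.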

#3 oirish71

oirish71
  • Topic Starter

  • Members
  • 4 posts

Posted 31 July 2009 - 12:45 AM

Many thanks for the advice, Quietman7 (any reference to the John Wayne movie?).
Interesting how the antivirus programs actually work. Something I would have assumed is very black and white can actually be pretty grey. I will submit the file to Norton for further investigation.
The tool the software is used for is, I guess, in essence a kind of hack tool to obtain certain code from automotive computers.
To put it in context, I am an automotive mechanic, and performing a simple procedure such as coding an ignition key to a Volkswagen car's instrument cluster, which contains the engine immobiliser (anti-theft), requires a trip to the dealer. In our remote location that necessitates driving, or in the case of lost keys towing, the vehicle 1800 km down the highway to the nearest dealer. In such circumstances I am appreciative that far more tech-savvy people than I have developed such (hack) tools to work around this. As with anything there is potential for abuse of such knowledge, but for me this provides an option to help out my customers and myself, as a Volkswagen owner, to be independent of the dealer monopoly.
Not quite sure how this turned into an ethical/philosophical post but again thanks for all the advice and info on how antivirus software works.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 July 2009 - 05:36 AM

You're welcome and good luck.
