Virus Warning: Plugin 'Expander'

[MVV]

I still can't enter totalcmd.net/wincmd.ru...

Looking forward to the day when Symantec prevents me from logging in to my own notebook, because my reputation is too bad.

No, it will quarantine your OS because of too bad reputation.

[ghisler(Author)]

Even worse - Symantec "bad reputation" only means that there were only few downloads from systems with Symantec, so the file is essentially unknown.

[karlchen]

Just to illustrate Christian's words, here is Symantec's own diagnostic screen: Symantec on bad reputation
For more than a year they have known this file, but not been bothered to analyze it. Instead they come up with this braindead nonsense. (Cf. screenshot, please.) Unbelievable.

[Hacker]

karlchen,
Yeah, Symantec itself does not really have a good reputation.
Their firewall blocked IP's that tried to connect to some well-known trojan ports, so if you wanted to cut a system with Symantec off the internet, you just created one packet with a faked source IP (which would be the DNS server of the target) and sent it to a well-known trojan port on the target machine. Symantec would see the packet and block all traffic to the (faked) source IP, thus blocking all communications with the DNS server, effectively cutting the machine off the internet. Well done!

Roman

[karlchen]

Hi, Hacker.

They all - the producers of AV software - do not earn their money by protecting us from malware efficiently, but just by giving us the feeling they were really trying hard to protect us.
Heuristics and reputation checks are poor marketing lies to make us believe they were able to detect so far unknown malware, too, whereas in fact their detection still depends on ever growing antivirus definition files (their mug shots), which is only too easily fooled by changing the internal structure of an existing malware programme only slightly.
In brief they sell us the false feeling of being secure, but no real security.

Cheers,
Karl

[MVV]

They all - the producers of AV software - do not earn their money by protecting us from malware efficiently, but just by giving us the feeling they were really trying hard to protect us.

Of course, and only complete fools release new viruses w/o checking them on most popular or all AVs...
Well, heuristics and proactive defence systems are generally able to protect by restricting usage of harmful system functions... but it is very hard to detect which application may be trusted and which not (so many AVs simply treat any unknown piece of software untrusted). E.g. recently on some machine I've noticed that Avast completely blocks signed Process Hacker's driver (it is a real pain at all to tell Avast not to block something because it never asks you, it informs you that it have deleted/blocked something, but here even ignore list didn't help)!

[dschordsch]

Four months later: the expander plugin still has 14 detections, including detections by Avast, AVG, McAfee, Microsoft, Symantec.

Is anyone using the latest version of this plugin? Has anyone successfully installed it? I am too scared to try it out.

[Horst.Epp]

Four months later: the expander plugin still has 14 detections, including detections by Avast, AVG, McAfee, Microsoft, Symantec.

Is anyone using the latest version of this plugin? Has anyone successfully installed it? I am too scared to try it out.

The actual version of my Bitdefender Antivirus Pro doesn't find anything.
Also the files are from 2014 so there can be no new unknown virus in it.
So I would trust it.

[Dalai]

2dschordsch
The 32 bit plugin file is clean if you want to believe the VirusTotal scans. The scanners are bothered by the 64 bit plugin file. If the 64 bit plugin file is compiled from the same source (which I assume but don't know for sure) it's also pretty sure that it's clean.

Regards
Dalai

[dschordsch]

So i just tried the plugin with Sandboxie and it did not create any files inside the sandbox, after i installed and used it. What do you think, is this an indicator that it is safe?

[Stefan2]

<deleted>

Hello MVV, my search for an thread about expander2 found only this, so I use this to inform you....


This is related to the Expander2 version of 2016 as found at https://totalcmd.net/plugring/expander2.html

With that plugin comes no description how to use and there is at first no "Expander2.ini" for to see the syntax and use itself as INI.
Only if you actively install that plugin per double click or if one open one time the wdx plugin dialog in TC to execute the WDX, that ini file is created.

But if you configure that plugin by hand for some reason, you will be lost if you doesn't happend to have the older 2010-version with the "Expander2.lng" as guideline.



Maybe you want to include the "Expander2.ini" into the download archive or add a small how-to.


For all others , here is the content of that "Expander2.ini" text file, just created it in the same folder as the "Expander2.wdx":

Code: Select all

[Main]
FieldCount=64
Divider=" "
OldStyle=0
CaseSensitive=1

This is not needed if you install this plugin as you should, that is by double clicking on the downloaded wdx_Expander2_0.5.1.zip



Thank you MVV for maintaining this plugin!


That came up in this Thread in German with some more information:
https://ghisler.ch/board/viewtopic.php?p=427080#p427080






 

[Vingolf]

Only if you actively install that plugin per double click [...] that ini file is created.

But if you configure that plugin by hand for some reason,
you will be lost if you doesn't happend to have the older 2010-version with the "Expander2.lng" as guideline.
This is not needed if you install this plugin as you should, that is by double clicking on the downloaded wdx_Expander2_0.5.1.zip

Thank you MVV for maintaining this plugin
 

Installing per double click is not sufficient, at least, in my case it was not