Virus Warning: Plugin 'Expander'

dschordsch · Post by *dschordsch » 2016-10-22, 02:12 UTC

http://totalcmd.net/plugring/expander2.html

this plugin seems to contain a virus.

Do not install it!

i contacted Flint here, but he has not answered yet, so i thought i post a warning here.

Post by *Hacker » 2016-10-22, 10:45 UTC

dschordsch,

this plugin seems to contain a virus.

Does not really look like it.

Roman

MVV · Post by *MVV » 2016-10-22, 16:16 UTC

Interesting why AVs find 64-bit versios so much suspicious...

ZoSTeR · Post by *ZoSTeR » 2016-10-23, 00:01 UTC

Dalai · Post by *Dalai » 2016-10-23, 00:33 UTC

2ZoSTeR
I don't think so. Every executable (EXE, DLL etc) compiled with a newer Delphi version has this "signature". This applies to my own plugins, too, which have never been flagged as suspicious.

Regards
Dalai

dschordsch · Post by *dschordsch » 2016-10-26, 14:45 UTC

I just see that even for the Total Commander there is one Virus Warning reported by ClamAV (which is an AV Software known to be ineffective).

I reported this here and wrote a comment and upvoted the file as not dangerous.

Still, the Expander plugin has 15 detections. The AskParam pluging has 6 detections, both including detections by Avast, which performs good in AV Software tests.

karlchen · Post by *karlchen » 2016-10-26, 15:49 UTC

dschordsch wrote:I just see that even for the Total Commander there is one Virus Warning reported by ClamAV [...]
I reported this here and wrote a comment and upvoted the file as not dangerous.

In fact, ClamAV has flagged each and every Total Commander 9.0 beta and RC installation package, 32-bit+64-bit, as "Win.Trojan.Ramnit-5647".
Roughly 5 weeks ago I had reported this as "false positives" to them just like you and told them they were the only ones to identify the TC installers as malicious.
I vaguely suspect such feedback messages are sent to /dev/null immediately.

dschordsch · Post by *dschordsch » 2016-10-26, 18:31 UTC

karlchen wrote:Roughly 5 weeks ago I had reported this as "false positives" to them just like you

five weeks and nothing happened? thats bad. Do you have a link to your post? I would add this as information to my post here, if you agree.

karlchen · Post by *karlchen » 2016-10-27, 08:38 UTC

Hi, dschordsch.

Actually I have not kept the link. Had not thought it would be necessary. 1st wrong assumption.

Also had expected to get some kind of automatic receipt confirmation by e-mail. 2nd wrong assumption.

Hey, by the way. By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as malicious. Last night ClamAV was still alone.

Some heuristical analysis has finally realized how malicious this harmless looking installer is. Viciously overwrites the previous release candidate. OMG!

Virustotal: tc900x32_rc3.exe
Virustotal: tc900x32_64_rc3.exe

Waiting for more smart sophisticated AV products to follow ...

Cheers,
Karl

dschordsch · Post by *dschordsch » 2016-10-27, 12:05 UTC

Hi,

karlchen wrote:By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as maliciousl

Oh my. I have sent reports to both AV Vendors now. See here.

Regards, dschordsch (aka Nille in the ClamWin forum).

Horst.Epp · Post by *Horst.Epp » 2016-10-27, 12:10 UTC

karlchen wrote:Hi, dschordsch.

Actually I have not kept the link. Had not thought it would be necessary. 1st wrong assumption.
Also had expected to get some kind of automatic receipt confirmation by e-mail. 2nd wrong assumption.

Hey, by the way. By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as malicious. Last night ClamAV was still alone.
Some heuristical analysis has finally realized how malicious this harmless looking installer is. Viciously overwrites the previous release candidate. OMG!

Virustotal: tc900x32_rc3.exe
Virustotal: tc900x32_64_rc3.exe

Waiting for more smart sophisticated AV products to follow ...

Cheers,
Karl

Sorry, but did you ever heard Antiy-AVL as AV tool.
That is in the same categorie as ClamAV, almost useless.

dschordsch · Post by *dschordsch » 2016-10-27, 13:04 UTC

karlchen wrote:I vaguely suspect such feedback messages are sent to /dev/null immediately.

I just got an email that my false positive report sent to Antiy AV was rejected. The reason was 'Over Quota' which means, 'not enough space to save incoming emails'

I have now mailed their sales team. Hopefully they forward my mail to someone who can handle this issue.

dschordsch · Post by *dschordsch » 2016-10-27, 15:54 UTC

Update:

Seems that The Antiy AVS people have reacted already, it does not false detect the TC anymore:

https://www.virustotal.com/de/file/99f208920923abf165f66e41ba7d2324f25b568d721b9a815cde3c2b16cd7482/analysis/1477580250/

ClamWin still false detects it.

karlchen · Post by *karlchen » 2016-11-02, 22:08 UTC

Total Commander 9.0 RC4, no more false positives today.

Virustotal - TC 9.0 RC4 32-bit (installer)
Virustotal - TC 9.0 RC4 64-bit (installer)

karlchen · Post by *karlchen » 2016-11-07, 11:59 UTC

Now that totalcmd.net is available again, Virustotal results for expander v2.05 (last updated: 30.06.2014) have not really improved:
Virustotal on wdx_Expander2_0.5.zip (16 / 55)

Oops, Symantec here has just quarantined the files. Reason given: Bad reputation.

Translate this to:
There is no other hint that the files may be malicious than that some fool started shouting "stop, thief", and all others joined him.

This is what I call expert malware analysis.

...

Looking forward to the day when Symantec prevents me from logging in to my own notebook, because my reputation is too bad.