Virus Warning: Plugin 'Expander'

MVV
Power Member
Posts: 8702
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

I still can't enter totalcmd.net/wincmd.ru...
karlchen wrote: Looking forward to the day when Symantec prevents me from logging in to my own notebook, because my reputation is too bad. :roll:
No, it will quarantine your OS because of too bad reputation. :D
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Even worse - Symantec "bad reputation" only means that there were only few downloads from systems with Symantec, so the file is essentially unknown.
Author of Total Commander
https://www.ghisler.com
karlchen
Power Member
Posts: 4601
Joined: 2003-02-06, 22:23 UTC
Location: Germany

Post by *karlchen »

Just to illustrate Christian's words, here is Symantec's own diagnostic screen: Symantec on bad reputation
For more than a year they have known this file, but not been bothered to analyze it. Instead they come up with this braindead nonsense. (Cf. screenshot, please.) Unbelievable.
MX Linux 21.3 64-bit xfce, Total Commander 10.52 64-bit
The people of Alderaan keep on bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine.
The Prophet's Song
Hacker
Moderator
Posts: 13052
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

karlchen,
Yeah, Symantec itself does not really have a good reputation. :D
Their firewall blocked IPs that tried to connect to some well-known trojan ports, so if you wanted to cut a system with Symantec off the internet, you just created one packet with a faked source IP (which would be the DNS server of the target) and sent it to a well-known trojan port on the target machine. Symantec would see the packet and block all traffic to the (faked) source IP, thus blocking all communications with the DNS server, effectively cutting the machine off the internet. Well done! :D

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect, you drop dead.
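
The failure mode described in the post above, modelled as an added example (not part of the thread and not Symantec's code): a reactive rule that blocks whatever source address a packet claims, next to a variant that ignores unverified sources and never blocks a protected list. The addresses, the port set and all class and function names are constructed assumptions.

```python
import ipaddress

# Constructed values (assumptions, not from the thread).
WATCHED_PORTS = {12345, 27374, 31337}      # illustrative "trojan port" list
NEVER_BLOCK = {ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.1")}  # resolver, gateway

class NaiveAutoBlocker:
    """Blocks every source address seen on a watched port, verified or not."""
    def __init__(self):
        self.blocked = set()

    def on_inbound(self, src, dst_port, handshake_done):
        if dst_port in WATCHED_PORTS:
            self.blocked.add(ipaddress.ip_address(src))

    def allows(self, peer):
        return ipaddress.ip_address(peer) not in self.blocked

class HardenedAutoBlocker(NaiveAutoBlocker):
    """Acts only on sources proven by a completed TCP handshake, and never
    on addresses the host depends on; everything else is logged for review."""
    def __init__(self, never_block):
        super().__init__()
        self.never_block = set(never_block)
        self.suppressed = []

    def on_inbound(self, src, dst_port, handshake_done):
        if dst_port not in WATCHED_PORTS:
            return
        addr = ipaddress.ip_address(src)
        if addr in self.never_block or not handshake_done:
            self.suppressed.append((src, dst_port))   # alert, do not block
            return
        self.blocked.add(addr)

def replay(blocker, events):
    """Feed (claimed source, destination port, handshake completed) tuples."""
    for src, port, handshake_done in events:
        blocker.on_inbound(src, port, handshake_done)
    return blocker

# Constructed events.
EVENTS = [
    ("192.0.2.53", 31337, False),    # lone packet whose header claims the resolver
    ("198.51.100.7", 27374, True),   # peer that completed a handshake
    ("203.0.113.9", 12345, False),   # lone packet, unverifiable source
]
```

Replaying `EVENTS` through both classes shows the naive rule losing its resolver while the hardened rule still blocks the one peer whose address was actually verified.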
karlchen
Power Member
Posts: 4601
Joined: 2003-02-06, 22:23 UTC
Location: Germany

Post by *karlchen »

Hi, Hacker.

They all - the producers of AV software - do not earn their money by protecting us from malware efficiently, but just by giving us the feeling they were really trying hard to protect us.
Heuristics and reputation checks are poor marketing lies to make us believe they were able to detect so far unknown malware, too, whereas in fact their detection still depends on ever growing antivirus definition files (their mug shots), which is only too easily fooled by changing the internal structure of an existing malware programme only slightly.
In brief they sell us the false feeling of being secure, but no real security.

Cheers,
Karl
MX Linux 21.3 64-bit xfce, Total Commander 10.52 64-bit
The people of Alderaan keep on bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine.
The Prophet's Song
MVV
Power Member
Posts: 8702
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV »

karlchen wrote: They all - the producers of AV software - do not earn their money by protecting us from malware efficiently, but just by giving us the feeling they were really trying hard to protect us.
Of course, and only complete fools release new viruses w/o checking them on most popular or all AVs...
Well, heuristics and proactive defence systems are generally able to protect by restricting usage of harmful system functions... but it is very hard to detect which application may be trusted and which not (so many AVs simply treat any unknown piece of software as untrusted). E.g. recently on some machine I've noticed that Avast completely blocks signed Process Hacker's driver (it is a real pain to tell Avast not to block something because it never asks you, it informs you that it has deleted/blocked something, but here even the ignore list didn't help)!
dschordsch
Junior Member
Posts: 18
Joined: 2015-12-04, 15:05 UTC

Post by *dschordsch »

Four months later: the expander plugin still has 14 detections, including detections by Avast, AVG, McAfee, Microsoft, Symantec.

Is anyone using the latest version of this plugin? Has anyone successfully installed it? I am too scared to try it out.
Horst.Epp
Power Member
Posts: 6449
Joined: 2003-02-06, 17:36 UTC
Location: Germany

Post by *Horst.Epp »

dschordsch wrote: Four months later: the expander plugin still has 14 detections, including detections by Avast, AVG, McAfee, Microsoft, Symantec.

Is anyone using the latest version of this plugin? Has anyone successfully installed it? I am too scared to try it out.
The actual version of my Bitdefender Antivirus Pro doesn't find anything.
Also the files are from 2014 so there can be no new unknown virus in it.
So I would trust it.
Windows 11 Home x64 Version 23H2 (OS Build 22631.3374)
TC 11.03 x64 / x86
Everything 1.5.0.1371a (x64), Everything Toolbar 1.3.2, Listary Pro 6.3.0.69
QAP 11.6.3.2 x64
Dalai
Power Member
Posts: 9364
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai »

2dschordsch
The 32 bit plugin file is clean if you want to believe the VirusTotal scans. The scanners are bothered by the 64 bit plugin file. If the 64 bit plugin file is compiled from the same source (which I assume but don't know for sure) it's also pretty sure that it's clean.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
dschordsch
Junior Member
Posts: 18
Joined: 2015-12-04, 15:05 UTC

Post by *dschordsch »

So I just tried the plugin with Sandboxie and it did not create any files inside the sandbox, after I installed and used it. What do you think, is this an indicator that it is safe?
Stefan2
Power Member
Posts: 4132
Joined: 2007-09-13, 22:20 UTC
Location: Europa

Re: expander2.wdx "Expander2.ini" "Expander2.lng"

Post by *Stefan2 »

MVV wrote: 2016-11-09, 07:35 UTC <deleted>

Hello MVV, my search for a thread about expander2 found only this, so I use this to inform you....


This is related to the Expander2 version of 2016 as found at https://totalcmd.net/plugring/expander2.html

With that plugin comes no description of how to use it, and at first there is no "Expander2.ini" to see the syntax and to use as the INI itself.
Only if you actively install that plugin by double click, or if one opens the wdx plugin dialog in TC once to execute the WDX, is that ini file created.

But if you configure that plugin by hand for some reason, you will be lost if you don't happen to have the older 2010 version with the "Expander2.lng" as a guideline.



Maybe you want to include the "Expander2.ini" into the download archive or add a small how-to.


For all others, here is the content of that "Expander2.ini" text file, just created it in the same folder as the "Expander2.wdx":

Code:

[Main]
FieldCount=64
Divider=" "
OldStyle=0
CaseSensitive=1
This is not needed if you install this plugin as you should, that is by double clicking on the downloaded wdx_Expander2_0.5.1.zip



Thank you MVV for maintaining this plugin!


That came up in this Thread in German with some more information:
https://ghisler.ch/board/viewtopic.php?p=427080#p427080
Vingolf
Junior Member
Posts: 23
Joined: 2023-02-13, 08:17 UTC
Location: Europe

Re: expander2.wdx "Expander2.ini" "Expander2.lng"

Post by *Vingolf »

Stefan2 wrote: 2023-02-14, 11:34 UTC
Only if you actively install that plugin per double click [...] that ini file is created.

But if you configure that plugin by hand for some reason,
you will be lost if you don't happen to have the older 2010 version with the "Expander2.lng" as a guideline.
This is not needed if you install this plugin as you should, that is by double clicking on the downloaded wdx_Expander2_0.5.1.zip

Thank you MVV for maintaining this plugin
 
Installing per double click is not sufficient, at least, in my case it was not :mrgreen: