Virus Warning: Plugin 'Expander'
dschordsch (Junior Member; joined 04 Dec 2015; 18 posts)
Posted: Fri Oct 21, 2016 8:12 pm    Post subject: Virus Warning: Plugin 'Expander'

http://totalcmd.net/plugring/expander2.html

this plugin seems to contain a virus.

Do not install it!

I contacted Flint here, but he has not answered yet, so I thought I'd post a warning here.
Hacker (Moderator; joined 06 Feb 2003; 10927 posts; location: Bratislava, Slovakia)
Posted: Sat Oct 22, 2016 4:45 am

dschordsch,
Quote:
this plugin seems to contain a virus.

Does not really look like it.

Roman
_________________
Just suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect you drop dead.
MVV (Power Member; joined 03 Aug 2008; 8063 posts; location: Russian Federation)
Posted: Sat Oct 22, 2016 10:16 am

Interesting why AVs find 64-bit versions so suspicious...
_________________
TCFS2 + TCFS2Tools: Full-screen mode for TC etc (forum)
TOTALCMD.NET: AskParam, CopyTree, NTLinks, Sudo, VirtualPanel…
ZoSTeR (Power Member; joined 29 Jul 2004; 917 posts)
Posted: Sat Oct 22, 2016 6:01 pm

I guess it's because of this stuff: "FastMM Embarcadero Edition (c) 2004 - 2011 Pierre le Riche".
Dalai (Power Member; joined 28 Jan 2005; 6087 posts; location: Meiningen (Südthüringen))
Posted: Sat Oct 22, 2016 6:33 pm

To ZoSTeR:
I don't think so. Every executable (EXE, DLL etc.) compiled with a newer Delphi version has this "signature". This applies to my own plugins, too, which have never been flagged as suspicious.

Regards
Dalai
_________________
#101164 Personal licence
Athlon X4 880K, 16 GiB RAM, Gigabyte F2A88X-D3HP, Win7 x64

Plugins: Services2, Startups
dschordsch (Junior Member; joined 04 Dec 2015; 18 posts)
Posted: Wed Oct 26, 2016 8:45 am

I just saw that even for Total Commander there is one virus warning reported by ClamAV (which is AV software known to be ineffective).

I reported this here, wrote a comment and upvoted the file as not dangerous.

Still, the Expander plugin has 15 detections. The AskParam plugin has 6 detections, both including detections by Avast, which performs well in AV software tests.
karlchen (Power Member; joined 06 Feb 2003; 4526 posts; location: Germany)
Posted: Wed Oct 26, 2016 9:49 am

dschordsch wrote:
I just see that even for the Total Commander there is one Virus Warning reported by ClamAV [...]
I reported this here and wrote a comment and upvoted the file as not dangerous.

In fact, ClamAV has flagged each and every Total Commander 9.0 beta and RC installation package, 32-bit+64-bit, as "Win.Trojan.Ramnit-5647".
Roughly 5 weeks ago I had reported this as "false positives" to them just like you and told them they were the only ones to identify the TC installers as malicious.
I vaguely suspect such feedback messages are sent to /dev/null immediately.
_________________
Old bugs good, new bugs bad! Updates are evil: might fix old bugs and introduce no new ones.
dschordsch (Junior Member; joined 04 Dec 2015; 18 posts)
Posted: Wed Oct 26, 2016 12:31 pm

karlchen wrote:
Roughly 5 weeks ago I had reported this as "false positives" to them just like you

Five weeks and nothing happened? That's bad. Do you have a link to your post? I would add this as information to my post here, if you agree.
karlchen (Power Member; joined 06 Feb 2003; 4526 posts; location: Germany)
Posted: Thu Oct 27, 2016 2:38 am

Hi, dschordsch.

Actually I have not kept the link. Had not thought it would be necessary. 1st wrong assumption.
Also had expected to get some kind of automatic receipt confirmation by e-mail. 2nd wrong assumption.

Hey, by the way. By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as malicious. Last night ClamAV was still alone.
Some heuristical analysis has finally realized how malicious this harmless looking installer is. Viciously overwrites the previous release candidate. OMG!

Virustotal: tc900x32_rc3.exe
Virustotal: tc900x32_64_rc3.exe

Waiting for more smart sophisticated AV products to follow ...

Cheers,
Karl
dschordsch (Junior Member; joined 04 Dec 2015; 18 posts)
Posted: Thu Oct 27, 2016 6:05 am

Hi,

karlchen wrote:
By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as malicious

Oh my. I have sent reports to both AV vendors now. See here.

Regards, dschordsch (aka Nille in the ClamWin forum).
Horst.Epp (Power Member; joined 06 Feb 2003; 2972 posts; location: Germany)
Posted: Thu Oct 27, 2016 6:10 am

karlchen wrote:
Hi, dschordsch.

Actually I have not kept the link. Had not thought it would be necessary. 1st wrong assumption.
Also had expected to get some kind of automatic receipt confirmation by e-mail. 2nd wrong assumption.

Hey, by the way. By now T.C. 9.0 rc3 has managed to be identified by 2 AV products as malicious. Last night ClamAV was still alone.
Some heuristical analysis has finally realized how malicious this harmless looking installer is. Viciously overwrites the previous release candidate. OMG!

Virustotal: tc900x32_rc3.exe
Virustotal: tc900x32_64_rc3.exe

Waiting for more smart sophisticated AV products to follow ...

Cheers,
Karl

Sorry, but have you ever heard of Antiy-AVL as an AV tool?
That is in the same category as ClamAV, almost useless.
_________________
Windows 10 x64 Version 1803
April 2018 Update (OS Build 17134.167)
TC 9.20 x64 and x86, Everything 1.4.1.906 (x64)
dschordsch (Junior Member; joined 04 Dec 2015; 18 posts)
Posted: Thu Oct 27, 2016 7:04 am

karlchen wrote:
I vaguely suspect such feedback messages are sent to /dev/null immediately.


I just got an email that my false positive report sent to Antiy AV was rejected. The reason was 'Over Quota', which means 'not enough space to save incoming emails'.

I have now mailed their sales team. Hopefully they forward my mail to someone who can handle this issue.
dschordsch (Junior Member; joined 04 Dec 2015; 18 posts)
Posted: Thu Oct 27, 2016 9:54 am

Update:

Seems that the Antiy AVS people have reacted already; it does not falsely detect TC anymore:

https://www.virustotal.com/de/file/99f208920923abf165f66e41ba7d2324f25b568d721b9a815cde3c2b16cd7482/analysis/1477580250/

ClamWin still falsely detects it.
karlchen (Power Member; joined 06 Feb 2003; 4526 posts; location: Germany)
Posted: Wed Nov 02, 2016 4:08 pm

Total Commander 9.0 RC4, no more false positives today.
Virustotal - TC 9.0 RC4 32-bit (installer)
Virustotal - TC 9.0 RC4 64-bit (installer)
karlchen (Power Member; joined 06 Feb 2003; 4526 posts; location: Germany)
Posted: Mon Nov 07, 2016 5:59 am

Now that totalcmd.net is available again, Virustotal results for expander v2.05 (last updated: 30.06.2014) have not really improved:
Virustotal on wdx_Expander2_0.5.zip (16 / 55)

Oops, Symantec here has just quarantined the files. Reason given: Bad reputation.

Translate this to:
There is no other hint that the files may be malicious than that some fool started shouting "stop, thief", and all others joined him.

This is what I call expert malware analysis.

...

Looking forward to the day when Symantec prevents me from logging in to my own notebook, because my reputation is too bad.
Imprint/Impressum: This site is maintained by Ghisler Software GmbH