Thread: False positive with avira virusscanners and mcafee too

  1. #1

    False positive with avira virusscanners and mcafee too

    Have a read here:
    http://forum.sysinternals.com/forum_posts.asp?TID=21226
    Sigh ...

    I suppose new heuristics will produce false positives until worked on, but Avira, I've found, always generates a lot - but as long as they're catching they have good scores eh.
    Originally posted by ntunldr

    Smallest trojan

    So-called "heuristics" checks Import table and if LdrLoadDll || LdrGetProcedureAddress found then -> TR/Dropper.Generic found!

    And another funny detection DR/Delphi.Gen [dropper]
    Code:
    var
     dll: THANDLE;
     p1: pointer;
    begin
     dll := LoadLibraryW('wininet.dll');
     if (dll <> 0) then
     begin
      p1 := GetProcAddress(dll, 'InternetSilentTrojanDownloadW');
      if (p1 <> nil) then;
      DbgPrint('RUSTOCK');
      LdrUnloadDll(dll);
     end;
    end.
    Lol
    http://3das.noeska.com - create adventure games without programming
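
    The import-table rule described in the quote in post #1, as an added example that is not part of the thread and not any vendor's engine: a small PE32 import parser, the rule applied literally, and a constructed image that contains no code yet still receives the verdict. The helper names and the sample image are assumptions made for illustration.

```python
import struct

FLAGGED = {"LdrLoadDll", "LdrGetProcedureAddress"}  # the two names quoted in post #1

def u(fmt, buf, off):
    return struct.unpack_from("<" + fmt, buf, off)

def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def imports(pe):
    """Return {dll: [imported names]} from the import directory of a PE32 image."""
    nt = u("I", pe, 0x3C)[0]  # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0" or u("H", pe, nt + 24)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    nsec, optsz = u("H", pe, nt + 6)[0], u("H", pe, nt + 20)[0]
    secs = [u("4I", pe, nt + 24 + optsz + 40 * i + 8) for i in range(nsec)]
    def off(rva):  # RVA -> file offset through the section table
        for vsize, va, rawsz, raw in secs:
            if va <= rva < va + max(vsize, rawsz):
                return rva - va + raw
        raise ValueError("RVA outside any section")
    out, rva = {}, u("I", pe, nt + 128)[0]  # data directory entry 1 (imports)
    d = off(rva) if rva else -1
    while d >= 0 and any(desc := u("5I", pe, d)):  # all-zero descriptor ends the list
        t, names = off(desc[0] or desc[4]), []  # OriginalFirstThunk, else FirstThunk
        while (e := u("I", pe, t)[0]):
            names.append(f"#{e & 0xFFFF}" if e >> 31 else cstr(pe, off(e) + 2))
            t += 4
        out[cstr(pe, off(desc[3]))] = names
        d += 20
    return out

def naive_verdict(pe):
    """The rule as the post words it: a flagged import name alone gives the verdict."""
    hit = any(FLAGGED & set(names) for names in imports(pe).values())
    return "TR/Dropper.Generic" if hit else "clean"

def sample_pe(dll, funcs):
    """Constructed input: PE32 headers and one import descriptor, no code at all."""
    n, strs, at = 4 * (len(funcs) + 1), dll.encode() + b"\0", []
    for f in funcs:  # hint/name entries are laid out after the DLL name
        at.append(0x1028 + n + len(strs))
        strs += b"\0\0" + f.encode() + b"\0"
    sec = struct.pack(f"<5I20x{len(at) + 1}I", 0x1028, 0, 0, 0x1028 + n, 0x1028, *at, 0) + strs
    return struct.pack("<2s58xI4s2H12x3H102x2I120x4I176x", b"MZ", 0x40, b"PE\0\0", 0x14C, 1,
                       0xE0, 0x102, 0x10B, 0x1000, 40, len(sec), 0x1000, len(sec), 0x200) + sec
```

    Because the verdict depends only on names in the import directory, it carries no information about what a program does, which is why a rule of this shape flags legitimate tools.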

  2. #2

    Re: False positive with avira virusscanners and mcafee too

    Friday I cleaned up my PC so Avira isn't running here anymore.

    Instead I've set up a dual boot (Windows 7 vs. Ubuntu 9.10). I can now try some cross-platform development.
    Coders rule nr 1: Face ur bugz.. dont cage them with code, kill'em with ur cursor.

  3. #3

    Re: False positive with avira virusscanners and mcafee too

    Combine this with the actual "virus" found in Delphi and now everyone is going to be paranoid. As it is you have to look at the actual exe signature/disasm in many cases. Everyday people just don't have that knowledge/time/commitment, instead they just move on to the next product till they find something that works.

    Personally, I look for open source and cross-platform in an application. Not only because I have multiple environments to run it on, but also because I've never seen a virus in one of these (not to say it doesn't exist, just that I haven't seen it).

    - Jeremy
