Is Shadow Defender Infected?

I recently downloaded some of the installers for Shadow Defender. Ran them past Virustotal to check, and found that the 32bit versions of SD1.1.0.325_Setup.exe and SD1.1.0.326_Setup.exe were being flagged by 6 AV's (5 if you count McAfee and its GW edition as one).


I submitted the SD1.1.0.325_Setup.exe as a False Positive to each company that I could find the means to do so.



Norman - No reply, but is no longer detecting SD1.1.0.325_Setup.exe on VT.


McAfee -

Sophos -

I'm a little concerned, any thoughts?


P.S. Paretologic.com is also flagging Shadow Defender.

 

Something is strange. How about this, download hashcalc and post the sha1 and md5 of these infected installers.

I have what I presume to be clean copies. I have downloaded them more than a year ago at the time when Tony disappeared in anticipation of the sites disappearance. I'll post my hashes too and then we can compare.

UPDATE: Just uploaded to Virus Total :: ~ VirusTotal Results URL Removed per Policy ~

File name: SD1.1.0.325_Setup(x64).exe
Submission date: 2011-03-16 18:07:11 (UTC)
Current status: finished
Result: 1/ 34 (2.9%)

TheHacker 6.7.0.1.150 2011.03.16 Trojan/Downloader.Banload.bcjo

MD5 : 35edf53c0b4d3b8960047cfbfcbae7e3
SHA1 : a46c3b986acf1be42b87f2b1f57e3e13deaf282a
SHA256: 6fe018248990d0fefe3bd10a3f13112b890841936b9d370a8a19ecbcfcd0c915
ssdeep: 24576:m9mRTALRlsgZNfeS8PLWzSqvVWvHDHl39b6C8gD0qARLvUAolWFGukl:m9M0LRqCIMNO3
9nnD3AJOl6kl
File size : 1163893 bytes

The results I got are a little different to yours. Considering that I never heard of 'The Hacker' AV I would dismiss this as a false positive IF your hashes are identical

 

Here's the sha1, sha256 and md5 for both files, obtained from VT.


SD1.1.0.325_Setup.exe

MD5 : 4ed0f50233680ffc37fbe5cf8057c634
SHA1 : 8eb543949016eef31b2f93798cf096a2e09754ed
SHA256: 116766d2ef5f9894fb48387d2c21540def957b6ccd616d31f09e6ad8e24d6183


SD1.1.0.326_Setup.exe

MD5 : 2e676853ed629b91f8310f832940fd44
SHA1 : 2fbe5863bae11bace02b4d2fa9b153e9274df191
SHA256: bd83e59459cbce95254448f9f49642263b273125ed3d54ec621ec802143976fe


I also have a copy of those files from about a year ago, and IIRC the sha1 and md5 are the same. Would help if you could confirm this also.

Thanks.

 

I ran the same test on Virus Total using the SD1.1.0.325_Setup.exe file that I originally used to install Shadow Defender on my 32-bit XP system and got similar results to you.

Since installing Shadow Defender a while ago, no suspicious activity has been ever been detected on my system, despite being scanned (at different times) by all of the following AV/AM products: AntiVir, NOD32, MBAM, MSE, and Prevx.

I would therefore conclude that these are false positives that can safely be ignored.

For comparison, the MD5 and SHA-1 hashes of the SD1.1.0.325_Setup.exe file I used are as follows:

MD5: 4ED0F50233680FFC37FBE5CF8057C634
SHA-1: 8EB543949016EEF31B2F93798CF096A2E09754ED

 

Just sent an FP report to Symantec for SD1.1.0.326_Setup.exe.

Will post results if/when I get a reply.

 

Serapis,

You uploaded the x64 installer.

 

Yes I know, Just tried it with the 32bit installer too, the from 1 year ago and the one on the site. Both possess identical hashes.

I searched for telltale signs of the flagged virus and there were no such files on my PC. Therefore its a false positive IMO. I am still interested how your inquiries dig up.

 

I'm pretty sure there's no active malware in SD, but the report from Sophos is still kinda worrying.


Sent FP reports to VBA32 for versions 1.1.0.315 and 1.1.0.320.

 

I notice that the 32-bit installer for SD 1.1.0.325 available on download.cnet.com has a different file size and hashes to the one on the Shadow Defender website.

MD5 and SHA-1 hashes for the cnet version are as follows:

MD5: 101CDC867F7771FAAE6810483EF16439
SHA-1: E879EBFF5F807597E883734D589FE6478B805069

I'm not sure why this would be the case, or whether it matters.

 

When Tony first released SD 1.1.0.325 I found a small glitch/bug in it and later that day (as I remember) Tony changed it and re-released it but as the same version (not adding an a as tzuk did recently with a beta Sandboxie in a similar situation). I suggest if you are worried about size/hash etc that you download it from the Shadow Defender addresses given on this site in the Unofficial Shadow Defender forum.

Patrick (Shadow Defender mod)

 

Thanks for the info, Pegr and Patrick.

This seems like a reasonable explanation as to the different Hashes. I remember something similar when I reported a couple of FP's in v. 1.1.0.320 to Tony in Dec 2009, he made some changes then, also without changing the version number.

FWIW, the Shadow Defender on cnet (added: February 23, 2010), is only getting 2 hits on VT - Sophos & The Hacker.

While the same version installer from the Shadow Defender site is getting 5 - Sophos, The Hacker, K7AntiVirus & McAfee (both editions).

 

That makes sense. Thanks for the update, Patrick.

Regards

 

So which one is the most recent?

 

The links direct from ShadowDefender.

 

So as not to confuse things, "Tony" that just posted is not Shadow Defender Tony.

Patrick Shadow Defender mod

 

He's Twister Antivirus Tony.

 

AFAIK Tony is NOT an official representative of Twister (Filseclab). The English-speaking representative of Twister (Filseclab) is Bright Chu.

 

bellgamin is correct, i am just a mod from the Twistee forum.

 

I was just joking. I didn't want to make confusion that you are some sort of represent.
But, using Twister makes you Twister Tony .

 

Don't you guys think that if someone has taken the Shadow Defender web-site, he might also be serving infected files as legitimate?

 

That is possible as Eskro if my memory serves me right received an email out of the blue from shadowdefender support.

BTW are you Twister renegade??