AVIRA and BD detect by file size?!

Discussion in 'other anti-virus software' started by Lawliet, Sep 7, 2008.

Thread Status:
Not open for further replies.
  1. Lawliet

    Lawliet Registered Member

    Joined:
    May 19, 2008
    Posts:
    15
    Hi guys~


    Yesterday I discovered an interesting phenomenon!
    The picture below shows the sample's properties.
    Please pay attention to the last number (271995):
    http://farm4.static.flickr.com/3082/2835442818_fc90e8efe3_o.png

    BitDefender reports: Trojan.Generic.74723
    http://farm4.static.flickr.com/3213/2835479372_0af6dc46fc_o.png

    AVIRA reports: TR/Agent.271995
    http://farm4.static.flickr.com/3107/2834356088_1a34695fda_o.png

    All are false positives!
    These two vendors report a false alarm while the file is clean.
    After I edit the file size (the file is a self-extracting document) or decompress it,
    and then use AVIRA and BD to rescan it once again, they do not detect it anymore.

    My dear friend tested it using other AVs; many of them gave a false alarm.
    After editing the file size of the sample or decompressing it, they all found nothing.

    Thanks
     
    Last edited: Sep 7, 2008
  2. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Maybe you could upload your samples to VirusTotal.com or virusscan.jotti.org to check with multiple AV products.

    The only reason I can think of is over-zealous heuristics. But that's my best guess...
     
  3. Lawliet

    Lawliet Registered Member

    Joined:
    May 19, 2008
    Posts:
    15
    Hi vijayind, thank you for your reply.

    I don't want to upload the sample to VT or VT-like websites,
    because if these vendors get my sample, they will certainly fix it.
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    If I interpreted this message correctly, you don't want to send the sample to Virustotal because if you did that, the vendors would fix the false positives immediately. But why would you not want them to fix it?
     
  5. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
  6. Lawliet

    Lawliet Registered Member

    Joined:
    May 19, 2008
    Posts:
    15
    Hello Firecat

    Just curious!
    If I know the answer, I certainly will report this sample.
     
  7. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    I would just submit it. Could be a glitch that needs to be fixed, for all you know.
     
  8. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Well, your choice.
    I am using KIS 2009 on my laptop right now. No FP here.
    http://picfu.com/link/52664/3e5c4ce59446b20c
     
  9. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    Also keep in mind, depending on what is compiled with it, it could also be seeing a backdoor in the compile of a program, if I'm reading you right.
     
  10. Lawliet

    Lawliet Registered Member

    Joined:
    May 19, 2008
    Posts:
    15
    Other vendors report:
    Asquared: Trojan.Generic
    Ikarus: Trojan.Generic
    Norman: Trojan Smalltroj.BSXG
    Norton: Trojan Horse
    QuickHeal: TrojanDownloader.Agent.efy
    TheHacker: Trojan/Downloader.Agent.efy
    VBA32: infected Trojan-Downloader.Win32.Agent.efy
    VirusBuster: Trojan.Agent.DZIW

    It has nothing to do with the file size...
    I think the unpack engine has some problem.
     
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Lawliet, how do you know this file is an FP?
     
  12. Lawliet

    Lawliet Registered Member

    Joined:
    May 19, 2008
    Posts:
    15
    I analyzed it and it did not show any malicious behavior.
    The sample has only a folder and an ini file inside, no exe/dll file at all.
     
  13. tetsuo55

    tetsuo55 Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    126
    The file size has nothing to do with it.

    When you change the file size you change the signature of the file. Just report the file so they can remove the false positive.
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    It depends on what that .ini file contains.
     
  15. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Sorry: I can't believe what I'm reading here!
     
  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    +1 - WTH is the point of this post? :thumbd: o_O
     
  17. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Yeah, an easy way to goof up COM, BAS, and a few others IN WIN 9X ONLY is to turn on Word Wrap in Notepad and in WordPad. It screws up the viral code's format. Try it with EICAR on a 9x box.
     
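    The two claims above, that changing a file's size changes its "signature" (post 13) and that re-wrapping a text-based test file such as EICAR breaks detection (post 17), can both be shown with a toy scanner. The code below is an added example and is not from any post in this thread, nor does it reflect how Avira, BitDefender or any other product actually detects files. The self-extracting-archive bytes, the rule names and the two rule types are constructed for illustration; only the EICAR test string is real (it is the public antivirus test file, not malware).

```python
import hashlib

# The public EICAR test string (68 bytes). The backslash is doubled only
# because this is a Python bytes literal; the file itself has one backslash.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed stand-in for the poster's self-extracting archive. These bytes
# are made up for this example; they are not the file discussed in the thread.
SFX_SAMPLE = (
    b"MZ" + b"\x00" * 62            # fake DOS header
    + b"SFX-STUB-V1"                # fake extractor stub marker
    + b"[Setup]\r\nDir=demo\r\n"    # fake embedded ini payload
    + b"\x00" * 32
)

# Two hypothetical rule types. Real engines use many more (emulation,
# unpacking, heuristics), but these two are enough to show why "editing the
# file size" can flip a verdict for one rule type and not the other.
HASH_RULES = {
    # whole-file hash: matches exactly one byte sequence
    hashlib.sha256(SFX_SAMPLE).hexdigest(): "Example.HashRule",
}
PATTERN_RULES = {
    # byte pattern: matches any file containing the sequence, at any offset
    b"SFX-STUB-V1": "Example.PatternRule",
    EICAR: "EICAR-Test-File",
}


def scan(data: bytes) -> list:
    """Return the names of all toy rules that fire on `data`."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_RULES:
        hits.append(HASH_RULES[digest])
    for pattern, name in PATTERN_RULES.items():
        if pattern in data:
            hits.append(name)
    return hits


def append_padding(data: bytes, n: int = 1) -> bytes:
    """'Edit the file size': append n NUL bytes and leave the content alone."""
    return data + b"\x00" * n


def word_wrap(data: bytes, width: int = 40) -> bytes:
    """Simulate the effect post 17 describes: a CRLF written into the file
    every `width` bytes, so a contiguous pattern is split across lines."""
    return b"\r\n".join(data[i:i + width] for i in range(0, len(data), width))


def demo() -> dict:
    """Run the four scans the thread talks about and return the verdicts."""
    return {
        "sfx_original": scan(SFX_SAMPLE),
        "sfx_padded": scan(append_padding(SFX_SAMPLE)),
        "eicar_original": scan(EICAR),
        "eicar_wrapped": scan(word_wrap(EICAR)),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:15s} -> {hits or 'clean'}")
```

    Appending a single byte defeats the hash rule but not the pattern rule, so "the detection went away when I changed the file size" only tells you that the rule which fired depended on bytes you altered, not that the engine keyed on the size itself. Splitting the EICAR string across two lines removes the contiguous pattern, which is the effect post 17 describes. Which of these mechanisms (if either) was behind the thread's detections cannot be determined from the thread; the example only shows why the two observations are consistent with ordinary signature matching.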
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Avira, a problem? Blasphemy!!!!

    Don't ever question their ability and capability.

    HE IS BACK!!!!!
     
  19. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    ..a junior malware writer, maybe? :D
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I'd say the whole point was that you should report false positives to AV vendors to get them fixed. If your attitude is like

    then you can as well do everyone else a service and keep your mouth shut instead. :rolleyes:
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Sorry, it isn't in my blood. :mad:
     
  22. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    There was no flourish. All stage presentations use a flourish! Or cheesy music.
     
  23. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I can't believe he won't send the samples off because it seems he doesn't want the problem he has or thinks he has identified sorting out!
     
  24. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    This thread has run its course for sure now. It's just going aimlessly into the wind. :cautious:
     
  25. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    What I wonder is how the original poster came to the conclusion that Avira and BitDefender detect malware based on file sizes (as suggested in the topic of this thread)? I don't see much logic or any proof in his posting.
     