For those who can't wait for Cyberfox or Waterfox

Discussion in 'other software & services' started by Cimmerian, Jan 8, 2013.

Thread Status:
Not open for further replies.
  1. WHiZ

    WHiZ Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    17
    Location:
    USA
    btw did your norton report the same virus as mine did?
     
  2. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    I was just over on the developer's site and there is a long thread about it. Apparently Norton is the only one and there are screenshots of the file being loaded and scanned with VirusTotal and it's clean. But here is the strange part if I'm understanding it correctly. Norton is somehow creating the file and then flagging it if that makes any sense. Here is the link if you want to read about it.
     
  3. WHiZ

    WHiZ Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    17
    Location:
    USA
    Thanks for the link... I just read through the first few posts so far.... BUT... the problem being is they are misrepresenting what happens during the install...

    the vc redistributable is included as part of the "install package executable file". Also part of that file is the cyberfox/exe, the dlls, config files, etc.

    In order for the install package to install cyberfox, it must copy the files that are compressed and packaged within itself. as it does so, it writes them out to the harddrive. Depending on the package either directly to the destination, or to a temp folder where it unpacks itself first.

    in order for cyberfox to execute(start) the vc redistributable package it is including, it would NEED to save it out to the harddrive in order for the exe file to be launched. therefore it isn't norton putting the file there, it is cyberfox's install package.

    furthermore the response is actually more concerning as it seems like downplaying and misdirecting.... as i said before... the NORMAL way to do this would be if your program needs a redistributable like that, that your software installer would download it DIRECTLY from MS where it WOULD have a VALID signature showing the file is safe and unmodified from microsoft. likewise this would ensure you would be getting the most recent version with all the bug and security fixes.. this file that they included instead, i can only assume does not have that valid unmodified signature otherwise why would norton flag it?

    if anything it's good to know others are finding alerts... and if anything its a little more concerning as if it was a "False positive" in a microsoft redistributable that forum thread shows it would have been reported to norton, and they would have added an exception for it by now so it wouldn't still be getting flagged if there wasn't an actual issue with it..
     
  4. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    But why is Norton the only AV? I just noticed your other question about the file. I don't know and couldn't find it on the Norton logs.
     
  5. WHiZ

    WHiZ Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    17
    Location:
    USA
    either a) its a false positive... b) its a new virus/trojan so its not in most antivirus programs yet

    there is a reason why many online scanners scan with 20+ some diff products at once... because some detect things others don't.. and get updated more frequently.. the problem is with a new virus you could scan and get 19/20 showing it clean only because it's new... sadly in todays day and age there is no 100% short of never downloading anything or running anything.. lol..

    sadly... not working at norton or having an inside line to them... there is no way to know why they are detecting it that way.. if it is a real virus or a false positive.., the best we can do as end users is make an informed judgement on the subject... every persons judgement may be different than the next persons...

    personally... for me... cyberfox is not worth the risk.. and i'm kicking myself over it trying it now... even if the virus alerts turn out to be a false positive.. my lesson has been learned.. i should have been safer... stick to known/trusted/reputable distribution channels/authors.. etc.. i shouldn't have just downloaded something some random guy posted in a forum and later made a sourceforge page for.
     
  6. WHiZ

    WHiZ Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    17
    Location:
    USA
    FYI.. Sadly this doesn't help answer the question of is it a new trojan or a false positive.... lol... BUT... According to Norton..
    ----------
    Trojan.ADH is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.
    -----------
    This would tend to indicate that the detection is more prone to have false positives than other definitions, but also that it is more likely to detect newer threats that don't have direct definitions added for them yet.

    Going a step beyond that, i go back to my former point that an executable that is signed by microsoft and in a non-modified format, shouldn't set something like that off... let alone it shouldn't still be detecting something that has been setting that off for a good month based on the other forum link you posted, which if it was a false positive detection one would also think it would have an exemption by now.. so i can only assume it was modified maliciously, modified on accident, or something else fishy/weird...
     
  7. Quickfix

    Quickfix Registered Member

    Joined:
    Jan 13, 2013
    Posts:
    7
    The easiest way to have checked that would have been to look at the microsoft runtime that norton is flagging. If the installer was tampered with in any way the ms digital signature would no longer be there. There is no way to tamper with the exe and not remove that digital signature trying to add malicious code to it.

    To completely verify it's a false positive all you had to do was extract the cyberfox exe and get the vs runtime to verify this and that no other av on the market flags this ms runtime should also tell you something.

    If you also look at the flag norton sent up it is a temp file that norton is creating itself as shown by the IS in addy line which should raise more flags as to the av you're using. It's flagging a temp file it is creating itself.
     
  8. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Have you tried to download vcredist from microsoft and checked if norton gave the same alert? If it is false positive, norton should give the same alert when you execute it, right?
     
  9. WHiZ

    WHiZ Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    17
    Location:
    USA
    That is actually a great idea. I just did that at your suggestion, the signature on the one direct from ms checks out, and norton doesn't flag it as having any kind of issue with it.

    Another interesting thing to note.. The most updated (and only one avail) from MS.. is only 7mb... that is for vc 2012 sp1... released in nov of last year.. Even taking into account a little extra overhead to repack, there is no real reason the cyberfox installer is an extra 10mb rather than just 7mb..
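
The comparison discussed in posts 7 to 9, as an added example that is not part of the original thread: it reports Authenticode status, signer and SHA-256 for a runtime taken from an installer and for a copy downloaded directly from Microsoft, then compares them. Both file paths are placeholders; the same function can be pointed at the file an installer actually writes to disk.

```powershell
# Added example; the two paths below are placeholders, not values from the thread.
param(
    [string]$Bundled   = '.\extracted\vcredist_x64.exe',      # copy unpacked from the installer
    [string]$Reference = '.\from-microsoft\vcredist_x64.exe'  # copy downloaded from Microsoft
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $signer = $null
    $thumb  = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $thumb  = $sig.SignerCertificate.Thumbprint
    }

    [pscustomobject]@{
        Path       = (Resolve-Path -LiteralPath $Path).Path
        Status     = $sig.Status   # e.g. Valid, HashMismatch, NotSigned, NotTrusted
        Signer     = $signer
        Thumbprint = $thumb
        SHA256     = $hash.Hash
        SizeBytes  = (Get-Item -LiteralPath $Path).Length
    }
}

$b = Get-SignatureReport -Path $Bundled
$r = Get-SignatureReport -Path $Reference
$b, $r | Format-List

if ($b.Status -ne 'Valid') {
    # HashMismatch: a signature is present but the file contents no longer match it.
    # NotSigned: no signature is present at all.
    Write-Warning "Bundled copy does not verify: $($b.Status)"
}
elseif ($b.SHA256 -eq $r.SHA256) {
    'Bundled copy is byte-identical to the reference download.'
}
elseif ($b.Thumbprint -eq $r.Thumbprint) {
    'Different bytes, same signing certificate: likely a different version or build of the runtime.'
}
else {
    Write-Warning 'Signature is valid but the signer differs from the reference copy.'
}
```

A matching SHA-256 settles the question for the extracted file; differing sizes between two validly signed copies usually just mean different redistributable versions.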
     
  10. WHiZ

    WHiZ Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    17
    Location:
    USA
    You know.. the interesting thing here is when earlier in this thread Bodhitree
    suggested you might have a personal connection to cyberfox's development. I also had found the way you were talking hinted at the same but i figured i'd give you the benefit of the doubt.. Let's just say you've convinced me.. ;)

    regarding just extracting a file from the install package, that wouldn't tell you anything other than the status of the file packed in the install package... that in no way tells you that once the install package extracts it that it does or does not modify it, or do something else before executing it on the respective system.

    Anyways... false positive or not.. i'd rather be safe than sorry... there are people far smarter than I who have had their nuclear installations infected for months or years prior to the trojans being discovered... closer to home, the pentagon, fbi, state department etc have all had infections that were undercover for a long time.. it is far from unheard of for new viruses & trojans to be released and lay undetected for months until someone stumbles upon them and they start getting detected normally... personally i'll stick with more reputable sources... my lesson's been learned.. but to each their own..
     
  11. Quickfix

    Quickfix Registered Member

    Joined:
    Jan 13, 2013
    Posts:
    7
    As I have stated before I have spoken to the developer at times but in no way have any connection with the project why I do speak up is when I start to see people saying things about this browser because it's just something new and seems people like to knock new things.

    Just as with your previous comment saying the ms runtime from the installer is 10 mbs when I have the same installer and it's 6.75 mbs. Also as I stated in my earlier post that if the installer was tampered with then the microsoft digital signature would have been broken and if you check the digital signature on the included runtime in the installer it's not broken. There is no way to add malicious code to that ms installer without breaking the code and since your av is flagging only the ms runtime it would have to be that direct ms runtime exe where the problem is correct. Or norton would be flagging other parts of the install which it is not, it is only flagging the ms runtime which is the same size as the one downloaded from ms 6.75 megs and has the digital signature intact.

    So how can you explain that one and also explain why every av including all online testers register the cyberfox exe and ms runtime clean except your norton av. The same av that had its whole database hacked and stolen just over a year ago and posted on the net for all to see. Yet this is the av that you use and I would find something very fishy with you claiming the runtime in the cyberfox exe is 10 megs when it's only 6.75 the same as the one downloaded from ms that for me sends up many red flags as to your validity.

    Also explain one other thing why is it only people with win 8 and norton getting this flag but not users of win 7 and norton also very fishy.
     
  12. WHiZ

    WHiZ Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    17
    Location:
    USA
    actually i'm on windows 7.. thanks.. =)

    i already addressed the issue of viruses and trojans and when they will and will not be detected by a virus scanner.... virus scanners as a rule of thumb are not good ways to protect yourself as they are reactive not proactive.. they only detect KNOWN threats that have been out for some time...

    now.. SOME scanners do have an ability to watch for certain behaviors or other sigs that can flag something as suspicious or likely a threat. Those functions are to attempt to catch newer viruses or variants prior to them being discovered and added to the virus definitions.. these detection modes are notorious for catching both real threats and false positives...

    that appears to be what norton is detecting this under... furthermore, because it is detecting it as a strong enough likelihood it is removing the threat rather than even giving the user the option to ignore it.. so it is grading it on the scale of more likely to be a threat than a false positive..

    as for the file size... my point was the redist is only 7meg... but the full cyberfox download/installation together is a good 10megs larger than the other firefox derivatives.. which doesn't add up...

    lastly let me just say the whole issue could have easily been avoided by the developer by practicing proper installation procedures and just have the installer or the os download the required runtime if it isn't already on the computer directly from ms and hence all sigs would be valid, and norton wouldn't see anything fishy... as i've established the version from ms doesn't get detected the way the version from cyberfox does.

    he knew this was having these detections over a month ago with norton products... if it was an innocent false alarm, i would expect the notifications that have been sent to norton would have had things whitelisted/exempted since. seeing that it is still detecting that way, and the author is still distributing things the way he is... as i said before.. i'd rather be safe than sorry..
     
  13. Quickfix

    Quickfix Registered Member

    Joined:
    Jan 13, 2013
    Posts:
    7

    Your first post said the ms runtime was smaller than the one in the cyberfox installer just to be clear on why I said that you said the ms one was 7 megs and the cyberfox one was 10 megs just to clear that up we know it's not the case.

    The cyberfox installer is slightly larger than firefox or the other x64 variant because the developer has options such as its own updater and customized homepage ( omni.ja ) that are options on install which are what accounts for the extra size, which is nice by the developer to have those as extra options for the end user which no other browser offers. Firefox has its own updater so for the browser to be easy for the end user after many people asking as you can see in his forums he developed one for it. Different compression methods that inno setup ( which it was switched to after some problems arose with some systems having the installer hang and not finish when using advanced installer same issues occur with waterfox ) and nsis have will result in different size installers the unpacked mozilla firefox is 45mb on disk and cyberfox is 62mb on disk to take into account that the additional runtimes from the intel C++ compiler and that it's also compiled as x64bit making its binaries bigger.


    I have 4 computers here 2 with windows 8 and 2 with windows 7. I proceeded over the last bit here to install norton on one win 7 machine and one win 8 machine after having read your first post and now have got around to checking what happened with cyberfox after running it through every online scanner and av program I could think of with no hits as a virus. I first took the cyberfox package and scanned with norton 360 and got no flags. I then extracted the installer and proceeded to scan the folder so scanning everything inside the cyberfox exe including the ms runtime and no flags. Lastly I then installed cyberfox on both windows 8 and windows 7 with norton running and got no flags.

    So how can this be? I have just spent the last few hours on this and did not get a single av program, online scanner or the av you got your flag on to give me one single flag of the runtime as a virus or any part of the installer for that matter.
     
  14. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    No dog in this fight but I'm W7. I'm also not very concerned about the issue, feeling it is just a fp!
     
  15. Quickfix

    Quickfix Registered Member

    Joined:
    Jan 13, 2013
    Posts:
    7
    It's ok he went directly to norton and they found nothing wrong with the file could also not explain why some machines running norton gave the flag if they did or for people like myself who tested it and it did not give the flag.

    This is posted at the cyberfox support forums


    Norton Closed The Case Can't Find Any Problems.

    This message is an automatically generated reply -- do not reply to this
    message.

    This system is designed to analyze and process suspicious file submissions
    into Symantec Security Response and cannot accept correspondence or
    inquiries.

    ---------------------------------------------------------------------------
    Submission Summary
    ---------------------------------------------------------------------------

    We have processed your submission (Tracking #28346959) and your submission
    is now closed. The following is a report of our findings for the files in
    your submission:

    File: vcredist_x64.exe
    Machine: Machine
    Determination: This file is clean.

    ---------------------------------------------------------------------------
    Customer Notes
    ---------------------------------------------------------------------------

    tracking no:3093144 this is the runtime included in cyberfox

    ---------------------------------------------------------------------------
    Developer Notes
    ---------------------------------------------------------------------------

    vcredist_x64.exe is a clean file.


    ---------------------------------------------------------------------------

    This message was generated by Symantec Security Response automation.

    Should you have any questions about your submission, please contact our
    regional technical support from the Symantec Web site, and give them the
    tracking number included in this message.


    Symantec Technical Support
    http://www.symantec.com/techsupp/

    you can read the thread here and his correspondence with norton http://virtualcustoms.net/showthread.php/52936-Trojan-lurking-probablyFP/page4

    Norton Closed The Case Can't Find Any Problems.
     
  16. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    As you might perceive, I'm not very techy (although I did build an awesome PC). Just an ole guy who finds this stuff interesting so I potentially have a lot of stupid questions. Having cleared that up, I have everything java turned off from the java pcl file, not just in the browser. Is this the same runtime? If so could that be contributing to this in some crazy way?
     