Is Shadow Defender Infected?

Discussion in 'sandboxing & virtualization' started by RedDawn, Mar 16, 2011.

Thread Status:
Not open for further replies.
  1. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    I recently downloaded some of the installers for Shadow Defender. Ran them past VirusTotal to check, and found that the 32-bit versions of SD1.1.0.325_Setup.exe and SD1.1.0.326_Setup.exe were being flagged by 6 AVs (5 if you count McAfee and its GW edition as one).


    I submitted the SD1.1.0.325_Setup.exe as a False Positive to each company that I could find the means to do so.



    Norman - No reply, but is no longer detecting SD1.1.0.325_Setup.exe on VT.


    McAfee -
    Sophos -


    I'm a little concerned, any thoughts?


    P.S. Paretologic.com is also flagging Shadow Defender.
     
  2. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Something is strange. How about this: download HashCalc and post the SHA1 and MD5 of these infected installers.

    I have what I presume to be clean copies. I downloaded them more than a year ago, at the time when Tony disappeared, in anticipation of the site's disappearance. I'll post my hashes too and then we can compare.

    UPDATE: Just uploaded to Virus Total :: ~ VirusTotal Results URL Removed per Policy ~

    File name: SD1.1.0.325_Setup(x64).exe
    Submission date: 2011-03-16 18:07:11 (UTC)
    Current status: finished
    Result: 1/ 34 (2.9%)

    TheHacker 6.7.0.1.150 2011.03.16 Trojan/Downloader.Banload.bcjo

    MD5 : 35edf53c0b4d3b8960047cfbfcbae7e3
    SHA1 : a46c3b986acf1be42b87f2b1f57e3e13deaf282a
    SHA256: 6fe018248990d0fefe3bd10a3f13112b890841936b9d370a8a19ecbcfcd0c915
    ssdeep: 24576:m9mRTALRlsgZNfeS8PLWzSqvVWvHDHl39b6C8gD0qARLvUAolWFGukl:m9M0LRqCIMNO39nnD3AJOl6kl
    File size : 1163893 bytes

    The results I got are a little different to yours. Considering that I have never heard of 'The Hacker' AV, I would dismiss this as a false positive IF your hashes are identical.
     
    Last edited by a moderator: Mar 16, 2011
  3. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Here's the SHA1, SHA256 and MD5 for both files, obtained from VT.


    SD1.1.0.325_Setup.exe

    MD5 : 4ed0f50233680ffc37fbe5cf8057c634
    SHA1 : 8eb543949016eef31b2f93798cf096a2e09754ed
    SHA256: 116766d2ef5f9894fb48387d2c21540def957b6ccd616d31f09e6ad8e24d6183


    SD1.1.0.326_Setup.exe

    MD5 : 2e676853ed629b91f8310f832940fd44
    SHA1 : 2fbe5863bae11bace02b4d2fa9b153e9274df191
    SHA256: bd83e59459cbce95254448f9f49642263b273125ed3d54ec621ec802143976fe


    I also have a copy of those files from about a year ago, and IIRC the SHA1 and MD5 are the same. Would help if you could confirm this also.

    Thanks.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I ran the same test on VirusTotal using the SD1.1.0.325_Setup.exe file that I originally used to install Shadow Defender on my 32-bit XP system and got similar results to you.

    Since installing Shadow Defender a while ago, no suspicious activity has ever been detected on my system, despite being scanned (at different times) by all of the following AV/AM products: AntiVir, NOD32, MBAM, MSE, and Prevx.

    I would therefore conclude that these are false positives that can safely be ignored.

    For comparison, the MD5 and SHA-1 hashes of the SD1.1.0.325_Setup.exe file I used are as follows:

    MD5: 4ED0F50233680FFC37FBE5CF8057C634
    SHA-1: 8EB543949016EEF31B2F93798CF096A2E09754ED
     
  5. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Just sent an FP report to Symantec for SD1.1.0.326_Setup.exe.

    Will post results if/when I get a reply.
     
  6. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Serapis,

    You uploaded the x64 installer.
     
  7. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Yes, I know. Just tried it with the 32-bit installer too, the one from 1 year ago and the one on the site. Both possess identical hashes.

    I searched for telltale signs of the flagged virus and there were no such files on my PC. Therefore it's a false positive IMO. I am still interested in what your inquiries dig up.
     
  8. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    I'm pretty sure there's no active malware in SD, but the report from Sophos is still kinda worrying.


    Sent FP reports to VBA32 for versions 1.1.0.315 and 1.1.0.320.
     
  9. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I notice that the 32-bit installer for SD 1.1.0.325 available on download.cnet.com has a different file size and hashes from the one on the Shadow Defender website.

    MD5 and SHA-1 hashes for the cnet version are as follows:

    MD5: 101CDC867F7771FAAE6810483EF16439
    SHA-1: E879EBFF5F807597E883734D589FE6478B805069

    I'm not sure why this would be the case, or whether it matters. :doubt:
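    The comparison the posters above are doing by hand (reading MD5/SHA-1/SHA-256 values off VirusTotal and eyeballing them against each other) can be done locally and exactly. The script below is an added example, not code from this thread or from Shadow Defender: the KNOWN table is copied from the hash values posted in this thread (note pegr posted his in upper case and the cnet record has no SHA-256 or size), while the function names and the sample bytes are this example's own. It fingerprints a file by streaming it, then reports which of the posted records it matches, if any.

```python
"""Fingerprint installers and compare them against hashes posted in the thread.

Added example, not code from the thread or from Shadow Defender.  The KNOWN table
is copied from the hashes the posters reported; everything else (function names,
the constructed sample bytes used in testing) is this example's own.
"""
import hashlib
import os

# Hashes as posted in the thread.  Posters mixed upper and lower case and the
# cnet entry lists only MD5/SHA-1, so comparison is case-insensitive and
# checks only the fields a record actually has.
KNOWN = {
    "SD1.1.0.325_Setup.exe (shadowdefender.com)": {
        "md5": "4ed0f50233680ffc37fbe5cf8057c634",
        "sha1": "8eb543949016eef31b2f93798cf096a2e09754ed",
        "sha256": "116766d2ef5f9894fb48387d2c21540def957b6ccd616d31f09e6ad8e24d6183",
    },
    "SD1.1.0.326_Setup.exe (shadowdefender.com)": {
        "md5": "2e676853ed629b91f8310f832940fd44",
        "sha1": "2fbe5863bae11bace02b4d2fa9b153e9274df191",
        "sha256": "bd83e59459cbce95254448f9f49642263b273125ed3d54ec621ec802143976fe",
    },
    "SD1.1.0.325_Setup(x64).exe": {
        "md5": "35edf53c0b4d3b8960047cfbfcbae7e3",
        "sha1": "a46c3b986acf1be42b87f2b1f57e3e13deaf282a",
        "sha256": "6fe018248990d0fefe3bd10a3f13112b890841936b9d370a8a19ecbcfcd0c915",
        "size": 1163893,
    },
    "SD1.1.0.325_Setup.exe (download.cnet.com)": {
        "md5": "101CDC867F7771FAAE6810483EF16439",
        "sha1": "E879EBFF5F807597E883734D589FE6478B805069",
    },
}


def fingerprint_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests and the byte length of `data`."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def fingerprint_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same result as fingerprint_bytes, but streams the file in chunks."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def compare(observed: dict, expected: dict) -> dict:
    """Return {field: (observed, expected)} for each expected field that disagrees.

    Only fields present in `expected` are checked, so a record with MD5 and
    SHA-1 but no size is still usable.  Digests compare case-insensitively.
    An empty dict means everything the record lists matched.
    """
    mismatches = {}
    for field, want in expected.items():
        got = observed.get(field)
        if isinstance(want, str):
            same = got is not None and got.lower() == want.lower()
        else:
            same = got == want
        if not same:
            mismatches[field] = (got, want)
    return mismatches


def identify(observed: dict, known: dict = KNOWN) -> list:
    """Names of every known record the observed fingerprint fully matches."""
    return [name for name, rec in known.items() if not compare(observed, rec)]


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        fp = fingerprint_file(path)
        hits = identify(fp)
        print(f"{os.path.basename(path)}: size={fp['size']} sha256={fp['sha256']}")
        print("  matches:", ", ".join(hits) if hits else "none of the records posted in the thread")
```

    Run it as `python fingerprint.py SD1.1.0.325_Setup.exe` and it tells you which of the posted builds you actually have. A file that matches none of them is not thereby malicious, but it is also not the build anyone in the thread vouched for, which is the distinction that matters when the same version number was shipped twice.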
     
  10. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    780
    When Tony first released SD 1.1.0.325 I found a small glitch/bug in it, and later that day (as I remember) Tony changed it and re-released it under the same version number (not adding an "a" as tzuk did recently with a beta Sandboxie in a similar situation). I suggest that if you are worried about size/hash etc. you download it from the Shadow Defender addresses given on this site in the Unofficial Shadow Defender forum.

    Patrick (Shadow Defender mod)
     
  11. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Thanks for the info, Pegr and Patrick.

    This seems like a reasonable explanation for the different hashes. I remember something similar when I reported a couple of FPs in v. 1.1.0.320 to Tony in Dec 2009; he made some changes then, also without changing the version number.



    FWIW, the Shadow Defender on cnet (added: February 23, 2010) is only getting 2 hits on VT: Sophos & The Hacker.

    While the same version installer from the Shadow Defender site is getting 5: Sophos, The Hacker, K7AntiVirus & McAfee (both editions).
     
  12. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    That makes sense. Thanks for the update, Patrick.

    Regards
     
  13. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    So which one is the most recent? :doubt:
     
  14. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    722
    Location:
    Cumbria, England
    The links direct from ShadowDefender.
     
  15. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    780
    So as not to confuse things, "Tony" that just posted is not Shadow Defender Tony. :)

    Patrick Shadow Defender mod
     
  16. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    431
    He's Twister Antivirus Tony.
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    AFAIK Tony is NOT an official representative of Twister (Filseclab). The English-speaking representative of Twister (Filseclab) is Bright Chu.
     
  18. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    722
    Location:
    Cumbria, England
    bellgamin is correct, I am just a mod from the Twistee forum.
     
  19. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    431
    I was just joking. I didn't want to cause confusion by implying that you are some sort of representative.
    But using Twister makes you Twister Tony ;) .
     
  20. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    431
    Don't you guys think that if someone has taken over the Shadow Defender website, he might also be serving infected files as legitimate?
     
  21. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    722
    Location:
    Cumbria, England
    That is possible, as Eskro, if my memory serves me right, received an email out of the blue from shadowdefender support.

    BTW, are you Twister renegade?
     