

Just curious, so you didn't have AVG remove it? May very well be a false positive, as I'm sure the other scans would have picked it up. This is the info on the worm, if you want to look into it further:

This is a mass-mailing worm that also spreads via network shares and mapped drives. The worm also drops an mIRC backdoor script, disables certain security software, and deletes files and folders.

It arrives in an email message containing the following information:

When the attachment is run, the worm displays a fake error message:

Copies of the worm are saved to the root directory of local drives with one of the following filenames:

A list of available network shares and mapped drives is saved to the file C:\Shares.txt. The worm uses this information to copy itself to these locations with the aforementioned filenames.

The worm randomly selects applications in the Program Files folder to mimic. This is accomplished by selecting an executable filename and appending 16, 32, or 2K to the end of it. This may result in other applications being overwritten, such as \Program Files\WinZip\WinZip32.exe. A registry run key is created for the created/overwritten file, to load the worm at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\%Executable filename%=%Worm Executable%

In a similar fashion, a copy is saved to the WINDOWS SYSTEM directory utilizing the filename of an existing file found in that directory, and a WIN.INI run key is created to load that copy at startup.

The worm also copies itself to the %WinDir% directory as Rundll16.exe and adds a registry run key for that file (note the worm filename is Rundll16, not Rundll32):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadCurrentProfile=Rundll16.exe powprof.dll,LoadCurrentUserProfile

The worm terminates running processes that contain the following strings in the name:

The worm deletes files in folders and subfolders where the folder name contains the following strings:

The mirc.ini file is modified to reference a dropped file named notes.ini, alias.ini, server.ini, or popup.ini. This turns the mIRC client into a remote access trojan.

As you may know, some of the powerful tools on the NirSoft Web site, especially the tools that recover passwords, are constantly targeted by many Antivirus programs. In order to find out which Antivirus programs cause more trouble with the tools of NirSoft, I decided to generate a report with the number of false positive alerts of every Antivirus program. I have created a small program that downloads the Antivirus scan results of all .exe files of NirSoft from the VirusTotal Web site and then processes the collected information and generates the desired report. I have also decided to generate a score for every Antivirus program according to their false positive issues.

Before I continue with more information about this report... let me say a few words about the term "False Positive": There are people who say that I don't use the term "False Positive" correctly, simply because the alerts about my tools are not a mistake and the Antivirus programs have to display an alert about a program that can be used by hackers for bad purposes (like my password-recovery tools).
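The report described above (count the alerts each engine raises against a set of known-clean tools, then score the engines) can be reproduced offline once the scan results are in hand. The following is an added example and not NirSoft's own program: it assumes the per-file results have already been downloaded and are held in memory in the shape of VirusTotal's v2 file-report JSON (a "resource" name plus a "scans" map of engine -> {"detected", "result"}), treats every detection of a clean tool as a false positive, and normalises by the number of files each engine actually scanned so an engine that skipped files does not look cleaner than it is. The tool names, engine names and verdicts are constructed; the detection names are only there to show how a deliberate "HackTool" classification can be told apart from an outright "Trojan" verdict, which is the distinction the paragraph on the term "False Positive" turns on.

```python
"""Per-engine false-positive tally and score over VirusTotal-style scan results.

Added illustration, not NirSoft's own reporting program.  It assumes the
per-file scan results have already been downloaded and are held in memory in
the shape of VirusTotal's v2 file-report JSON ("resource" plus a "scans" map
of engine -> {"detected": bool, "result": name}) and, as the report's
premise, counts every detection of a known-clean tool as a false positive.
All file names, engine names and verdicts below are constructed."""
from collections import defaultdict

# Constructed sample: three clean tools scanned by up to four engines.
# EngineD did not scan tool_c.exe, which the scoring must not reward.
SAMPLE_REPORTS = [
    {"resource": "tool_a.exe",
     "scans": {"EngineA": {"detected": True, "result": "HackTool.PSW"},
               "EngineB": {"detected": True, "result": "Riskware/PWTool"},
               "EngineC": {"detected": False, "result": None},
               "EngineD": {"detected": False, "result": None}}},
    {"resource": "tool_b.exe",
     "scans": {"EngineA": {"detected": True, "result": "HackTool.KeyRecover"},
               "EngineB": {"detected": False, "result": None},
               "EngineC": {"detected": False, "result": None},
               "EngineD": {"detected": True, "result": "Trojan.Generic"}}},
    {"resource": "tool_c.exe",
     "scans": {"EngineA": {"detected": False, "result": None},
               "EngineB": {"detected": False, "result": None},
               "EngineC": {"detected": False, "result": None}}},
]


def tally_false_positives(reports):
    """Return {engine: (false_positives, files_scanned)}.  An engine that is
    absent from a report did not scan that file and is not charged for it."""
    fp, scanned = defaultdict(int), defaultdict(int)
    for report in reports:
        for engine, verdict in report["scans"].items():
            scanned[engine] += 1
            if verdict.get("detected"):
                fp[engine] += 1
    return {engine: (fp[engine], scanned[engine]) for engine in scanned}


def score_engines(reports):
    """Score each engine as false positives per 100 files it scanned (lower
    is better), so an engine that skipped files does not look cleaner than
    it is.  Returns (engine, fp, scanned, score) rows sorted worst-first."""
    rows = []
    for engine, (fp, n) in tally_false_positives(reports).items():
        rows.append((engine, fp, n, round(100.0 * fp / n, 1) if n else 0.0))
    rows.sort(key=lambda row: (-row[3], row[0]))
    return rows


def detection_names(reports, engine):
    """(file, detection name) pairs for one engine, to separate a deliberate
    'HackTool'/'Riskware' classification from an outright 'Trojan' verdict."""
    return [(r["resource"], r["scans"][engine]["result"])
            for r in reports
            if r["scans"].get(engine, {}).get("detected")]


def format_report(rows):
    """Plain-text table of the scored rows."""
    lines = [f"{'Engine':<10}{'FP':>4}{'Scanned':>9}{'FP/100':>8}"]
    lines += [f"{e:<10}{fp:>4}{n:>9}{score:>8.1f}" for e, fp, n, score in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(score_engines(SAMPLE_REPORTS)))
    print(detection_names(SAMPLE_REPORTS, "EngineD"))
```

Counting per file scanned rather than per engine is the detail that matters: a raw count would rank an engine that scanned only half the tools ahead of one that scanned all of them, which is the opposite of what the report is trying to show.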
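The worm write-up earlier on this page lists several host indicators that can be checked without running anything on the infected machine: the Run value launching Rundll16.exe, a run= or load= line in WIN.INI, mirc.ini pointing at the dropped notes.ini/alias.ini/server.ini/popup.ini, executables named after a neighbour in the same folder plus 16, 32 or 2K, and C:\Shares.txt in the drive root. The following is an added triage script, not the AV vendor's detection logic and not worm code: it assumes those artefacts have been copied off the machine as a .reg export of the HKLM Run key, the text of win.ini and mirc.ini, a path-to-hash map of executables under Program Files, and a listing of the drive root. The sample artefacts embedded in it are constructed, and the hash values are placeholders. Because the write-up says the worm may overwrite a real file such as WinZip32.exe, a name match alone is not conclusive, so the script separates mimics that share a hash with another mimic (worm copies) from lone hits that need a hash comparison against the vendor binary.

```python
"""Offline triage for the persistence indicators in the worm write-up above.
Added illustration, not the AV vendor's detection logic and not worm code.  It
reads artefacts copied off a suspect machine (a .reg export of the HKLM Run key,
win.ini, mirc.ini, a {path: hash} map of executables and the root directory
listing) and reports the indicators the write-up lists.  All inputs below are
constructed; the hashes are placeholders."""
import re
from collections import Counter, defaultdict

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MIMIC_SUFFIXES = ("16", "32", "2K")
DROPPED_MIRC = re.compile(r"(?<![a-z0-9])(notes|alias|server|popup)\.ini", re.I)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadCurrentProfile"="Rundll16.exe powprof.dll,LoadCurrentUserProfile"
"WinZip32"="C:\\Program Files\\WinZip\\WinZip32.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\mscfg32.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_MIRC_INI = "[mirc]\nnick=someone\n[rfiles]\nn0=notes.ini\n[files]\naliases=aliases.ini\npopups=popups.ini\n"
SAMPLE_EXES = {  # path -> hash; "h_worm" marks the worm body
    r"C:\Program Files\WinZip\WinZip.exe": "h_winzip",
    r"C:\Program Files\WinZip\WinZip32.exe": "h_worm",
    r"C:\Program Files\Vendor\updater.exe": "h_updater",
    r"C:\Program Files\Vendor\updater2K.exe": "h_worm",
    r"C:\Program Files\Other\viewer.exe": "h_viewer",
    r"C:\Program Files\Other\viewer16.exe": "h_viewer16",  # genuine, unique content
}
SAMPLE_ROOT = [r"C:\boot.ini", r"C:\Shares.txt", r"C:\pagefile.sys"]


def parse_reg_run_values(reg_text):
    """{value_name: data} for the Run key of a .reg export (backslashes doubled, quotes escaped as \\")."""
    values, in_run = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            values[name] = data.rstrip('"').replace('\\"', '"').replace("\\\\", "\\")
    return values


def suspicious_run_values(values, mimic_names=()):
    """Run values launching rundll16.exe (the real loader is rundll32.exe) or a known mimic name."""
    hits = []
    for name, data in values.items():
        # text up to the first '.exe', so quoted paths with spaces and trailing arguments work
        m = re.match(r'[\s"]*(.*?\.exe)', data, re.I)
        exe = m.group(1).split("\\")[-1].lower() if m else ""
        if exe == "rundll16.exe":
            hits.append(f"Run\\{name} launches rundll16.exe: {data}")
        elif exe in mimic_names:
            hits.append(f"Run\\{name} launches a mimic-named executable: {data}")
    return hits


def win_ini_autoruns(win_ini_text):
    """Non-empty run=/load= lines of [windows]; both are normally empty on a clean system."""
    hits, section = [], None
    for line in map(str.strip, win_ini_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("run", "load") and val:
                hits.append(f"win.ini [windows] {key}={val}")
    return hits


def mirc_dropped_refs(mirc_ini_text):
    """mirc.ini lines naming the dropped scripts; the stock aliases.ini/popups.ini names do not match."""
    return [f"mirc.ini references dropped script: {line.strip()}"
            for line in mirc_ini_text.splitlines() if DROPPED_MIRC.search(line)]


def mimic_executables(exe_hashes):
    """{path: shares_content} for .exe files named after a neighbour plus 16/32/2K.  Two mimics
    with one hash are worm copies; a lone hit needs a hash check against the vendor binary."""
    by_dir = defaultdict(dict)
    for path, digest in exe_hashes.items():
        d, _, fname = path.rpartition("\\")
        by_dir[d][fname.lower()] = (path, digest)
    hits = {}
    for files in by_dir.values():
        for fname, (path, digest) in files.items():
            for suf in MIMIC_SUFFIXES:
                if fname[:-4].upper().endswith(suf) and fname[:-4 - len(suf)] + ".exe" in files:
                    hits[path] = digest
    count = Counter(hits.values())
    return {path: count[digest] > 1 for path, digest in hits.items()}


def triage(reg_text, win_ini_text, mirc_ini_text, exe_hashes, root_files):
    """All findings as plain strings, one per indicator, in a fixed order."""
    mimics = mimic_executables(exe_hashes)
    mimic_names = {p.rpartition("\\")[2].lower() for p in mimics}
    findings = suspicious_run_values(parse_reg_run_values(reg_text), mimic_names)
    findings += win_ini_autoruns(win_ini_text) + mirc_dropped_refs(mirc_ini_text)
    for path in sorted(mimics):
        note = "identical to another mimic" if mimics[path] else "verify hash against vendor copy"
        findings.append(f"mimic executable {path} ({note})")
    if any(f.lower() == r"c:\shares.txt" for f in root_files):
        findings.append(r"C:\Shares.txt present (worm's share and mapped-drive list)")
    return findings
```

Running `triage(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_MIRC_INI, SAMPLE_EXES, SAMPLE_ROOT)` on the constructed artefacts yields eight findings: the Rundll16 Run value, the Run value for the overwritten WinZip32.exe, the WIN.INI run= line, the mirc.ini reference to notes.ini, three suffix-named executables (two sharing the worm hash, one genuine file flagged only for verification) and C:\Shares.txt. The [rfiles] section in the sample mirc.ini is where mIRC lists remote scripts, which is why a dropped script shows up there.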
