Let me start by saying that I know people have already been posting about NAV finding viruses and possibly giving a...what were the words..."false positive" (??). Maybe this is along the same lines, maybe not. So, on to MY problem.
NAV (yes, fully updated) detected the Suspicious.Lop threat in the following file:
c:\programdata\boinc\einstein.phys.uwm.edu\einstein_s5r5_3.01_graphics_windows_intelx86.exe
Now, I didn't read all the previous posts, but I will assume (*ducks head*) that they were all aimed towards NAV detecting viruses in data files. If I am assuming correctly and am correct in saying the executable is not the data file, then my problem is slightly different (please correct me if I'm wrong).
Could this be an actual virus, or could this be another "false positive" (no, I haven't sent it off to be analyzed)? Has anyone else seen this?
Another note to add is that I get the following message in my BOINC messages log:
4/9/2009 5:31:26 AM|Einstein@Home|Started download of einstein_S5R5_3.01_graphics_windows_intelx86.exe
4/9/2009 5:31:29 AM|Einstein@Home|Finished download of einstein_S5R5_3.01_graphics_windows_intelx86.exe
4/9/2009 5:31:29 AM|Einstein@Home|[error] Checksum or signature error for einstein_S5R5_3.01_graphics_windows_intelx86.exe
It does not do this for my other 2 projects (SETI@Home and Docking@Home), and it seems to have done this every time it tried to download that file since I reattached the project a few days ago (sorry, just noticed the messages).
Any thoughts/suggestions/criticisms/opinions/etc?
NAV detected Suspicious.Lop in E@H executable
Upload your version of that file to http://www.virustotal.com/ and get it analyzed by lots of other AV scanners as well. When they say it's clear, can't find whatever NAV is saying, then it's a false positive and you have to contact Norton/Symantec.
Could one of the administrators fill out Symantec's false positive submission form at https://submit.symantec.com/false_positive/index.html? Having the authors of the program explain what is wrong to Symantec could help them modify the Suspicious.Lop heuristics to ignore your application by possibly including a SHA-256 signature (MD5 is broken, so there is the remote chance of a virus author creating a virus whose MD5 collides with Einstein@home's MD5) of the file to ignore.
Here is the information that is needed to fill out the form that the user of Norton software must supply to fill out the form: the name of the detection given by Symantec is Suspicious.Lop, and this is a "malware" (e.g. virus or trojan) threat. This is not a "security risk" (e.g. spyware, adware, and joke programs).
RE: (MD5 is broken, so
MD5 is probably broken by the AV software, which tries to delete the "virus" from the exe file while downloading.
Regards,
Gundolf
Computers aren't everything in life. (Just kidding)
RE: RE: (MD5 is broken,
I think he possibly meant that MD5 has been 'cracked' by hackers, so wouldn't be a sufficient guarantee of authenticity for the project's report, or sufficient to distinguish the genuine Einstein application from a malware impersonator. Supplying a SHA-256 signature would be more secure.
Same here, Norton Antivirus 2009 detects it as a Lop Virus - High Risk
See this screenshot
http://img8.imageshack.us/my.php?image=77511793.jpg
RE: Could one of the
I just did.
BM
RE: Another note to add is
That's most likely because of NAV blocking the file.
If possible, tell NAV not to touch the BOINC directory at all (at least for the time being).
BM
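Added example, not part of any post in this thread and not BOINC or Einstein@Home code: a Python sketch that reads message-log lines in the `time|project|message` layout quoted in the first post, reports files whose every finished download was followed by a checksum or signature error, and computes the SHA-256 of a file on disk as suggested for the false-positive report. The function names are hypothetical, and the sample log is constructed (only the first three lines mirror the quoted ones).

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in the "time|project|message" layout quoted in the first
# post: the Einstein@Home file fails on both attempts, the other file is clean.
GFX = "einstein_S5R5_3.01_graphics_windows_intelx86.exe"
SAMPLE_LOG = f"""\
4/9/2009 5:31:26 AM|Einstein@Home|Started download of {GFX}
4/9/2009 5:31:29 AM|Einstein@Home|Finished download of {GFX}
4/9/2009 5:31:29 AM|Einstein@Home|[error] Checksum or signature error for {GFX}
4/9/2009 6:02:14 AM|SETI@Home|Finished download of constructed_example.dat
4/9/2009 7:40:03 AM|Einstein@Home|Finished download of {GFX}
4/9/2009 7:40:03 AM|Einstein@Home|[error] Checksum or signature error for {GFX}
"""

EVENT_RE = re.compile(
    r"^(?:(Finished download of)|\[error\] Checksum or signature error for) (\S+)$")


def verification_summary(log_text):
    """Return {(project, file): [finished_downloads, checksum_errors]}."""
    summary = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # not a "time|project|message" line
        _time, project, message = parts
        match = EVENT_RE.match(message.strip())
        if match:
            # group(1) is set for a finished download, None for the error line
            summary[(project, match.group(2))][0 if match.group(1) else 1] += 1
    return dict(summary)


def always_failing(summary):
    """Files whose every finished download failed verification."""
    return sorted(key for key, (done, bad) in summary.items() if done and bad >= done)


def sha256_of_file(path, chunk_size=1 << 16):
    """SHA-256 of the file on disk, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    for project, name in always_failing(verification_summary(SAMPLE_LOG)):
        print(f"{project}: every download of {name} failed verification")
```

A file that fails verification on every attempt while other projects download cleanly points at something on the host altering or blocking that one file rather than at a one-off transfer error.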