NAV detected Suspicious.Lop in E@H executable

Shaggy
Joined: 25 Nov 08
Posts: 1
Credit: 507793
RAC: 0
Topic 194280

Let me start by saying that I know people have already been posting about NAV finding viruses and possibly giving a...what were the words..."false positive" (??). Maybe this is along the same lines, maybe not. So, on to MY problem.

NAV (yes, fully updated) detected the Suspicious.Lop threat in the following file:

c:\programdata\boinc\einstein.phys.uwm.edu\einstein_s5r5_3.01_graphics_windows_intelx86.exe

Now, I didn't read all the previous posts, but I will assume (*ducks head*) that they were all aimed towards NAV detecting viruses in data files. If I am assuming correctly and am correct in saying the executable is not the data file, then my problem is slightly different (please correct me if I'm wrong).

Could this be an actual virus, or could this be another "false positive" (no, I haven't sent it off to be analyzed)? Has anyone else seen this?

Another note to add is that i get the following message in my BOINC messages log:

4/9/2009 5:31:26 AM|Einstein@Home|Started download of einstein_S5R5_3.01_graphics_windows_intelx86.exe
4/9/2009 5:31:29 AM|Einstein@Home|Finished download of einstein_S5R5_3.01_graphics_windows_intelx86.exe
4/9/2009 5:31:29 AM|Einstein@Home|[error] Checksum or signature error for einstein_S5R5_3.01_graphics_windows_intelx86.exe

It does not do this for my other 2 projects (SETI@Home and Docking@Home), and it seems to have done this every time it tried to download that file since I reattached the project a few days ago (sorry, I just noticed the messages).

Any thoughts/suggestions/criticisms/opinions/etc?

Jord
Joined: 26 Jan 05
Posts: 2952
Credit: 5779100
RAC: 0

NAV detected Suspicious.Lop in E@H executable

Upload your version of that file to http://www.virustotal.com/ and get it analyzed by lots of other AV scanners as well. If they say it's clean and can't find whatever NAV is flagging, then it's a false positive and you have to contact Norton/Symantec.

Jesse Viviano
Joined: 8 Jun 05
Posts: 33
Credit: 133045917
RAC: 0

Could one of the

Could one of the administrators fill out Symantec's false positive submission form at https://submit.symantec.com/false_positive/index.html? Having the authors of the program explain what is wrong to Symantec could help them modify the Suspicious.Lop heuristics to ignore your application by possibly including a SHA-256 signature (MD5 is broken, so there is the remote chance of a virus author creating a virus whose MD5 collides with Einstein@home's MD5) of the file to ignore.

Here is the information the user of Norton software must supply to fill out the form: the name of the detection given by Symantec is Suspicious.Lop, and this is a "malware" (e.g. virus or trojan) threat, not a "security risk" (e.g. spyware, adware, and joke programs).

Gundolf Jahn
Joined: 1 Mar 05
Posts: 1079
Credit: 341280
RAC: 0

RE: (MD5 is broken, so

Message 92343 in response to message 92342

Quote:
(MD5 is broken, so there is the remote chance of a virus author creating a virus whose MD5 collides with Einstein@home's MD5)


MD5 is probably broken by the AV software, which tries to delete the "virus" from the exe file while downloading.

Regards,
Gundolf

Computers aren't everything in life. (Little joke)

Richard Haselgrove
Joined: 10 Dec 05
Posts: 2139
Credit: 2752885405
RAC: 1391683

RE: RE: (MD5 is broken,

Message 92344 in response to message 92343

Quote:
Quote:
(MD5 is broken, so there is the remote chance of a virus author creating a virus whose MD5 collides with Einstein@home's MD5)

MD5 is probably broken by the AV software, which tries to delete the "virus" from the exe file while downloading.

Regards,
Gundolf


I think he possibly meant that MD5 has been 'cracked' by hackers, so it wouldn't be a sufficient guarantee of authenticity for the project's report, or sufficient to distinguish the genuine Einstein application from a malware impersonator. Supplying a SHA-256 signature would be more secure.

PzSniper
Joined: 17 Aug 08
Posts: 1
Credit: 176561
RAC: 0

Same here, Norton Antivirus

Message 92345 in response to message 92344

Same here, Norton Antivirus 2009 detects it as a Lop Virus - High Risk

See this screenshot

http://img8.imageshack.us/my.php?image=77511793.jpg

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4267
Credit: 244931268
RAC: 16433

RE: Could one of the

Message 92346 in response to message 92342

Quote:
Could one of the administrators fill out Symantec's false positive submission form


I just did.

BM

Bernd Machenschalk
Moderator
Administrator
Joined: 15 Oct 04
Posts: 4267
Credit: 244931268
RAC: 16433

RE: Another note to add is

Quote:

Another note to add is that i get the following message in my BOINC messages log:

4/9/2009 5:31:26 AM|Einstein@Home|Started download of einstein_S5R5_3.01_graphics_windows_intelx86.exe
4/9/2009 5:31:29 AM|Einstein@Home|Finished download of einstein_S5R5_3.01_graphics_windows_intelx86.exe
4/9/2009 5:31:29 AM|Einstein@Home|[error] Checksum or signature error for einstein_S5R5_3.01_graphics_windows_intelx86.exe


That's most likely because of NAV blocking the file.

If possible, tell NAV not to touch the BOINC directory at all (at least for the time being).

BM
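As an added example (not Einstein@Home or BOINC project code, and not posted by anyone in this thread), the following Python script models two points raised above: Jesse Viviano's suggestion that an allowlist be keyed on a SHA-256 digest of the file rather than MD5, and Bernd's explanation that an AV product which alters the file while it is being downloaded makes the client's checksum check fail. Only the file name is taken from the thread; the file contents, the "LOP" byte pattern that the simulated AV overwrites, and the expected digest are constructed for the example, and the "AV cleaning" step is a model, not Norton's actual behaviour.

```python
"""
Verify a downloaded BOINC application file against a published digest.

Added example; this is not Einstein@Home or BOINC code and was not posted
in the thread. It models two points from the discussion:
  * keying an allowlist on SHA-256 rather than MD5 (MD5 collisions have
    been practical since 2004, so two different files can share an MD5);
  * an AV product that rewrites the file while it is being downloaded
    changes its digest, so the client's checksum check fails.

Everything below except the file name is constructed for the example.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 16

# Constructed stand-in for whatever byte pattern the AV heuristic objected to.
FLAGGED_PATTERN = b"LOP"


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks (binaries can be large); returns lowercase hex."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_sha256):
    """Return (ok, actual_sha256). compare_digest avoids an early-exit string
    compare; cheap hygiene even though the digest itself is not secret."""
    actual = file_digest(path, "sha256")
    ok = hmac.compare_digest(actual, expected_sha256.lower())
    return ok, actual


def simulate_av_cleaning(path):
    """Model an AV 'disinfecting' the file: the flagged bytes are overwritten
    with zeros in place. The length is unchanged, so only a digest check
    (not a size check) catches the modification."""
    with open(path, "r+b") as f:
        data = f.read()
        f.seek(0)
        f.write(data.replace(FLAGGED_PATTERN, b"\x00" * len(FLAGGED_PATTERN)))
        f.truncate()


def demo():
    """Write a fake binary, verify it, let the 'AV' touch it, verify again.
    Returns a dict of the observations so they can be checked or printed."""
    # Constructed payload: MZ magic, padding, and a body containing the pattern.
    payload = (b"MZ" + b"\x90" * 64
               + b"constructed stand-in for the graphics app body; contains LOP here")
    expected_sha256 = hashlib.sha256(payload).hexdigest()  # what the project would publish

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "einstein_S5R5_3.01_graphics_windows_intelx86.exe")
        with open(path, "wb") as f:
            f.write(payload)

        ok_before, sha_before = verify_download(path, expected_sha256)
        md5_before = file_digest(path, "md5")

        simulate_av_cleaning(path)

        ok_after, sha_after = verify_download(path, expected_sha256)
        md5_after = file_digest(path, "md5")
        size_after = os.path.getsize(path)

    return {
        "ok_before": ok_before,
        "ok_after": ok_after,
        "sha256_before": sha_before,
        "sha256_after": sha_after,
        "md5_before": md5_before,
        "md5_after": md5_after,
        "size_unchanged": size_after == len(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, the script prints both digests before and after the simulated cleaning: the pristine file verifies, the touched file does not, and the file size alone would not have revealed the change. That is the same symptom the BOINC log above shows ("Checksum or signature error"), which is why excluding the BOINC directory from on-access scanning, as Bernd suggests, lets the download verify again.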
