Guest sam Posted March 9, 2010
My virus scanner, Antivir Personal, flagged kivan-v8.1.exe as containing a trojan:
D:/ (...) /kivan-v8.1.exe is trojan TR/Orsam.A.2433
I scanned the file at virustotal.com and got the following report (translated from German):

File kivan-v8.1.exe received 2010.03.09 12:54:53 (UTC)
Status: Finished
Result: 16/42 (38.1%)

Antivirus            Version          Last update   Result
a-squared            4.5.0.50         2010.03.07    Trojan.Generic!IK
AhnLab-V3            5.0.0.2          2010.03.07    -
AntiVir              8.2.1.180        2010.03.05    TR/Orsam.A.2433
Antiy-AVL            2.0.3.7          2010.03.05    -
Authentium           5.2.0.5          2010.03.06    -
Avast                4.8.1351.0       2010.03.07    -
Avast5               5.0.332.0        2010.03.07    -
AVG                  9.0.0.787        2010.03.07    -
BitDefender          7.2              2010.03.07    -
CAT-QuickHeal        10.00            2010.03.06    -
ClamAV               0.96.0.0-git     2010.03.06    -
Comodo               4091             2010.02.28    -
DrWeb                5.0.1.12222      2010.03.07    -
eSafe                7.0.17.0         2010.03.04    -
eTrust-Vet           35.2.7342        2010.03.05    -
F-Prot               4.5.1.85         2010.03.06    -
F-Secure             9.0.15370.0      2010.03.07    -
Fortinet             4.0.14.0         2010.03.07    -
GData                19               2010.03.07    -
Ikarus               T3.1.1.80.0      2010.03.07    Trojan.Generic
Jiangmin             13.0.900         2010.03.07    -
K7AntiVirus          7.10.990         2010.03.04    Trojan.Win32.Agent
Kaspersky            7.0.0.125        2010.03.07    -
McAfee               5912             2010.03.06    Generic.dx
McAfee+Artemis       5912             2010.03.06    Artemis!A62C49F60697
McAfee-GW-Edition    6.8.5            2010.03.07    Trojan.Orsam.A.2433
Microsoft            1.5502           2010.03.07    Trojan:Win32/Orsam!rts
NOD32                4922             2010.03.07    -
Norman               6.04.08          2010.03.07    Suspicious_Gen2.ROHL
nProtect             2009.1.8.0       2010.03.07    -
Panda                10.0.2.2         2010.03.07    Generic Trojan
PCTools              7.0.3.5          2010.03.04    Trojan.Generic
Prevx                3.0              2010.03.09    -
Rising               22.37.06.04      2010.03.07    -
Sophos               4.51.0           2010.03.07    Mal/Generic-A
Sunbelt              5780             2010.03.07    Trojan.Win32.Generic!BT
Symantec             20091.2.0.41     2010.03.07    Trojan Horse
TheHacker            6.5.1.9.223      2010.03.07    -
TrendMicro           9.120.0.1004     2010.03.07    PAK_Generic.001
VBA32               3.12.12.2        2010.03.05    Trojan.Win32.Agent.blqg
ViRobot              2010.3.5.2214    2010.03.05    -
VirusBuster          5.0.27.0         2010.03.06    -

So 16 of 42 scanners detected it to be a trojan.
I read in another forum that the WeiDU files are able to update themselves and other files, and this is why it was detected to be a trojan... But other WeiDU files are not detected to be a trojan, so... Does anybody know something about this mod?
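The report above is the kind of thing a practitioner has to triage by hand: a 16/42 result made up mostly of names like "Generic", "Suspicious" and "Artemis" looks different from 16 engines agreeing on one family. The following is an added example, not code from the original post or from the WeiDU/Kivan projects: it parses the 2010-era VirusTotal text layout (engine, version, last update, result), counts how many hits are generic class names versus named families, and reports which family names are corroborated by more than one engine. The class-word list and the "generic-heavy" rule are assumptions of this example, a triage hint rather than a verdict; the embedded report is copied from the post above.

```python
"""Triage a VirusTotal-style text report: mass-generic heuristics, or a named family?"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Column layout of the 2010-era VirusTotal text export: engine, version, last update, result.
# Header and summary lines do not have a date in the third column and are skipped.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Tokens that name a detection *class* rather than a malware family.
# Assumed list for this example; extend it for the vendors you see.
CLASS_TOKENS = {
    "trojan", "horse", "generic", "suspicious", "artemis", "heur", "agent",
    "win32", "mal", "pak", "gen", "variant",
}


@dataclass(frozen=True)
class Verdict:
    engine: str
    version: str
    updated: str
    result: str  # "-" means the engine reported the file clean

    @property
    def detected(self) -> bool:
        return self.result != "-"


def parse_report(text: str) -> List[Verdict]:
    """One engine per line; lines that do not fit the column layout are ignored."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Verdict(*m.groups()))
    return out


def family_tokens(result: str) -> List[str]:
    """Alphabetic tokens that look like a family name (not a class word, not a hash or ID)."""
    toks = re.split(r"[^A-Za-z0-9]+", result.lower())
    return [t for t in toks if t.isalpha() and len(t) >= 4 and t not in CLASS_TOKENS]


def triage(text: str, min_engines: int = 2) -> Dict[str, object]:
    verdicts = parse_report(text)
    hits = [v for v in verdicts if v.detected]
    named = [v for v in hits if family_tokens(v.result)]
    # A family name repeated by several engines is a stronger signal than a pile
    # of "Generic"/"Suspicious" heuristics, which say only "this packer/code shape
    # looked odd to us".
    fam_engines: Counter = Counter()
    for v in named:
        for fam in set(family_tokens(v.result)):
            fam_engines[fam] += 1
    shared = {f: n for f, n in fam_engines.items() if n >= min_engines}
    ratio = len(hits) / len(verdicts) if verdicts else 0.0
    generic_heavy = (len(hits) - len(named)) >= len(named)
    return {
        "total": len(verdicts),
        "detections": len(hits),
        "ratio": ratio,
        "generic": len(hits) - len(named),
        "named": len(named),
        "shared_families": shared,
        # Hint only: a sub-50% ratio made up mostly of generic names is the classic
        # false-positive shape, but it is not proof the file is clean.
        "hint": ("generic-heavy, verify the file before trusting either side"
                 if ratio < 0.5 and generic_heavy
                 else "named family, treat as malicious until proven otherwise"),
    }


# Report copied from the post above (header lines included to show they are skipped).
REPORT = """
Antivirus Version Last update Result
a-squared 4.5.0.50 2010.03.07 Trojan.Generic!IK
AhnLab-V3 5.0.0.2 2010.03.07 -
AntiVir 8.2.1.180 2010.03.05 TR/Orsam.A.2433
Antiy-AVL 2.0.3.7 2010.03.05 -
Authentium 5.2.0.5 2010.03.06 -
Avast 4.8.1351.0 2010.03.07 -
Avast5 5.0.332.0 2010.03.07 -
AVG 9.0.0.787 2010.03.07 -
BitDefender 7.2 2010.03.07 -
CAT-QuickHeal 10.00 2010.03.06 -
ClamAV 0.96.0.0-git 2010.03.06 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.07 -
eSafe 7.0.17.0 2010.03.04 -
eTrust-Vet 35.2.7342 2010.03.05 -
F-Prot 4.5.1.85 2010.03.06 -
F-Secure 9.0.15370.0 2010.03.07 -
Fortinet 4.0.14.0 2010.03.07 -
GData 19 2010.03.07 -
Ikarus T3.1.1.80.0 2010.03.07 Trojan.Generic
Jiangmin 13.0.900 2010.03.07 -
K7AntiVirus 7.10.990 2010.03.04 Trojan.Win32.Agent
Kaspersky 7.0.0.125 2010.03.07 -
McAfee 5912 2010.03.06 Generic.dx
McAfee+Artemis 5912 2010.03.06 Artemis!A62C49F60697
McAfee-GW-Edition 6.8.5 2010.03.07 Trojan.Orsam.A.2433
Microsoft 1.5502 2010.03.07 Trojan:Win32/Orsam!rts
NOD32 4922 2010.03.07 -
Norman 6.04.08 2010.03.07 Suspicious_Gen2.ROHL
nProtect 2009.1.8.0 2010.03.07 -
Panda 10.0.2.2 2010.03.07 Generic Trojan
PCTools 7.0.3.5 2010.03.04 Trojan.Generic
Prevx 3.0 2010.03.09 -
Rising 22.37.06.04 2010.03.07 -
Sophos 4.51.0 2010.03.07 Mal/Generic-A
Sunbelt 5780 2010.03.07 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.07 Trojan Horse
TheHacker 6.5.1.9.223 2010.03.07 -
TrendMicro 9.120.0.1004 2010.03.07 PAK_Generic.001
VBA32 3.12.12.2 2010.03.05 Trojan.Win32.Agent.blqg
ViRobot 2010.3.5.2214 2010.03.05 -
VirusBuster 5.0.27.0 2010.03.06 -
"""

if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k}: {v}")
```

On this report the script counts 11 of the 16 hits as generic class names and only one family, "Orsam", repeated across engines, and three of the sixteen come from McAfee variants of the same product. That is consistent with the false-positive explanation given later in the thread, but the check a practitioner still owes is the one the thread converges on: extract the archive, compare the bundled WeiDU.exe against a known-good copy, and rescan.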
berelinde Posted March 9, 2010
It isn't a trojan, it's a false positive. Some antiviral software flags Kivan as a trojan, but it's a case of too-broad virus definitions.
Shaitan Posted March 9, 2010
It is indeed annoying when we get false positives. I hope it doesn't keep anybody from playing the nice mods from the various forums.
Guest sam Posted March 9, 2010
Well, thank you for your very fast answers. I thought I would have to wait maybe half a day to get an answer, but you were really quick... I got a bad worm on my notebook a few weeks ago, so I'm kind of paranoid concerning potential malware... Thanks a lot!
Guest sam Posted March 9, 2010
Oh, there was already a thread about the trojan problem. Next time I maybe should do a little search before...

I can't install Kivan on my computer; when I try, my antivirus software automatically erases the file when it's at 99% downloaded. What can I do to install the mod?

You could always turn off the antivirus program. If you wish to be absolutely sure that there is no virus, you can open the .exe archive with WinRAR or 7-Zip, extract the other files (not the setup-*modname*.exe), and then download the latest WeiDU.exe from the "Windows binary" archive from here. Then copy the WeiDU.exe, rename it as the setup-*modname*.exe, and run it.

Trojan.Generic.1431897

That comes from the process that makes the WeiDU.exe; the anti-virus programs falsely see it as a positive, as the program code has some of the same binary values, which gives a false alert. You can always send a note to the anti-virus program maker that their program gives a false alert, but that's usually already taken care of.

Although I don't understand why, by replacing the kivan-setup.exe with the WeiDU installer, there's no detection anymore. If the former setup file was also a renamed WeiDU installer, why doesn't the virus scanner detect it to be a trojan, too? Is it a different version?!
berelinde Posted March 9, 2010
No idea, but it might have something to do with the version of WeiDU packaged with Kivan. If that's the case, perhaps updating to a newer version would help. I'm going to be packaging Crossmod Banter Pack later this week, so maybe I'll update Kivan with the latest version of WeiDU at the same time. It's a great mod, and it really is a pity that anti-viral programs are aggressive to the point of insanity. I wonder how many players download Kivan, see that the mod is flagged as a trojan, and never bother coming here to find out the truth. (sigh)
Lollorian Posted March 9, 2010
The problem isn't in the WeiDU.exe being bundled, but with the compressed form of that WeiDU.exe inside the kivanv8.1.exe package. It may well be that the compressed code, along with some compressed code from some neighboring file, may together match some known virus signature that the antivirus heuristics pick up. It'd be great if Kivan and Tashia were repackaged (and, just to be safe, pre-scanned using some online scanner like virustotal).
berelinde Posted March 9, 2010
No, I can narrow it down to the specific version of WeiDU shipped with Kivan. I got the same results with McAfee that everyone else is getting with their AV software, removal of the executable, but I don't get that when I extract newer mods. There's no way to tell which version of WeiDU was shipped with v8, but I know that as of this moment, WeiDU v213 isn't getting flagged as a trojan, so I'll package with that one. Assuming that Domi gives the go-ahead for me to repackage her mod.
Lollorian Posted March 9, 2010
Hmm, I just checked my files and it looks like Kivan has WeiDU 20800... and none of the other mods I extracted have that version (but a-squared picks up the compressed package but not the extracted WeiDU). You're probably right then. IT IZ WEIDOO!! (20800)
Guest sam Posted March 9, 2010
Well, I think repacking is a good idea... It's too bad about the mod not being played because of this. Thanks again for helping.
Shaitan Posted March 9, 2010
It is being played. Anything else would be insane. We are trying to make people download it no matter what scanners may say.
berelinde Posted March 9, 2010
Yup. If you've got sane AV software that allows you to download the mod and just deletes the executable, you can always download Kivan, download WeiDU v213, and just rename weidu.exe as setup-kivan.exe. Works 100% of the time. But Domi had a few other minor changes introduced in v9 alpha, which was tested but never released. I'm not sure if they were ever included in v8.1, so maybe it would be good to look into that as well.