Mailing List Archive

[clamav-users] vistumbler as false positive
https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe

Looks like this (vistumbler) is detected as a false positive.

How to fix this?

Eero
Re: [clamav-users] vistumbler as false positive
Without knowing the name of the infection I can't provide even a guess as to whether it is or not, but the exact answer to your question is for you to report it by filling out the form found at https://www.clamav.net/reports/fp including the file itself.

Sent from my iPad

-Al-

On Apr 7, 2021, at 18:03, Eero Volotinen <eero.volotinen@iki.fi> wrote:
Re: [clamav-users] vistumbler as false positive
Thanks. I submitted files via that url.

clamscan Vistumbler_v1*
/root/Vistumbler_v10-7.exe: OK
/root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
/root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND

So, it looks like this is a false positive on vistumbler.

Eero

On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Without knowing the name of the infection I can't provide even a guess as
> to whether it is or not, but the exact answer to your question is for you
> to report it by filling out the form found @
> https://www.clamav.net/reports/fp including the file itself.
>
> Sent from my iPad
>
> -Al-
>
> On Apr 7, 2021, at 18:03, Eero Volotinen <eero.volotinen@iki.fi> wrote:?
>
>
> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>
> Looks like this is (vistumbler) detected as false positive.
>
> How to fix this?
>
> Eero
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Re: [clamav-users] vistumbler as false positive
Hello,

At first look, ClamAV is not the only one that flags it as malware:

https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection


On 08/04/2021 at 11:41, Eero Volotinen wrote:

--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.60.47.09.81
E-mail: aj@securiteinfo.com
Web site: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Signatures for ClamAV antivirus: http://ow.ly/LqfdL

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] vistumbler as false positive
That signature has been in the ClamAV daily.ldb database since Jan 15 and appears to be looking for some relatively unique strings:

% sigtool -fWin.Malware.Generic-9819492-0|sigtool --decode-sigs
VIRUS NAME: Win.Malware.Generic-9819492-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
*Unable to get a list of running processes.
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
api-ms-win-core-synch-l1-2-0.dll
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
internal error: invalid forward reference offset
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>

-Al-

On Apr 8, 2021, at 03:24, Arnaud Jacques <webmaster@securiteinfo.com> wrote:
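A way to re-check which of those five strings a given file actually contains, as an added example that is not part of Al's message and not ClamAV's own code: it takes the decoded sub-signatures exactly as sigtool printed them, re-encodes the WIDE ones with a NUL byte after every character (UTF-16LE for ASCII text, which is how ClamAV's wide modifier matches) and evaluates the logical expression over the hits. The helper names, the small expression parser and the sample buffers are assumptions made for illustration. It ignores the TDB (Engine/Target) restrictions and does not unpack archives, so point it at the extracted files rather than at the .zip.

```python
"""Re-apply a decoded ClamAV logical signature to a file's bytes.

Added example for this thread, not ClamAV code. The sub-signatures are
copied from the `sigtool --decode-sigs` output above; the helper names,
the tiny expression parser and the sample buffers are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SubSig:
    sid: int
    text: str     # DECODED SUBSIGNATURE as sigtool printed it
    sigmod: str   # SIGMOD: "WIDE" or "NONE" (the only two in this signature)

    def pattern(self) -> bytes:
        # WIDE: every character followed by a NUL byte, i.e. UTF-16LE for
        # ASCII text, which is how ClamAV's wide (w) modifier matches.
        if self.sigmod == "WIDE":
            return self.text.encode("utf-16-le")
        return self.text.encode("latin-1")


# LOGICAL EXPRESSION and SUBSIG IDs as shown in the thread. The leading
# "0", "*", "'" and ">" characters are part of what sigtool printed.
WIN_MALWARE_GENERIC_9819492_0: Tuple[str, List[SubSig]] = (
    "0&1&2&3&4",
    [
        SubSig(0, "*Unable to get a list of running processes.", "WIDE"),
        SubSig(1, '0Expected a "=" operator in assignment statement.'
                  "*Invalid keyword at the start of this line.", "WIDE"),
        SubSig(2, "api-ms-win-core-synch-l1-2-0.dll", "WIDE"),
        SubSig(3, "internal error: invalid forward reference offset", "NONE"),
        SubSig(4, "Error parsing function call.0Incorrect number of parameters "
                  "in function call.'\"ReDim\" used without an array variable.>", "WIDE"),
    ],
)


def subsig_hits(data: bytes, subsigs: List[SubSig]) -> Dict[int, bool]:
    """Which sub-signatures occur anywhere in data (OFFSET: ANY)."""
    return {s.sid: s.pattern() in data for s in subsigs}


_TOKEN = re.compile(r"\s*(\d+|[&|()])")


def eval_logical(expr: str, hits: Dict[int, bool]) -> bool:
    """Evaluate an expression over sub-signature ids with &, | and
    parentheses; & binds tighter than |. ClamAV's match-count operators
    (=, <, >) are not handled by this illustration."""
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported token in {expr!r}")
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = parse_and() or value
        return value

    def parse_and() -> bool:
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = parse_atom() and value
        return value

    def parse_atom() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return value
        return hits[int(tok)]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return result


def matches(data: bytes, signature=WIN_MALWARE_GENERIC_9819492_0) -> bool:
    expr, subsigs = signature
    return eval_logical(expr, subsig_hits(data, subsigs))


# Constructed buffers (not real Vistumbler bytes): one carrying all five
# strings, one with sub-signature 3 left out.
_SUBS = WIN_MALWARE_GENERIC_9819492_0[1]
SAMPLE_HIT = b"MZ" + b"\x00" * 30 + b"\x00\x00".join(s.pattern() for s in _SUBS)
SAMPLE_MISS = b"MZ" + b"\x00" * 30 + b"\x00\x00".join(s.pattern() for s in _SUBS if s.sid != 3)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HIT
    for sid, hit in sorted(subsig_hits(data, _SUBS).items()):
        print(f"subsig {sid}: {'hit' if hit else 'miss'}")
    print("logical expression satisfied:", matches(data))
```

Run it with the path of an extracted Vistumbler executable as the first argument; with no argument it runs on the constructed buffer. Because all five sub-signatures are joined with &, a single missing string is enough for the signature not to fire, which is also what a false-positive fix on the signature side would change.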
Re: [clamav-users] vistumbler as false positive
Comment from the developer:

"Unfortunately autoit, which vistumbler is written in, gets flagged as a
false positive a lot. Vistumbler has struggled with this since the
beginning.

I recently submitted the 10.7 release files to microsoft for false
detection and they removed the false detection, so i think these files are
fine. However I have also just submitted a false positive report to
bitdefender, so we can see if they remove it too.

If vistumbler gets flagged by your AV company, my suggestion is to submit
it as a false positive to them. I really don't have the time to chase down
all these AV companies.

-Andrew"

On Thu 8. Apr 2021 at 13.49, Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> That signature has been in the ClamAV daily.ldb database since Jan 15 and
> appears to be looking for some relatively unique strings:
>
> % sigtool -fWin.Malware.Generic-9819492-0|sigtool --decode-sigs
> VIRUS NAME: Win.Malware.Generic-9819492-0
> TDB: Engine:81-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: WIDE
> +-> DECODED SUBSIGNATURE:
> *Unable to get a list of running processes.
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: WIDE
> +-> DECODED SUBSIGNATURE:
> 0Expected a "=" operator in assignment statement.*Invalid keyword at the
> start of this line.
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: WIDE
> +-> DECODED SUBSIGNATURE:
> api-ms-win-core-synch-l1-2-0.dll
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> internal error: invalid forward reference offset
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: WIDE
> +-> DECODED SUBSIGNATURE:
> Error parsing function call.0Incorrect number of parameters in function
> call.'"ReDim" used without an array variable.>
>
> -Al-
>
> On Apr 8, 2021, at 03:24, Arnaud Jacques <webmaster@securiteinfo.com>
> wrote:
>
>
> Hello,
>
> At first look, ClamAV is not the only one that flags it as malware :
>
>
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
>
>
> Le 08/04/2021 à 11:41, Eero Volotinen a écrit :
>
> Thanks. I submitted files via that url.
> clamscan Vistumbler_v1*
> /
> root/Vistumbler_v10-7.exe: OK
> /root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
> /root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND
> So. looks like this is false positive on vistumbler..
> Eero
> On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users <
> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net
> <clamav-users@lists.clamav.net>>> wrote:
> Without knowing the name of the infection I can't provide even a
> guess as to whether it is or not, but the exact answer to your
> question is for you to report it by filling out the form found
> @https://www.clamav.net/reports/fp
> <https://www.clamav.net/reports/fp> including the file itself.
> Sent from my iPad
> -Al-
> On Apr 7, 2021, at 18:03, Eero Volotinen <eero.volotinen@iki.fi
> <mailto:eero.volotinen@iki.fi <eero.volotinen@iki.fi>>> wrote:?
>
>
> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
> <
> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
> >
>
> Looks like this is (vistumbler) detected as false positive.
>
> How to fix this?
>
> Eero
>
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Re: [clamav-users] vistumbler as false positive
On Thu, 8 Apr 2021, Eero Volotinen wrote:

> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>
> Looks like this is (vistumbler) detected as false positive.

and

On Thu, 8 Apr 2021, Arnaud Jacques wrote:
> At first look, ClamAV is not the only one that flags it as malware :
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection

and https://vistumbler.en.lo4d.com/virus-malware-tests
but that has a different sha256sum.
Hmm.

If I feed the github URL into virustotal it comes up clean
https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection

but if I download the file and give that to virustotal I get
https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection
(the bit between file/ and /detection matches the sha256sum of my file and that on https://vistumbler.en.lo4d.com/virus-malware-tests ).

Initially that page reported
19 security vendors flagged this file as malicious
Size 6.92 MB
direct-cpu-clock-access invalid-signature
nsis overlay peexe runtime-modules signed
but when I asked virustotal to rescan, "19 security vendors" changed to "16 security vendors".

I have put my copy at:
https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe

I think this means that raw.github.com has given out at least three
different versions of this file. Eero, could you pass this back to
the Vistumbler developer "Andrew" (Calcutt?) please ?

# file Vistumbler_v10-7.exe
Vistumbler_v10-7.exe: PE32 executable (GUI) Intel 80386, for MS Windows,
Nullsoft Installer self-extracting archive

# host raw.github.com
raw.github.com has address 185.199.108.133
raw.github.com has address 185.199.109.133
raw.github.com has address 185.199.110.133
raw.github.com has address 185.199.111.133

On Thu, 8 Apr 2021, Eero Volotinen wrote:

> comment from developer
>
> "Unfortunately autoit, which vistumbler is written in, gets flagged
> as a false positive a lot. Vistumbler has struggled with this since
> the beginning.
>
> I recently submitted the 10.7 release files to microsoft for false
> detection and they removed the false detection, so i think these
> files are fine. However I have also just submitted a false positive
> report to bitdefender, so we can see if they remove it too.
>
> If vistumbler gets flagged by your AV company, my suggestion is to
> submit it as a false positive to them. I really don't have the time
> to chase down all these AV companies.
>
> -Andrew"

Not sure about this as it is open source, but if I were paying for
the software I would expect them to liaise with the AV companies.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk


Re: [clamav-users] vistumbler as false positive
>
> Not sure about this as it is open source, but if I were paying for
> the software I would expect them to liase with the AV companies.
>

Well, not sure if this software is malware or not. A bit worried about
that.

Eero
Re: [clamav-users] vistumbler as false positive
Got a response:

"There are three downloads available for 10.7. The SHA256 of those files
should be

Vistumbler_v10-7.exe -
ECA2ACE14102F623E1C2490257FB645611314C918E45A845AE7337CEFA6FFD01
Vistumbler_v10-7.zip -
7CC806B74131BCCA5AE11EE81E39152DBC61F1477108FFDE7E416927C196DBA0
Vistumbler_v10-7_Portable.zip -
F729B9BBAEADFF288D78655B996102CC4274CB2D5527F58A1464EEF3BE9D636C

All 3 should contain the same files.

- the non portable zip is just vistumbler with default settings (storing
data in your profile temp directory and documents folder)
- the exe file is just the zip file packed into an installer with NSIS (
https://nsis.sourceforge.io/Main_Page )
- the portable version has different settings which cause temp files and
save files to be stored inside the same directory as the program (better
for portable use) instead of inside your windows profile.

I went and reanalyzed the file you submitted to VirusTotal and it looks
like Bitdefender no longer considers them viruses, so it seems they
consider it a false positive. You can see if you go to the link you posted
above,
https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection
Bitdefender has removed the detection."


Eero

On Thu 8. Apr 2021 at 17.02, Andrew C Aitchison via clamav-users <
clamav-users@lists.clamav.net> wrote:

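Andrew's cross-check in the previous message (the hash in a VirusTotal file link must equal the sha256sum of the bytes you actually downloaded) and the three digests the developer published above together give a complete verification procedure. Here it is as an added Python example, not Vistumbler's or ClamAV's own code; the function names and the constructed 3-byte stand-in file are assumptions, and the digests are copied from the developer's message. Read against the thread: Andrew's copy (eca2ace1...) matches the developer's value for the .exe, while the 071921ed... sample in Arnaud's VirusTotal link is not one of the three published digests, so its verdict says nothing about the files the developer vouches for.

```python
"""Check a downloaded release against published SHA256 values and a
VirusTotal file link.

Added example for this thread, not Vistumbler's or ClamAV's code. The
three digests are the ones the developer posted above; the function
names and the constructed 3-byte stand-in file are assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Posted by the developer (uppercase as posted; compared case-insensitively).
PUBLISHED_SHA256 = {
    "Vistumbler_v10-7.exe": "ECA2ACE14102F623E1C2490257FB645611314C918E45A845AE7337CEFA6FFD01",
    "Vistumbler_v10-7.zip": "7CC806B74131BCCA5AE11EE81E39152DBC61F1477108FFDE7E416927C196DBA0",
    "Vistumbler_v10-7_Portable.zip": "F729B9BBAEADFF288D78655B996102CC4274CB2D5527F58A1464EEF3BE9D636C",
}

# In a VirusTotal file report URL the segment after /gui/file/ is the
# SHA256 of the sample; /gui/url/ links carry a URL hash instead.
_VT_FILE = re.compile(r"https?://www\.virustotal\.com/gui/file/([0-9a-fA-F]{64})(?:/|$)")


def sha256_of_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_from_vt_url(url: str) -> Optional[str]:
    m = _VT_FILE.match(url)
    return m.group(1).lower() if m else None


def verify_download(path, expected_hex: str) -> Dict[str, object]:
    actual = sha256_of_file(path)
    return {"path": str(path), "expected": expected_hex.lower(),
            "actual": actual, "ok": actual == expected_hex.lower()}


def verify_release(directory, published=PUBLISHED_SHA256) -> List[Dict[str, object]]:
    """One result per published file; a missing file counts as a failure."""
    results = []
    for name, digest in published.items():
        p = Path(directory) / name
        if p.is_file():
            results.append(verify_download(p, digest))
        else:
            results.append({"path": str(p), "expected": digest.lower(),
                            "actual": None, "ok": False})
    return results


def vt_report_is_this_file(path, vt_url: str) -> bool:
    """True only when the VirusTotal report describes the exact bytes on disk."""
    vt_digest = sha256_from_vt_url(vt_url)
    return vt_digest is not None and vt_digest == sha256_of_file(path)


def demo() -> Dict[str, object]:
    """Constructed walk-through with a fake installer (b"abc"), so the
    published-hash check fails and the self-hash check passes."""
    d = Path(tempfile.mkdtemp())
    fake = d / "Vistumbler_v10-7.exe"
    fake.write_bytes(b"abc")
    return {
        "published": verify_release(d),
        "own_hash": verify_download(fake, sha256_of_file(fake).upper()),
        "vt_match": vt_report_is_this_file(
            fake, "https://www.virustotal.com/gui/file/"
                  "eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection"),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    rows = verify_release(target) if target else demo()["published"]
    for r in rows:
        print(f"{'OK ' if r['ok'] else 'BAD'} {r['path']} actual={r['actual']}")
```

Run it with the directory holding the three downloads as the first argument. A "BAD" row for a file with the right name means the bytes served to you are not the bytes the developer hashed, which is the case Andrew raised when he suggested raw.github.com had handed out more than one version; a VirusTotal link only counts as evidence about your copy when vt_report_is_this_file is true.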
Re: [clamav-users] vistumbler as false positive
Anyway, according to the official website "Vistumbler is wireless
network scanner", aka a hack tool, and it should be detected as PUA at minimum.

https://www.clamav.net/documents/potentially-unwanted-applications-pua


On 09/04/2021 at 05:59, Eero Volotinen wrote:

Re: [clamav-users] vistumbler as false positive
Well, a wifi scanning tool is not really a hacking tool.

Eero

On Fri 9. Apr 2021 at 15.59, Arnaud Jacques <webmaster@securiteinfo.com>
wrote:
