NSIS False Positives: Difference between revisions

From NSIS Wiki
Jump to navigationJump to search
(+ GitHub False-Positive-Center)
 
(82 intermediate revisions by 24 users not shown)
Line 1: Line 1:
There are hundreds of <s>installers</s> false positive made with NSIS. This page contains a list of some of them.
There are hundreds of false positive made with NSIS. This page contains a list of some of them.


== NSIS False Positives ==
== Does NSIS Contain a Virus? ==
This information is collected from [http://forums.winamp.com/forumdisplay.php?forumid=65 NSIS forum], simply by searching for "virus". Now updated on a regular basis!
No. NSIS is open source and you can check for yourself. Some people sadly use NSIS to distribute their malware. Even though most modern anti-virus vendors know how to extract and scan files from NSIS installers, some of them still generate signatures on the installer stub itself instead of the files in it. This causes a false positive on multiple installers generated using the same version of NSIS. This is a bug with the anti-virus and they normally fix it pretty quickly once reported back to them. It's like finding a virus in a zip file and marking all zip files as viruses as a result.
 
== What Can I Do About My Installer? ==
* Fortinet - Jul 3, 2006 ("PossibleThreat!06490" in "lzma_solid" from NSIS 2.17 but not 2.18 - fixed in virus definitions Jul 5, 2006)
# Report the false positive to the AV vendor.
* AntiVir - Jul 1, 2006 ("TR/Dldr.Zlob.VV.2" in "lzma_solid" from NSIS 2.17 but not 2.18 - fixed in virus definitions Jul 5, 2006)
# Sign your installer. There have been reports it helps.
* Norton &amp; Symantec - Jul 1, 2006 ("Trojan.Zlob" in "lzma_solid" from NSIS 2.17 but not 2.18 - fixed in virus definitions Jul 3, 2006)
# Compile your own version of NSIS with some modifications to avoid the signatures.
* Kaspersky - Jun 21, 2006
== How Can I Help? ==
* BitDefender - Jun 13, 2006
The following steps should be done for NSIS installer and the ZIP file. You can also perform them for your own installer.
* OneCare - Jun 07, 2006
# Upload NSIS to [https://www.virustotal.com/#/home/upload VirusTotal]
* AVG - Jun 06, 2006
# Go to the Community tab ([https://www.virustotal.com/#/file/bd3b15ab62ec6b0c7a00f46022d441af03277be893326f6fea8e212dc2d77743/community example for 3.03]) and vote as safe
* Norton - May 20, 2006
# In the detection tab, notice which vendors have a false positive
* AntiVir - Feb 22, 2006
# Use [https://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm#Easily_Submit_Malware_To_All_Vendors this list] to notify each of them of the false positive
* Ad-Aware - Nov 22, 2005
# Use [https://falsepositivewatch.com False Positive Watch] to get notified of changes to VirusTotal
* Mcafee - Nov 16, 2005
# Repeat the process when there is a new false positive
* AntiVir - Oct 12, 2005
== NSIS Virus Checker False Positives ==
* ArcaVir - Aug 21, 2005
'''Bolded entries are still detected by the AV!'''
* MS Antispyware - Aug 09, 2005
# McAfee - [https://www.virustotal.com/de/file/006586dbb7375d45d3caf18d17b69a724dd7719a3fecc37240645d40a7e2b703/analysis/1460813111/ Apr 16, 2016] to [https://www.virustotal.com/de/file/006586dbb7375d45d3caf18d17b69a724dd7719a3fecc37240645d40a7e2b703/analysis/1462177688/ May 2, 2016]
* MS Antispyware - Jul 26, 2005
# AntiVir - Sep 26, 2011 (see Virustotal results from [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317010793 Sep 26, 2011])
* AVG - Jul 10, 2005
# Symantec 2011 - Sep 26, 2011 (see Virustotal results from [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317010793 Sep 26, 2011]). Fixed on [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317184605 Sep 29, 2011]
* MS Antispyware - May 18, 2005
# Sunbelt - Dec 9, 2009 (see Virustotal results from [http://www.virustotal.com/analisis/786b5087c0a506007d634cda09045b5ffb52897dccd9f47861bf2b7595a6e24d-1261471025 Dec 22, 2009])
* MS Antispyware - Apr 22, 2005
# McAfee VirusScan (DAT Version 5797) - Nov 9, 2009
* AVG - Apr 21, 2005
# Sunbelt - June 5, 2009 (see Virustotal results from [http://www.virustotal.com/analisis/1489ef6ec4476b096d8cfd389bce95267fc8fff51bb958915843d2c7214abc79-1244191930  June 5, 2009], [http://www.virustotal.com/analisis/1489ef6ec4476b096d8cfd389bce95267fc8fff51bb958915843d2c7214abc79-1244888211 June 13, 2009])
* MS Antispyware - Mar 01, 2005
# Vipre - May 11, 2009
* PCCillin - Sep 17, 2004
# Symantec Enterprise - Oct 31, 2007 Definitions
* BitDefender - Aug 29, 2004
# McAfee VirusScan (DAT Version 5150) - Oct 26, 2007
* Mcafee - Aug 26, 2004
# AVG Antivirus - Oct 8, 2007
* Sophos AV - Aug 16, 2004
# Trend Micro OfficeScan - Sep 21, 2007
* Norton - Aug 09, 2004
# Sophos - Aug 18, 2007
* Mcafee - Mar 11, 2004
# Norton - Jul 17, 2007
* Norton - Feb 24, 2004
# AntiVir Guard - Jun 27, 2007
# AVG Antivirus - Dec 7, 2006
# NOD32 - Nov 14, 2006
# F-PROT - Sep 21, 2006
# F-Secure - Sep 13, 2006
# Kaspersky - Sep 13, 2006
# Norman - Sep 11, 2006
# AVG Antivirus - Sep 11, 2006
# Fortinet - Jul 3, 2006
# AntiVir - Jul 1, 2006
# Norton &amp; Symantec - Jul 1, 2006
# Kaspersky - Jun 21, 2006
# BitDefender - Jun 13, 2006
# OneCare - Jun 07, 2006
# AVG Antivirus - Jun 06, 2006
# Norton - May 20, 2006
# AntiVir - Feb 22, 2006
# Ad-Aware - Nov 22, 2005
# Mcafee - Nov 16, 2005
# AntiVir - Oct 12, 2005
# ArcaVir - Aug 21, 2005
# MS Antispyware - Aug 09, 2005
# MS Antispyware - Jul 26, 2005
# AVG Antivirus - Jul 10, 2005
# MS Antispyware - May 18, 2005
# MS Antispyware - Apr 22, 2005
# AVG Antivirus - Apr 21, 2005
# MS Antispyware - Mar 01, 2005
# PCCillin - Sep 17, 2004
# BitDefender - Aug 29, 2004
# Mcafee - Aug 26, 2004
# Sophos AV - Aug 16, 2004
# Norton - Aug 09, 2004
# Mcafee - Mar 11, 2004
# Norton - Feb 24, 2004
<br />
<br />


==== False Positive By Anti-Malware programs ====
==== False Positive By Anti-Malware programs ====
* Symantec (Norton): 5
* MS Antispyware: 5
* MS Antispyware: 5
* Norton: 4
* AVG Spyware: 5
* AntiVir: 3
* AntiVir: 4
* AVG: 3
* Mcafee: 4
* Mcafee: 3
* Kaspersky: 2
* BitDefender: 2
* BitDefender: 2
* Sunbelt: 2
* F-PROT: 1
* F-Secure: 1
* Norman: 1
* Ad-Aware: 1
* Ad-Aware: 1
* ArcaVir: 1
* ArcaVir: 1
* Fortinet: 1
* Fortinet: 1
* Kaspersky: 1
* OneCare: 1
* OneCare: 1
* PCCillin: 1
* PCCillin: 1
* Sophos: 1
* Sophos: 1
* '''Total False Positives: 27'''
* Spyware Terminator: 1
* StopZilla: 1
* '''Total False Positives: 38'''


== Where to report false positives ==
* '''Various: [https://github.com/yaronelh/False-Positive-Center False-Positive-Center (GitHub user yaronelh)]'''
* Various: [https://www.techsupportalert.com/how-to-report-malware-or-false-positives-to-multiple-antivirus-vendors/ How to Report Malware or False Positives to Multiple Antivirus Vendors] (partly outdated)
* ALYac: https://en.estsecurity.com/support/report
* Antiy-AVL: https://www.antiy.net/contacts/
* Avast: https://www.avast.com/en-us/false-positive-file-form.php#pc
* Avira: https://analysis.avira.com/en/submit
* AVG: https://www.avg.com/en-us/false-positive-file-form
* Bitdefender: https://www.bitdefender.com/submit/
* BKav: https://www.bkav.com/contact-us
* CrowdStrike Falcon: https://www.crowdstrike.com/contact-us/#VTscanner_(at)_crowdstrike_(dot)_com
* Cyren: https://www.cyren.com/support/reporting-av-misclassifications#FTP_TLS
* eGambit (Tehtris): https://tehtris.com/en/false-positive-negative-requests/
* Elastic: https://discuss.elastic.co/t/submitting-false-positives/232322/1# https://app.slack.com/client/TNLBGCXTQ/CRGSUQC20 https://github.com/elastic/detection-rules
* Emsisoft: fp at emsisoft.com and use "Submit as false alert" as the subject. Zip/Rar with password in the e-mail body.
* Fortinet: https://fortiguard.com/virusscanner
* GData: https://www.gdatasoftware.com/securitylabs
* Gridinsoft: https://anti-malware.gridinsoft.com/file-check/# or whitelist at gridinsoft.com for ISVs.
* Jiangmin: https://www.jiangmin.com/Abouts/address/ virus_(at)_jiangmin_(dot)_com
* Lionic: https://www.lionic.com/reportfp/# support at lionic.com
* Malwarebytes: https://support.malwarebytes.com/hc/en-us/articles/360038524154-Report-a-false-positive-to-Malwarebytes-Support
* MaxSecure: infp at maxpcsecure dot com or https://www.maxsecureantivirus.com/submit_aFalse_Positive.htm
* McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB85568
* Microsoft: https://www.microsoft.com/en-us/wdsi/filesubmission
* Rising: http://mailcenter.rising.com.cn/filecheck_en/#rising-global.com
* SangFor: https://community.sangfor.com/forum.php?mod=viewthread&tid=3104#https://sec.sangfor.com.cn/login.html?lang=EN-US
* SecureAge: https://www.secureage.com/article-report-false-positive
* Sophos: https://support.sophos.com/support/s/filesubmission?language=en_US
* Symantec (Norton): https://submit.symantec.com/false_positive/
* Trend Micro: https://www.trendmicro.com/en_us/about/legal/detection-reevaluation.html


== Online Virus Scanners ==
== Online Virus Scanners ==
Line 54: Line 124:
Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives:
Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives:


* [http://virusscan.jotti.org/ Jotti's malware scan] (15 engines)
* [https://virusscan.jotti.org/ Jotti's malware scan] (15 engines)
* [http://www.virustotal.com/ Virustotal] (28 engines)
* [https://metadefender.opswat.com/ Metadefender] (30 engines)
* [http://www.drweb-online.com/en/virustest.html Dr. Web]
* [https://www.virustotal.com/ VirusTotal] (~70 engines)
* [http://www.fortinet.com/FortiGuardCenter/antivirus/virus_scanner.html Fortinet]
* [https://alternativeto.net/software/virustotal/ VirusTotal Alternatives]
* [http://www.kaspersky.com/scanforvirus Kaspersky]
* [https://vms.drweb-av.de/online/ Dr. Web]
* [http://sandbox.norman.no/live_4.html Norman]
* [https://fortiguard.com/faq/onlinescanner Fortinet]
* [https://virusdesk.kaspersky.com/ Kaspersky]

Latest revision as of 09:13, 31 July 2023

There are hundreds of false positive made with NSIS. This page contains a list of some of them.

Does NSIS Contain a Virus?

No. NSIS is open source and you can check for yourself. Some people sadly use NSIS to distribute their malware. Even though most modern anti-virus vendors know how to extract and scan files from NSIS installers, some of them still generate signatures on the installer stub itself instead of the files in it. This causes a false positive on multiple installers generated using the same version of NSIS. This is a bug with the anti-virus and they normally fix it pretty quickly once reported back to them. It's like finding a virus in a zip file and marking all zip files as viruses as a result.

What Can I Do About My Installer?

  1. Report the false positive to the AV vendor.
  2. Sign your installer. There have been reports it helps.
  3. Compile your own version of NSIS with some modifications to avoid the signatures.

How Can I Help?

The following steps should be done for NSIS installer and the ZIP file. You can also perform them for your own installer.

  1. Upload NSIS to VirusTotal
  2. Go to the Community tab (example for 3.03) and vote as safe
  3. In the detection tab, notice which vendors have a false positive
  4. Use this list to notify each of them of the false positive
  5. Use False Positive Watch to get notified of changes to VirusTotal
  6. Repeat the process when there is a new false positive

NSIS Virus Checker False Positives

Bolded entries are still detected by the AV!

  1. McAfee - Apr 16, 2016 to May 2, 2016
  2. AntiVir - Sep 26, 2011 (see Virustotal results from Sep 26, 2011)
  3. Symantec 2011 - Sep 26, 2011 (see Virustotal results from Sep 26, 2011). Fixed on Sep 29, 2011
  4. Sunbelt - Dec 9, 2009 (see Virustotal results from Dec 22, 2009)
  5. McAfee VirusScan (DAT Version 5797) - Nov 9, 2009
  6. Sunbelt - June 5, 2009 (see Virustotal results from June 5, 2009, June 13, 2009)
  7. Vipre - May 11, 2009
  8. Symantec Enterprise - Oct 31, 2007 Definitions
  9. McAfee VirusScan (DAT Version 5150) - Oct 26, 2007
  10. AVG Antivirus - Oct 8, 2007
  11. Trend Micro OfficeScan - Sep 21, 2007
  12. Sophos - Aug 18, 2007
  13. Norton - Jul 17, 2007
  14. AntiVir Guard - Jun 27, 2007
  15. AVG Antivirus - Dec 7, 2006
  16. NOD32 - Nov 14, 2006
  17. F-PROT - Sep 21, 2006
  18. F-Secure - Sep 13, 2006
  19. Kaspersky - Sep 13, 2006
  20. Norman - Sep 11, 2006
  21. AVG Antivirus - Sep 11, 2006
  22. Fortinet - Jul 3, 2006
  23. AntiVir - Jul 1, 2006
  24. Norton & Symantec - Jul 1, 2006
  25. Kaspersky - Jun 21, 2006
  26. BitDefender - Jun 13, 2006
  27. OneCare - Jun 07, 2006
  28. AVG Antivirus - Jun 06, 2006
  29. Norton - May 20, 2006
  30. AntiVir - Feb 22, 2006
  31. Ad-Aware - Nov 22, 2005
  32. Mcafee - Nov 16, 2005
  33. AntiVir - Oct 12, 2005
  34. ArcaVir - Aug 21, 2005
  35. MS Antispyware - Aug 09, 2005
  36. MS Antispyware - Jul 26, 2005
  37. AVG Antivirus - Jul 10, 2005
  38. MS Antispyware - May 18, 2005
  39. MS Antispyware - Apr 22, 2005
  40. AVG Antivirus - Apr 21, 2005
  41. MS Antispyware - Mar 01, 2005
  42. PCCillin - Sep 17, 2004
  43. BitDefender - Aug 29, 2004
  44. Mcafee - Aug 26, 2004
  45. Sophos AV - Aug 16, 2004
  46. Norton - Aug 09, 2004
  47. Mcafee - Mar 11, 2004
  48. Norton - Feb 24, 2004


False Positive By Anti-Malware programs

  • Symantec (Norton): 5
  • MS Antispyware: 5
  • AVG Spyware: 5
  • AntiVir: 4
  • Mcafee: 4
  • Kaspersky: 2
  • BitDefender: 2
  • Sunbelt: 2
  • F-PROT: 1
  • F-Secure: 1
  • Norman: 1
  • Ad-Aware: 1
  • ArcaVir: 1
  • Fortinet: 1
  • OneCare: 1
  • PCCillin: 1
  • Sophos: 1
  • Spyware Terminator: 1
  • StopZilla: 1
  • Total False Positives: 38

Where to report false positives

Online Virus Scanners

Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives:

Retrieved from "https://nsis.sourceforge.io/mediawiki/index.php?title=NSIS_False_Positives&oldid=25863"