NSIS False Positives: Difference between revisions
(+ GitHub False-Positive-Center) |
|||
(75 intermediate revisions by 23 users not shown) | |||
Line 1: | Line 1: | ||
There are hundreds of | There are hundreds of false positive made with NSIS. This page contains a list of some of them. | ||
== Does NSIS Contain a Virus? == | |||
No. NSIS is open source and you can check for yourself. Some people sadly use NSIS to distribute their malware. Even though most modern anti-virus vendors know how to extract and scan files from NSIS installers, some of them still generate signatures on the installer stub itself instead of the files in it. This causes a false positive on multiple installers generated using the same version of NSIS. This is a bug with the anti-virus and they normally fix it pretty quickly once reported back to them. It's like finding a virus in a zip file and marking all zip files as viruses as a result. | |||
== What Can I Do About My Installer? == | |||
# Report the false positive to the AV vendor. | |||
# Sign your installer. There have been reports it helps. | |||
# Compile your own version of NSIS with some modifications to avoid the signatures. | |||
== How Can I Help? == | |||
The following steps should be done for NSIS installer and the ZIP file. You can also perform them for your own installer. | |||
# Upload NSIS to [https://www.virustotal.com/#/home/upload VirusTotal] | |||
# Go to the Community tab ([https://www.virustotal.com/#/file/bd3b15ab62ec6b0c7a00f46022d441af03277be893326f6fea8e212dc2d77743/community example for 3.03]) and vote as safe | |||
# In the detection tab, notice which vendors have a false positive | |||
# Use [https://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm#Easily_Submit_Malware_To_All_Vendors this list] to notify each of them of the false positive | |||
# Use [https://falsepositivewatch.com False Positive Watch] to get notified of changes to VirusTotal | |||
# Repeat the process when there is a new false positive | |||
== NSIS Virus Checker False Positives == | |||
'''Bolded entries are still detected by the AV!''' | '''Bolded entries are still detected by the AV!''' | ||
# McAfee - [https://www.virustotal.com/de/file/006586dbb7375d45d3caf18d17b69a724dd7719a3fecc37240645d40a7e2b703/analysis/1460813111/ Apr 16, 2016] to [https://www.virustotal.com/de/file/006586dbb7375d45d3caf18d17b69a724dd7719a3fecc37240645d40a7e2b703/analysis/1462177688/ May 2, 2016] | |||
# AntiVir - Sep 26, 2011 (see Virustotal results from [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317010793 Sep 26, 2011]) | |||
# Symantec 2011 - Sep 26, 2011 (see Virustotal results from [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317010793 Sep 26, 2011]). Fixed on [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317184605 Sep 29, 2011] | |||
# Sunbelt - Dec 9, 2009 (see Virustotal results from [http://www.virustotal.com/analisis/786b5087c0a506007d634cda09045b5ffb52897dccd9f47861bf2b7595a6e24d-1261471025 Dec 22, 2009]) | |||
# McAfee VirusScan (DAT Version 5797) - Nov 9, 2009 | |||
# Sunbelt - June 5, 2009 (see Virustotal results from [http://www.virustotal.com/analisis/1489ef6ec4476b096d8cfd389bce95267fc8fff51bb958915843d2c7214abc79-1244191930 June 5, 2009], [http://www.virustotal.com/analisis/1489ef6ec4476b096d8cfd389bce95267fc8fff51bb958915843d2c7214abc79-1244888211 June 13, 2009]) | |||
# Vipre - May 11, 2009 | |||
# Symantec Enterprise - Oct 31, 2007 Definitions | |||
# McAfee VirusScan (DAT Version 5150) - Oct 26, 2007 | |||
# AVG Antivirus - Oct 8, 2007 | |||
# Trend Micro OfficeScan - Sep 21, 2007 | |||
# Sophos - Aug 18, 2007 | |||
# Norton - Jul 17, 2007 | |||
# AntiVir Guard - Jun 27, 2007 | |||
# AVG Antivirus - Dec 7, 2006 | |||
# NOD32 - Nov 14, 2006 | |||
# F-PROT - Sep 21, 2006 | |||
# F-Secure - Sep 13, 2006 | |||
# Kaspersky - Sep 13, 2006 | |||
# Norman - Sep 11, 2006 | |||
# AVG Antivirus - Sep 11, 2006 | |||
# Fortinet - Jul 3, 2006 | |||
# AntiVir - Jul 1, 2006 | |||
# Norton & Symantec - Jul 1, 2006 | |||
# Kaspersky - Jun 21, 2006 | |||
# BitDefender - Jun 13, 2006 | |||
# OneCare - Jun 07, 2006 | |||
# AVG Antivirus - Jun 06, 2006 | |||
# Norton - May 20, 2006 | |||
# AntiVir - Feb 22, 2006 | |||
# Ad-Aware - Nov 22, 2005 | |||
# Mcafee - Nov 16, 2005 | |||
# AntiVir - Oct 12, 2005 | |||
# ArcaVir - Aug 21, 2005 | |||
# MS Antispyware - Aug 09, 2005 | |||
# MS Antispyware - Jul 26, 2005 | |||
# AVG Antivirus - Jul 10, 2005 | |||
# MS Antispyware - May 18, 2005 | |||
# MS Antispyware - Apr 22, 2005 | |||
# AVG Antivirus - Apr 21, 2005 | |||
# MS Antispyware - Mar 01, 2005 | |||
# PCCillin - Sep 17, 2004 | |||
# BitDefender - Aug 29, 2004 | |||
# Mcafee - Aug 26, 2004 | |||
# Sophos AV - Aug 16, 2004 | |||
# Norton - Aug 09, 2004 | |||
# Mcafee - Mar 11, 2004 | |||
# Norton - Feb 24, 2004 | |||
<br /> | <br /> | ||
==== False Positive By Anti-Malware programs ==== | ==== False Positive By Anti-Malware programs ==== | ||
* Symantec (Norton): 5 | |||
* MS Antispyware: 5 | * MS Antispyware: 5 | ||
* AVG Spyware: 5 | |||
* AVG | * AntiVir: 4 | ||
* AntiVir: | * Mcafee: 4 | ||
* Mcafee: | |||
* Kaspersky: 2 | * Kaspersky: 2 | ||
* BitDefender: 2 | * BitDefender: 2 | ||
* Sunbelt: 2 | |||
* F-PROT: 1 | |||
* F-Secure: 1 | |||
* Norman: 1 | * Norman: 1 | ||
* Ad-Aware: 1 | * Ad-Aware: 1 | ||
Line 54: | Line 85: | ||
* PCCillin: 1 | * PCCillin: 1 | ||
* Sophos: 1 | * Sophos: 1 | ||
* '''Total False Positives: | * Spyware Terminator: 1 | ||
* StopZilla: 1 | |||
* '''Total False Positives: 38''' | |||
== Where to report false positives == | |||
* '''Various: [https://github.com/yaronelh/False-Positive-Center False-Positive-Center (GitHub user yaronelh)]''' | |||
* Various: [https://www.techsupportalert.com/how-to-report-malware-or-false-positives-to-multiple-antivirus-vendors/ How to Report Malware or False Positives to Multiple Antivirus Vendors] (partly outdated) | |||
* ALYac: https://en.estsecurity.com/support/report | |||
* Antiy-AVL: https://www.antiy.net/contacts/ | |||
* Avast: https://www.avast.com/en-us/false-positive-file-form.php#pc | |||
* Avira: https://analysis.avira.com/en/submit | |||
* AVG: https://www.avg.com/en-us/false-positive-file-form | |||
* Bitdefender: https://www.bitdefender.com/submit/ | |||
* BKav: https://www.bkav.com/contact-us | |||
* CrowdStrike Falcon: https://www.crowdstrike.com/contact-us/#VTscanner_(at)_crowdstrike_(dot)_com | |||
* Cyren: https://www.cyren.com/support/reporting-av-misclassifications#FTP_TLS | |||
* eGambit (Tehtris): https://tehtris.com/en/false-positive-negative-requests/ | |||
* Elastic: https://discuss.elastic.co/t/submitting-false-positives/232322/1# https://app.slack.com/client/TNLBGCXTQ/CRGSUQC20 https://github.com/elastic/detection-rules | |||
* Emsisoft: fp at emsisoft.com and use "Submit as false alert" as the subject. Zip/Rar with password in the e-mail body. | |||
* Fortinet: https://fortiguard.com/virusscanner | |||
* GData: https://www.gdatasoftware.com/securitylabs | |||
* Gridinsoft: https://anti-malware.gridinsoft.com/file-check/# or whitelist at gridinsoft.com for ISVs. | |||
* Jiangmin: https://www.jiangmin.com/Abouts/address/ virus_(at)_jiangmin_(dot)_com | |||
* Lionic: https://www.lionic.com/reportfp/# support at lionic.com | |||
* Malwarebytes: https://support.malwarebytes.com/hc/en-us/articles/360038524154-Report-a-false-positive-to-Malwarebytes-Support | |||
* MaxSecure: infp at maxpcsecure dot com or https://www.maxsecureantivirus.com/submit_aFalse_Positive.htm | |||
* McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB85568 | |||
* Microsoft: https://www.microsoft.com/en-us/wdsi/filesubmission | |||
* Rising: http://mailcenter.rising.com.cn/filecheck_en/#rising-global.com | |||
* SangFor: https://community.sangfor.com/forum.php?mod=viewthread&tid=3104#https://sec.sangfor.com.cn/login.html?lang=EN-US | |||
* SecureAge: https://www.secureage.com/article-report-false-positive | |||
* Sophos: https://support.sophos.com/support/s/filesubmission?language=en_US | |||
* Symantec (Norton): https://submit.symantec.com/false_positive/ | |||
* Trend Micro: https://www.trendmicro.com/en_us/about/legal/detection-reevaluation.html | |||
== Online Virus Scanners == | == Online Virus Scanners == | ||
Line 60: | Line 124: | ||
Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives: | Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives: | ||
* [ | * [https://virusscan.jotti.org/ Jotti's malware scan] (15 engines) | ||
* [ | * [https://metadefender.opswat.com/ Metadefender] (30 engines) | ||
* [ | * [https://www.virustotal.com/ VirusTotal] (~70 engines) | ||
* [ | * [https://alternativeto.net/software/virustotal/ VirusTotal Alternatives] | ||
* [ | * [https://vms.drweb-av.de/online/ Dr. Web] | ||
* [ | * [https://fortiguard.com/faq/onlinescanner Fortinet] | ||
* [https://virusdesk.kaspersky.com/ Kaspersky] |
Latest revision as of 09:13, 31 July 2023
There are hundreds of false positive made with NSIS. This page contains a list of some of them.
Does NSIS Contain a Virus?
No. NSIS is open source and you can check for yourself. Some people sadly use NSIS to distribute their malware. Even though most modern anti-virus vendors know how to extract and scan files from NSIS installers, some of them still generate signatures on the installer stub itself instead of the files in it. This causes a false positive on multiple installers generated using the same version of NSIS. This is a bug with the anti-virus and they normally fix it pretty quickly once reported back to them. It's like finding a virus in a zip file and marking all zip files as viruses as a result.
What Can I Do About My Installer?
- Report the false positive to the AV vendor.
- Sign your installer. There have been reports it helps.
- Compile your own version of NSIS with some modifications to avoid the signatures.
How Can I Help?
The following steps should be done for NSIS installer and the ZIP file. You can also perform them for your own installer.
- Upload NSIS to VirusTotal
- Go to the Community tab (example for 3.03) and vote as safe
- In the detection tab, notice which vendors have a false positive
- Use this list to notify each of them of the false positive
- Use False Positive Watch to get notified of changes to VirusTotal
- Repeat the process when there is a new false positive
NSIS Virus Checker False Positives
Bolded entries are still detected by the AV!
- McAfee - Apr 16, 2016 to May 2, 2016
- AntiVir - Sep 26, 2011 (see Virustotal results from Sep 26, 2011)
- Symantec 2011 - Sep 26, 2011 (see Virustotal results from Sep 26, 2011). Fixed on Sep 29, 2011
- Sunbelt - Dec 9, 2009 (see Virustotal results from Dec 22, 2009)
- McAfee VirusScan (DAT Version 5797) - Nov 9, 2009
- Sunbelt - June 5, 2009 (see Virustotal results from June 5, 2009, June 13, 2009)
- Vipre - May 11, 2009
- Symantec Enterprise - Oct 31, 2007 Definitions
- McAfee VirusScan (DAT Version 5150) - Oct 26, 2007
- AVG Antivirus - Oct 8, 2007
- Trend Micro OfficeScan - Sep 21, 2007
- Sophos - Aug 18, 2007
- Norton - Jul 17, 2007
- AntiVir Guard - Jun 27, 2007
- AVG Antivirus - Dec 7, 2006
- NOD32 - Nov 14, 2006
- F-PROT - Sep 21, 2006
- F-Secure - Sep 13, 2006
- Kaspersky - Sep 13, 2006
- Norman - Sep 11, 2006
- AVG Antivirus - Sep 11, 2006
- Fortinet - Jul 3, 2006
- AntiVir - Jul 1, 2006
- Norton & Symantec - Jul 1, 2006
- Kaspersky - Jun 21, 2006
- BitDefender - Jun 13, 2006
- OneCare - Jun 07, 2006
- AVG Antivirus - Jun 06, 2006
- Norton - May 20, 2006
- AntiVir - Feb 22, 2006
- Ad-Aware - Nov 22, 2005
- Mcafee - Nov 16, 2005
- AntiVir - Oct 12, 2005
- ArcaVir - Aug 21, 2005
- MS Antispyware - Aug 09, 2005
- MS Antispyware - Jul 26, 2005
- AVG Antivirus - Jul 10, 2005
- MS Antispyware - May 18, 2005
- MS Antispyware - Apr 22, 2005
- AVG Antivirus - Apr 21, 2005
- MS Antispyware - Mar 01, 2005
- PCCillin - Sep 17, 2004
- BitDefender - Aug 29, 2004
- Mcafee - Aug 26, 2004
- Sophos AV - Aug 16, 2004
- Norton - Aug 09, 2004
- Mcafee - Mar 11, 2004
- Norton - Feb 24, 2004
False Positive By Anti-Malware programs
- Symantec (Norton): 5
- MS Antispyware: 5
- AVG Spyware: 5
- AntiVir: 4
- Mcafee: 4
- Kaspersky: 2
- BitDefender: 2
- Sunbelt: 2
- F-PROT: 1
- F-Secure: 1
- Norman: 1
- Ad-Aware: 1
- ArcaVir: 1
- Fortinet: 1
- OneCare: 1
- PCCillin: 1
- Sophos: 1
- Spyware Terminator: 1
- StopZilla: 1
- Total False Positives: 38
Where to report false positives
- Various: False-Positive-Center (GitHub user yaronelh)
- Various: How to Report Malware or False Positives to Multiple Antivirus Vendors (partly outdated)
- ALYac: https://en.estsecurity.com/support/report
- Antiy-AVL: https://www.antiy.net/contacts/
- Avast: https://www.avast.com/en-us/false-positive-file-form.php#pc
- Avira: https://analysis.avira.com/en/submit
- AVG: https://www.avg.com/en-us/false-positive-file-form
- Bitdefender: https://www.bitdefender.com/submit/
- BKav: https://www.bkav.com/contact-us
- CrowdStrike Falcon: https://www.crowdstrike.com/contact-us/#VTscanner_(at)_crowdstrike_(dot)_com
- Cyren: https://www.cyren.com/support/reporting-av-misclassifications#FTP_TLS
- eGambit (Tehtris): https://tehtris.com/en/false-positive-negative-requests/
- Elastic: https://discuss.elastic.co/t/submitting-false-positives/232322/1# https://app.slack.com/client/TNLBGCXTQ/CRGSUQC20 https://github.com/elastic/detection-rules
- Emsisoft: fp at emsisoft.com and use "Submit as false alert" as the subject. Zip/Rar with password in the e-mail body.
- Fortinet: https://fortiguard.com/virusscanner
- GData: https://www.gdatasoftware.com/securitylabs
- Gridinsoft: https://anti-malware.gridinsoft.com/file-check/# or whitelist at gridinsoft.com for ISVs.
- Jiangmin: https://www.jiangmin.com/Abouts/address/ virus_(at)_jiangmin_(dot)_com
- Lionic: https://www.lionic.com/reportfp/# support at lionic.com
- Malwarebytes: https://support.malwarebytes.com/hc/en-us/articles/360038524154-Report-a-false-positive-to-Malwarebytes-Support
- MaxSecure: infp at maxpcsecure dot com or https://www.maxsecureantivirus.com/submit_aFalse_Positive.htm
- McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB85568
- Microsoft: https://www.microsoft.com/en-us/wdsi/filesubmission
- Rising: http://mailcenter.rising.com.cn/filecheck_en/#rising-global.com
- SangFor: https://community.sangfor.com/forum.php?mod=viewthread&tid=3104#https://sec.sangfor.com.cn/login.html?lang=EN-US
- SecureAge: https://www.secureage.com/article-report-false-positive
- Sophos: https://support.sophos.com/support/s/filesubmission?language=en_US
- Symantec (Norton): https://submit.symantec.com/false_positive/
- Trend Micro: https://www.trendmicro.com/en_us/about/legal/detection-reevaluation.html
Online Virus Scanners
Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives:
- Jotti's malware scan (15 engines)
- Metadefender (30 engines)
- VirusTotal (~70 engines)
- VirusTotal Alternatives
- Dr. Web
- Fortinet
- Kaspersky