NSIS False Positives: Difference between revisions

From NSIS Wiki
Jump to navigationJump to search
(+ GitHub False-Positive-Center)
 
(30 intermediate revisions by 4 users not shown)
Line 1: Line 1:
There are hundreds of false positive made with NSIS. This page contains a list of some of them.
There are hundreds of false positive made with NSIS. This page contains a list of some of them.


== Does NSIS Contain a Virus? ==
No. NSIS is open source and you can check for yourself. Some people sadly use NSIS to distribute their malware. Even though most modern anti-virus vendors know how to extract and scan files from NSIS installers, some of them still generate signatures on the installer stub itself instead of the files in it. This causes a false positive on multiple installers generated using the same version of NSIS. This is a bug with the anti-virus and they normally fix it pretty quickly once reported back to them. It's like finding a virus in a zip file and marking all zip files as viruses as a result.
== What Can I Do About My Installer? ==
# Report the false positive to the AV vendor.
# Sign your installer. There have been reports it helps.
# Compile your own version of NSIS with some modifications to avoid the signatures.
== How Can I Help? ==
The following steps should be done for NSIS installer and the ZIP file. You can also perform them for your own installer.
# Upload NSIS to [https://www.virustotal.com/#/home/upload VirusTotal]
# Go to the Community tab ([https://www.virustotal.com/#/file/bd3b15ab62ec6b0c7a00f46022d441af03277be893326f6fea8e212dc2d77743/community example for 3.03]) and vote as safe
# In the detection tab, notice which vendors have a false positive
# Use [https://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm#Easily_Submit_Malware_To_All_Vendors this list] to notify each of them of the false positive
# Use [https://falsepositivewatch.com False Positive Watch] to get notified of changes to VirusTotal
# Repeat the process when there is a new false positive
== NSIS Virus Checker False Positives ==
== NSIS Virus Checker False Positives ==
This information is collected from [http://forums.winamp.com/forumdisplay.php?forumid=65 NSIS forum], simply by searching for "virus". Now updated on a regular basis!<br>
'''Bolded entries are still detected by the AV!'''
'''Bolded entries are still detected by the AV!'''
# '''AntiVir''' - Sep 26, 2011 (see Virustotal results from [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317010793 Sep 26, 2011])
# McAfee - [https://www.virustotal.com/de/file/006586dbb7375d45d3caf18d17b69a724dd7719a3fecc37240645d40a7e2b703/analysis/1460813111/ Apr 16, 2016] to [https://www.virustotal.com/de/file/006586dbb7375d45d3caf18d17b69a724dd7719a3fecc37240645d40a7e2b703/analysis/1462177688/ May 2, 2016]
# AntiVir - Sep 26, 2011 (see Virustotal results from [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317010793 Sep 26, 2011])
# Symantec 2011 - Sep 26, 2011 (see Virustotal results from [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317010793 Sep 26, 2011]). Fixed on [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317184605 Sep 29, 2011]
# Symantec 2011 - Sep 26, 2011 (see Virustotal results from [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317010793 Sep 26, 2011]). Fixed on [http://www.virustotal.com/file-scan/report.html?id=4e83ec0eea9ad15ab6a233ce56d2d61f436db03fd461e937b1c27ab96f14f34c-1317184605 Sep 29, 2011]
# Sunbelt - Dec 9, 2009 (see Virustotal results from [http://www.virustotal.com/analisis/786b5087c0a506007d634cda09045b5ffb52897dccd9f47861bf2b7595a6e24d-1260395329 Dec 9, 2009], [http://www.virustotal.com/analisis/786b5087c0a506007d634cda09045b5ffb52897dccd9f47861bf2b7595a6e24d-1261471025 Dec 22, 2009])
# Sunbelt - Dec 9, 2009 (see Virustotal results from [http://www.virustotal.com/analisis/786b5087c0a506007d634cda09045b5ffb52897dccd9f47861bf2b7595a6e24d-1261471025 Dec 22, 2009])
# '''McAfee VirusScan''' (DAT Version 5797) - Nov 9, 2009
# McAfee VirusScan (DAT Version 5797) - Nov 9, 2009
# Sunbelt - June 5, 2009 (see Virustotal results from [http://www.virustotal.com/analisis/1489ef6ec4476b096d8cfd389bce95267fc8fff51bb958915843d2c7214abc79-1244191930  June 5, 2009], [http://www.virustotal.com/analisis/1489ef6ec4476b096d8cfd389bce95267fc8fff51bb958915843d2c7214abc79-1244888211 June 13, 2009])
# Sunbelt - June 5, 2009 (see Virustotal results from [http://www.virustotal.com/analisis/1489ef6ec4476b096d8cfd389bce95267fc8fff51bb958915843d2c7214abc79-1244191930  June 5, 2009], [http://www.virustotal.com/analisis/1489ef6ec4476b096d8cfd389bce95267fc8fff51bb958915843d2c7214abc79-1244888211 June 13, 2009])
# Vipre - May 11, 2009
# Symantec Enterprise - Oct 31, 2007 Definitions
# Symantec Enterprise - Oct 31, 2007 Definitions
# McAfee VirusScan (DAT Version 5150) - Oct 26, 2007
# McAfee VirusScan (DAT Version 5150) - Oct 26, 2007
Line 51: Line 65:
# Mcafee - Mar 11, 2004
# Mcafee - Mar 11, 2004
# Norton - Feb 24, 2004
# Norton - Feb 24, 2004
# '''avast!''' - ???
# Vipre May 11 2009
<br />
<br />


Line 78: Line 90:


== Where to report false positives ==
== Where to report false positives ==
* McAfee: http://www.mcafee.com/us/threat_center/dispute/dispute_form.asp
* '''Various: [https://github.com/yaronelh/False-Positive-Center False-Positive-Center (GitHub user yaronelh)]'''
* Various: [https://www.techsupportalert.com/how-to-report-malware-or-false-positives-to-multiple-antivirus-vendors/ How to Report Malware or False Positives to Multiple Antivirus Vendors] (partly outdated)
* ALYac: https://en.estsecurity.com/support/report
* Antiy-AVL: https://www.antiy.net/contacts/
* Avast: https://www.avast.com/en-us/false-positive-file-form.php#pc
* Avira: https://analysis.avira.com/en/submit
* AVG: https://www.avg.com/en-us/false-positive-file-form
* Bitdefender: https://www.bitdefender.com/submit/
* BKav: https://www.bkav.com/contact-us
* CrowdStrike Falcon: https://www.crowdstrike.com/contact-us/#VTscanner_(at)_crowdstrike_(dot)_com
* Cyren: https://www.cyren.com/support/reporting-av-misclassifications#FTP_TLS
* eGambit (Tehtris): https://tehtris.com/en/false-positive-negative-requests/
* Elastic: https://discuss.elastic.co/t/submitting-false-positives/232322/1# https://app.slack.com/client/TNLBGCXTQ/CRGSUQC20 https://github.com/elastic/detection-rules
* Emsisoft: fp at emsisoft.com and use "Submit as false alert" as the subject. Zip/Rar with password in the e-mail body.
* Fortinet: https://fortiguard.com/virusscanner
* GData: https://www.gdatasoftware.com/securitylabs
* Gridinsoft: https://anti-malware.gridinsoft.com/file-check/# or whitelist at gridinsoft.com for ISVs.
* Jiangmin: https://www.jiangmin.com/Abouts/address/ virus_(at)_jiangmin_(dot)_com
* Lionic: https://www.lionic.com/reportfp/# support at lionic.com
* Malwarebytes: https://support.malwarebytes.com/hc/en-us/articles/360038524154-Report-a-false-positive-to-Malwarebytes-Support
* MaxSecure: infp at maxpcsecure dot com or https://www.maxsecureantivirus.com/submit_aFalse_Positive.htm
* McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB85568
* Microsoft: https://www.microsoft.com/en-us/wdsi/filesubmission
* Rising: http://mailcenter.rising.com.cn/filecheck_en/#rising-global.com
* SangFor: https://community.sangfor.com/forum.php?mod=viewthread&tid=3104#https://sec.sangfor.com.cn/login.html?lang=EN-US
* SecureAge: https://www.secureage.com/article-report-false-positive
* Sophos: https://support.sophos.com/support/s/filesubmission?language=en_US
* Symantec (Norton): https://submit.symantec.com/false_positive/
* Trend Micro: https://www.trendmicro.com/en_us/about/legal/detection-reevaluation.html


== Online Virus Scanners ==
== Online Virus Scanners ==
Line 84: Line 124:
Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives:
Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives:


* [http://virusscan.jotti.org/ Jotti's malware scan] (20 engines)
* [https://virusscan.jotti.org/ Jotti's malware scan] (15 engines)
* [http://www.virustotal.com/ Virustotal] (40 engines)
* [https://metadefender.opswat.com/ Metadefender] (30 engines)
* [http://www.drweb-online.com/en/virustest.html Dr. Web]
* [https://www.virustotal.com/ VirusTotal] (~70 engines)
* [http://www.fortinet.com/FortiGuardCenter/antivirus/virus_scanner.html Fortinet]
* [https://alternativeto.net/software/virustotal/ VirusTotal Alternatives]
* [http://www.kaspersky.com/scanforvirus Kaspersky]
* [https://vms.drweb-av.de/online/ Dr. Web]
* [http://sandbox.norman.no/live_4.html Norman]
* [https://fortiguard.com/faq/onlinescanner Fortinet]
* [https://virusdesk.kaspersky.com/ Kaspersky]

Latest revision as of 09:13, 31 July 2023

There are hundreds of false positive made with NSIS. This page contains a list of some of them.

Does NSIS Contain a Virus?

No. NSIS is open source and you can check for yourself. Some people sadly use NSIS to distribute their malware. Even though most modern anti-virus vendors know how to extract and scan files from NSIS installers, some of them still generate signatures on the installer stub itself instead of the files in it. This causes a false positive on multiple installers generated using the same version of NSIS. This is a bug with the anti-virus and they normally fix it pretty quickly once reported back to them. It's like finding a virus in a zip file and marking all zip files as viruses as a result.

What Can I Do About My Installer?

  1. Report the false positive to the AV vendor.
  2. Sign your installer. There have been reports it helps.
  3. Compile your own version of NSIS with some modifications to avoid the signatures.

How Can I Help?

The following steps should be done for NSIS installer and the ZIP file. You can also perform them for your own installer.

  1. Upload NSIS to VirusTotal
  2. Go to the Community tab (example for 3.03) and vote as safe
  3. In the detection tab, notice which vendors have a false positive
  4. Use this list to notify each of them of the false positive
  5. Use False Positive Watch to get notified of changes to VirusTotal
  6. Repeat the process when there is a new false positive

NSIS Virus Checker False Positives

Bolded entries are still detected by the AV!

  1. McAfee - Apr 16, 2016 to May 2, 2016
  2. AntiVir - Sep 26, 2011 (see Virustotal results from Sep 26, 2011)
  3. Symantec 2011 - Sep 26, 2011 (see Virustotal results from Sep 26, 2011). Fixed on Sep 29, 2011
  4. Sunbelt - Dec 9, 2009 (see Virustotal results from Dec 22, 2009)
  5. McAfee VirusScan (DAT Version 5797) - Nov 9, 2009
  6. Sunbelt - June 5, 2009 (see Virustotal results from June 5, 2009, June 13, 2009)
  7. Vipre - May 11, 2009
  8. Symantec Enterprise - Oct 31, 2007 Definitions
  9. McAfee VirusScan (DAT Version 5150) - Oct 26, 2007
  10. AVG Antivirus - Oct 8, 2007
  11. Trend Micro OfficeScan - Sep 21, 2007
  12. Sophos - Aug 18, 2007
  13. Norton - Jul 17, 2007
  14. AntiVir Guard - Jun 27, 2007
  15. AVG Antivirus - Dec 7, 2006
  16. NOD32 - Nov 14, 2006
  17. F-PROT - Sep 21, 2006
  18. F-Secure - Sep 13, 2006
  19. Kaspersky - Sep 13, 2006
  20. Norman - Sep 11, 2006
  21. AVG Antivirus - Sep 11, 2006
  22. Fortinet - Jul 3, 2006
  23. AntiVir - Jul 1, 2006
  24. Norton & Symantec - Jul 1, 2006
  25. Kaspersky - Jun 21, 2006
  26. BitDefender - Jun 13, 2006
  27. OneCare - Jun 07, 2006
  28. AVG Antivirus - Jun 06, 2006
  29. Norton - May 20, 2006
  30. AntiVir - Feb 22, 2006
  31. Ad-Aware - Nov 22, 2005
  32. Mcafee - Nov 16, 2005
  33. AntiVir - Oct 12, 2005
  34. ArcaVir - Aug 21, 2005
  35. MS Antispyware - Aug 09, 2005
  36. MS Antispyware - Jul 26, 2005
  37. AVG Antivirus - Jul 10, 2005
  38. MS Antispyware - May 18, 2005
  39. MS Antispyware - Apr 22, 2005
  40. AVG Antivirus - Apr 21, 2005
  41. MS Antispyware - Mar 01, 2005
  42. PCCillin - Sep 17, 2004
  43. BitDefender - Aug 29, 2004
  44. Mcafee - Aug 26, 2004
  45. Sophos AV - Aug 16, 2004
  46. Norton - Aug 09, 2004
  47. Mcafee - Mar 11, 2004
  48. Norton - Feb 24, 2004


False Positive By Anti-Malware programs

  • Symantec (Norton): 5
  • MS Antispyware: 5
  • AVG Spyware: 5
  • AntiVir: 4
  • Mcafee: 4
  • Kaspersky: 2
  • BitDefender: 2
  • Sunbelt: 2
  • F-PROT: 1
  • F-Secure: 1
  • Norman: 1
  • Ad-Aware: 1
  • ArcaVir: 1
  • Fortinet: 1
  • OneCare: 1
  • PCCillin: 1
  • Sophos: 1
  • Spyware Terminator: 1
  • StopZilla: 1
  • Total False Positives: 38

Where to report false positives

Online Virus Scanners

Here is a list of free online virus scanners useful to check NSIS installers and stubs for false positives: