"net.exe" false positive trojan alert by Avira antivirus?

steveh
Posts: 271
Joined: Sat Dec 18, 2004 10:02 pm

"net.exe" false positive trojan alert by Avira antivirus?

Post by steveh »

Hi,
I'm compiling ("make install") ReactOS trunk sources from time to time, and I became aware that this fails on my Linux system due to antivirus alerts and the compiled module being moved into the quarantine directory. Compiling the 0.3.8 source tree fails due to the same problem and the same Avira alert. I use RosBE-1.4, but the same also happened with RosBE-1.1 before. I have been getting "error1"s on "net.exe" for several weeks. I first suspected a filesystem problem with the absolute file path possibly being too long (?).
Only today I discovered that the problem is linked to Avira, looking at the antivirus quarantine directory and at the antivirus guard logfile by coincidence (the antivirus software is Avira AntiVir for Linux).
The logfile shows that the alerts started on January 7, 2009.

I think the best solution would be to exclude this file from the antivirus guard scan, but first I would like to know if anybody else has got this trojan alert when compiling ReactOS on a Linux or Windows system while using antivirus software from Avira? :o
2009-02-25 22:41:05 linux antivir[4220]: AVGU: ALERT AntiVir ALERT: [TR/Dropper.Gen] <source directory prefix>/svn/reactos.org/ReactOS-0.3.8-REL-src/ReactOS-0.3.8/output-i386/base/applications/network/net/net.exe <<< Is the Trojan horse TR/Dropper.Gen
2009-02-25 22:41:05 linux antivir[4220]: AVGU: INFO The concerning file has been moved from <source directory prefix>/svn/reactos.org/ReactOS-0.3.8-REL-src/ReactOS-0.3.8/output-i386/base/applications/network/net/net.exe to /home/unwanted/2E844BD9.60A.
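
A triage sketch for the situation in the post above, added here and not part of the original thread: it reads guard log lines in the format quoted in the post and lists files under a build output directory that the scanner flagged and moved to quarantine, which is what makes the build step fail. The function name, the `/src` path prefix and the second log entry are constructed for the example.

```python
import re

# Lines in the format quoted in the post. The "/src" prefix and the whole
# second alert/quarantine pair are constructed sample data.
SAMPLE_LOG = """\
2009-02-25 22:41:05 linux antivir[4220]: AVGU: ALERT AntiVir ALERT: [TR/Dropper.Gen] /src/ReactOS-0.3.8/output-i386/base/applications/network/net/net.exe <<< Is the Trojan horse TR/Dropper.Gen
2009-02-25 22:41:05 linux antivir[4220]: AVGU: INFO The concerning file has been moved from /src/ReactOS-0.3.8/output-i386/base/applications/network/net/net.exe to /home/unwanted/2E844BD9.60A.
2009-02-25 23:02:11 linux antivir[4220]: AVGU: ALERT AntiVir ALERT: [TR/Dropper.Gen] /home/user/Downloads/setup.exe <<< Is the Trojan horse TR/Dropper.Gen
2009-02-25 23:02:11 linux antivir[4220]: AVGU: INFO The concerning file has been moved from /home/user/Downloads/setup.exe to /home/unwanted/00000000.000.
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+ \S+) .*AVGU: ALERT AntiVir ALERT: "
                      r"\[(?P<sig>[^\]]+)\] (?P<path>.+?) <<< ")
# Assumption: the final "." on the INFO line ends the sentence and is not
# part of the quarantine file name.
MOVED_RE = re.compile(r"AVGU: INFO The concerning file has been moved "
                      r"from (?P<path>.+) to (?P<dest>\S+?)\.?$")


def quarantined_build_outputs(log_text, build_root):
    """Return alerts for files under build_root, each paired with the
    quarantine location reported by the following INFO line (if any)."""
    root = build_root.rstrip("/") + "/"
    hits, pending = [], {}
    for line in log_text.splitlines():
        alert = ALERT_RE.search(line)
        if alert:
            if alert["path"].startswith(root):
                hit = {"time": alert["ts"], "signature": alert["sig"],
                       "path": alert["path"], "quarantine": None}
                hits.append(hit)
                pending[hit["path"]] = hit  # wait for the matching move
            continue
        moved = MOVED_RE.search(line)
        if moved and moved["path"] in pending:
            pending.pop(moved["path"])["quarantine"] = moved["dest"]
    return hits


if __name__ == "__main__":
    for h in quarantined_build_outputs(SAMPLE_LOG,
                                       "/src/ReactOS-0.3.8/output-i386"):
        print(f'{h["time"]}  {h["signature"]}  {h["path"]}'
              f'  ->  {h["quarantine"]}')
```

Alerts outside the build tree are deliberately left out of the result, so only detections that can explain a failed build step are listed.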

hto
Developer
Posts: 2193
Joined: Sun Oct 01, 2006 3:43 pm

Post by hto »

That's because a virus infected RosBE, so it now produces trojans. :)

dark
Posts: 278
Joined: Wed Apr 06, 2005 9:40 pm

Re: "net.exe" false positive trojan alert by Avira antivirus?

Post by dark »

It's unlikely anyone here would have antivirus installed on desktop Linux. You don't really need virus protection if you take the time to thoroughly investigate everything you install and keep the system updated (OS-independent advice).

Black_Fox
Posts: 1584
Joined: Fri Feb 15, 2008 9:44 pm
Location: Czechia

Re: "net.exe" false positive trojan alert by Avira antivirus?

Post by Black_Fox »

Luckily we have 0-day worms to prove that the post-before-mine's opinion is partially based on myth. I agree, though, that Windows-based antivirus on Linux is basically not needed.

SpoonmAn
Posts: 77
Joined: Mon Dec 19, 2005 6:09 pm

Re: "net.exe" false positive trojan alert by Avira antivirus?

Post by SpoonmAn »

I'd say this is a false positive for sure, maybe caused by a heuristic scan, since parts of an operating system perform tasks that are also performed by malware, and suspect files do not have the same signatures as original Windows files.

BTW, I partially agree with the previous posters: you do not need AV software on Linux systems, except if it is a server that also manages eventually unprotected Windows clients.

hto
Developer
Posts: 2193
Joined: Sun Oct 01, 2006 3:43 pm

Post by hto »

Black_Fox wrote: Luckily we have 0-day worms […]
Thank you very much. :)

steveh
Posts: 271
Joined: Sat Dec 18, 2004 10:02 pm

OT: why antivirus linux... platform independent java+javascr

Post by steveh »

Of course antivirus for Linux is a very controversial subject.

Till 2007 I also was convinced Linux doesn't need antivirus.
Unfortunately, since 2008 there are more and more press reports about today's malware frequently attacking legitimate websites whose servers are insufficiently protected. And these web servers are then abused to distribute drive-by malware.

Of course I protect my web browser by allowing execution of Java + JavaScript only very selectively. But a few legitimate websites are allowed Java + JavaScript execution. Then it is only a small step to infections by platform-independent script malware... if one of these web servers were hijacked and abused for malware distribution.

And even if the OS itself is not infected in that case, I would not like to reinitialize my user profile and delete files which have become untrustworthy after an infection.

dark
Posts: 278
Joined: Wed Apr 06, 2005 9:40 pm

Re: "net.exe" false positive trojan alert by Avira antivirus?

Post by dark »

Black_Fox wrote: Luckily we have 0-day worms to prove that the post-before-mine's opinion is partially based on myth.

Then don't run as administrator, get a limited account to do your work. (Or just upgrade to Vista or 7 and use UAC, maybe get a router...)

I've never had any problems other than other users with administrator privileges having installed malware (and yes, I was able to track down who exactly each time).

For a business computer, you would probably need antivirus no matter what, as there is a legal obligation to not spread it.

steveh wrote: Of course antivirus for Linux is a very controversial subject.

Till 2007 I also was convinced Linux doesn't need antivirus.
Unfortunately, since 2008 there are more and more press reports about today's malware frequently attacking legitimate websites whose servers are insufficiently protected. And these web servers are then abused to distribute drive-by malware.

Of course I protect my web browser by allowing execution of Java + JavaScript only very selectively. But a few legitimate websites are allowed Java + JavaScript execution. Then it is only a small step to infections by platform-independent script malware... if one of these web servers were hijacked and abused for malware distribution.

And even if the OS itself is not infected in that case, I would not like to reinitialize my user profile and delete files which have become untrustworthy after an infection.

What I've learned from all my experience cleaning up computers is that at least 95% of the infections are caused by the user. There was even a study a while back with med students that found that they couldn't tell the difference between a browser pop-up and a legitimate message. It would just take some JavaScript and file selection to get average users to infect their computers, no matter what OS they're running.

Haos
Test Team
Posts: 2954
Joined: Thu Mar 22, 2007 5:42 am

Re: "net.exe" false positive trojan alert by Avira antivirus?

Post by Haos »

Let us not get off topic. Net.exe should be reported to Avira as a false positive. It is also a wise choice to add the RosBE dir and the ReactOS source tree to the antivirus exclude list. Real-time scanning can seriously slow down your build process.

Black_Fox
Posts: 1584
Joined: Fri Feb 15, 2008 9:44 pm
Location: Czechia

Re: "net.exe" false positive trojan alert by Avira antivirus?

Post by Black_Fox »

dark wrote: Then don't run as administrator, get a limited account to do your work. (or just upgrade to vista or 7 and use UAC, maybe get a router...)

These fine ideas are all already used, including using x64 Vista to stop 16-bit executables from working; also looking forward to Seven RTM, of course. I'm just saying I don't believe that a cautious attitude can completely remove the need for an antivirus.

hto wrote: Thank you very much. :)

I hope this is mutual sarcasm :)
