ws
Registered: Apr 2012 Posts: 251
ICU64 suddenly gone?
I just observed that my ICU64 is suddenly gone, and after getting the "Sorry, but this file contains a virus" warning upon trying to re-download it from the official Google Drive, I noticed that my antivirus has quietly annihilated the file, reason: "Trojan Generik.LBYTBYU".
I already contacted mathfigure about it, but I cannot believe that this is anything else but a false positive.
iAN CooG
Registered: May 2002 Posts: 3187
Which AV? You'd better report the false positive and also run the test at VirusTotal. Providing the URL of the result is a plus, but if 1-2 report a "generic" detection while others say it's OK, that should be enough to tell them to fix their signatures.
ws
Registered: Apr 2012 Posts: 251
I am using ESET. I actually have no experience with reporting false positives, but that is a good idea. Will look into it.
ws
Registered: Apr 2012 Posts: 251
huh... totally no idea what to make of this https://www.virustotal.com/gui/file/980e8d8750aa8a66a8e02183cd2..
iAN CooG
Registered: May 2002 Posts: 3187
We're witnessing a new religion in the making: a lie spread so many times, now most take it as a truth.
Are all the ICU64 on CSDb generating this alarm or just a specific one?
ws
Registered: Apr 2012 Posts: 251
It seems that only this version of ICU64 for VICE from CSDb acts the same as the version from mathfigure's Google Drive (that version is inaccessible now):
ICU64 for VICE 3.x V0.1.3
The Frodo versions are not impacted.
But this version of ICU for VICE is now also useless, since it requires the icu64.exe of the "flagged" version above:
ICU64 for VICE 3.7 V0.1.3
Martin Piper
Registered: Nov 2007 Posts: 718
Quote: huh... totally no idea what to make of this https://www.virustotal.com/gui/file/980e8d8750aa8a66a8e02183cd2..
This looks like a heuristic scan result, meaning it saw some code that was similar to code used in another virus, but it wasn't a precise match and it might or might not be malicious.
But given ICU64 launches a process and uses some form of process memory injection or inspection to get the emulated C64 memory, then this might itself be flagged as "maybe suspicious". I mean, doing such things with external processes is often used by suspicious code, so it's not a surprise it gets flagged during a scan.
But in this case we know ICU does this kind of process tweaking for legitimate reasons, so it's probably safe to ignore unless there is an exact and specific match with a known virus.
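The triage rule the thread converges on (a "generic" name from one or two engines while the rest report clean points to a heuristic hit rather than a confirmed signature match) can be written down as a small check over a multi-engine scan result. The following is an added example, not code from the thread or from the ICU64 project; the engine names, the sample results and the list of "generic" marker tokens are constructed assumptions, and the input shape (engine name to `category`/`result`) only mirrors the per-engine results a VirusTotal report exposes.

```python
"""Triage a multi-engine scan result for likely false positives (added example)."""
import re
from dataclasses import dataclass

# Assumption: these tokens usually mark heuristic / ML / family-level verdicts
# rather than a match on a specific known sample. Vendor naming is not standardised,
# so treat this list as a starting point, not a rule.
GENERIC_MARKERS = re.compile(
    r"\b(gen|generic|generik|heur|heuristic|susp|suspicious|ml|ai|artemis|unsafe|score)\b",
    re.IGNORECASE,
)


@dataclass
class Triage:
    engines: int      # engines that returned any result
    flagged: int      # engines reporting malicious or suspicious
    generic: int      # flagged verdicts carrying a generic/heuristic name
    specific: int     # flagged verdicts carrying a specific signature name
    verdict: str


def classify_name(detection: str) -> str:
    """Label a detection string as 'generic' or 'specific' by its name alone."""
    return "generic" if GENERIC_MARKERS.search(detection) else "specific"


def triage(results: dict) -> Triage:
    """results maps engine name -> {'category': str, 'result': str | None}.

    Assumption: only those two keys are consulted; 'category' values follow the
    'malicious' / 'suspicious' / 'undetected' convention."""
    engines = len(results)
    hits = [
        r["result"] for r in results.values()
        if r.get("category") in ("malicious", "suspicious") and r.get("result")
    ]
    generic = sum(1 for name in hits if classify_name(name) == "generic")
    specific = len(hits) - generic
    share = len(hits) / engines if engines else 0.0
    if not hits:
        verdict = "clean"
    elif specific:
        # A non-generic name means an engine claims a real match: do not dismiss it.
        verdict = "specific match: treat as malicious until proven otherwise"
    elif len(hits) <= 2 and share < 0.10:
        verdict = "likely false positive: submit the sample to the flagging vendor(s)"
    else:
        verdict = "inconclusive: several heuristic hits, investigate before running"
    return Triage(engines, len(hits), generic, specific, verdict)


def build_sample(flagged_names, clean_engines=23):
    """Constructed scan result: the given detection names plus N clean engines."""
    sample = {f"CleanEngine{i:02d}": {"category": "undetected", "result": None}
              for i in range(clean_engines)}
    for i, name in enumerate(flagged_names):
        sample[f"FlaggingEngine{i}"] = {"category": "malicious", "result": name}
    return sample


# Constructed case mirroring the thread: the generic name quoted in the first post
# plus one more generic hit, every other engine clean.
ICU64_LIKE = build_sample(["Trojan Generik.LBYTBYU", "Gen:Variant.Constructed.1"])
# Constructed contrast case: a non-generic name, which the rule must not wave through.
SPECIFIC_LIKE = build_sample(["Win32.Constructed.Virus.A"])

if __name__ == "__main__":
    for label, sample in (("icu64-like", ICU64_LIKE), ("specific", SPECIFIC_LIKE)):
        print(label, triage(sample))
```

The verdict strings are advice for the analyst, not an automatic allow: a "likely false positive" result is the cue to submit the sample to the vendor, as the thread goes on to do, rather than to exclude the file on the spot.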
tlr
Registered: Sep 2003 Posts: 1787
Quoting Martin Piper: But in this case we know ICU does this kind of process tweaking for legitimate reasons, so it's probably safe to ignore unless there is an exact and specific match with a known virus.
Some antivirus programs just rip away the binary on the fly and don't let you override that though.
Sometimes there isn't even a warning about it. I'm pointing at you, Windows Defender!
Fungus
Registered: Sep 2002 Posts: 680
This is due to AVs not being anything other than garbage anymore, and they use "AI" which is so smart all it does is check that string literals match some crap someone reported. It will mistake EXE files for JS exploits etc. (Defender is the worst at this), but other AV companies trade signatures and they get out there, and then perfectly legit stuff is flagged. It's incredibly annoying...
ws
Registered: Apr 2012 Posts: 251
I have now submitted the .exe alongside a false positive mail, according to their rules, to ESET. Let's see if they can grasp the idiocy of the situation.
ws
Registered: Apr 2012 Posts: 251
Adding the ICU64.exe to your virus-scan exceptions also seems to work as a workaround. (If you are using ESET, you can use the hashes provided by the VirusTotal link under DETAILS above; make sure to add the path to VICE and also the path to the ICU exe in both exclusion options (the second option requires the hash)).
Not great, not terrible.
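A hash-based exclusion is only as good as the check that the binary on disk is the one whose hash was looked at. As an added example, not code from the thread or from ICU64, the script below computes the three digests a scan report usually lists (MD5, SHA-1, SHA-256) and refuses to approve an exclusion unless the file's SHA-256 matches the value that was reviewed; the sample file content and the expected hash are constructed inside the example, and the real ICU64 hashes are not reproduced here because the thread only shows a truncated link.

```python
"""Verify a binary against a reviewed SHA-256 before excluding it (added example)."""
import hashlib
import os
import tempfile


def file_digests(path: str) -> dict:
    """MD5, SHA-1 and SHA-256 of a file, computed in one streaming pass."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def safe_to_exclude(path: str, reviewed_sha256: str) -> bool:
    """True only if the on-disk file is byte-for-byte the one that was reviewed.

    A mismatch means a different build (or a replaced file) would inherit the
    exclusion, which is exactly what a hash-scoped exclusion is meant to prevent."""
    return file_digests(path)["sha256"].lower() == reviewed_sha256.strip().lower()


def demo() -> dict:
    """Constructed scenario: write a stand-in binary to a temp file, record its
    SHA-256 as the 'reviewed' value, then check both the matching file and a
    tampered copy. Returns the outcomes so they can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "icu64-constructed.exe")
        with open(good, "wb") as fh:
            fh.write(b"MZ" + b"constructed stand-in, not a real executable" * 1000)
        reviewed = file_digests(good)["sha256"]   # the value you would have reviewed

        tampered = os.path.join(tmp, "icu64-replaced.exe")
        with open(tampered, "wb") as fh:
            fh.write(b"MZ" + b"constructed stand-in, not a real executable" * 1000 + b"\x00")

        return {
            "digests": file_digests(good),
            "good_file_ok": safe_to_exclude(good, reviewed),
            "tampered_file_ok": safe_to_exclude(tampered, reviewed),
            "wrong_hash_ok": safe_to_exclude(good, "0" * 64),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Re-run the check whenever the tool is updated: a new ICU64 build has a new hash, so the old exclusion stops matching and the scanner's verdict on the new file should be looked at afresh rather than carried over.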
ws
Registered: Apr 2012 Posts: 251
OK, ESET Support confirmed: "It is a false positive that was fixed already in the latest update. Please update your ESET product."
So, if your antivirus kills ICU64.exe, it is now officially a good idea to submit a false positive mail to them. For ESET it is now fixed.
Martin Piper
Registered: Nov 2007 Posts: 718
\\Yay//
goerp
Registered: Feb 2006 Posts: 21
Thanks for all the tips here!
I never thought reporting a false positive would work, so I never tried and kept using a very old version.
I use a different AV but I'll try to report it there.
Martin Piper
Registered: Nov 2007 Posts: 718
I used to work for a security software company. Handling false positives was important because it was related to accuracy of the product offering. If people saw the product was not accurate they wouldn't buy it.