Kitz Forum

Broadband Related => Router Monitoring Software => Topic started by: les-70 on October 13, 2013, 01:03:03 PM

Title: DMT infected with mal/encpk-aco?
Post by: les-70 on October 13, 2013, 01:03:03 PM
Recently my virus protection software, Sophos, has taken a dislike to DMT 8.07. It lists it as having mal/encpk-aco and won't let me run it without manual intervention.

I am a bit surprised at this, having used DMT for some time with no apparent problems and always with Sophos running. Equally, I would like to fully understand things before overriding the warning. It is not a big issue with things like DSLstats available, but I would like to understand things rather than immediately doing a total removal of DMT from the PC.

Has anyone else had or heard of this issue?
Title: Re: DMT infected with mal/encpk-aco?
Post by: roseway on October 13, 2013, 01:15:50 PM
DMT hasn't changed recently, so I guess it must be a false positive. Presumably the virus it claims to detect is one which has recently been added to the Sophos virus database.
Title: Re: DMT infected with mal/encpk-aco?
Post by: les-70 on October 13, 2013, 01:49:33 PM
I am inclined to agree. However, as I said, ignoring a virus checker is not a thing I like to do. Sophos also dislikes fresh downloads of DMT. I have told Sophos to run it anyway as I can't detect any of the extra files that are supposed to go with mal/encpk-aco. Seems fine, but I still worry.

Title: Re: DMT infected with mal/encpk-aco?
Post by: Chrysalis on October 20, 2013, 11:01:44 PM
3 possibilities.

1 - FP that will disappear in a few days when the AV vendor realises.
2 - Deliberate FP added at the request of the modem vendor to deter people from using DMT.
3 - The DMT is actually infected; this is more likely if you grabbed it off an unofficial download location.
Title: Re: DMT infected with mal/encpk-aco?
Post by: sheddyian on October 20, 2013, 11:56:51 PM
VirusTotal is a useful site - you can upload a file to it and it runs it past a large number of virus scanners.

https://www.virustotal.com/

Upload the program that Sophos is complaining about, and see how many other virus scanners think it's dodgy - might help you decide if it's a false positive or if something is wrong.

Ian

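The check Ian describes can be done without uploading the binary at all: hash the file and ask VirusTotal for the report it already holds, then look at how many engines flag it and under what names. The script below is an added example, not code from the thread or from VirusTotal; the v3 `files/{sha256}` endpoint and the `x-apikey` header are real, but the sample report, the engine names other than Sophos, and the `verdict()` rule of thumb are constructed assumptions of mine.

```python
"""Hash-based VirusTotal lookup and report summary.

Added example, not from the thread: instead of uploading the executable, compute
its SHA-256 and ask VirusTotal's v3 file endpoint for the existing report, then
summarise how many engines flag it and under what names. Network access and an
API key are only needed in the __main__ section; summarise() works on a report
dict, and a constructed sample report is included so the rest runs offline.
"""
import hashlib
import json
import sys
import urllib.request
from collections import Counter

# Real VirusTotal v3 endpoint; lookups by hash need an API key in the x-apikey header.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of_stream(fobj, chunk_size=1 << 20):
    """Stream a binary file object through SHA-256 so large installers fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_file(path):
    with open(path, "rb") as fobj:
        return sha256_of_stream(fobj)


def build_request(sha256, api_key):
    """GET request for the file object; nothing is uploaded, only the hash is sent."""
    return urllib.request.Request(VT_FILE_URL.format(sha256=sha256),
                                  headers={"x-apikey": api_key})


def summarise(report):
    """Reduce a v3 file report to the facts a false-positive decision rests on."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {engine: entry["result"] for engine, entry in results.items()
               if entry["category"] == "malicious"}
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "flagged_by": sorted(flagged),
        "names": Counter(flagged.values()),
    }


def verdict(summary, max_ratio=0.1):
    """Assumed rule of thumb, not a VirusTotal feature: a small minority of engines
    with unrelated, generic names points at a false positive; agreement across
    many engines, or one family name repeated, does not."""
    if summary["engines"] == 0:
        return "no analysis"
    ratio = summary["flagged"] / summary["engines"]
    return "likely false positive" if ratio <= max_ratio else "treat as suspicious"


def make_report(sha256, engine_results):
    """Build a report with the shape of a v3 file object from {engine: name_or_None}.
    Constructed for offline use; real reports carry many more attributes."""
    results = {
        engine: {"category": "malicious" if name else "undetected", "result": name}
        for engine, name in engine_results.items()
    }
    return {"data": {"attributes": {"sha256": sha256, "last_analysis_results": results}}}


# Constructed sample: two engines flag the file, 38 do not. Engine names other than
# Sophos and the detection name quoted in the thread are invented placeholders.
SAMPLE_RESULTS = {"Sophos": "Mal/EncPk-ACO", "ExampleEngineB": "Gen:Suspicious.Packed"}
SAMPLE_RESULTS.update({f"ExampleEngine{i:02d}": None for i in range(3, 41)})
SAMPLE_REPORT = make_report("0" * 64, SAMPLE_RESULTS)


if __name__ == "__main__":
    # Usage: python vt_lookup.py <file> <api-key>  (real lookup; arguments assumed)
    if len(sys.argv) == 3:
        digest = sha256_of_file(sys.argv[1])
        with urllib.request.urlopen(build_request(digest, sys.argv[2])) as resp:
            report = json.load(resp)
    else:
        report = SAMPLE_REPORT
    summary = summarise(report)
    print(json.dumps(summary, indent=2), verdict(summary))
```

Run without arguments it summarises the constructed report (2 of 40 engines, two unrelated names), which is the pattern les-70 later reports seeing; the hash lookup also avoids handing a possibly private installer to a third party, and a missing report simply means nobody has submitted that exact build yet.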
Title: Re: DMT infected with mal/encpk-aco?
Post by: les-70 on October 21, 2013, 08:25:47 AM
Thanks for the advice.  :)

Sophos has indeed updated its false positive and seems happy now.

VirusTotal shows two different checkers with false positives.

I am convinced it is OK, but I guess router monitoring software could provide a nice location for something nasty.
Title: Re: DMT infected with mal/encpk-aco?
Post by: kitz on October 21, 2013, 12:43:02 PM
It sometimes seems like AV has got paranoid these days, and there do seem to be quite a lot of false positives.

AVs look for signature patterns, and if they see something that relates to a known pattern then the program will be marked as suspect. Key gens and program cracks are a common FP. The crack itself may be clean, but the AV picks up the pattern that it's trying to crack something, so it sees it as a trojan. I suppose this then makes it hard for anyone using a crack to find out now if it is a 'genuine crack' or does actually contain a nasty.

I have a couple of network tools which sniff packets that AVs always mark as trojans that I know aren't. Anything that does packet sniffing is regarded as a possible threat despite being legitimate software, which is why the AV manufacturers have to whitelist them. Wireshark and WinPcap are two popular network tools that have at one time been marked as containing viruses when in fact they don't. However, those two are well known and it's not long before complaints get made and the AV company moves them to the OK list.

Cain (http://en.wikipedia.org/wiki/Cain_and_Abel_%28software%29) is another valid program, used to recover lost Windows passwords, yet even today this will be marked as a virus by some AV software. Anything that 'sniffs' or scans is always going to come up as suspect.

One of the things I had to do for an assignment when at college was write a messenger program. I've had AVs mark it in the past as a trojan, yet I 100% know that it isn't. To this day I still don't know why it got picked on.

I think if enough users report a suspected FP then the AV company will whitelist it; it's therefore harder and will take longer for the less well-known program FPs to clear.
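The mechanism kitz describes, a signature that matches bytes rather than intent and a vendor whitelist that suppresses the match for reviewed files, can be shown with a toy scanner. This is an added example, not anything from the thread or from any AV product; the signature, the file contents and the allowlist are all constructed, and the `Constructed.Sniffer.Generic` name is a placeholder.

```python
"""Toy signature scanner: why a byte-pattern match yields a false positive and
how a hash allowlist (the vendor "whitelist") suppresses it.

Added example, not from the thread; signatures, sample blobs and allowlist are
all constructed. Real engines use far richer heuristics, but the mechanism the
post describes is the same: the pattern matches bytes, not intent.
"""
import hashlib
import re

# Constructed signature: a name maps to byte regexes that must ALL be present.
# It is written for a packet-stealing trojan, but any program that links WinPcap
# carries the same import strings, so a legitimate capture tool matches too.
SIGNATURES = {
    "Constructed.Sniffer.Generic": [rb"wpcap\.dll", rb"pcap_open_live"],
}


def scan(blob):
    """Return the names of every signature whose patterns all occur in blob."""
    return sorted(name for name, patterns in SIGNATURES.items()
                  if all(re.search(p, blob) for p in patterns))


def classify(blob, allowlist=frozenset()):
    """Signature hits plus a hash allowlist: bytes a vendor has reviewed and listed
    as known-good raise no alert; anything else that matches is flagged."""
    digest = hashlib.sha256(blob).hexdigest()
    hits = scan(blob)
    if not hits:
        return "clean", hits
    if digest in allowlist:
        return "allowed", hits
    return "flagged", hits


# Constructed stand-ins for file contents (not real binaries).
CAPTURE_TOOL = (b"MZ...constructed legitimate capture tool..."
                b"wpcap.dll\x00pcap_open_live\x00pcap_loop\x00")
PLAIN_APP = b"MZ...constructed messenger program...connect\x00send\x00recv\x00"

# The vendor whitelist: SHA-256 of each reviewed, known-good file.
ALLOWLIST = frozenset({hashlib.sha256(CAPTURE_TOOL).hexdigest()})


def demo():
    """Run the four cases the post talks about and return their outcomes."""
    return {
        "capture tool, not yet whitelisted": classify(CAPTURE_TOOL),
        "capture tool, whitelisted": classify(CAPTURE_TOOL, ALLOWLIST),
        "plain app": classify(PLAIN_APP, ALLOWLIST),
        # A new release differs by at least one byte, so its hash is not listed
        # and the FP returns until the vendor reviews the new build.
        "capture tool, new release": classify(CAPTURE_TOOL + b"\x00", ALLOWLIST),
    }


if __name__ == "__main__":
    for label, (status, hits) in demo().items():
        print(f"{label:36s} {status:8s} {hits}")
```

The last case is the practical consequence of a hash whitelist: every new version of a lesser-known tool starts out unlisted, which is why its false positives take longer to clear than Wireshark's or WinPcap's.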