Kitz Forum
Broadband Related => Router Monitoring Software => Topic started by: les-70 on October 13, 2013, 01:03:03 PM
-
Recently my virus protection software, Sophos, has taken a dislike to DMT 8.07. It lists it as having mal/encpk-aco and won't let me run it without manual intervention.
I am a bit surprised at this, having used DMT for some time with no apparent problems and always with Sophos running. Equally, I would like to fully understand things before overriding the warning. It is not a big issue with things like DSLstats available, but I would like to understand things rather than immediately doing a total removal of DMT from the PC.
Has anyone else had or heard of this issue?
-
DMT hasn't changed recently, so I guess it must be a false positive. Presumably the virus it claims to detect is one which has recently been added to the Sophos virus database.
-
I am inclined to agree. However, as I said, ignoring a virus checker is not a thing I like to do. Sophos also dislikes fresh downloads of DMT. I have told Sophos to run it anyway, as I can't detect any of the extra files that are supposed to go with mal/encpk-aco. Seems fine, but I still worry.
-
3 possibilities.
1 - FP that will disappear in a few days when the AV vendor realises.
2 - Deliberate FP added at the request of the modem vendor to deter people from using DMT.
3 - The DMT is actually infected; this is more likely if you grabbed it off an unofficial download location.
-
VirusTotal is a useful site - you can upload a file to it and it runs it past a large number of virus scanners.
https://www.virustotal.com/
Upload the program that Sophos is complaining about and see how many other virus scanners think it's dodgy - it might help you decide if it's a false positive or if something is wrong.
Ian
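As an added example (not part of this thread, and not DMT's or VirusTotal's own code), here is a Python helper for the check Ian describes: hash the suspect file locally, look the hash up on VirusTotal and see how many engines flag it and what they call it. It assumes VirusTotal's public API v3 (GET /api/v3/files/{sha256} with an x-apikey header, key taken from the VT_API_KEY environment variable); the embedded report is constructed sample data, and the 10% threshold and the "all different names" rule are an assumed heuristic, not a VirusTotal rule.

```python
import hashlib
import json
import os
import sys
import urllib.request
# Assumed VirusTotal API v3 lookup-by-hash endpoint (no upload needed).
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"

def sha256_of_file(path: str) -> str:
    """Hash the local file in chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def fetch_report(sha256: str) -> dict:
    """Fetch the existing report for this hash; needs VT_API_KEY in the environment."""
    req = urllib.request.Request(VT_FILES_URL.format(sha256),
                                 headers={"x-apikey": os.environ["VT_API_KEY"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarise(report: dict) -> dict:
    """Count engines flagging the file and keep the detection name each one gave."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {eng: r["result"] for eng, r in results.items()
               if r["category"] in ("malicious", "suspicious")}
    return {"flagged": len(flagged), "engines": len(results), "names": flagged}

def likely_false_positive(summary: dict, max_ratio: float = 0.1) -> bool:
    """Assumed heuristic: a few engines out of many, each giving a different
    generic/packer-style name, is the false-positive pattern; broad agreement is not."""
    if summary["engines"] == 0:
        return False
    distinct_names = len(set(summary["names"].values()))
    return (summary["flagged"] / summary["engines"] <= max_ratio
            and distinct_names == summary["flagged"])

# CONSTRUCTED sample in VirusTotal's report shape: 40 clean verdicts plus two engines
# flagging with unrelated names, as in the thread. Engine names are made up; the first
# detection name is the one Sophos reported in the thread, the second is invented.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    **{f"Scanner{i:02d}": {"category": "undetected", "result": None} for i in range(40)},
    "ScannerA": {"category": "malicious", "result": "Mal/EncPk-ACO"},
    "ScannerB": {"category": "suspicious", "result": "Heur.Packed.Generic"}}}}}

if __name__ == "__main__":
    # With a file path argument and VT_API_KEY set, check a real file; otherwise use the sample.
    report = fetch_report(sha256_of_file(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    s = summarise(report)
    print(f"{s['flagged']}/{s['engines']} engines flag it; {'likely FP' if likely_false_positive(s) else 'suspect'}: {s['names']}")
```

A low flag count with unrelated generic names is the pattern the thread ended up with; many engines agreeing on the same family name is the case to treat seriously regardless of the ratio.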
-
Thanks for the advice. :)
Sophos has indeed updated its false positive and seems happy now.
Virus total shows two different checkers with false positives.
I am convinced it is OK, but I guess router monitoring software could provide a nice location for something nasty.
-
It sometimes seems like AV has got paranoid these days, and there do seem to be quite a lot of false positives.
AVs look for signature patterns, and if they see something that relates to a known pattern then the program will be marked as suspect. Key gens & program cracks are a common FP. The crack itself may be clean, but the AV picks up the pattern that it's trying to crack something, so it sees it as a trojan. I suppose this then makes it hard for anyone using a crack to find out now if it is a 'genuine crack' or does actually contain a nasty.
I have a couple of network tools which sniff packets that AVs always mark as trojans, that I know aren't. Anything that does packet sniffing is regarded as a possible threat despite being legitimate software, which is why the AV manufacturers have to whitelist them. Wireshark and WinPcap are 2 popular network tools that at one time have been marked as containing viruses when in fact they don't. However, those 2 are well known and it's not long before complaints get made and the AV company moves them to the OK list.
Cain (http://en.wikipedia.org/wiki/Cain_and_Abel_%28software%29) is another valid program used to recover lost Windows passwords, yet even today this will be marked as a virus by some AV software. Anything that 'sniffs' or scans is always going to come up as suspect.
One of the things I had to do for an assignment when at college was write a messenger program. I've had AVs mark it in the past as a trojan, yet I 100% know that it isn't. To this day I still don't know why it got picked on.
I think if enough users report a suspected FP then the AV company will whitelist it; it's therefore harder and will take longer for the less well known program FPs to clear.