Dark Bit Factory & Gravity

GENERAL => General chat => Topic started by: Clyde on October 13, 2007

Title: Virus found Win32/NSAnti
Post by: Clyde on October 13, 2007
Hello there,

I keep on getting the following virus warning when-ever downloading stuff:

Virus found Win32/NSAnti

I have AVG Free edition antivirus 7.5, and wondered if any people get the same, or know of a cure to this. As alot of demo stuff I can't download or use.

Many thanks,
Clyde.

Title: Re: Virus found Win32/NSAnti
Post by: .:] Druid [:. on October 13, 2007
Hey Clyde, I do have exactly the same under Vista with the same antivirus.  It's a heuristic alert if I'm not mistaken (it's what I read on the web).  So, basically I stop the Resident Shield protection when this happens... and turn it back on afterwards.

I know, it's not THE solution but so far it does the job. I'll be looking for a more convenient solution (maybe it'll come from AVG directly, it could be a problem on their side, it's most likely anyway).  Of course if I do find something, I'll post it here.

Cheers,
druid
Title: Re: Virus found Win32/NSAnti
Post by: Clyde on October 13, 2007
Cheers mate, thanks very much.
Title: Re: Virus found Win32/NSAnti
Post by: mike_g on October 13, 2007
That's the same message I got a minute ago when I tried to unzip something from this site. Until now I had never seen it before. I guess I'll try downloading some other stuff and see if it happens again.

Edit: Oh yeah, I'm running Vista with AVG too.
Title: Re: Virus found Win32/NSAnti
Post by: Jim on October 14, 2007
I have Vista with AVG.  I'm pretty sure that's not the problem - I think it's executables packed with kkrunchy that trigger the false positive, and that it's something fairly new that AVG is doing that triggers it.

<edit>
I think I've confirmed that.

You can use PEiD to check the exe format - it identifies over 400 different packers, apparently! http://peid.has.it/

And there's an amazing tutorial here about how to unpack kkrunchy'd EXEs.
http://azmoaore.wordpress.com/unpacking-tutorials/

This makes kkrunchy useless when you have AVG enabled which is a pain in the neck.  I might see if I can get in touch with AVG and let them know about the problem.

In the meantime, disabling AVG on Vista is tricky.

First, right click the AVG icon in the tooltray and select 'Quit AVG Control Centre'
Second, find AVG in the start menu, right click 'AVG Control Centre' and choose 'Run as Administrator'.
Choose Allow from the UAC dialog.
Third, right click the AVG icon in the tooltray and select 'Launch AVG Control Centre'
Fourth, right click 'Resident Shield' and select 'Properties'.
Finally, uncheck the 'Turn on AVG Resident Shield protection' and click 'OK'.

If you try this without 'Run as Administrator' it won't turn it off.

<edit2>
Reported to AVG under their 'false positives' programme.  We'll see if it gets fixed.

Jim
Title: Re: Virus found Win32/NSAnti
Post by: Shockwave on October 14, 2007
I also checked things out with this product:

http://dbfinteractive.com/index.php?topic=2511.0

It triggered the same alert. Please see the steps that I took in the post I linked to, which included loading into memory, finding the entry point, complete decrunch, a full virus scan with AVG and Kaspersky (which now show the file as clean), then re-compilation with kkrunchy, which then shows the file as infected.

It is not demoscene productions, it's AVG.
Title: Re: Virus found Win32/NSAnti
Post by: Clyde on October 14, 2007
Many thanks Jim & Shockwave.
Title: Re: Virus found Win32/NSAnti
Post by: taj on October 14, 2007
Quote
And there's an amazing tutorial here about how to unpack kkrunchy'd EXEs.
http://azmoaore.wordpress.com/unpacking-tutorials/

After watching that I just downgraded how I see my programming skills. Awesome skillz.
Title: Re: Virus found Win32/NSAnti
Post by: Shockwave on October 14, 2007
I was lucky, Alpha One taught me how to do all that stuff :)

For any would-be reverse-engineers I would recommend looking at the PORTABLE EXECUTABLE (http://en.wikipedia.org/wiki/Portable_Executable) format in great depth, and then when you understand that your coding skills will be more elite than 99% of all so-called coders in the scene.

It is also really interesting to read up on it to see how Windows treats your programs.
Title: Re: Virus found Win32/NSAnti
Post by: Paul on October 14, 2007
Same problem here, also Vista and AVG Free 7.5.
Something similar happened before, but AVG got it fixed after a day or two.
Title: Re: Virus found Win32/NSAnti
Post by: Jim on October 14, 2007
Here's my response from AVG
Quote
Dear Sir/Madam,

Thank you for your email.

According to our virus lab, the virus is detected properly, because it is packed with a packer which is used very often by some virus/malware etc. We will fix the detection on this file in the next virus base update.
Thank you for sending us the file and for your cooperation.

Best regards,

Marek Mikula
AVG Technical Support

I don't know whether that means they'll just keep a hash of kkrunchy.exe which is what I sent them, or whether they'll try to fix it more comprehensively.  Anyway, full marks to AVG/GriSoft for a sub-24hr response time.  nVidia and ATI should take note!

Jim
Title: Re: Virus found Win32/NSAnti
Post by: Shockwave on October 14, 2007
It was a fast response but that email is ambiguous.
Title: Re: Virus found Win32/NSAnti
Post by: Jim on October 15, 2007
Quote
don't know whether that means they'll just keep a hash of kkrunchy.exe which is what I sent them
That's exactly what they've done.  Today's patch no longer detects kkrunchy_k7.exe as a virus, but all kkrunchy packed apps are still triggering AVG. Bah!

Jim
Title: Re: Virus found Win32/NSAnti
Post by: Shockwave on October 15, 2007
Time to get a better virus checker like Kaspersky.
Title: Re: Virus found Win32/NSAnti
Post by: Jim on October 15, 2007
I've sent them a follow-up email, but I suspect I'm pissing in the wind now.  Shame - I've used AVG for nearly 10 years now, and I don't want to change.  Is Kaspersky any good?  Is it free?  Does it work on Vista?  AVG answers yes to all those questions, and apart from this new kkrunchy problem, it's been flawless for me.

Jim
Title: Re: Virus found Win32/NSAnti
Post by: Shockwave on October 15, 2007
Hmm, well Kaspersky is not free but I believe it to be the best, and it will work on Vista.

In fact when I used to do scambaiting Kaspersky was the only virus checker I knew that could detect my "tools" even though they had not been added to any database.

I have full confidence in Kaspersky but I guess it's up to you what you feel comfortable with.
Title: Re: Virus found Win32/NSAnti
Post by: taj on October 15, 2007
Quote
According to our virus lab, the virus is detected properly, because it is packed with a packer which is used very often by some virus/malware etc.

Oh great, so AVG labs is now saying that any exe packed with a packer is a potential virus. Sigh. Time to remove AVG... idiots. OK, in the meantime until I find another virus checker, you can do this:

Click on the AVG icon in your toolbar. Click on Resident Shield and then Properties. Deselect Resident Shield.
Tada - of course things complain but it works.

Title: Re: Virus found Win32/NSAnti
Post by: Shockwave on October 15, 2007
I hate free virus scanners...
We are coders, our HDs are imperative, and we use free scanners?
Title: Re: Virus found Win32/NSAnti
Post by: Yaloopy on October 15, 2007
NOD32, folks.
Title: Re: Virus found Win32/NSAnti
Post by: rain_storm on October 15, 2007
I did use NOD32 for a while; it's very good and doesn't usually give false positives. However, I had to uninstall NOD32 when it started to interfere with my assembler: it just would not let me assemble code that used file I/O in DOS, but NOD didn't have any problem with Win32 file I/O.
Title: Re: Virus found Win32/NSAnti
Post by: .:] Druid [:. on October 30, 2007
AVG updated their virus definition and the problem is gone.
Title: Re: Virus found Win32/NSAnti
Post by: Shockwave on October 31, 2007
Good :)