Virus Gen:Variant.Kazy:367484


Message boards : Problems and bug reports : Virus Gen:Variant.Kazy:367484

Ma pomme
Joined: 3 Nov 13
Posts: 2
Credit: 5,688,937
RAC: 0
Message 2921 - Posted: 17 Apr 2014, 13:39:00 UTC
Hello,

Since some days, BitDefender antivirus detects a virus: Gen:Variant.Kazy:367484.

For example in:

asteroidsathome.net/boinc/downLoad/period_search_10210_windows_intelx86__sse3.exe.

=> no more jobs run for Asteroids on my computer.
The other jobs for BOINC run fine.
What can I do?

Regards.

17/04/2014 12:22:36 | Asteroids@home | Incomplete read of 2076.000000 < 5KB for period_search_10210_windows_intelx86__sse3.exe - truncating
17/04/2014 12:22:36 | Asteroids@home | Finished download of period_search_10210_windows_intelx86__sse3.exe
17/04/2014 12:22:36 | Asteroids@home | Started download of input_101740_12
17/04/2014 12:22:36 | Asteroids@home | [error] File period_search_10210_windows_intelx86__sse3.exe has wrong size: expected 289792, got 0
17/04/2014 12:22:36 | Asteroids@home | [error] Checksum or signature error for period_search_10210_windows_intelx86__sse3.exe


Hello,
For some days now, BitDefender has been systematically blocking the computations sent by Asteroids.
It detects a virus of type Gen:Variant.Kazy:367484.
The other BOINC jobs run correctly.
What can I do, without disabling the antivirus, of course!!
Regards
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2922 - Posted: 17 Apr 2014, 16:35:48 UTC - in response to Message 2921.  

Last modified: 17 Apr 2014, 16:38:36 UTC
What can I do?

You are right, looks like some Antiviruses wrongly think that this file is 'bad':
https://www.virustotal.com/en/file/a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374/analysis/1397641270/

(I use ESET-NOD32 so have no problem)


1) First what you can do - as you are a customer of BitDefender - send them a report about a 'False Positive':
- send them this file (or the URL) for analysis:
http://www.bitdefender.com/support/what-to-do-when-bitdefender-detects-legitimate-applications-491.html

(if you (temporarily) Disable Bitdefender's real-time protection you will be able to manually Download the file using browser)


2) While you wait for response from BitDefender support you may (temporarily) do this:
http://boincwiki.mundayweb.com/index.php?title=Add_the_BOINC_Data_directory_to_the_exclusions_of_my_antivirus_program


3) If the above is not enough to let BOINC contact asteroidsathome.net to get this file, do what is written after "Also you can add a Firewall rule for an application" here:
http://www.bitdefender.com/support/how-to-add-exceptions-1163.html

"3. Browse to the application" means "find boinc.exe and tell BitDefender Firewall to allow all network/Internet communication that boinc.exe wants to do"




- ALF - "Find out what you don't do well ..... then don't do it!" :)
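Added example (my own code, not from this thread, from BOINC or from Asteroids@home): a small Python check covering two things from the posts above. First, it recognises the client log pattern pasted in the first post (an 'Incomplete read ... truncating' followed by 'wrong size: expected 289792, got 0' and a checksum error on the same file name), which is what it looks like when an on-access scanner removes a file as it lands, rather than the server sending a bad file. Second, once you have downloaded the binary by hand as suggested in step 1, it compares the file's size and SHA-256 with the values this thread quotes (289792 bytes, a27ce3d8...), so that the false-positive report you send concerns exactly the sample VirusTotal analysed. The size and hash are the thread's; the log lines are the ones from the first post, embedded as constructed input; the function names and the 'av_block' heuristic are assumptions of mine.

```python
import hashlib
import re
import sys
from pathlib import Path

# Values quoted in this thread for period_search_10210_windows_intelx86__sse3.exe:
# the BOINC client expected 289792 bytes, and VirusTotal lists this SHA-256.
EXPECTED_SIZE = 289792
EXPECTED_SHA256 = "a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374"

# Log patterns modelled on the BOINC client messages pasted in the first post.
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \| (?P<project>[^|]+?) \| (?P<msg>.*)$")
PATTERNS = {
    "truncated": re.compile(r"Incomplete read of \S+ < \S+ for (?P<name>\S+) - truncating"),
    "wrong_size": re.compile(r"File (?P<name>\S+) has wrong size: expected (?P<exp>\d+), got (?P<got>\d+)"),
    "checksum": re.compile(r"Checksum or signature error for (?P<name>\S+)"),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the hash VirusTotal reports for a sample)."""
    return hashlib.sha256(data).hexdigest()


def verify_bytes(data: bytes, expected_size: int, expected_sha256: str) -> str:
    """Classify a downloaded blob against the size/hash BOINC and VirusTotal expect.

    'empty'     - 0 bytes: typical when real-time AV deleted or blocked the file
    'truncated' - shorter than expected: partial download
    'mismatch'  - wrong hash (or too long): not the file VirusTotal analysed
    'ok'        - size and SHA-256 both match
    """
    if len(data) == 0:
        return "empty"
    if len(data) < expected_size:
        return "truncated"
    if len(data) != expected_size or sha256_hex(data) != expected_sha256.lower():
        return "mismatch"
    return "ok"


def verify_file(path, expected_size=EXPECTED_SIZE, expected_sha256=EXPECTED_SHA256) -> str:
    """verify_bytes() over a file on disk; a missing file counts as 'empty'."""
    p = Path(path)
    if not p.exists():
        return "empty"
    return verify_bytes(p.read_bytes(), expected_size, expected_sha256)


def scan_boinc_log(lines):
    """Map each file named in BOINC download errors to the set of error kinds seen."""
    found = {}
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        for kind, rx in PATTERNS.items():
            hit = rx.search(msg)
            if hit:
                found.setdefault(hit.group("name"), set()).add(kind)
    return found


def looks_like_av_block(errors: set) -> bool:
    """Heuristic (my assumption): a 'wrong size' plus a checksum error on the same
    file, right after 'Finished download', points at an on-access scanner removing
    the file as it is written rather than at a bad mirror."""
    return {"wrong_size", "checksum"} <= errors


# Constructed input: the client messages pasted in the first post of the thread.
SAMPLE_LOG = [
    "17/04/2014 12:22:36 | Asteroids@home | Incomplete read of 2076.000000 < 5KB for period_search_10210_windows_intelx86__sse3.exe - truncating",
    "17/04/2014 12:22:36 | Asteroids@home | Finished download of period_search_10210_windows_intelx86__sse3.exe",
    "17/04/2014 12:22:36 | Asteroids@home | Started download of input_101740_12",
    "17/04/2014 12:22:36 | Asteroids@home | [error] File period_search_10210_windows_intelx86__sse3.exe has wrong size: expected 289792, got 0",
    "17/04/2014 12:22:36 | Asteroids@home | [error] Checksum or signature error for period_search_10210_windows_intelx86__sse3.exe",
]

if __name__ == "__main__":
    for name, errs in scan_boinc_log(SAMPLE_LOG).items():
        print(f"{name}: {sorted(errs)} av_block={looks_like_av_block(errs)}")
    # Optional: check a copy you downloaded by hand, e.g. python check_app.py <path>
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", verify_file(sys.argv[1]))
```

If your hand-downloaded copy comes back 'ok', the VirusTotal report in this thread is about the very bytes on your disk and you can quote that SHA-256 in the vendor ticket; 'empty' right after the download finished is the scanner, not the project.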
Ma pomme
Joined: 3 Nov 13
Posts: 2
Credit: 5,688,937
RAC: 0
Message 2923 - Posted: 18 Apr 2014, 8:43:32 UTC
To BilBg

Thank you for your answer.

1) => I sent a report to Bitdefender.
2) => I added an exception in Bitdefender.

3) => I didn't do that today, because BOINC manages the other projects correctly.

I will contact you again after the answer from Bitdefender.


Thanks again.
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2933 - Posted: 30 Apr 2014, 2:54:16 UTC - in response to Message 2923.  

Last modified: 30 Apr 2014, 3:02:04 UTC

I just sent this to BitDefender Customer Care:

False Positive on:
period_search_10210_windows_intelx86__sse3.exe

http://asteroidsathome.net/boinc/download/period_search_10210_windows_intelx86__sse3.exe


The following files which do the same computing are declared 'clean':
period_search_10210_windows_intelx86__sse2.exe
period_search_10210_windows_intelx86.exe

Files can be found here:
http://asteroidsathome.net/boinc/download/

http://asteroidsathome.net/boinc/download/period_search_10210_windows_intelx86__sse2.exe

http://asteroidsathome.net/boinc/download/period_search_10210_windows_intelx86.exe


Problem noted here:
http://asteroidsathome.net/boinc/forum_thread.php?id=286


https://www.virustotal.com/en/file/a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374/analysis/

https://www.virustotal.com/en/file/cf289f8f60e3da1bcdb61007c318635d54a77ca8d0efdd792a62c4405809e6ec/analysis/

https://www.virustotal.com/en/file/7cae1da685be56dbaf440ee79ab387f6a25e8e996522a1a913b95e9fa4675f4d/analysis/


(I am doing the report on behalf of another user)





- ALF - "Find out what you don't do well ..... then don't do it!" :)
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2952 - Posted: 3 May 2014, 19:30:39 UTC - in response to Message 2933.  

Last modified: 3 May 2014, 19:58:28 UTC

Answer from today:
_________________

Date: 2014 May 3 05:43:21 EEST

Dear BilBg,

Please be informed that we are currently working on resolving your Customer Care request, ticket no: 20140430..., and will be getting back to you shortly.
Thank you for your patience.

Regards,
Bitdefender Customer Care Team

_________________


P.S.
I have a suspicion that all six Antiviruses which report 'Gen:Variant.Kazy.367484' are using the BitDefender engine.
So if BitDefender removes the wrong detection, the 'Detection ratio: 13 / 52' will fall to 'Detection ratio: 7 / 52'
https://www.virustotal.com/en/file/a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374/analysis/1399145129/

The remaining 7 Antiviruses are not 'famous'

(Not used by many people, except McAfee and TrendMicro.
But whoever uses McAfee or TrendMicro deserves to be bombed with the famous False Positives like 'Artemis!' or 'TROJ_GEN' which they give to many innocent programs)





- ALF - "Find out what you don't do well ..... then don't do it!" :)
Conan
Joined: 19 Jun 12
Posts: 32
Credit: 5,109,956
RAC: 1,758
Message 2953 - Posted: 4 May 2014, 0:11:40 UTC - in response to Message 2952.  
Dear BilBg,

I use TrendMicro and do not have any problems with false positives on any BOINC projects.

I used to use McAfee but it is not as good as it once was and is resource hungry.

I would prefer if you bombed me with money so I can pay the electricity bill.

Bombing me with false positives I haven't heard of (even from the company), or encountered (the problem you claim in your last sentence), will serve no purpose.

Asteroids runs fine for me.

Conan
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2954 - Posted: 4 May 2014, 9:10:55 UTC - in response to Message 2953.  
"false positive identification of Windows systems files by Trend Micro Internet Security"
http://www.zdnet.com/trend-micro-gives-false-positive-details-4010009280/

"Trend Micro Office Scan blocks uploads as malicious"
http://setiathome.berkeley.edu/forum_thread.php?id=52047

"Trend Micro Office Scan reports TROJ_GEN.FA2CZLJ in BOINC file"
http://setiathome.berkeley.edu/forum_thread.php?id=62433

"Trend Micro Anti-virus issues with boinc2 download"
http://boinc.berkeley.edu/dev/forum_thread.php?id=3670

"3 different people had started 3 different threads already complaining how their Trend Micro would all of a sudden make a fuss of Seti's app"
http://boinc.berkeley.edu/dev/forum_thread.php?id=6246&postid=36176#36176


http://community.trendmicro.com/t5/Malware-Discussions/OfficeScan-False-Positive/td-p/62042
http://www.wilderssecurity.com/threads/trendmicro-false-positive.348378/


I do not say that TrendMicro is the worst, there are many others (McAfee, Comodo, Norton, Kaspersky):
http://setiathome.berkeley.edu/forum_thread.php?id=69133&postid=1276595#1276595

"AVG 2013 virus scanner false positive on SETI@home 7 for Windows"
http://setiathome.berkeley.edu/forum_thread.php?id=71784&postid=1373641#1373641


I often see TrendMicro-HouseCall and McAfee-GW-Edition in the VirusTotal results:
https://www.virustotal.com/en/file/110ad1536cef122e890ba0952600600cc767a229a196e5f5dd11b85195833a4f/analysis/1398152630/
https://www.virustotal.com/en/file/d29bcfa967c23c7264592576d62d95fa8c687e8662d19dccc73653a9efb6340d/analysis/1367663376/



- ALF - "Find out what you don't do well ..... then don't do it!" :)
mikey
Joined: 1 Jan 14
Posts: 300
Credit: 32,047,328
RAC: 14,928
Message 2955 - Posted: 4 May 2014, 13:00:48 UTC - in response to Message 2952.  

Last modified: 4 May 2014, 13:06:25 UTC

The remaining 7 Antiviruses are not 'famous'

(Not used by many people, except McAfee and TrendMicro.
But whoever uses McAfee or TrendMicro deserves to be bombed with the famous False Positives like 'Artemis!' or 'TROJ_GEN' which they give to many innocent programs)


AND McAfee is free for Verizon and some other smaller internet providers' customers, so is used by A LOT of people. It used to be free for Comcast people too but I don't use them anymore so don't know. Using a free a/v is MUCH better than not using one at all.

Personally I just exclude the Boinc directories from my a/v altogether, that way any false positives are ignored and any real virus that then tries to infect the rest of my system will get caught. I don't care if a Boinc project sends me a real virus as long as it stays in the Boinc set of directories, if it comes out it will get caught and stopped. If it doesn't then I got it from them anyway and they can have it back! MOST Boinc projects are VERY good at running a/v protection, they don't want US sending them a virus either. I was going to say all instead of most, but there could be that 0.01% that doesn't.
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2962 - Posted: 5 May 2014, 2:19:59 UTC - in response to Message 2955.  

Last modified: 5 May 2014, 2:47:14 UTC

If some project starts to deliver a keylogger (or other form of info stealing) it does not need to spread (infect) outside the BOINC directory to do its 'job'

____________

Funny thing:

- the EICAR test file
http://en.wikipedia.org/wiki/EICAR_test_file

... has to be detected by all Antiviruses, but some (McAfee among them) do not detect it when the file is in a .rar:
https://www.virustotal.com/en/file/462996fa40509762ca96597fa1b2c6131abc847cfc0146828e53d13ea159e6a2/analysis/1399255625/

... but detect it when in 'naked' form:
https://www.virustotal.com/en/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/1399255626/


EICAR test file (totally harmless file to test your Antivirus - expect a warning from it)
https://secure.eicar.org/eicar.com.txt





- ALF - "Find out what you don't do well ..... then don't do it!" :)
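Added example (my own code, not from the thread or from any vendor) of the 'funny thing' above: build the 68-byte EICAR string in memory, confirm its SHA-256 is the 275a021b... value in the VirusTotal link for the bare file, then wrap it in an archive and compare what a scanner that only looks at the bytes it is handed sees with one that opens the container. ZIP stands in for .rar because Python's standard library has no RAR writer; the string and hash are the standard ones from eicar.org. Nothing is written to disk, and the string is split in two so that the page text itself does not carry the signature.

```python
import hashlib
import io
import zipfile

# The 68-byte EICAR test string, assembled from two halves at run time so this
# page's text is not itself the signature; joined, it is exactly the standard
# string from eicar.org (see the Wikipedia link in the post above).
_EICAR_PART_1 = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
_EICAR_PART_2 = r"ANTIVIRUS-TEST-FILE!$H+H*"

# SHA-256 of the bare eicar.com file, as in the VirusTotal link in the post above.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def eicar_bytes() -> bytes:
    """The test file exactly as a scanner expects it: ASCII, no trailing newline."""
    return (_EICAR_PART_1 + _EICAR_PART_2).encode("ascii")


def eicar_sha256() -> str:
    return sha256_hex(eicar_bytes())


def zipped_eicar() -> bytes:
    """eicar.com wrapped in a deflated ZIP archive, built in memory.

    ZIP is used instead of the thread's .rar because the standard library has no
    RAR writer; the point is the same: the container's bytes (and its hash) no
    longer contain the signature, only the unpacked member does.
    """
    buf = io.BytesIO()
    # Fixed timestamp so the archive bytes (and hash) are reproducible.
    info = zipfile.ZipInfo("eicar.com", date_time=(1980, 1, 1, 0, 0, 0))
    info.compress_type = zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, eicar_bytes())
    return buf.getvalue()


def contains_eicar_raw(data: bytes) -> bool:
    """Model of a scanner that only pattern-matches the bytes it is handed."""
    return eicar_bytes() in data


def contains_eicar_unpacked(data: bytes) -> bool:
    """Model of a scanner that also opens ZIP containers and checks each member."""
    if contains_eicar_raw(data):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(contains_eicar_raw(zf.read(n)) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    raw, packed = eicar_bytes(), zipped_eicar()
    print("bare   :", sha256_hex(raw), "raw-scan:", contains_eicar_raw(raw))
    print("zipped :", sha256_hex(packed), "raw-scan:", contains_eicar_raw(packed),
          "unpacked-scan:", contains_eicar_unpacked(packed))
```

The deflated archive has a different hash and no longer contains the 68 bytes verbatim, so a product that does not unpack archives (or a hash-based lookup keyed on the container) misses it, while the member inside still hashes to 275a021b..., which is what the two VirusTotal links above show.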
mikey
Joined: 1 Jan 14
Posts: 300
Credit: 32,047,328
RAC: 14,928
Message 2966 - Posted: 5 May 2014, 10:53:36 UTC - in response to Message 2962.  

If some project starts to deliver a keylogger (or other form of info stealing) it does not need to spread (infect) outside the BOINC directory to do its 'job'


I have never heard of that before, thanks!
Conan
Joined: 19 Jun 12
Posts: 32
Credit: 5,109,956
RAC: 1,758
Message 2969 - Posted: 5 May 2014, 12:53:41 UTC - in response to Message 2954.

Well that is all news to me, have not struck any of this.
I use the Platinum version, perhaps that may be the reason.
It has more of an overhead than normal version, perhaps doing a bit more work.
I needed to do a small bit of extra work to set it up the way I wanted it to run, but now it is running fine.

Each to their own I suppose.

Conan
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2980 - Posted: 7 May 2014, 4:53:50 UTC

I found another much easier form for False Positive or False Negative report to BitDefender, "Sample or URL Submit":
http://www.bitdefender.com/site/Main/automaticSampleUploader/





- ALF - "Find out what you don't do well ..... then don't do it!" :)
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2981 - Posted: 7 May 2014, 5:21:28 UTC

I still don't have another answer from BitDefender and it still shows Gen:Variant.Kazy.367484 for period_search_10210_windows_intelx86__sse3.exe

The only Antivirus which fixed this False Positive is McAfee

Compare:
https://www.virustotal.com/en/file/a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374/analysis/1399145129/
https://www.virustotal.com/en/file/a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374/analysis/1399439314/




- ALF - "Find out what you don't do well ..... then don't do it!" :)
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2982 - Posted: 7 May 2014, 5:49:41 UTC

Last modified: 7 May 2014, 6:24:45 UTC

I sent similar report to Lavasoft / Ad-Aware (easy: they accept URL to get the file, no need to send Zip)
http://lavasoft.com/support/securitycenter/report_false_positives.php

Ad-Aware - Gen:Variant.Kazy.367484 - 20140507 :

https://www.virustotal.com/en/file/a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374/analysis/1399439314/

SHA256:	a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374

File size 283.0 KB ( 289792 bytes )

File name:	period_search_10210_windows_intelx86__sse3.exe

URL to get the file:
http://asteroidsathome.net/boinc/download/period_search_10210_windows_intelx86__sse3.exe


Problem noted here:
http://asteroidsathome.net/boinc/forum_thread.php?id=286



And another similar report to Trend Micro (they insist on getting a password-protected Zip)
http://www.trendmicro.com/us/about-us/detection-reevaluation/index.html





- ALF - "Find out what you don't do well ..... then don't do it!" :)
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2983 - Posted: 7 May 2014, 8:59:01 UTC

Reports sent also to G Data and MicroWorld-eScan
https://su.gdatasoftware.com/us/sample-submission/
http://support.mwti.net/support/index.php?/Tickets/Submit





- ALF - "Find out what you don't do well ..... then don't do it!" :)
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 2990 - Posted: 8 May 2014, 0:41:10 UTC

OK, after all these reports the issue is now fixed for the most part,
but McAfee is back again in the False Positive 'business' (Artemis!F4A88BF8B5CE) ;)
https://www.virustotal.com/en/file/a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374/analysis/1399507771/

Now 'Detection ratio: 6 / 51'

If someone (e.g. the admin of this project; or people using McAfee) wants to rule out the remaining 6 False Positives,
use the big table on this page (use Ctrl+F to find the product) - it has links for every Antivirus directly to the False Positive Submission:
http://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm





- ALF - "Find out what you don't do well ..... then don't do it!" :)
BilBg
Joined: 19 Jun 12
Posts: 221
Credit: 623,640
RAC: 0
Message 3006 - Posted: 10 May 2014, 2:59:51 UTC
Only 3 False Positives remain; who did the reports? (probably VirusTotal itself notifies the vendors when the 'Detection ratio' of some file goes up or down too much):
https://www.virustotal.com/en/file/a27ce3d8c5ca4d58bac5d95185b53277ddd2dde5e33f61e151bcc65b28062374/analysis/1399628625/



- ALF - "Find out what you don't do well ..... then don't do it!" :)
