Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
virus programs blocking chunk
- Posts: 8
- Joined: 2011-02-04 02:06
virus programs blocking chunk
There seem to be some new virus definitions that are blocking chunkvnc.
It has been working great until this week.
I have ChunkVNC 3.2 in a linux repeater environment.
My clients have had to disable their antivirus programs in order for this to work. Is anyone experiencing the same? Thanks for your time.
Last edited by exclusivebiz on 2011-03-30 21:51, edited 2 times in total.
Re: virus programs blocking chunck
What antivirus program are they using?
Usually there isn't much you can do besides add InstantSupport as an exception or contact the virus scanner company about a false detection.
http://www.chunkvnc.com - ChunkVNC - Free PC Remote control with the Open Source UltraVNC wrapper InstantSupport!
- Posts: 8
- Joined: 2011-02-04 02:06
Re: virus programs blocking chunck
Thanks for the quick reply. It's AVG right now and I will look into if there are others. It just started this past week. It was fine with AVG previously.
Re: virus programs blocking chunck
AVG 2011 was a problem for other users a few months ago as well, here is a fix that worked for them.
From thread [topic=27023]:
After some trial and error, I think I found the problem (or a way to avoid it at least).
In the file InstantSupport.au3 replace
FileCopy( @ScriptFullPath, $WorkingPath & "\InstantSupport.exe", 9 )
with
FileCopy( @ScriptDir & "\" & @ScriptName, $WorkingPath & "\InstantSupport.exe", 9 )
This avoids some AVG signature detection, replacing a few bytes in the executable.
- Posts: 8
- Joined: 2011-02-04 02:06
Re: virus programs blocking chunck
Thank you for the link. I remember those posts and actually modified the code back then. I checked the code again now and it's the correct one.
I will try to gather some more details on which other AV software and versions.
- Posts: 8
- Joined: 2011-02-04 02:06
Re: virus programs blocking chunk
This is from McAfee
Tojan detected
McAfee has detected an infected item in a shared folder on your network. To remove the threat, right-click the folder, change its properties to allow full access, and then click Scan.
About this Trojan
Detected Artemis!04972A5F0742 (Trojan)
Quarantined From: \Device\HarddiskVolumeShadowCopy9\Users\Jim\Downloads\remote (1).exe
We cannot remove a Trojan while the infected file is in a shared folder on your network. Allowing full access to the folder frees up the infected file allowing McAfee to fix the issue.
Then AVG:
Threat was Blocked!
File name: remote.exe
Virus identified Worm/Autoit.AMXK
Re: virus programs blocking chunk
False detections, this happens a lot with programs created in AutoIT.
- Posts: 8
- Joined: 2011-02-04 02:06
Re: virus programs blocking chunk
That I understand; the question is why didn't it happen 2-3 months earlier, when it was used with no problem. Suddenly now AVG and McAfee decided to make it a virus.
- Posts: 8
- Joined: 2011-02-04 02:06
Re: virus programs blocking chunk
I have just updated AutoIT and tested with virustotal.
Seems that some entries have been eliminated; AVG and McAfee don't detect it as a virus anymore. So perhaps the AutoIT was the issue.
Re: virus programs blocking chunk
I've changed some things to get our Remotesupporttool running on machines with Kaspersky Internet Security in ChunkVNC 3.2.
1. I've changed the extraction directory at line 44 to
Code:
Global $WorkingPath = @AppDataDir & "\MyCompany-Instantsupport"
(Replace my Company with your Company)
That helped a lot, because the previous directory with a random name and in the temp folder got Kaspersky to think it's malware (Userrating 0,5, that's bad). And without that change there was no way to set the exe file as a trusted program, because every time the trusted vnc-exe was in another place.
That change switched the Kaspersky rating from malware to an automatic trusted program (Userrating of 4,5, a very trusted program), so the user has nothing to do, it just works. It looks like Kaspersky is not against UltraVNC, it's against a potential malware path like the temp path with a remoteadmintool inside.
2. I've removed the automatic removal of the vnc files after the end of the remote-exe. That was helpful, because I'd like to just manually add a shortcut to the Instantsupport.exe on the desktop. I've added on line 407 (first line under "Func _DeleteSelf( $Path, $iDelay = 5 )")
Code:
$DeleteFiles = False
The second change is optional, but I think the first change is very helpful against false detection. If there were an input area in the compiler.exe for the "MyCompany" part of the path, it should be no problem to use Appdata for extraction ...
EDIT: All changes are in "src/InstantSupport.au3", if you'd like to repeat it
Last edited by Netzvamp on 2011-04-06 15:53, edited 2 times in total.
Re: virus programs blocking chunk
Sounds like good work, Netzvamp! Thanks. I wonder if Kaspersky would mind if the directory name were auto-incrementing instead of random, like "ChunkInstall1" and "ChunkInstall2".
I'm not on board with the step 2, because it goes against Chunk's in-and-out-and-gone-unless-you-install-the-service philosophy.
Re: virus programs blocking chunk
B wrote:
> Sounds like good work, Netzvamp! Thanks. I wonder if Kaspersky would mind if the directory name were auto-incrementing instead of random, like "ChunkInstall1" and "ChunkInstall2".
> I'm not on board with the step 2, because it goes against Chunk's in-and-out-and-gone-unless-you-install-the-service philosophy.
That with the auto-increment folder names should be no problem. The main reason for the false detection is the temp folder. From the view of a heuristic it's right: there starts a vnc.exe extracted from another exe in a temp path, that looks clearly like a trojan.
Step 2 is only for me; if you don't like it, you don't need it.
Re: virus programs blocking chunk
Well, that's not true -- you could say that about ANY installer that wrote programs to anywhere but Program Files.
The real trojans have no problem writing to non-%TMP% directories -- in fact I've never found one there, but plenty in IE cache directories and user AppData folders and Windows subdirectories. So I hear you, but it's still not terrifically smart on KAV's part (and yet they're among the best at this).
Re: virus programs blocking chunk
B wrote:
> Well, that's not true -- you could say that about ANY installer that wrote programs to anywhere but Program Files.
There aren't many installers that use autoit to extract and start a winvnc.exe in the temp folder, it's just a bad combination for Kaspersky. I also don't like that behavior from Kaspersky, it's just wrong.
Trojan discussion is a bit outside of the topic, but you're right, most of the malware runs from the temporary internet files ...